Cisco Support Community

Stateful failover on Cisco ASA with failed interface

Hi

We have a failover pair of ASA5540's. We are experiencing some connectivity issues through the primary switch that the primary ASA is connected to and want to fail over to the secondary ASA. Unfortunately the secondary ASA is reporting a status of failed because the VLAN for the interface in question "dmz-pest" does not exist on the secondary switch.

Traffic on the dmz-client cannot be interrupted. Can anyone tell me if I fail over the firewalls will the failover be stateful? I.e. will connections resume through the secondary or will users experience any outage?

Does the firewall maintain state even if the secondary ASA is reporting a failed state?

    Last Failover at: 14:45:26 UTC Sep 16 2007
    This host: Primary - Active
        Active time: 1547156 (sec)
        slot 0: ASA5540 hw/sw rev (1.0/7.2(2)) status (Up Sys)
            Interface outside (203.94.186.66): Normal
            Interface inside (172.18.1.101): Normal
            Interface dmz-corplink (0.0.0.0): Link Down (Not-Monitored)
            Interface dmz-client (172.18.242.254): Normal
            Interface dmz-pest (10.0.1.130): Normal (Waiting)
            Interface dmz-pub (172.18.2.254): Normal (Not-Monitored)
            Interface dmz-iro (172.18.240.254): Normal (Not-Monitored)
        slot 1: empty
    Other host: Secondary - Failed
        Active time: 0 (sec)
        slot 0: ASA5540 hw/sw rev (1.0/7.2(2)) status (Up Sys)
            Interface outside (203.94.186.73): Normal
            Interface inside (172.18.1.102): Normal
            Interface dmz-corplink (0.0.0.0): Normal (Not-Monitored)
            Interface dmz-client (172.18.242.253): Normal
            Interface dmz-pest (10.0.1.131): Failed (Waiting)
            Interface dmz-pubs (172.18.2.201): Normal (Not-Monitored)
            Interface dmz-iro (0.0.0.0): Normal (Not-Monitored)
        slot 1: empty

Many thanks

1 REPLY

Re: Stateful failover on Cisco ASA with failed interface

I have just given this some thought. I will remove the monitor-interface command for the dmz-pest interface. This should return the firewalls to a ready state and then I shouldn't have any concern about the firewalls failing over statefully. Does this make sense?

Ta
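
An added example, not part of the original thread: a small Python parser for `show failover` output of the kind posted in the question, listing per unit the monitored interfaces that are not in the Normal state. The sample text is abridged from the post, the function names are this example's own, and treating "monitored and not Normal" as the condition of interest is this example's assumption.

```python
import re

# Abridged from the output posted in the question above.
SAMPLE = """\
This host: Primary - Active
Interface outside (203.94.186.66): Normal
Interface dmz-corplink (0.0.0.0): Link Down (Not-Monitored)
Interface dmz-pest (10.0.1.130): Normal (Waiting)
Other host: Secondary - Failed
Interface outside (203.94.186.73): Normal
Interface dmz-pest (10.0.1.131): Failed (Waiting)
Interface dmz-iro (0.0.0.0): Normal (Not-Monitored)
"""

# "This host: Primary - Active" -> role "Primary", state "Active"
UNIT_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
# "Interface dmz-pest (10.0.1.131): Failed (Waiting)" -> name, ip, state, note
IFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([^)]*)\):\s*(.+?)(?:\s+\(([^)]+)\))?\s*$")


def parse_show_failover(text):
    """Return {role: {"state": str, "interfaces": [dict, ...]}}."""
    units, current = {}, None
    for line in text.splitlines():
        m = UNIT_RE.match(line)
        if m:
            current = {"state": m.group(3), "interfaces": []}
            units[m.group(2)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, state, note = m.groups()
            current["interfaces"].append({
                "name": name, "ip": ip, "state": state,
                "monitored": note != "Not-Monitored",
            })
    return units


def blocking_interfaces(units):
    """Per unit, names of monitored interfaces whose state is not Normal."""
    return {
        role: [i["name"] for i in u["interfaces"]
               if i["monitored"] and i["state"] != "Normal"]
        for role, u in units.items()
    }


if __name__ == "__main__":
    for role, names in blocking_interfaces(parse_show_failover(SAMPLE)).items():
        print(role, "->", names or "none")
```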
