I've configured failover in GNS between two ASAs. I'm doing this for real this weekend, but I've run into a snag. If I shut the outside interface on the primary, traffic stops and the standby doesn't take over. The standby works though because I can manually fail it over and it passes traffic just fine. Is shutting the interface not a good way to test this?
If failover does not occur when the interface is close/shut, you have a config issue. You need to make sure the "outside" or any of the interfaces are monitored. You should also define, either by the number of interfaces or % of failures, when the failover will kick in, including the polling times, hold times, etc. You should apply this in your lab and real environment.
Thanks Andrew. Shutting the interface on the opposite side makes sense. All of the interfaces are monitored by default. I'm pretty confident that in a real environment, the ASA will fail over when I pull the link from the outside interface. I'm trying to reproduce the scenario if the interface itself went out.
I'm going to recreate my environment in GNS and try to shut the opposite end and see what happens.
The GNS3 lab - failover will not work for you in a virtual lab - it must be an actual physical test lab. Sorry, I missed the "GNS" reference in the original post. The issue is that the PIX/ASA are virtual machines, and as such "auto" provide Ethernet keepalives and assume a good interface... so shutting the other device down will not bring down the PIX/ASA interface.
Just to double check - fire up a PIX/ASA with no network connections to it in GNS3 and config 1 interface, then open it. I'm pretty sure it will say up/up all the time!
I also think your real life failover test will pass 100%.
I think you're right. GNS is good for some things, but sometimes real world tests are the only way to prove something really works. I'm installing the standby this Sunday, so I think I'll be fine. In GNS I can manually fail over and it works fine....
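A pre-cutover check for the monitoring point raised in the thread, added here as an example and not posted by any participant: it parses saved `show failover` text and lists interfaces that are not monitored or not Normal on either unit. The sample output is constructed, its layout is an assumption modelled on ASA output, and the function names and the `required` interface list are hypothetical.

```python
import re

# Constructed sample; the layout is an assumption modelled on ASA `show failover` output.
SAMPLE = """\
Failover On
Failover unit Primary
Interface Policy 1
Monitored Interfaces 1 of 160 maximum
        This host: Primary - Active
                  Interface outside (192.0.2.1): Normal (Monitored)
                  Interface inside (10.0.0.1): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
                  Interface outside (192.0.2.2): Normal (Monitored)
                  Interface inside (10.0.0.2): Normal (Not-Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*\w+\s*-\s*(.+?)\s*$")
IF_RE = re.compile(r"^\s*Interface (\S+) \([^)]*\):\s*(.+?)\s*\(([^)]+)\)\s*$")


def parse_show_failover(text):
    """Return {host: {"state": str, "interfaces": {name: (status, monitoring)}}}."""
    units, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = units.setdefault(m.group(1), {"state": m.group(2), "interfaces": {}})
        elif (m := IF_RE.match(line)) and current is not None:
            current["interfaces"][m.group(1)] = (m.group(2), m.group(3))
    return units


def failover_findings(text, required=("outside", "inside")):
    """List findings that could keep failover from triggering on `required` interfaces."""
    problems = []
    if not re.search(r"^Failover On\s*$", text, re.M):
        problems.append("failover is not enabled")
    units = parse_show_failover(text)
    if sorted(u["state"] for u in units.values()) != ["Active", "Standby Ready"]:
        problems.append("units are not an Active / Standby Ready pair")
    for host, unit in units.items():
        for name in required:
            status, monitoring = unit["interfaces"].get(name, ("absent", "absent"))
            if monitoring != "Monitored":
                problems.append(f"{host} host: {name} is {monitoring}")
            elif status != "Normal":
                problems.append(f"{host} host: {name} is {status}")
    return problems


if __name__ == "__main__":
    for problem in failover_findings(SAMPLE) or ["no findings"]:
        print(problem)
```

An empty result only confirms the monitoring configuration; as the thread notes, a virtual interface that always reports up/up will still never trip it.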