
Testing failover?

All,

I've configured failover in GNS between two ASAs. I'm doing this for real this weekend, but I've run into a snag. If I shut the outside interface on the primary, traffic stops and the standby doesn't take over. The standby works though because I can manually fail it over and it passes traffic just fine. Is shutting the interface not a good way to test this?

Thanks,

John

HTH, John *** Please rate all useful posts ***
6 REPLIES

Re: Testing failover?

John,

If failover does not occur when the interface is closed/shut, you have a config issue. You need to make sure the "outside" or any of the interfaces are monitored; you also should define, either by the number of interfaces or the % of failures, when the failover will kick in, including the polling times, hold times etc. You should apply this in your lab and real environment.

HTH>

Re: Testing failover?

And just to be clear and clarify "the interface is closed/shut": this cannot be an interface on the PIX/ASA, it has to be the device directly connected to it, i.e. a switch/router interface.

If you admin close the "outside" or "inside" or any interface used for monitoring, this is a config change and will be "replicated" to the failover mate; this will not initiate a failover situation.

HTH>
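
The two replies above name what the failover pair needs (monitored interfaces, a failure policy, poll/hold timers, and failover enabled last) and how to test it (shut the neighbouring switch port, not the ASA's own interface, because an admin shutdown is a config change that replicates to the mate). The following is an added example of an Active/Standby configuration and is not a config posted in this thread; interface numbers, the link name "folink", the addresses (RFC 5737/private documentation ranges) and the timer values are assumptions chosen for illustration.

```cisco
! Added example, not from the thread: ASA Active/Standby failover pair.
! Names, addresses and timer values below are assumptions for illustration.

! --- Primary unit ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! The standby address is what the mate polls to judge this interface's health;
 ! a data interface without a standby address cannot be properly monitored.
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface GigabitEthernet0/2
 description failover + state link (no nameif; dedicated to failover)
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Interface health: poll every 3 s, declare the interface failed after 15 s
! without a reply (assumed values; lower them in a lab to see failover sooner).
failover polltime interface 3 holdtime 15
! Unit health over the failover link: hello every 1 s, peer dead after 3 s.
failover polltime unit 1 holdtime 3
!
! Fail over as soon as ONE monitored interface fails.
! The percentage form, e.g. "failover interface-policy 50%", is also valid.
failover interface-policy 1
!
! Be explicit about which interfaces count towards that policy.
monitor-interface outside
monitor-interface inside
!
! Enable failover last, after the link, addresses and policy are in place.
failover

! --- Secondary unit (everything else is replicated from the primary) ---
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover

! --- Verification (exec mode, either unit) ---
! show failover            -> unit roles, per-interface Normal/Failed state
! show monitor-interface   -> which interfaces are monitored and their status
! show failover history    -> timestamped reason for every state change
!
! --- Failure test, run on the upstream switch, NOT on the ASA ---
! interface GigabitEthernet1/0/1   (port facing the primary's "outside")
!  shutdown
! The primary's outside goes to Failed; with interface-policy 1 the
! secondary becomes active.  "no shutdown" on the switch port afterwards,
! then "failover active" on the primary if you want it back as active.
```

A manual check that bypasses interface monitoring altogether, which is what the original poster did in GNS3, is `no failover active` on the active unit (or `failover active` on the standby); that proves the standby can carry traffic but says nothing about whether interface monitoring would trigger on its own, which is exactly the gap the switch-port test closes. Keep `show failover history` in the runbook for the cutover: it records the stated reason for each transition (interface check failure, hello loss, manual switch), which is what you want when a production failover happens unexpectedly.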

Re: Testing failover?

Thanks Andrew. Shutting the interface on the opposite side makes sense. All of the interfaces are monitored by default. I'm pretty confident that in a real environment, the ASA will fail over when I pull the link from the outside interface. I'm trying to reproduce the scenario if the interface itself went out.

I'm going to recreate my environment in GNS and try to shut the opposite end and see what happens.

Thanks!

John

HTH, John *** Please rate all useful posts ***

Re: Testing failover?

Ahhh John,

The GNS3 lab - failover will not work for you in a virtual LAB - it must be an actual physical test lab, sorry I missed the "GNS" reference in the original post. The issue is - the PIX/ASA are virtual machines - and as such "auto" provide ethernet keepalives and assume a good interface....so shutting the other device down will not bring down the PIX/ASA interface.

Just to double check - fire up a PIX/ASA with no network connections to it in GNS3 and config 1 interface, then open it.  I'm pretty sure it will say up/up all the time!

I also think your real life failover test will pass 100%.

HTH>

Re: Testing failover?

I think you're right. GNS is good for some things, but sometimes real world tests are the only way to prove something really works. I'm installing the standby this Sunday, so I think I'll be fine. In GNS I can manually fail over and it works fine....

Thanks Andrew!

John

HTH, John *** Please rate all useful posts ***

Re: Testing failover?

np - glad to help.
