New Member

ASA 5510 Failover

I've configured failover according to the Configuration Guide document and am scratching my head about a particular issue while testing failover. Failover seems fine when I disconnect the failover/state cable on the master or when I turn off/reboot the master, but I cannot get the standby to assume the master role if I shut down/unplug one of the regular interfaces (inside/outside) on the master unit. I do a 'show failover' on the master and it shows the link failure, but failover does not occur. I have verified that all of my monitor-interfaces are configured correctly and I have not changed the 'failover interface-policy' from its default value of 1 interface. Does a link loss not constitute a failure where failover is concerned on the ASA?

Thanks in advance for the feedback!

- MN

11 REPLIES
New Member

Re: ASA 5510 Failover

Are you able to post some of the config for this? It's hard to answer without seeing the config, as it may just be a config issue.

New Member

Re: ASA 5510 Failover

Sure... The ASA is running version 7.0.2. Here is the relevant part of the configuration related to failover...

failover
failover lan unit secondary
failover lan interface failover_plus_state Ethernet0/3
failover key *****
failover replication http
failover link failover_plus_state Ethernet0/3
failover interface ip failover_plus_state 10.5.0.1 255.255.255.252 standby 10.5.0.2
monitor-interface inside
monitor-interface outside

Again, thanks for any information you can provide!

- MN

New Member

Re: ASA 5510 Failover

Hi, when you do a sh fail, does the status all show as NORMAL?

New Member

Re: ASA 5510 Failover

Correct me if I am wrong, but the active/active and active/passive or redundancy in ASAs started only from 5520.

New Member

Re: ASA 5510 Failover

A Security Plus license is available for the 5510 that allows Active/Standby redundancy.

When I do a 'show failover' on the primary unit, both the local and remote devices/interfaces show up/normal. When I do a 'show failover' from the secondary unit, the local devices/interfaces show up/normal but the remote devices show up and the remote interfaces show unknown. I was kind of at a loss to explain this behavior, but it seemed consistent no matter which unit was primary.

I found a command called 'failover interface-policy' that seems to be used to determine the number of interfaces with a failure that caused failover to occur. The default is 1 so I didn't change it -- it just doesn't seem to be working.

I guess I could open a TAC case but I thought someone on this forum might have run into this before.

Anonymous
N/A

Re: ASA 5510 Failover

Hello. Were you able to solve this? I am currently running into the same problem with my ASA5520s. They will fail over when the primary is powered off, but will not when there is a link failure. Not sure if this is a bug or not.

Thanks,

Andrew

New Member

Re: ASA 5510 Failover

Hi all,

Was a solution for this problem found?

I have the same issue: the failover link is OK, synchronisation is OK, failover on power-down is OK, but link status is shown as unknown.

Any solutions?

regards Phil

New Member

Re: ASA 5510 Failover

I see similar behavior with two ASA5520, 7.0.4 configured in active/standby. Single/routed mode. Power off the active and the standby comes up fine. Unplug an interface on the active and nothing happens. monitor-interface is supposed to be on by default and interface policy is 1, so a single interface going down should trigger a failover. It's not happening.

New Member

Re: ASA 5510 Failover

I had the same problem and discovered that I misinterpreted part of the config instructions. The note to the step makes it seem that the step is not required. Basically, you need to assign the standby interfaces their own IP using this command on the active when you configure interfaces:

ip address active_addr netmask standby standby_addr

Once I had done that I can yank a cable and not miss a beat.

This is the snip from the config guide for active/standby:

Step 3 If you have not done so already, configure the active and standby IP addresses for each interface (routed mode) or for the management interface (transparent mode). The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address.

Note: Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated Stateful Failover interface. You use the failover interface ip command to configure a dedicated Stateful Failover interface in a later step.

hostname(config-if)# ip address active_addr netmask standby standby_addr
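
The check described in the post above can be automated against a saved running-config. The following is an added example, not part of the original thread or of Cisco's documentation: it flags named interfaces whose `ip address` line has no `standby` address, or whose standby address is not in the active address's subnet. The function name `audit_standby_addresses` and the sample configuration (including its addresses) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample running-config; interface names and addresses are made up.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.2.2
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
!
interface Ethernet0/3
!
monitor-interface inside
monitor-interface outside
"""

# Matches "ip address <active> <netmask> [standby <standby>]" inside an interface block.
IP_LINE = re.compile(r"^\s+ip address (\S+) (\S+)(?: standby (\S+))?\s*$")

def audit_standby_addresses(config):
    """Return {nameif: problem} for named interfaces with a missing or invalid standby IP."""
    findings, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None                      # start of a new interface block
        elif line.strip().startswith("nameif "):
            nameif = line.split()[1]
        elif nameif and (m := IP_LINE.match(line)):
            active, mask, standby = m.groups()
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if standby is None:
                findings[nameif] = "no standby address"
            elif ipaddress.ip_address(standby) not in net:
                findings[nameif] = f"standby {standby} outside {net}"
            elif standby == active:
                findings[nameif] = "standby equals active address"
    return findings

if __name__ == "__main__":
    for name, problem in audit_standby_addresses(SAMPLE_CONFIG).items():
        print(f"{name}: {problem}")
```

Interfaces without a `nameif`, such as the dedicated failover link configured with `failover interface ip`, are skipped.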

New Member

Re: ASA 5510 Failover

Discovered an interesting thing with failover on two ASA5520s. When I added the standby address to each interface config and reloaded, I could pull a cable and watch a continuous ping I had running through the ASA from outside to an inside host. The ping never skipped a beat, not one dropped. In the interest of experience I did a configure factory-default and reconfigured the device from scratch, including the standby addresses and failover MAC addresses for each interface.

Now when I pull a cable pings are dropped for the interface polltime interval and then the secondary becomes active. Normal behavior it would seem since the unit polls interfaces a minimum of every 3 seconds. So in theory an interface could be down for 3 seconds before the unit notices it.

Doesn't explain why the first go round failed over with no drops.
