I've configured failover according to the Configuration Guide document and am scratching my head about a particular issue while testing failover. Failover seems fine when I disconnect the failover/state cable on the master or when I turn off/reboot the master, but I cannot get the standby to assume the master role if I shut down/unplug one of the regular interfaces (inside/outside) on the master unit. I do a 'show failover' on the master and it shows the link failure, but failover does not occur. I have verified that all of my monitor-interfaces are configured correctly and I have not changed the 'failover interface-policy' from its default value of 1 interface. Does a link loss not constitute a failure where failover is concerned on the ASA?
Thanks in advance for the feedback!
Sure... The ASA is running version 7.0.2. Here is the relevant part of the configuration related to failover...
failover lan unit secondary
failover lan interface failover_plus_state Ethernet0/3
failover key *****
failover replication http
failover link failover_plus_state Ethernet0/3
failover interface ip failover_plus_state 10.5.0.1 255.255.255.252 standby 10.5.0.2
Again, thanks for any information you can provide!
A Security Plus license is available for the 5510 that allows Active/Standby redundancy.
When I do a 'show failover' on the primary unit both the local and remote devices/interfaces show up/normal. When I do a 'show failover' from the secondary unit the local devices/interfaces show up/normal but the remote devices show up and the remote interfaces show unknown. I was kind of at a loss to explain this behavior but it seemed consistent no matter which unit as primary.
I found a command called 'failover interface-policy' that seems to be used to determine the number of interfaces with a failure that caused failover to occur. The default is 1 so I didn't change it -- it just doesn't seem to be working.
I guess I could open a TAC case but I thought someone on this forum might have run into this before.
Hello. Were you able to solve this? I am currently running into the same problem with my ASA5520s. They will fail over when the primary is powered off, but will not when there is a link failure. Not sure if this is a bug or not.
Was there a solution for this Problem found?
I have the same issue: failover link is OK, synchronisation is OK, failover on power-down is OK, but link status is shown as unknown.
I see similar behavior with two ASA5520s running 7.0.4, configured in active/standby. Single/routed mode. Power off the active and the standby comes up fine. Unplug an interface on the active and nothing happens. monitor-interface is supposed to be on by default and interface-policy is 1, so a single interface going down should trigger a failover. It's not happening.
I had the same problem and discovered that I misinterpreted part of the config instructions. The note to the step makes it seem that the step is not required. Basically you need to assign the standby interfaces their own IP using this command on the active when you config interfaces:
ip address active_addr netmask standby standby_addr
Once I had done that I can yank a cable and not miss a beat.
This is the snip from the config guide for active/standby:
Step 3 If you have not done so already, configure the active and standby IP addresses for each interface (routed mode) or for the management interface (transparent mode). The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP
Note: Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated Stateful Failover interface. You use the failover interface ip command to configure a dedicated Stateful Failover interface in a later step.
hostname(config-if)# ip address active_addr netmask standby standby_addr
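To make the fix above checkable before pulling a cable, here is an added example (not part of this thread and not Cisco's code): a small offline script that parses the failover-relevant lines of an ASA running-config and reports monitored data interfaces that have no standby address, then evaluates whether a given set of link failures meets the 'failover interface-policy' threshold. The two sample configs are constructed to mirror the shape of the configs in this thread, not captured from a device; the rule that a monitored interface needs a standby address for the peer to take over follows the finding in the post above, and the "physical interfaces monitored by default, sub-interfaces not" rule for 7.x is an assumption marked in the code.

```python
"""Added example: offline checker for ASA active/standby interface monitoring.
Not from the thread or from Cisco; sample configs are constructed."""
import math
import re

# Constructed sample: data interfaces WITHOUT standby addresses (the situation
# the thread diagnoses). Not a real device's configuration.
CONFIG_MISSING_STANDBY = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface failover_plus_state Ethernet0/3
failover link failover_plus_state Ethernet0/3
failover interface ip failover_plus_state 10.5.0.1 255.255.255.252 standby 10.5.0.2
"""

# Same config after applying the config guide step:
# "ip address active_addr netmask standby standby_addr" on each data interface.
CONFIG_FIXED = CONFIG_MISSING_STANDBY.replace(
    "ip address 192.0.2.1 255.255.255.0",
    "ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2").replace(
    "ip address 10.1.1.1 255.255.255.0",
    "ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2")

IFACE_RE = re.compile(r"^interface (\S+)$")
IP_RE = re.compile(r"^ ip address (\S+) (\S+)(?: standby (\S+))?$")


def parse_failover(config):
    """Return (data_interfaces, policy): nameif -> {'physical', 'standby', 'monitored'}
    plus the raw 'failover interface-policy' value (default "1")."""
    interfaces, current, failover_link, policy = {}, None, None, "1"
    no_monitor, monitor = set(), set()
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"physical": m.group(1), "standby": None}
            continue
        if current is not None and line.startswith(" "):
            if line.startswith(" nameif "):
                interfaces[line.split()[1]] = current
            m = IP_RE.match(line)
            if m:
                current["standby"] = m.group(3)   # None when no standby address
            continue
        current = None                            # '!' or a global command ends the block
        if line.startswith("failover lan interface "):
            failover_link = line.split()[4]       # physical port carrying the failover link
        elif line.startswith("failover interface-policy "):
            policy = line.split()[2]
        elif line.startswith("no monitor-interface "):
            no_monitor.add(line.split()[2])
        elif line.startswith("monitor-interface "):
            monitor.add(line.split()[1])
    # The failover/state link is not a data interface and is never "monitored".
    data = {n: i for n, i in interfaces.items() if i["physical"] != failover_link}
    # Assumption: named physical interfaces are monitored by default on 7.x unless
    # disabled with 'no monitor-interface'; sub-interfaces (x/y.z) are off unless enabled.
    for name, i in data.items():
        default_on = "." not in i["physical"]
        i["monitored"] = (default_on and name not in no_monitor) or name in monitor
    return data, policy


def interfaces_missing_standby(config):
    """Monitored data interfaces with no standby address: 'show failover' will
    report a link failure on them, but the peer has no address to assume."""
    data, _ = parse_failover(config)
    return sorted(n for n, i in data.items() if i["monitored"] and i["standby"] is None)


def failure_threshold(config):
    """Failed monitored interfaces needed to trigger failover, from
    'failover interface-policy' (default 1; the percentage form is rounded up)."""
    data, policy = parse_failover(config)
    monitored = sum(1 for i in data.values() if i["monitored"])
    if policy.endswith("%"):
        return max(1, math.ceil(monitored * int(policy[:-1]) / 100))
    return int(policy)


def would_failover(config, failed):
    """True if losing the links named in `failed` meets the interface policy and
    each failed monitored interface has a standby address (per the thread's finding)."""
    data, _ = parse_failover(config)
    failed_monitored = [n for n in failed if n in data and data[n]["monitored"]]
    missing = set(interfaces_missing_standby(config))
    return (len(failed_monitored) >= failure_threshold(config)
            and not any(n in missing for n in failed_monitored))


if __name__ == "__main__":
    print("missing standby:", interfaces_missing_standby(CONFIG_MISSING_STANDBY))
    print("outside down, before fix:", would_failover(CONFIG_MISSING_STANDBY, ["outside"]))
    print("outside down, after fix:", would_failover(CONFIG_FIXED, ["outside"]))
```

Run it against a `show running-config` saved to a file to get the list of interfaces that still need a standby address; anything reported by `interfaces_missing_standby` is an interface whose link loss will show up in 'show failover' without the peer being able to take over.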
Discovered an interesting thing with failover on two ASA5520s. When I added the standby address to each interface config and reloaded, I could pull a cable and watch a continuous ping I had running through the ASA from outside to an inside host. The ping never skipped a beat, not one dropped. In the interest of experience I did a configure factory-default and reconfigured the device from scratch, including the standby addresses and failover MAC addresses for each interface.
Now when I pull a cable, pings are dropped for the interface polltime interval and then the secondary becomes active. Normal behavior, it would seem, since the unit polls interfaces a minimum of every 3 seconds. So in theory an interface could be down for 3 seconds before the unit notices it.
Doesn't explain why the first go round failed over with no drops.