Failover Config on ASA 5520s

mx
Level 1

Hi. I am replacing a PIX with a pair of ASA 5520s. I have the new config in one of the 5520s and it seems to be working just fine.

Now I need to put the second one into the mess by having it in Active/Active failover. Does anyone have a sample config on how to do this?

I understand the theory of how it works, with the standby address etc., but the exact config for basic FO would be insanely helpful.

Thanks in advance.

Bob

6 Replies

cpembleton
Level 4

The link below should help. Remember you must be in multiple-context mode for A/A FO.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a008045247e.html#wp1096075

Thanks,

Chad

Thanks Chad. I downloaded it and printed it out. It seems like I went through everything required, but failover still isn't quite getting there. I think I'm really close though. On the primary unit, I get:

VSASA# sho fail state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
====Communication State===
=========Failed Reason==============
My Fail Reason:
Other Fail Reason: Comm Failure

ciscoasa# sho fail
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
failover replication http
Version: Ours 7.0(5), Mate Unknown
Last Failover at: 10:51:43 UTC Jul 6 2006
        This host: Secondary - Active
                Active time: 74713 (sec)
                slot 0: ASA5520 hw/sw rev (1.1/7.0(5)) status (Up Sys)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up)
                  Interface management (192.168.1.80): Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: empty
                slot 1: empty
                  Interface management (0.0.0.0): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
ciscoasa#

It appears that the failover isn't quite working; no traffic is being passed over the Ethernet cable. Right now I just have a cable, not a switch or hub. I tried crossover and straight-through to no avail. I am getting link status, however, but the orange light is on as well, and I'm not sure that's correct.

Bob

The cable doesn't matter. The interfaces on the ASA are MDI/MDI-X, so they can auto-crossover.

If the show failover output is supposed to be from the primary, then it is not configured correctly.

'Failover unit Secondary' indicates that it is not the primary.

This host: Secondary - Active = It is the secondary firewall and is currently active.

Thanks,

Chad

OK, yup, got it. I had the primary/failover addresses backward on the failover interfaces. They need to be the same, not flipped. As soon as I did that, all was well. Thanks for narrowing it down for me.

The other 'mystery' to me is that now that it fails over correctly, I notice that all the interfaces (inside/outside) have the same IP address. This makes sense of course, but then how does Active/Active work? I'm pretty sure I have it set up for Active/Active, but how can there be two interfaces on the network with the same IP address?

Active/Active only works if you are running multiple context mode. Based on the output of show failover, you are not running multiple context mode.

You are set up in Active/Passive failover.

Link for multiple context mode:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f9b.html

Please rate posts if they helped!

Thanks,

Chad
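The sample config Bob asked for, as an added example that is not from any post in this thread or from the Cisco guide linked above. It shows the point Bob tripped over (the `failover interface ip` line is identical on both units; only `failover lan unit` differs) and Chad's point that without `mode multiple` the result is Active/Standby. The hostname, failover interface name and GigabitEthernet0/3 match the show failover output; the IP addresses, context names and the failover key are assumed placeholders.

```cisco
! ---- Primary unit: the full configuration lives here and is replicated to the mate ----
hostname VSASA
! Data interfaces: the active unit answers on the main address, the standby unit
! on the standby address, so both units carry this same line (addresses assumed).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
! Dedicated failover link (a direct cable, as in the thread, or an isolated VLAN).
! It carries config replication and connection state, so keep it off the user LAN.
interface GigabitEthernet0/3
 description LAN/STATE failover link
 no shutdown
!
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
! Identical on BOTH units: first address = primary, standby = secondary.
failover interface ip failover 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret (assumed value). Without it, failover messages and the replicated
! configuration cross the link in clear text.
failover key REPLACE-WITH-SHARED-SECRET
failover replication http
failover polltime unit 1 holdtime 15
failover

! ---- Secondary unit: only the failover bootstrap; everything else arrives by replication ----
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key REPLACE-WITH-SHARED-SECRET
failover

! ---- Active/Active instead: system execution space, after "mode multiple" (reload) ----
! Each context joins a failover group; group 1 is active on the primary unit and
! group 2 on the secondary, so each unit is active for some contexts and standby
! for the others. The data-interface ip/standby lines move into each context's
! own configuration; the system space only allocates interfaces.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1.20
 vlan 20
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
admin-context admin
context ctxA
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/ctxB.cfg
 join-failover-group 2
```

After bringing the secondary up, `show failover` on the primary should read "Failover unit Primary" and "This host: Primary - Active", and the Version line should show the mate's software instead of "Unknown"; the secondary's reported state flips to "Standby Ready" once replication completes.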

Hi buddy, please take care before going for an Active/Active setup with multiple contexts, because you cannot terminate VPNs or run dynamic routing protocols on the ASA once you enter multiple context mode. It sounds sad, but yes, it is. See ya.

regards

sebastan
