The purpose of this article is to explain the impact of interface monitoring on an ASA failover pair.
Here is the documentation that is already available on Cisco.com:
The unit can fail if one of the following events occurs:
• The unit has a hardware failure or a power failure.
• The unit has a software failure.
• Too many monitored interfaces fail.
• The no failover active command is entered on the active unit, or the failover active command is entered on the standby unit.
Failover events, with the action taken and the notes given in the documentation:
• Active unit failed (power or hardware): mark active as failed. No hello messages are received on any monitored interface or the failover link.
• Formerly active unit recovers.
• Standby unit failed (power or hardware): mark standby as failed. When the standby unit is marked as failed, the active unit does not attempt to fail over, even if the interface failure threshold is surpassed.
• Failover link failed during operation: mark failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
• Failover link failed at startup: if the failover link is down at startup, both units become active.
• Stateful Failover link failed: state information becomes out of date, and sessions are terminated if a failover occurs.
• Interface failure on active unit above threshold.
• Interface failure on standby unit above threshold: when the standby unit is marked as failed, the active unit does not attempt to fail over even if the interface failure threshold is surpassed.
The following explains the use of the 'monitor-interface' command and its impact on physical interfaces and sub-interfaces:
If the physical interface is not monitored (using no monitor-interface), the ASA won't fail over even if that interface goes down (configured with nameif/IP).
Here are the results of the recreate:
E0/2 of the ASA is named test, with IP 126.96.36.199/30.
E0/2.100 in VLAN 100 is named sub100, with IP 100.100.100.1/30.
E0/2.200 in VLAN 200 is named sub200, with IP 188.8.131.52/30.
E0/2 of the primary connects to f0/43 on the switch.
E0/2 of the secondary connects to f0/44 on the switch.
ASA(config)# sh run int
ip address 10.10.10.13 255.255.255.0 standby 10.10.10.15
ip address 184.108.40.206 255.255.255.0 standby 220.127.116.11
ip address 18.104.22.168 255.255.255.252 standby 22.214.171.124
ip address 100.100.100.1 255.255.255.252 standby 100.100.100.2
ip address 126.96.36.199 255.255.255.252 standby 188.8.131.52
description LAN/STATE Failover Interface
By default, the physical interface e0/2 (test) is monitored but sub100 and sub200 are not:
ASA(config)# sh run all monitor-interface
no monitor-interface sub100
no monitor-interface sub200
Failover is healthy:
ASA(config)# sh fail
Failover unit Primary
Failover LAN Interface: Failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 08:11:54 EDT Mar 29 2013
This host: Primary - Active
Active time: 3781 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
Interface outside (10.10.10.13): Normal (Monitored)
Interface inside (184.108.40.206): Normal (Monitored)
Interface test (220.127.116.11): Normal (Monitored)
Interface sub100 (100.100.100.1): Normal (Not-Monitored)
Interface sub200 (18.104.22.168): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(8)E4) status (Up/Up)
IPS, 7.0(8)E4, Up
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (10.10.10.15): Normal (Monitored)
Interface inside (22.214.171.124): Normal (Monitored)
Interface test (126.96.36.199): Normal (Monitored)
Interface sub100 (100.100.100.2): Normal (Not-Monitored)
Interface sub200 (188.8.131.52): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(6)E4) status (Up/Up)
IPS, 7.1(6)E4, Up
Stateful Failover Logical Update Statistics
Link : Failover Ethernet0/3 (up)
I shut down f0/43 on the switch:
My session was dropped as the ASA failed over: expected.
ASA(config)# login as: cisco
Type help or '?' for a list of available commands.
ASA# sh fail
Failover unit Secondary
Last Failover at: 22:56:29 EDT Mar 26 2013
This host: Secondary - Active
Active time: 37 (sec)
Interface test (184.108.40.206): Normal (Waiting)
Other host: Primary - Failed
Active time: 3807 (sec)
Interface outside (10.10.10.15): Normal (Waiting)
Interface inside (220.127.116.11): Normal (Waiting)
Interface test (18.104.22.168): No Link (Waiting)
Now I disable monitoring on the physical interface as follows:
ASA(config)# no monitor-interface test
no monitor-interface test
I bring f0/43 back up (no shutdown) and shut down f0/44 on the switch, to bring e0/2 on the secondary (now active) down:
The link goes down on the secondary (active) unit, but failover is *not* triggered: expected.
Monitored Interfaces 2 of 110 maximum
Active time: 115 (sec)
Interface test (22.214.171.124): No Link (Not-Monitored)
Interface sub100 (100.100.100.1): No Link (Not-Monitored)
Interface sub200 (126.96.36.199): No Link (Not-Monitored)
Other host: Primary - Standby Ready
Interface test (188.8.131.52): Normal (Not-Monitored)
I enable monitoring on sub100, keeping monitoring disabled on test (the physical interface):
ASA(config)# monitor-interface sub100
ASA# sh run all monitor-interface
Now I shut down f0/44 again to bring the e0/2 link of the secondary (active) unit down, and as expected failover is triggered:
Last Failover at: 09:17:38 EDT Mar 29 2013
Active time: 3857 (sec)
Interface sub100 (100.100.100.1): No Link (Waiting)
Active time: 137 (sec)
Interface sub100 (100.100.100.2): Unknown (Waiting)
Thus, if an interface is not monitored (using the 'no monitor-interface' command), the ASA won't fail over even if the physical interface goes down.
For failover to occur:
- The physical interface should be monitored.
- If it is not, at least one of the logical (sub-)interfaces configured on that physical interface should be monitored.
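To catch the situation described above before it bites (a link that is down on the active unit but not counted against the interface policy), the following added example, which is not part of the original article, parses 'show failover' text, applies the absolute-count form of "Interface Policy" to the local unit, and lists interfaces that are down but Not-Monitored. The sample output is constructed in the shape of the article's 'show failover' listings; the IPs and the helper names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the article's 'show failover' output (not a real capture):
# the unmonitored interface 'test' and its sub-interface are down on the active unit.
SAMPLE = """\
Interface Policy 1
This host: Primary - Active
        Interface outside (10.10.10.13): Normal (Monitored)
        Interface test (10.30.30.1): No Link (Not-Monitored)
        Interface sub100 (100.100.100.1): No Link (Not-Monitored)
Other host: Secondary - Standby Ready
        Interface outside (10.10.10.15): Normal (Monitored)
        Interface test (10.30.30.2): Normal (Not-Monitored)
        Interface sub100 (100.100.100.2): Normal (Not-Monitored)
"""

IFACE_RE = re.compile(r"^\s*Interface (\S+) \([^)]*\): (.+?) \((Monitored|Not-Monitored|Waiting)\)\s*$")
POLICY_RE = re.compile(r"^Interface Policy (\d+)$")  # absolute-count form only; the % form is not handled

@dataclass
class Iface:
    host: str        # "this" or "other"
    name: str
    status: str      # Normal, No Link, Unknown, ...
    monitored: bool  # Monitored/Waiting count as monitored; Not-Monitored does not

def parse_show_failover(text):
    """Return (interface-policy threshold, list of Iface) from 'show failover' text."""
    threshold, host, ifaces = None, None, []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            threshold = int(m.group(1))
        elif line.startswith("This host:"):
            host = "this"
        elif line.startswith("Other host:"):
            host = "other"
        elif host and (m := IFACE_RE.match(line)):
            ifaces.append(Iface(host, m.group(1), m.group(2), m.group(3) != "Not-Monitored"))
    return threshold, ifaces

def assess(text):
    """Apply the interface policy to this host and list down-but-unmonitored interfaces."""
    threshold, ifaces = parse_show_failover(text)
    mine = [i for i in ifaces if i.host == "this"]
    failed_monitored = [i.name for i in mine if i.monitored and i.status != "Normal"]
    silent = [i.name for i in mine if not i.monitored and i.status != "Normal"]
    return {"threshold": threshold, "failed_monitored": failed_monitored,
            "would_failover": threshold is not None and len(failed_monitored) >= threshold,
            "silent_failures": silent}
```

Any name in "silent_failures" is a link the unit has lost without the failover policy ever noticing it, which is exactly what 'no monitor-interface' on the only monitored interface of a physical port produces.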
Hey Guys, I have a query. Suppose the failover cable is broken and there is no communication between Active and Standby; in this case Active will remain Active and Standby will also become active (as no active unit is found in the failover group), so both units are now active. Do you have an idea how to resolve this situation? (Restoring the failover interface is one option; I am looking for any other option.) An early response is highly appreciated. Thanks