ASA failover link over the etherchannel connected switches
We have two ASA firewalls located in different locations.
Firewalls are in Active/Standby modes.
Failover links of firewalls are connected to two different switches.
These switches are connected to each other with two dark fibers aggregated into an EtherChannel (source-MAC address mode).
When one of the fiber links fails and is then immediately connected again, the secondary ASA goes to the Active state and then to the Standby state again.
Please see the output below.
The holddown timer is set to 15 seconds.
What could be the cause of this state change?
ciscoasa# sh failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
22:54:20 GET Apr 4 2014
Standby Ready              Just Active                HELLO not heard from mate
22:54:20 GET Apr 4 2014
Just Active                Active Drain               HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Drain               Active Applying Config     HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Applying Config     Active Config Applied      HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Config Applied      Active                     HELLO not heard from mate
22:54:42 GET Apr 4 2014
Active                     Cold Standby               Failover state check
22:54:43 GET Apr 4 2014
Cold Standby               Sync Config                Failover state check
22:55:36 GET Apr 4 2014
Sync Config                Sync File System           Failover state check
22:55:36 GET Apr 4 2014
Sync File System           Bulk Sync                  Failover state check
22:55:51 GET Apr 4 2014
Bulk Sync                  Standby Ready              Failover state check
Maybe spanning tree recalculation. I know you said there was an etherchannel but I would make sure it is built properly. Also run "Show spanning-tree detail" on the switches after you unplug/replug and check when the last topology change was.
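To line the failover flap up against the switch's last topology change, as the reply suggests, the history can be reduced to exact timestamps. The following is an added example, not part of the original thread: it assumes one transition per line as quoted in the question, ignores the time-zone label, and uses a sample constructed from that quoted output.

```python
import re
from datetime import datetime

# Constructed sample: the transitions quoted in the question, one per line.
HISTORY = """\
22:54:20 GET Apr 4 2014 Standby Ready Just Active HELLO not heard from mate
22:54:20 GET Apr 4 2014 Just Active Active Drain HELLO not heard from mate
22:54:20 GET Apr 4 2014 Active Drain Active Applying Config HELLO not heard from mate
22:54:20 GET Apr 4 2014 Active Applying Config Active Config Applied HELLO not heard from mate
22:54:20 GET Apr 4 2014 Active Config Applied Active HELLO not heard from mate
22:54:42 GET Apr 4 2014 Active Cold Standby Failover state check
22:54:43 GET Apr 4 2014 Cold Standby Sync Config Failover state check
22:55:36 GET Apr 4 2014 Sync Config Sync File System Failover state check
22:55:36 GET Apr 4 2014 Sync File System Bulk Sync Failover state check
22:55:51 GET Apr 4 2014 Bulk Sync Standby Ready Failover state check
"""
# State names seen in the quoted output; longest first so "Active Drain" wins over "Active".
STATES = sorted(["Standby Ready", "Just Active", "Active Drain", "Active Applying Config",
                 "Active Config Applied", "Active", "Cold Standby", "Sync Config",
                 "Sync File System", "Bulk Sync"], key=len, reverse=True)
ST = "|".join(map(re.escape, STATES))
ROW = re.compile(rf"(?P<time>\d\d:\d\d:\d\d)\s+\w+\s+(?P<mon>[A-Z][a-z]{{2}})\s+(?P<day>\d+)\s+"
                 rf"(?P<year>\d{{4}})\s+(?P<src>{ST})\s+(?P<dst>{ST})\s+(?P<reason>.+)")

def parse_history(text):
    """Return (timestamp, from_state, to_state, reason) for every transition line."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            stamp = "{mon} {day} {year} {time}".format(**m.groupdict())
            ts = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
            rows.append((ts, m["src"], m["dst"], m["reason"].strip()))
    return rows

def find_flaps(rows):
    """One dict per episode where the unit took Active and later fell back to Standby Ready."""
    flaps, cur = [], None
    for ts, src, dst, reason in rows:
        if dst == "Just Active":
            cur = {"went_active": ts, "reason": reason}
        elif cur and src == "Active" and dst == "Cold Standby":
            cur["left_active"] = ts
        elif cur and "left_active" in cur and dst == "Standby Ready":
            cur["standby_ready"] = ts
            cur["active_seconds"] = (cur["left_active"] - cur["went_active"]).total_seconds()
            flaps.append(cur)
            cur = None
    return flaps
```

Compare `went_active` from each episode with the time of the last topology change reported by the switches for the same unplug/replug test.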