https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180405#M1066457 <P>Hi Karsten,</P><P>&nbsp;</P><P>Thanks for your responce to my query.</P><P>&nbsp;</P><P>We observe Secondary ASA has taken the "Active" role as soon as the Primary unit has failed.</P><P>&nbsp;</P><P>We can able to reach the Firewall from LAN and able to ping the public Networks from Firewall.</P><P>&nbsp;</P><P>But, we could not able to reach Public Networks from LAN through Secondary ASA upto 10 mins.</P><P>&nbsp;</P><P>Do we need to change the global timeouts configured for connections and Xlate to process the timeout on liveconnections to reiniate the connections?</P> Wed, 06 Sep 2017 04:13:58 GMT Chaitanya Krishna Narra 2017-09-06T04:13:58Z https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3179948#M1066454 <P>Hi,&nbsp;</P><P>&nbsp;</P><P>We have configured failover (<SPAN>Active/Standby)&nbsp;</SPAN>between our 2 ASA firewalls using the configuration giving below.</P><P>&nbsp;</P><P>We have tested the failover by power down our Primary ASA (ASA-1) firewall and our Secondary ASA (ASA-2) is become Active. But, the secondary Firewall taking more time (up to 10 Mins) to forward the traffic on ISP's, after the Primary firewall is down.</P><P>&nbsp;</P><P>Could someone please help me to reduce the time, to start forwarding the traffic from Secondary ASA to reach internet on ISP's, after the Primary firewall is down.</P><P>&nbsp;</P><P><STRONG>Failover Configuration ASA - 1:</STRONG></P><P>&nbsp;</P><P># failover<BR /># failover lan unit primary<BR /># failover lan interface folink GigabitEthernet1/8<BR /># failover link statelink GigabitEthernet1/7<BR /># failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2<BR /># failover interface ip statelink 10.10.10.5 255.255.255.252 standby 10.10.10.6</P><P>&nbsp;</P><P><STRONG>Failover configuration ASA - 2:</STRONG></P><P>&nbsp;</P><P><SPAN># failover</SPAN><BR /><SPAN># failover lan unit secondary</SPAN><BR /><SPAN># failover lan interface folink GigabitEthernet1/8</SPAN><BR /><SPAN># failover link statelink GigabitEthernet1/7</SPAN><BR /><SPAN># failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2</SPAN><BR /><SPAN># failover interface ip statelink 10.10.10.5 255.255.255.252 standby 10.10.10.6</SPAN></P> Fri, 21 Feb 2020 14:16:10 GMT https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3179948#M1066454 Chaitanya Krishna Narra 2020-02-21T14:16:10Z https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3179962#M1066455 <P>This is not normal behavior. The secondary unit should take over the active role within 15 seconds and start forwarding traffic. What did you see on the logs in that timespan? Did your traffic reach the ASA, was the ASA reachable from the internet?</P> Tue, 05 Sep 2017 07:49:51 GMT https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3179962#M1066455 Karsten Iwen 2017-09-05T07:49:51Z https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180405#M1066457 <P>Hi Karsten,</P><P>&nbsp;</P><P>Thanks for your responce to my query.</P><P>&nbsp;</P><P>We observe Secondary ASA has taken the "Active" role as soon as the Primary unit has failed.</P><P>&nbsp;</P><P>We can able to reach the Firewall from LAN and able to ping the public Networks from Firewall.</P><P>&nbsp;</P><P>But, we could not able to reach Public Networks from LAN through Secondary ASA upto 10 mins.</P><P>&nbsp;</P><P>Do we need to change the global timeouts configured for connections and Xlate to process the timeout on liveconnections to reiniate the connections?</P> Wed, 06 Sep 2017 04:13:58 GMT https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180405#M1066457 Chaitanya Krishna Narra 2017-09-06T04:13:58Z https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180432#M1066459 <P>What protocol do use to to reach ISP from firewall. I am more interested in the topology</P> Wed, 06 Sep 2017 05:30:30 GMT https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180432#M1066459 Pawan Raut 2017-09-06T05:30:30Z https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180455#M1066460 <P><SPAN>S</SPAN><SPAN>tatefull failover should&nbsp;</SPAN><SPAN>synchronize the connections to the standby unit so that this device can directly take over the forwarding. Does "show failover" show any signs&nbsp;</SPAN><SPAN>of malfunction?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Do you have a maintenace window? Then do a "no failover active" on the active unit&nbsp;to test if failover works when initiated gracefully.</SPAN></P> Wed, 06 Sep 2017 07:05:52 GMT https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180455#M1066460 Karsten Iwen 2017-09-06T07:05:52Z https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180465#M1066463 <P>Hi Karsten,</P><P>&nbsp;</P><P>When we do "no failover active" on Primary Firewall, the Secondary Firewall is able to start forwarding the traffic within sec's.</P><P>But, if we powerdown the Primary Firewall (Active) without "no failover active" command, Secondary Firewall changing the role to "Active" and taking time to forward the traffic (upto 10 mins).</P><P>&nbsp;</P><P>On status of "Show failover", we can see interface status of both Firewalls is on "Normal" and can able to see Active/Standby status on Primary/Secondary firewalls.</P><P>&nbsp;</P><P>We are routing the traffic on Firewall using "Static and Default" routes and please find the attached for network topology.</P> Wed, 06 Sep 2017 07:32:57 GMT https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180465#M1066463 Chaitanya Krishna Narra 2017-09-06T07:32:57Z https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180473#M1066465 <P>Your topology is quite common and normaly works as expected. Can you post the output of "show failover"?</P> Wed, 06 Sep 2017 07:52:16 GMT https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180473#M1066465 Karsten Iwen 2017-09-06T07:52:16Z https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180539#M1066467 <P>Hi Karsten,</P><P>&nbsp;</P><P>Please find the attached, for output of "show failover" from Primary and Secondary Firewalls.</P> Wed, 06 Sep 2017 11:07:20 GMT https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180539#M1066467 Chaitanya Krishna Narra 2017-09-06T11:07:20Z https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180552#M1066469 <P>Please don't use word-documents to post text, just use text-documents ...&nbsp;</P> <P>In the output I don't see anything that should cause these problems. I would upgrade the ASAs to lhe latest&nbsp;interims-release and test again.&nbsp;The release-notes don't mention this problem, but there are other failover related bugs fixed.</P> <P>If that all doesn't help&nbsp;(and no other one has an idea) you should open a TAC-case.</P> Wed, 06 Sep 2017 11:26:54 GMT https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180552#M1066469 Karsten Iwen 2017-09-06T11:26:54Z https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180914#M1066472 <P>Hi Karsten,</P><P>&nbsp;</P><P>Thanks for your observations and suggestions on this issue.</P> Thu, 07 Sep 2017 05:53:54 GMT https://community.cisco.com/t5/network-security/asa-failover-active-standby/m-p/3180914#M1066472 Chaitanya Krishna Narra 2017-09-07T05:53:54Z