topic ASA multi context failover link down issue in Network Security

ASA multi context failover link down issue

pro6151945 — Sun, 28 Jun 2020 17:48:00 GMT

Dear experts,

We are having 2 physical cisco ASA firewalls and both are in multi context mode.

The problem i am facing is, Fail over is fail. I found out that on standby ASA, the link is showing down. I changed the cable but still the issue is there. Please find the show commands below:-

ASA01/act(config)# show fail
Failover On
Last Failover at: 17:09:43 GMT Jun 15 2020
This context: Active
Active time: 1139504 (sec)
Interface internet (192.168.88.4): Normal (Waiting)
Interface outside (192.168.89.4): Normal (Waiting)
Interface DMZ (192.168.110.1): Normal (Not-Monitored)
Interface test (192.168.211.1): Normal (Waiting)
Interface DMZ-Citrix-GW (192.168.250.1): Normal (Not-Monitored)
Interface old-network (192.168.253.1): Normal (Waiting)
Interface inside (192.168.87.4): Normal (Monitored)
Peer context: Failed
Active time: 64 (sec)
Interface internet (192.168.88.5): No Link (Waiting)
Interface outside (192.168.89.5): No Link (Waiting)
Interface DMZ (192.168.110.2): Normal (Not-Monitored)
Interface test (192.168.211.2): No Link (Waiting)
Interface DMZ-Citrix-GW (192.168.250.2): Normal (Not-Monitored)
Interface old-network (192.168.253.2): No Link (Waiting)
Interface inside (192.168.87.5): Normal (Monitored)

-ASA01/stby# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/4 unassigned YES unset down down
GigabitEthernet0/4.88 192.168.88.5 YES CONFIG down down
GigabitEthernet0/4.89 192.168.89.5 YES CONFIG down down
GigabitEthernet0/4.110 192.168.110.2 YES CONFIG down down
GigabitEthernet0/4.211 192.168.211.2 YES CONFIG down down
GigabitEthernet0/4.250 192.168.250.2 YES CONFIG down down
GigabitEthernet0/4.253 192.168.253.2 YES CONFIG down down
GigabitEthernet0/5 192.168.87.5 YES CONFIG up up

The switch is learning is MAC address of this ASA but still i cannot make it up.

Re: ASA multi context failover link down issue

balaji.bandi — Sun, 28 Jun 2020 18:25:34 GMT

How are they connected in the network, do you have any topology.

as per the log port, 4 looks down, investigate physically and also check switch side any logs?

Re: ASA multi context failover link down issue

pro6151945 — Mon, 29 Jun 2020 08:13:22 GMT

Hi,

They are connected to WSW01 Switch. Please see below:-

WSW01#sh int status | i ASA
Gi1/0/2 To--SH-ASA01- connected trunk a-full a-1000 10/100/1000BaseTX
Gi1/0/3 To--SH-ASA01- connected trunk a-full a-1000 10/100/1000BaseTX
Gi1/0/4 To--SH-ASA01- connected trunk a-full a-1000 10/100/1000BaseTX
Gi2/0/2 To--SH-ASA02- connected trunk a-full a-1000 10/100/1000BaseTX
Gi2/0/3 To--SH-ASA02- connected trunk a-full a-1000 10/100/1000BaseTX
Gi2/0/4 To--SH-ASA02- connected trunk a-full a-1000 10/100/1000BaseTX

WSW01#sh mac address-table interface Gi2/0/4 (this port on ASA side is showing down)
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
88 0062.ecd1.88f3 DYNAMIC Gi2/0/4
253 0062.ecd1.88f3 DYNAMIC Gi2/0/4
211 0062.ecd1.88f3 DYNAMIC Gi2/0/4
89 0062.ecd1.88f3 DYNAMIC Gi2/0/4
110 0062.ecd1.88f3 DYNAMIC Gi2/0/4
250 0062.ecd1.88f3 DYNAMIC Gi2/0/4
Total Mac Addresses for this criterion: 6

on ASA-01

-ASA01/act(config)# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/4 unassigned YES unset up up
GigabitEthernet0/4.88 192.168.88.4 YES CONFIG up up
GigabitEthernet0/4.89 192.168.89.4 YES CONFIG up up
GigabitEthernet0/4.110 192.168.110.1 YES CONFIG up up
GigabitEthernet0/4.211 192.168.211.1 YES CONFIG up up
GigabitEthernet0/4.250 192.168.250.1 YES CONFIG up up
GigabitEthernet0/4.253 192.168.253.1 YES CONFIG up up
GigabitEthernet0/5 192.168.87.4 YES CONFIG up up

on ASA-2 (which is standby)

ASA01/stby(config)# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/4 unassigned YES unset down down
GigabitEthernet0/4.88 192.168.88.5 YES CONFIG down down
GigabitEthernet0/4.89 192.168.89.5 YES CONFIG down down
GigabitEthernet0/4.110 192.168.110.2 YES CONFIG down down
GigabitEthernet0/4.211 192.168.211.2 YES CONFIG down down
GigabitEthernet0/4.250 192.168.250.2 YES CONFIG down down
GigabitEthernet0/4.253 192.168.253.2 YES CONFIG down down
GigabitEthernet0/5 192.168.87.5 YES CONFIG up up

I have checked the cable and it looks fine and switch is learning the MAC address as well.

Re: ASA multi context failover link down issue

balaji.bandi — Mon, 29 Jun 2020 17:53:36 GMT

There may be small information we missing here. Can you post ASA side config(striping all security info) - also Switch side config, please.

Re: ASA multi context failover link down issue

pro6151945 — Mon, 29 Jun 2020 18:47:25 GMT

Hi,

can you please define exactly which section you want me to share because the config is huge.

Thanks

Re: ASA multi context failover link down issue

balaji.bandi — Mon, 29 Jun 2020 18:57:37 GMT

I am more looking at interface config both the side. if possible show cdp neigh.

Re: ASA multi context failover link down issue

pro6151945 — Wed, 01 Jul 2020 06:36:19 GMT

Switch connected to ASA

WSW01#sh ip int br | i 2/0/4
GigabitEthernet2/0/4 unassigned YES unset up up

interface GigabitEthernet2/0/4
description To-ASA02-G0/4
switchport mode trunk
end

WSW01#sh cdp nei int
WSW01#sh cdp nei internalInterface gi
WSW01#sh cdp nei internalInterface ?
<0-9> InternalInterface interface number

WSW01#sh mac add

WSW01#sh mac address-table interface gigabitEthernet 2/0/4
Mac Address Table
-------------------------------------------

ASA01/stby(config)# sh int GigabitEthernet0/4
Interface GigabitEthernet0/4 "", is down, line protocol is down
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
Available for allocation to a context
MAC address 0062.ecd1.88f3, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (511/511)
output queue (blocks free curr/low): hardware (511/511)

-ASA01/stby(config)# sh int ip br | i GigabitEthernet0/4
GigabitEthernet0/4 unassigned YES unset down down
GigabitEthernet0/4.88 unassigned YES unset down down
GigabitEthernet0/4.89 unassigned YES unset down down
GigabitEthernet0/4.110 unassigned YES unset down down
GigabitEthernet0/4.211 unassigned YES unset down down
GigabitEthernet0/4.250 unassigned YES unset down down
GigabitEthernet0/4.253 unassigned YES unset down down

interface GigabitEthernet0/4
interface GigabitEthernet0/4.88
vlan 88
interface GigabitEthernet0/4.89
vlan 89
interface GigabitEthernet0/4.110
description *** DMZ FE ***
vlan 110
interface GigabitEthernet0/4.211
vlan 211
interface GigabitEthernet0/4.250
vlan 250
interface GigabitEthernet0/4.253
vlan 253

Above are config between the switch and the ASA, you can see that switch is learning the mac for the ASA and status is up on switch side. CDP it is not learning because other side is ASA and due to policies its not showing.

Please assist.