topic Re: ASA failover in Network Security

ASA failover

alex210 — Thu, 15 Apr 2021 10:37:39 GMT

Hi folks ,

I had an issue when failover the ASA from the primary to secondary node. only one group fails to the secondary node.

below some outputs.

ASA# show failover state

State Last Failure Reason Date/Time

This host - Secondary
Group 1 Failed Ifc Failure 12:52:56 Apr 10 2021
admin temp: No Link
Group 2 Active None

Other host - Primary
Group 1 Active None

Group 2 Standby Ready None

====Configuration State===
Sync Done - STANDBY
====Communication State===

Re: ASA failover

balaji.bandi — Thu, 15 Apr 2021 10:44:59 GMT

If this Active / Active Multi context

you getting error : Group 1 Failed Ifc Failure 12:52:56 Apr 10 2021

below thread may help you.

https://community.cisco.com/t5/network-security/asa-context-failover-ifc-failure/m-p/4313898

Still have issue you need to post more information

Version

config

fail over config

Re: ASA failover

alex210 — Thu, 15 Apr 2021 12:44:37 GMT

which kind of info.

Re: ASA failover

balaji.bandi — Thu, 15 Apr 2021 13:21:03 GMT

Version

config

fail over config

Re: ASA failover

alex210 — Sat, 17 Apr 2021 12:53:04 GMT

ASA# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FL-interface Port-channel2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 35 of 1043 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.12(2), Mate 9.12(2)

This host: Primary
Group 1 State: Active
Active time: 69343 (sec)
Group 2 State: Active
Active time: 69238 (sec)

slot 0: FPR-2130 hw/sw rev (49.46/9.12(2)) status (Up Sys)
admin Interface out (20.40.20.161): Normal (Waiting)
admin Interface notused (0.0.0.0): Normal (Waiting)
admin Interface test_mgmt (192.168.1.1): Normal (Monitored)

Other host: Secondary
Group 1 State: Failed
Active time: 3 (sec)
Group 2 State: Standby Ready
Active time: 147 (sec)

slot 0: FPR-2130 hw/sw rev (49.46/9.12(2)) status (Up Sys)
admin Interface out (0.0.0.0): No Link (Waiting)
admin Interface no (0.0.0.0): Normal (Waiting)
admin Interface test_mgmt (192.168.1.2): Normal (Monitored)

Stateful Failover Logical Update Statistics
Link : state-interface Port-channel2.1 (up)
Stateful Obj xmit xerr rcv rerr
General 7655259088 0 9697939 65
sys cmd 7689514 0 7689511 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 7425396031 0 1768835 10
UDP conn 183195261 0 128711 0
ARP tbl 38950028 0 110605 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 14728 0 139 0
VPN IKEv1 P2 11476 0 135 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 434 0 0 0
SIP Tx 310 0 0 0
SIP Pinhole 0 0 0 0
Route Session 782 0 0 55
Router ID 0 0 0 0
User-Identity 524 0 3 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 33 67722857
Xmit Q: 0 174 7801599118

Re: ASA failover

balaji.bandi — Sun, 18 Apr 2021 08:22:25 GMT

Still config is missing in this post as we requested, based on show failover here is my observation to check and fix :

his host: Primary
Group 1 State: Active
Active time: 69343 (sec)
Group 2 State: Active
Active time: 69238 (sec)

slot 0: FPR-2130 hw/sw rev (49.46/9.12(2)) status (Up Sys)
admin Interface out (20.40.20.161): Normal (Waiting)
admin Interface notused (0.0.0.0): Normal (Waiting)
admin Interface test_mgmt (192.168.1.1): Normal (Monitored)

Other host: Secondary
Group 1 State: Failed
Active time: 3 (sec)
Group 2 State: Standby Ready
Active time: 147 (sec)

slot 0: FPR-2130 hw/sw rev (49.46/9.12(2)) status (Up Sys)
admin Interface out (0.0.0.0): No Link (Waiting)
admin Interface no (0.0.0.0): Normal (Waiting)
admin Interface test_mgmt (192.168.1.2): Normal (Monitored)

Some guide Lines :

https://myitmicroblog.svbtle.com/asa-activeactive-failover-why-the-interface-status-is-unknownwaitingfailednotmonitored

Re: ASA failover

Marvin Rhoads — Sun, 18 Apr 2021 09:29:00 GMT

Most likely group 2 does not include the failed interface that caused group 1 to failover.

Re: ASA failover

alex210 — Sun, 18 Apr 2021 11:16:37 GMT

I have an interface which is up on the active node and down on the standby node. can this caused the failover to fail ?

Re: ASA failover

balaji.bandi — Sun, 18 Apr 2021 13:53:12 GMT

show us more information - related to config and what interface going down, we been asked this before, to get the right suggestion we need the right information, we only guess the suggestions maybe not right to fix in time.

Re: ASA failover

alex210 — Sun, 18 Apr 2021 13:58:36 GMT

which config do you want ? commands ..

Re: ASA failover

alex210 — Sun, 18 Apr 2021 14:20:07 GMT

failover
failover lan unit primary
failover lan interface FL-interface Port-channel4
failover link state-interface Port-channel4.2
failover interface ip FL-interface 10.10.10.254 255.255.255.252 standby 10.10.10.253
failover interface ip state-interface 10.10.10.80 255.255.255.252 standby 10.10.10.81
failover group 1
preempt
failover group 2
secondary
preempt

Re: ASA failover

Hannibal — Wed, 21 Apr 2021 11:28:42 GMT

Hi Community

I would like to know if the community has had experiences or any discussion about the best practices to migrate two ASA firewalls in standalone mode operating in a critical network.

The process is to migrate the two ASAs to new Firepower hardware with ASA image. in Multiple Context and Failover Active Active.

Each ASA old ASA will pass as a Context on the new hardware. It is very interesting what I should do so I would like to know about the experiences in these cases.

In other words, Best practices for hardware migration from ASA Firewall to Firepower 2100 with active active failover ASA image and multiple contexts within a network in critical operation.

Thank you in advance, Community

Re: ASA failover

balaji.bandi — Wed, 21 Apr 2021 11:38:05 GMT

i woluld suggest to open a new thread, this thread have different issue.

Re: ASA failover

Hannibal — Thu, 22 Apr 2021 07:39:42 GMT

Thanks Balaji. I did that yesterday, I hope any comments. I had been looking into the community and no similar case

Regards