topic Re: ASA Stateful Failover in Network Security

ASA Stateful Failover

Man29er — Mon, 03 Jun 2024 09:38:03 GMT

Hi. I'm trying to establish if I have my firewall setup correctly for stateful failover. We've had reports that failing over the firewalls caused ip phones to drop their calls, suggesting it is not setup as stateful. From what I can establish, it is setup correctly.

FIREWALL1# sh run | inc failover
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet1/8
failover key *****
failover replication http
failover link FAILOVER GigabitEthernet1/8
failover interface ip FAILOVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
no failover wait-disable

Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet1/8 (up)
Stateful Obj xmit xerr rcv rerr
General 270651667 0 9977695 6
sys cmd 126320 0 126320 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 202463432 0 8101532 0
UDP conn 62368435 0 1620812 6
ARP tbl 5693559 0 129030 0
Xlate_Timeout 0 0 0 0

The only command I may have got incorrect is the line;-

failover link FAILOVER GigabitEthernet1/8.

I found a reference saying;- If the Stateful Failover link uses the failover link or a regular data interface, then you only need to supply the if_name argument.

If this configuration is all correct, is there any adjustments I can make so calls are not dropped when we failover? Calls will be RTP over UDP, which will I guess the failover does not keep the state up.

Firewalls are 5516-X running 9.16(4)57 and Phones handsets are Avaya.

Thanks in advance for any advice.

Re: ASA Stateful Failover

tvotna — Mon, 03 Jun 2024 09:41:06 GMT

Config is ok. Stateful failover for SIP is supported since ASA 8.0.2 so calls shouldn't drop. You can check that SIP connections are replicated to the standby unit, I believe "show sip" should display sessions there too. But after that you'll need to open TAC case as troubleshooting is nearly impossible on live system due to the lack of conditional debug for SIP feature. Failover debugs are also not useful on a production system.

Re: ASA Stateful Failover

MHM Cisco World — Mon, 03 Jun 2024 09:43:50 GMT

There are two timeout

Floating timeout and conn holddown timeout

Try shortest these timeout abd check the udp traffic if it drop any more or not

MHM

Re: ASA Stateful Failover

tvotna — Mon, 03 Jun 2024 09:58:14 GMT

These commands have nothing to do with failover, but I agree that it worth to verify if NSF (non-stop forwarding) is configured, provided that you use OSPF or BGP on ASA so that routes are not lost during failover event. This is not needed in case of static routing.

Re: ASA Stateful Failover

Man29er — Mon, 03 Jun 2024 09:59:27 GMT

Thanks you for the reply, so would it be a case of putting the Poll times to the lowest?

Re: ASA Stateful Failover

MHM Cisco World — Wed, 05 Jun 2024 06:10:49 GMT

Dont adjust this timer
let me check effect of it on UDP traffic.
the timer I suggest before is make Conn clear when the interface is change, the Poll timer is effect how fast the FW HA exchage and detect.

update you today

MHM

Re: ASA Stateful Failover

Man29er — Mon, 03 Jun 2024 10:20:47 GMT

So we use h323 and SIP depending on phones, but the its mainly h323. When I do a "show H323 ras" on the active, I can see h323 calls, but cannot see those on the standby unit. should I see them?

Re: ASA Stateful Failover

tvotna — Mon, 03 Jun 2024 11:23:37 GMT

I don't know. Documentation doesn't mention that state replication for RAS is not supported. Do you see H.225 and H.245 connections ("show h225" / "show h245") on standby?

Re: ASA Stateful Failover

Man29er — Mon, 03 Jun 2024 11:47:20 GMT

No, nothing shows on the standby for either H225 or H245. I can see H225 on active.

Re: ASA Stateful Failover

tvotna — Mon, 03 Jun 2024 15:55:42 GMT

Hard to say. I'd enable "logging standby", configure logging to syslog at informational level and check what standby unit logs when call is established and also right after failover event when the unit becomes active. In the syslog search for IP addresses of IP phones, gatekeeper, etc.

Also, I'd verify that TCP/1720 connections are present on the standby: "show conn long protocol tcp port 1720". They might still be there even if "show h225" output is empty. Same for TCP/1719. H.245, RTP and RTCP ports are all dynamic, so you may need to compare all connections for some IP phone between active and standby: "show conn long addr <phone>". Something like that.

Re: ASA Stateful Failover

Man29er — Mon, 03 Jun 2024 16:44:06 GMT

Thank you. "show conn long protocol tcp port 1720" returns info on the standby that looks identical to the primary. I'll setup the logging on the secondary too. I'm away for a few days so will do that on return. Thanks for you help.

Re: ASA Stateful Failover

MHM Cisco World — Mon, 03 Jun 2024 16:50:50 GMT

Show Conn identical will good sign of healthy HA between two FW'

If you can when you have time check arp table also check if it identical or not.

MHM

Re: ASA Stateful Failover

paul driver — Tue, 04 Jun 2024 08:04:14 GMT

Hello
Can you post the output of the following please?
sh failover
sh failover interfaces
sh run all monitor

Re: ASA Stateful Failover

Man29er — Tue, 04 Jun 2024 09:21:32 GMT

Output below...

FIREWALL1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 410 maximum
MAC Address Move Notification Interval not set
failover replication http
Cipher in use: 3DES/AES
Version: Ours 9.16(4)57, Mate 9.16(4)57
Serial Number: Ours JAD2xxxxx, Mate JAD2xxxxxx
Last Failover at: 14:52:49 GMT/BDT May 23 2024
This host: Primary - Active
Active time: 1019847 (sec)
slot 1: ASA5516 hw/sw rev (3.3/9.16(4)57) status (Up Sys)
Interface INSIDE (x.x.x.x): Normal (Monitored)
Interface APPS (x.x.x.x): Link Down (Not-Monitored)
Interface APPS2 (x.x.x.x): Link Down (Not-Monitored)
Interface OUTSIDE (x.x.x.x): Normal (Waiting)
Interface MISC (0.0.0.0): Link Down (Not-Monitored)
Interface APPS3 (x.x.x.x): Normal (Waiting)
Interface VOICE (x.x.x.x): Normal (Monitored)
Interface MGMT (192.168.x.x.): Normal (Monitored)
slot 2: SFR5516 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 2: SFR5516 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
Other host: Secondary - Standby Ready
Active time: 13755 (sec)
slot 1: ASA5516 hw/sw rev (3.3/9.16(4)57) status (Up Sys)
Interface INSIDE (x.x.x.x): Normal (Monitored)
Interface APPS (0.0.0.0): Normal (Not-Monitored)
Interface APPS2 (0.0.0.0): Normal (Not-Monitored)
Interface OUTSIDE (0.0.0.0): Normal (Waiting)
Interface MISC (0.0.0.0): Normal (Not-Monitored)
Interface APPS3 (0.0.0.0): Normal (Waiting)
Interface VOICE (x.x.x.x): Normal (Monitored)
Interface MGMT (192.168.x.x): Normal (Monitored)
slot 2: SFR5516 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 2: SFR5516 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)

Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet1/8 (up)
Stateful Obj xmit xerr rcv rerr
General 305279662 0 9989197 6
sys cmd 137822 0 137822 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 229734352 0 8101532 0
UDP conn 69223841 0 1620812 6
ARP tbl 6183669 0 129030 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 1 0 0 0
SIP Tx 1 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 13 9996728
Xmit Q: 0 1 305832185
FIREWALL1# show failover int
FIREWALL1# show failover interface
interface FAILOVER GigabitEthernet1/8
System IP Address: 10.10.10.1 255.255.255.252
My IP Address : 10.10.10.1
Other IP Address : 10.10.10.2
FIREWALL1# sh run all monitor
FIREWALL1# sh run all monitor-interface
monitor-interface INSIDE
no monitor-interface APPS
no monitor-interface APPS2
monitor-interface OUTSIDE
no monitor-interface MISC
monitor-interface APPS3
monitor-interface VOICE
monitor-interface MGMT
monitor-interface service-module
FIREWALL1#

Re: ASA Stateful Failover

MHM Cisco World — Tue, 04 Jun 2024 10:47:39 GMT

waiting your reply about ARP
also share
show service-policy inspect SIP
show service-policy inspect h323 ras

to check if policy drop the packet when the traffic shift from the Active to standby
NOTE:- you need to do show service-policy at least three times to see which counter is increase

MHM