ASA Active-Standby failover issues

Ahmed843 — Wed, 02 Apr 2025 14:30:15 GMT

Hello Everyone,

The secondary ASA became Active for no apparent reason. Please find the show command output below. I just want to confirm that in case the secondary fails, the primary will become Active again. Also, I'd like to investigate the reason why this failover occurred in the first place.

First ASA

VPN01# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 466 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.14(4)24, Mate 9.14(4)24
Serial Number: Ours xxxxxx1Q, Mate xxxxxxxZB
Last Failover at: 17:20:55 EDT Mar 20 2025
This host: Secondary - Active
Active time: 1097618 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.14(4)24) status (Up Sys)
Interface outside (1.1.1.1): Normal (Monitored)
Interface SHARED (X.X.255.6): Normal (Monitored)
Interface management (X.X.1.115): Normal (Not-Monitored)
Other host: Primary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.14(4)24) status (Up Sys)
Interface outside (1.1.1.1): Normal (Monitored)
Interface SHARED (X.X.255.206): Normal (Monitored)
Interface management (10.X.1.215): Normal (Not-Monitored)

VPN01# sho failover history

Second ASA

VPN01# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 466 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.14(4)24, Mate 9.14(4)24
Serial Number: Ours XXXXXXZB, Mate XXXXXX1Q
Last Failover at: 17:23:12 EDT Mar 20 2025
This host: Primary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.14(4)24) status (Up Sys)
Interface outside (1.1.1.1): Normal (Monitored)
Interface SHARED (x.x.x.206): Normal (Monitored)
Interface management (x.x.x.215): Normal (Not-Monitored)
Other host: Secondary - Active
Active time: 1098096 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.14(4)24) status (Up Sys)
Interface outside (1.1.1.1): Normal (Monitored)
Interface SHARED (x.x.x.6): Normal (Monitored)
Interface management (x.x.x.115): Normal (Not-Monitored)

VPN01# show failover history

Re: ASA Active-Standby failover issues

Mark Elsen — Wed, 02 Apr 2025 16:07:26 GMT

- @Ahmed843 wrote : >....I just want to confirm that in case the secondary fails, the primary will become Active again
Since there was a failover that cannot be exactly guaranteed, yet the outputs you provided
seem rather OK at first sight.
It's therefore always useful to configure a syslog server on the active ASA, to have a central
place where logs are send and which can then be reviewed when there is a failover.

You can also connect to the current active ASA with https://cway.cisco.com/cli/ (needs to be downloaded first)
At the top right or left you can press (run) 'System Diagnostics'

Re: ASA Active-Standby failover issues

Ahmed843 — Wed, 02 Apr 2025 18:58:51 GMT

Thanks, marce1000 for the advice and also thanks for the (cway) tools.

topic Re: ASA Active-Standby failover issues in Network Security

ASA Active-Standby failover issues

Re: ASA Active-Standby failover issues

Re: ASA Active-Standby failover issues