topic If the pings do not work as in Network Security

ASA Failover configuration

Cisco Freak — Tue, 12 Mar 2019 07:53:18 GMT

Hi All,

I have this configuration in 2 ASA firewalls to enable failover, but for some reason its not working.

Primary-ASA# sh run failover
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet2
failover interface ip FOLINK 112.1.1.1 255.255.255.0 standby 112.1.1.2
Primary-ASA#

Secondary-ASA# sh run failover
failover
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet2
failover interface ip FOLINK 112.1.1.1 255.255.255.0 standby 112.1.1.2
Secondary-ASA#

But the failover is not able to detect the mate.

Primary-ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FOLINK GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 60 maximum
Version: Ours 8.4(2), Mate Unknown
Last Failover at: 02:43:18 UTC Jun 15 2016
This host: Primary - Active
Active time: 15501 (sec)
Other host: Secondary - Not Detected
Active time: 0 (sec)

Stateful Failover Logical Update Statistics
Link : Unconfigured.

Primary-ASA#

Secondary-ASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FOLINK GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 60 maximum
Version: Ours 8.4(2), Mate Unknown
Last Failover at: 02:27:35 UTC Jun 15 2016
This host: Secondary - Active
Active time: 14123 (sec)
Other host: Primary - Failed
Active time: 0 (sec)

Stateful Failover Logical Update Statistics
Link : Unconfigured.

Secondary-ASA#

Can anyone please explain why this is not working?

Hi,

Aditya Ganjoo — Wed, 15 Jun 2016 06:35:49 GMT

Hi,

Are you able to ping the failover IP's ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

If the pings do not work as

jpederson1 — Wed, 15 Jun 2016 16:44:07 GMT

If the pings do not work as Aditaya stated Make sure the interface is active for the failover link. Your config looks fine to me.

Don't know if its something

Cisco Freak — Wed, 15 Jun 2016 19:27:51 GMT

Don't know if its something related to GNS3, but I reapplied the same command it started working.

Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 19:08:37 UTC Jun 15 2016
This host: Primary - Active
Active time: 867 (sec)
Other host: Secondary - Standby Ready
Active time: 0 (sec)

I have one more question.

Cisco Freak — Wed, 15 Jun 2016 19:28:51 GMT

I have one more question.

Primary-ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FOLINK GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1

What's unit poll frequency vs interface poll?

Hi,

Aditya Ganjoo — Thu, 16 Jun 2016 00:25:40 GMT

Hi,

Here is a brief explanation:

Failover Poll Times-Contains the fields for defining how often hello messages are sent on the failover link, and, optionally, how long to wait before testing the peer for failure if no hello messages are received.

Unit Failover-The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 200 and 999 milliseconds.

Unit Hold Time-Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 1and 45 seconds or between 800 and 999 milliseconds. You cannot enter a value that is less than 3 times the polltime.

Monitored Interfaces-The amount of time between polls among interfaces. The range is between 1and 15 seconds or 500 to 999 milliseconds.

Interface Hold Time-Sets the time during which a data interface must receive a hello message on the data interface, after which the peer is declared failed. Valid values are from 5 to 75 seconds.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thanks Aditya for the the

Cisco Freak — Thu, 16 Jun 2016 02:41:05 GMT

Thanks Aditya for the the detailed explanation.

So unit polling is done by each ASA to make sure the peer ASA is available.

And the interface poll is done by each ASA to make sure that all monitored interface in both the ASA are fine.

If the hold time expires for any of these polls, then that interface is set in test mode and a 4 step test is conducted in that interface. If the unit poll is failing the failover link between ASAs will be tested. If the interface poll expires, then that specific interface will be tested.

Am I right?

Hi<

Aditya Ganjoo — Thu, 16 Jun 2016 02:47:14 GMT

Hi<

Yes you are correct.

You can go through this link as well:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77809-pixfailover.html#tri

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Awesome!!!

Cisco Freak — Thu, 16 Jun 2016 02:59:37 GMT

Awesome!!!

One last question.. Should all the 4 tests pass for an interface to return to an active status. Or even passing 1 out of that 4 will put the interface back in active status?

All the tests should be

Aditya Ganjoo — Thu, 16 Jun 2016 03:13:01 GMT

All the tests should be passed.

Check this link:

https://supportforums.cisco.com/document/13076/understanding-how-interface-testing-works-pix-failover

Regards,

Aditya

Please rate helpful posts and mark correct answers.