topic hi, in Network Security

Cisco ASA Failover

ataur-rahman1 — Tue, 12 Mar 2019 07:50:43 GMT

hello team

kindly help me for below , i have two cisco ASA 5525 as active / standby , as i know in HA by default all physical interfaces will be monitored but sub interfaces is not monitored

i have one interface that is ( inside) there is no ip address assigned to it and i have created many sub interfaces ( 100 + ) on that physical interface , i want to confirm , to failover to trigger if inside interface goes down physically ( the failover will happen smoothly or i have to confirgure standby ip on all sub interfaces and to monitor all the sub interfaces )

Your assessment is correct.

Marvin Rhoads — Sun, 05 Jun 2016 14:08:42 GMT

Your assessment is correct.

hi,

johnlloyd_13 — Sun, 05 Jun 2016 14:37:01 GMT

hi,

you'll need to configure the monitoring of 'inside' interface/subinterface on each security context and also the failover policy/criteria, i.e. number of failed interfaces or specify as percentage.

see helpful link and sample below.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_standby.html#41939

ciscoasa/pri/act(config)# failover interface-policy ?

configure mode commands/options:
<1-216> number of failed interfaces
<1-100>% percentage of failed interfaces
ciscoasa/pri/act(config)# failover interface-policy 50%

thanks john , the monitoring

ataur-rahman1 — Sun, 05 Jun 2016 14:56:00 GMT

thanks john , the monitoring of inside ( physical interface is already monitored ) but do i have to monitor the sub interfaces also ( as there is no IP address on inside interface and the status of inside interface is as below)

my major concern is if inside interface physically goes down the failover should trigger and the production environment shouldnt effect

[Interface inside (0.0.0.0): Normal (Waiting)]

Interface llllllllllll (10.215.218.2): Normal (Not-Monitored)
Interface pppppp (10.10.10.1): Normal (Not-Monitored)

ASA/pri/act# sh run all monitor-interface
monitor-interface outside
monitor-interface inside
no monitor-interface lllllllllllll
no monitor-interface pppppp

yes, you should monitor

johnlloyd_13 — Sun, 05 Jun 2016 15:11:25 GMT

yes, you should monitor subinterfaces which corresponds to the configured 'nameif' on each context.

monitor-interface iii

monitor-interface ppp

don't also forget the failover interface-policy command that i mentioned.

appreciated your help :)

ataur-rahman1 — Sun, 05 Jun 2016 15:18:40 GMT

appreciated your help 🙂

in addition , should i have to add the standby IPs under all sub interfaces as currently there is no standby IPs configured in any of the sub interface

hi,

johnlloyd_13 — Mon, 06 Jun 2016 01:05:17 GMT

hi,

it's not a hard prerequisite to configure the standby IPs for failover.

you'll do this if you want the 'monitor-interface' feature to work properly.

hi ,

ataur-rahman1 — Sun, 12 Jun 2016 14:47:01 GMT

hi ,

is there any limitation of monitoring interfaces , i just checked its 250 ( are these limitations of sub interfaces )

hi john

ataur-rahman1 — Sun, 12 Jun 2016 15:21:35 GMT

hi john

the default policy is if single interface goes down , the fail over is triggered ,

ciscoasa/pri/act(config)# failover interface-policy ?

configure mode commands/options:
<1-216> number of failed interfaces
<1-100>% percentage of failed interfaces
ciscoasa/pri/act(config)# failover interface-policy 50%

how can i specify if outside physical interface (i.e single interface ) goes down the fail over should be triggered

and inside few sub interfaces goes down ( may be 50% down) then only the trigger should happen

the reason behind this question is , if all the subinterfaces are up but the outside interface is down and i have implemented this command then may be the fail over will not happen as i have modified the default policy to 50% of sub interfaces