topic ASA Firewall - Normal(Waiting) in Network Security

ASA Firewall - Normal(Waiting)

Chin — Tue, 12 Mar 2019 06:36:28 GMT

Hi Guys,

Im trying to get the failover state for one of the inside interfaces to change to Monitored, and it doesnt seem to be working. The switchport settings on the primary unit for the interface is exactly the same . Tried bouncing the switchport which the inside interface connects to, to no avail.

Is there anything that I may be missing?

TPPASAFW-5525/sec/stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover-interface GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(3)4, Mate 9.2(3)4
Last Failover at: 18:38:51 AEST May 12 2015
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.2(3)4) status (Up Sys)
Interface firewall-internal (192.168.103.3): Normal (Monitored)
Interface firewall-dmz (192.168.101.2): Normal (Monitored)
Interface firewall-ext-apnic (x): Normal (Waiting)
Interface logs (192.168.205.8): Normal (Monitored)
Interface management (192.168.109.3): Normal (Monitored)
slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
IPS, 7.1(9)E4, Up
Other host: Primary - Active
Active time: 10962400 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.2(3)4) status (Up Sys)
Interface firewall-internal (192.168.103.2): Normal (Monitored)
Interface firewall-dmz (192.168.101.1): Normal (Monitored)
Interface firewall-ext-apnic (x): Normal (Monitored)
Interface logs (192.168.205.7): Normal (Monitored)
Interface management (192.168.109.2): Normal (Monitored)
slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
IPS, 7.1(9)E4, Up

Thanks loads!

>> Are you able to ping the

Rishabh Seth — Wed, 16 Sep 2015 07:46:11 GMT

>> Are you able to ping the across the two units on the active IP and Stand by IP configuraed on interface "firewall-ext-apnic" ?

>> Make sure that interfaces on switch connected to ASA's "firewall-ext-apnic" interface is present in same VLAN on the switch.

>> Is ip verify reverse-path interface firewall-ext-apnic present in your configuration? If present try removing it and test it?

>> Are you able to ping the

Chin — Thu, 17 Sep 2015 00:58:15 GMT

>> Are you able to ping the across the two units on the active IP and Stand by IP configuraed on interface "firewall-ext-apnic" ? No, not able to ping to interface ip on from the primary unit.

>> Make sure that interfaces on switch connected to ASA's "firewall-ext-apnic" interface is present in same VLAN on the switch. Theyre both on the same vlan

>> Is ip verify reverse-path interface firewall-ext-apnic present in your configuration? If present try removing it and test it? It is, and it seems to have packet dropping and the count keeps increasing, how do i check the source and destination of the packets that are being dropped ?

TPPASAFW-5525/sec/stby# show ip verify statis
interface firewall-internal: 0unicast

rpf drops
interface firewall-dmz: 0 unicast rpf drops
interface firewall-ext-apnic: 4411598 unicast rpf drops
interface logs: 0 unicastrpf drops
interface management: 0 unicastrpf drops

TPPASAFW-5525/sec/stby# show asp drop frame rpf-violated
Reverse-pathverify failed (rpf-violated) 4411557

Last clearing: Never

TPPASAFW-5525/sec/stby# show asp drop frame rpf-violated
Reverse-path

verify failed (rpf-violated) 4411557

Last clearing: Never

I checked the firewall log files and did not see any logs that show reverse-path checks/drops. How do I ensure the logging captures the logs since i see an incrementing value when i do the show asp drop command?

Logging is enabled :

logging enable
logging timestamp
logging buffer-size 512000
loggingasdm-buffer-size 500
logging monitor informational
logging buffered debugging
logging trap informational
loggingasdm informational

Thanks so much !

Hi,>> You can try running

Rishabh Seth — Thu, 17 Sep 2015 06:22:57 GMT

Hi,

>> You can try running packet-tracer on both the ASAs to check the reason of packet drop.

>> Apply packet captures on each unit with specific source IP and destination IP and initiate ICMP. This would let us know if the traffic is reaching the other unit or not.

>> Also ensure you have Primary and secondary IP configured for interface irewall-ext-apnic.

>> From the rpf output i see that there are multiple interfaces with rpf enabled and their status is monitored. You may try removing the rpf check for testing purpose. If removing rpf check works then we might be hitting the defect: https://tools.cisco.com/bugsearch/bug/CSCut29589/?reffering_site=dumpcr

Thanks,

R.Seth

Thanks Risseth. Will try the

AdamAlphonz — Wed, 30 Sep 2015 00:13:00 GMT

Thanks Risseth. Will try the options out.