topic Failover is triggered by any in Network Security

Cisco ASA 5510 Active/Standby config

George Rodriguez — Tue, 12 Mar 2019 04:57:46 GMT

I have configured failover using the management port. When I unplug the LAN interface the Primary goes into standby and the stanby unit goes into Primary state.
But when I plug the LAN interface on ASA1 back the Secondary stays as Active UNLESS I unplug the LAN interface o the Secondary unit. Is this normal?

I'm pretty sure you can't use

davebornack — Mon, 20 Oct 2014 20:37:18 GMT

I'm pretty sure you can't use the MGMT port for failover functions.

I would recommend that you use LAN-based failover using one of the "inline" interfaces that passes traffic, or if you have enough ports available, configure one just for failover operations.

Yes, this is normal.ASA high

Marvin Rhoads — Mon, 20 Oct 2014 22:50:41 GMT

Yes, this is normal.

ASA high availability failover cluster units have no concept of preemption. Whichever unit has been healthy most recently will be active unless you initiate a manual failover to force the system back to the desired state.

@ Dave - yes the management port can be used for failover - as long as you don't want to also use it for management. From the configuration guide:

"You can use any unused interface on the device as the failover link; however, you cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface should only be used for the failover link (and optionally for the Stateful Failover link)"

That's what I figured on the

George Rodriguez — Tue, 21 Oct 2014 13:17:54 GMT

That's what I figured on the management port. I combed through the internet searching and most state it can be used. My plan is to use it for both failover and stateful failover. I just wasn't sure about the failback when the primary comes back online.

My setup is using all 4 ports (2 WAN's, 1 LAN, 1 DMZ). Do I need to configure a standby for each interface?

Also, is there any way around not having to force a failback?

Thanks.

You can run an HA pair

Marvin Rhoads — Tue, 21 Oct 2014 13:24:24 GMT

You can run an HA pair without standby IP addresses but the interface monitoring capability is somewhat compromised as the primary unit cannot positively verify the standby unit's is reachable on those interfaces via IP and instead has to rely on the communication from the standby via the failover link that the interfaces are up.

I always recommend you use standby IP addresses if possible. The only times I've not done it is when the available public IP addresses are severely constrained and the client can't afford to give up even 1 address on that interface.

Actually that is an issue

George Rodriguez — Tue, 21 Oct 2014 13:35:04 GMT

Actually that is an issue right now with one of the WAN's (no available IP's). So if I create only one standby IP for the LAN, one for the DMZ & one for the Primary WAN it will still function properly? What will I lose?

I thought the LAN links going down triggers the failover?

Failover is triggered by any

Marvin Rhoads — Tue, 21 Oct 2014 13:42:18 GMT

Failover is triggered by any of several things - monitored interface on active peer going down, active peer not reachable, service module on active peer going down, etc.

A failover pair can operate properly with one of the interfaces not having a configured standby IP address. You will lose a slight degree of assurance that the standby peer is "really" ready on that interface since your are relying on its self-reporting that the interface is up with line protocol up.

One can posit scenarios in which that is the case yet traffic will not flow due to IP reachability (e.g., if it was plugged into an active port on an upstream switch and the port was in the wrong VLAN).

Great Feedback. Thanks Marvin

George Rodriguez — Tue, 21 Oct 2014 14:22:42 GMT

Great Feedback. Thanks Marvin!!!

You're welcome.Please mark

Marvin Rhoads — Tue, 21 Oct 2014 14:25:10 GMT

You're welcome.

Please mark your question as answered if it has been. Rating improves the community quality. 🙂

No problem

George Rodriguez — Tue, 21 Oct 2014 14:28:13 GMT

No problem

Is there any way for the

George Rodriguez — Tue, 21 Oct 2014 14:56:24 GMT

Is there any way for the admin for the ASA to be notified when it goes into standby?

Yes. There is a syslog

Marvin Rhoads — Tue, 21 Oct 2014 15:06:54 GMT

Yes. There is a syslog message created. If you're using an external log destination, you can typically set that up to notify you upon receipt of specified messages.

If you don't have an external syslog server, you can create a logging message list and direct the ASA to email the admin when that list receives an event. You will have to relay via an internal mail server and may need to add the ASA to the whitelist on that server if it's locked down.

Here's a link to the config guide section describing how to set that up on the ASA.

I'll take a look. One last

George Rodriguez — Tue, 21 Oct 2014 15:17:30 GMT

I'll take a look. One last thing (I think), I'm working on this with 2 5510's as I type. I noticed that if I only have the standby IP configured for the LAN interface only (no WAN's or DMZ) and I unplug the WAN's or DMZ the ASA goes into the standby state. Normal?

Yes, that's normal.Unless you

Marvin Rhoads — Tue, 21 Oct 2014 15:23:23 GMT

Yes, that's normal.

Unless you have specifically excluded a configured interface from monitoring (or set a threshold of number of monitored interfaces to trigger a failover), unplugging an interface will result in the line protocol going down and the unit will know that whether or not it has a standby IP address.

again, thanks for the help. I

George Rodriguez — Tue, 21 Oct 2014 15:47:09 GMT

again, thanks for the help. I continue to work on this lab to fine tune it.