topic Are the interfaces excluded in Network Security

ASA 8.4(4) failover issue

bruno.fernandes — Tue, 12 Mar 2019 04:09:56 GMT

Hi guys,

I'm having a strange behaviour in an ASA cluster running 8.4(4) regarding failover feature, from the Active node standpoint if I issue a "show failover" I have the following result

------------------ show failover ------------------

Failover On
Failover unit Primary
Failover LAN Interface: dmz_failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(4), Mate 8.4(4)
Last Failover at: 13:12:39 UTC May 6 2014
   This host: Primary - Active
       Active time: 1247 (sec)
       slot 0: ASA5520 hw/sw rev (2.0/8.4(4)) status (Up Sys)
       Interface internetwork.wan (192.168.236.99): Normal (Monitored)
       Interface A.dmz (192.168.236.33): Link Down (Not-Monitored)
       Interface B.dmz (192.168.236.1): Link Down (Not-Monitored)
       Interface C.dmz (192.168.236.65): Link Down (Not-Monitored)
       Interface xerox.network (192.168.1.20): Normal (Monitored)
       Interface management (0.0.0.0): Link Down (Not-Monitored)
       slot 1: empty
   Other host: Secondary - Standby Ready
       Active time: 0 (sec)
       slot 0: ASA5520 hw/sw rev (2.0/8.4(4)) status (Up Sys)
       Interface internetwork.wan (192.168.236.100): Normal (Monitored)
       Interface A.dmz (192.168.236.34): Normal (Not-Monitored)
       Interface B.dmz (192.168.236.2): Normal (Not-Monitored)
       Interface C.dmz (192.168.236.66): Normal (Not-Monitored)
       Interface xerox.network (192.168.1.21): Normal (Monitored)
       Interface management (0.0.0.0): Normal (Not-Monitored)
       slot 1: empty

Regarding the following interfaces:

--> A.dmz

--> B.dmz

--> C.dmz

This dmz's are sub-interfaces associated to the same physical interface, that are in shutdown mode, from the switching interface they are also in shutdown mode.

So I understand from the active node standpoint we have a "Link Down" situation, but I don'e understand how can this be in "normal" state from the failover node stand point

Regards,

Bruno Fernandes

Hi Bruno, Its look to be L2

Abhirajsingh yadav — Wed, 07 May 2014 13:43:37 GMT

Hi Bruno,

Its look to be L2 issue. Please check the vlan is created and extended in the switches

Hi Yadav, The physical

bruno.fernandes — Wed, 07 May 2014 14:30:31 GMT

Hi Yadav,

The physical interfaces associated with those dmz's/sub-intf is in shutdown mode…..so that's not the reason from my point of view

Regards,

Bruno

Are the interfaces excluded

Marvin Rhoads — Wed, 07 May 2014 15:45:47 GMT

Are the interfaces excluded from failover monitoring in the config? ("no monitor-interface dmz")

Hi Marvin, Yes does

bruno.fernandes — Wed, 07 May 2014 20:59:52 GMT

Hi Marvin,

Yes does interfaces are not monitored, has a side note does dmz's are not being use now….also I don't have a specific "no monitor dmz" in the config !!!! but I'm 100% positive that I have uncheck the box regarding the monitoring option for does dmz's (in ASDM) ……but I will try

Regards,

I haven't a spare pair to try

Marvin Rhoads — Wed, 07 May 2014 22:50:54 GMT

I haven't a spare pair to try it on but I suspect your earlier comment about them being shutdown will exclude them from monitoring - even without the "no monitor-interface ___" command. That would make sense since if they are configured shutdown there's no way they will be up on either the active or standby unit.

...so bottom line would be that what you see in "show failover" is completely normal.