topic Re: Tracking Route from a Standby unit in a Active/Standby ASA array in Network Security

Tracking Route from a Standby unit in a Active/Standby ASA array

obadillaa — Fri, 21 Feb 2020 17:00:30 GMT

We have configured in an Active/standby array of ASAs a route tracking service to some destinations, each destination has a main and a secondary link.

Tracking service is not the issue, we found in our syslog server events from our active unit saying it is denying inbound icmp packets going to our standby unit. These icmp packets are coming from the destinations configured in our tracking service.

So, as we see it, our Active unit (as excepted) as well as our Standby unit (weird) are executing the route tracking service, and Active unit is rejecting replies sent to Standby.

Following log is from Active unit (values were changed for privacy):

Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP1} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP2} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP3} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP4} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP5} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP6} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP7} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)

Standby unit should not be tracking routes (unless it become Active). Is there a way to stop this tracking process in the standby unit?

Re: Tracking Route from a Standby unit in a Active/Standby ASA array

Julio E. Moisa — Wed, 03 Apr 2019 17:46:44 GMT

Could you please share the failover configuration and the show failover output?

Thank you

Re: Tracking Route from a Standby unit in a Active/Standby ASA array

obadillaa — Wed, 03 Apr 2019 18:07:51 GMT

{hostname}/pri/act# sho failover
Failover On
Failover unit Primary
Failover LAN Interface: fo_st_link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 9 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours x.x(x)xx, Mate x.x(x)xx
Last Failover at: 18:37:44 CST Mar 29 2019
This host: Primary - Active
Active time: 407617 (sec)
slot 0: ASA5525 hw/sw rev (1.0/x.x(x)xx) status (Up Sys)
Interface OUTSIDE (a.a.a.251): Normal (Monitored)
Interface INSIDE (b.b.b.34): Normal (Monitored)
Interface {Interface-Name} (c.c.c.49): Normal (Monitored) <----Interface used for tracking service
Interface management (0.0.0.0): No Link (Waiting)
Other host: Secondary - Standby Ready
Active time: 6421 (sec)
slot 0: ASA5525 hw/sw rev (1.0/x.x(x)xx) status (Up Sys)
Interface OUTSIDE (a.a.a.252): Normal (Monitored)
Interface INSIDE (b.b.b.35): Normal (Monitored)
Interface {Interface-Name} (c.c.c.50): Normal (Monitored) <----Interface used for tracking service
Interface management (0.0.0.0): No Link (Waiting)

Stateful Failover Logical Update Statistics
Link : fo_st_link Port-channel1 (up)
Stateful Obj xmit xerr rcv rerr
General 39867278 0 432424 822
sys cmd 215458 0 215455 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 5044678 0 26521 28
UDP conn 34514537 0 189973 771
ARP tbl 86698 0 401 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 619 0 10 0
VPN IKEv1 P2 2146 0 31 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Route Session 913 0 0 23
Router ID 0 0 0 0
User-Identity 2229 0 33 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 30 453276
Xmit Q: 0 158 44626509

--- Failover Cfg ---

failover
failover lan unit primary
failover lan interface fo_st_link Port-channel1
failover link fo_st_link Port-channel1
failover interface ip fo_st_link d.d.d.253 255.255.255.252 standby d.d.d.254
failover ipsec pre-shared-key *****