topic What license do you have in Network Security

ASA 5505 Active Standby Failover Configuration Issue

joshabts — Tue, 12 Mar 2019 03:55:13 GMT

Hello:

I am trying to setup active/standby failover on a pair of ASA 5505's that have the security plus license on them. Whenever I enable failover though, they seem to not want to talk to each other and I am at a loss as to why.

In terms of setup of connections, ASA01 port 0/4 connects to Switch01 port 1/0/21 and ASA02 port 0/4 connects to Switch01 port 1/0/22. For all ports they are set as switchport access and have the appropriate vlan.

From the switch, I can ping the interface on ASA01 but not ASA02.

Attached are the three configuration and some diagnostic configuration printouts.

Can anyone advise on what I am missing to make this work?

Thanks!
Josh

What license do you have

Marius Gunnerud — Mon, 10 Mar 2014 12:04:44 GMT

What license do you have installed on your ASAs? You need to have a security plus license for failover to work.

You can also issue the command show failover history to get more info on what is going on.

Have you check the logs to see if there is anything that might point to the issue?

Please remember to rate and select a correct answer

Yes, as I mentioned, I have

joshabts — Mon, 10 Mar 2014 12:32:45 GMT

Yes, as I mentioned, I have the security plus license on both ASAs.

I am not seeing much in terms of logs which is why I am a little stuck. From the show failover history on ASA01 I get the following which the 10:07 is roughly when I enabled it again this morning in my testing attempt:

01:19:15 UTC Mar 10 2014
Active Disabled Set by the config command

10:07:47 UTC Mar 10 2014
Disabled Negotiation Set by the config command

10:08:33 UTC Mar 10 2014
Negotiation Just Active No Active unit found

10:08:33 UTC Mar 10 2014
Just Active Active Drain No Active unit found

10:08:33 UTC Mar 10 2014
Active Drain Active Applying Config No Active unit found

10:08:33 UTC Mar 10 2014
Active Applying Config Active Config Applied No Active unit found

10:08:33 UTC Mar 10 2014
Active Config Applied Active No Active unit found

10:47:17 UTC Mar 10 2014
Active Disabled Set by the config command

==========================================================================

Hi,

Julio Carvajal — Mon, 10 Mar 2014 12:37:42 GMT

Hi,

Actually the secondary Unit looks good in regards to failover:

Failover unit Secondary
Failover LAN Interface: FAILOVER_LAN Vlan50 (up)

But The primary ASA failover link is still down

Failover LAN Interface: FAILOVER_LAN Vlan50 (Failed - No Switchover)

Can you check status on the Switch for ports connecting to the ASA, change cables as well.

Note: when you ping from the switch the ARP table pointing to the primary ASA IP address belongs to which Firewal. ASA Primary or Secondary?

Have you tried changing the

Marius Gunnerud — Mon, 10 Mar 2014 12:42:22 GMT

Have you tried changing the cable between the ASAs?

Have you tested connectivity between the ASAs? set an IP address on the interface and ping between them. Please let me know the results.

Please remember to rate and select a correct answer

That is what I thought too

joshabts — Mon, 10 Mar 2014 12:44:21 GMT

That is what I thought too Julio, and that is why I got more confused, because the primary (the one showing down) is the only one I *can* ping from the switch....

You can see the interface status in my sw01.txt file attached where I ran a sh int gi1/0/21. It is showing up/up. I have also verified by changing the vlan that port accesses and am able to communicate over it, so it isn't a bad cable/port...and I can ping it as noted.

The arp table on the switch for the 10.0.50.1 (primary failover interface ip) shows the mac address of the primary asa vlan 50 interface. I would think that is as expected then.

So I am at a loss as to why from the switch I can't ping the secondary (unless that makes sense since it hasn't brought up the secondary address since it hasn't joined the primary yet) but it shows link up, yet I can ping the primary but it shows link down.

*Puzzled*.

I can ping between the ASAs

joshabts — Mon, 10 Mar 2014 12:45:45 GMT

I can ping between the ASAs using another interface/vlan. The failover interface I cannot ping as it seems to not have brought up the addresses yet on the secondary since it hasn't joined the primary.

From the switch I can ping either on an alternate vlan and on the failover vlan I can only ping the primary asa.

Remove the failover

Marius Gunnerud — Mon, 10 Mar 2014 12:57:25 GMT

Remove the failover configuration. then set an IP on the failover interface of both ASAs and see if you can ping between them.

Please remeber to rate and select a correct answer

Hi, can you please paste me

khalid.meraj — Tue, 18 Mar 2014 11:43:24 GMT

Hi,

can you please paste me your swtich sh vlan output.

it looks like you vlan doesn't exist.