topic Re: ASA Failover Issue in Network Security

ASA Failover Issue

Udupikrishna091 — Tue, 12 Mar 2019 00:27:54 GMT

Hellu Guys,

I have got into a peculiar issue, I have 2 5520 ASA firewalls running ASA ver 8.4.2, fe days back we tested ASA failover between the primary and secondary, below is the fail over config,

IMS-BLR-ASA# sh run | inc failover

failover

failover lan unit primary

failover lan interface lanfailover GigabitEthernet0/3.1

failover link statefailover GigabitEthernet0/3.2

failover interface ip lanfailover 10.224.248.41 255.255.255.248 standby 10.224.248.42

failover interface ip statefailover 10.224.248.49 255.255.255.248 standby 10.224.248.50

SECONDARY ASA:

IMS-BLR-ASA# sh run | inc failover

failover

failover lan unit secondary

failover lan interface lanfailover GigabitEthernet0/3.1

failover link statefailover GigabitEthernet0/3.2

failover interface ip lanfailover 10.224.248.41 255.255.255.248 standby 10.224.248.42

failover interface ip statefailover 10.224.248.49 255.255.255.248 standby 10.224.248.50

The problem I am facing is when we manually force failover from the primay to secondary the traffic flows as expected everything is fine, but when we revert back and check the sh failover my ASA1 was supposed to become the Primary still shows as secondary even though it has become the active unit. Not sure whether this is a config issue or a bug issue any suggestion would be helful.

Thnx

Krishna

ASA Failover Issue

Jouni Forss — Mon, 26 Nov 2012 09:41:43 GMT

Hi,

Do you have any "show failover" command outputs from the all of the different phases you mention in your post that we could go through?

but when we revert back and check the sh failover my ASA1 was supposed  to become the Primary still shows as secondary even though it has become  the active unit

You mean the "show failover" output shows for the Primary ASA (hardware) that its Active after returning to the original setup and it also shows "secondary" with the command "show run failover"?

I guess the best situation would be if you could give "show failover" command output from the different phases of the failover test.

- Jouni

ASA Failover Issue

Udupikrishna091 — Mon, 26 Nov 2012 09:47:25 GMT

Hi Jouni,

Thnx for the reply, sorry but currently I cannot give the sh failover of the diff phases, but I can put across through this post

Scenario 1

ASA1 - Primary and active unit, ASA2 - Secondary and Standby Unit

force the failover, ASA1 became secondary and stand by unit, ASA2 becamse Primary and active

Now we reverted back to original setup

ASA1 - still secondary but active, ASA2 still primary but in stand by mode

Regards

Krishna

Re: ASA Failover Issue

Jouni Forss — Mon, 26 Nov 2012 09:54:20 GMT

Hi,

To my understanding if at the moment your ASA (Active ASA that is passing the traffic) shows the output of "failover lan unit secondary" when issuing the command "show run failover" but the output of "show failover" shows that its Active, the Active unit is the ASA you originally configured as the Secondary Hardware.

Can you copy paste here the output of the "show run failover" and "show failover" of the unit that is Active at the moment?

- Jouni

Re: ASA Failover Issue

Udupikrishna091 — Mon, 26 Nov 2012 10:16:02 GMT

Hi Jouni,

Well I did cross verify the config during this phase what I observed even though we had configured the ASA1 as "failover lan unit primary" after we forced the failover and reverted back the config had changed to "failover lan unit secondary
" not sure how this happened but it was the Active unit at this moment. The config was precise we double checked the config before starting the activity.

- Krishna

Re: ASA Failover Issue

Jouni Forss — Tue, 27 Nov 2012 09:52:11 GMT

Hi,

Can't say I've ever had this kind of problem.

Only problems related to Failover have been some odd situation where the configuration Sync doesnt go through the the Failover stops working. But nothing like this.

To my understanding no matter how many times you issue "failover active" and/or "no failover active" (if these were the commands) the configuration line "failover lan unit primary/secondary" should not change between the devices.

Also with Active/Standby Failover the configuration "pimary" / "secondary" dont have much use. To my understanding they only define the firewall that will take the active role WHEN both boot up at the same time.

With Active/Active Failover you will configure failover groups where you can then define a preempt timer which would change back to the original primary after the timer when the primary was back up.

Still, could you post the output of "show run failover" and "show failover" from both units at the moment? Remove any IP address or names if you need to.

- Jouni

Re: ASA Failover Issue

Udupikrishna091 — Tue, 27 Nov 2012 10:20:02 GMT

Hi Jouni,

Well I know what u meant, I would love to share the logs but unfortunately the ASAs are of my customer, so they won't provide the logs currently

- Krishna