topic Thank you, for all your in Network Security

Newbie Cisco ASA 5515,IPS Failover Test.

LC O — Sun, 10 Mar 2019 13:44:13 GMT

I was wondering if someone can help me with the configuration of the cisco ips for failover we have 2 cisco asa 5515 IPS. I want to test the failover. When i look at this configuration. It appears that it is lan based failover. Correct me if i'm wrong my understanding for this failover operation is if gi0/2 went down the standby gi0/3 interface will be active. Now if i run show failover command it just shows primary standby ready which it doesnt have any ip address and secondary is active with external ip address and internal ip address. If anyone can help with this. I attached a screenshot of the show failover result command. Thank you in advance.

int gi0/2 is 10.0.1.10

int gi0/3 is 10.0.2.10

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover replication http
failover link statefulfailover GigabitEthernet0/3
failover interface ip failover 10.0.1.10 255.255.255.0 standby 10.0.1.11
failover interface ip statefulfailover 10.0.2.10 255.255.255.0 standby 10.0.2.11

A couple of questions:

nspasov — Wed, 14 Dec 2016 20:10:07 GMT

A couple of questions:

1. Do you have standby IPs configured on those interfaces?

2. Have you read this ASA Configuration Guide for Failover:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/ha-failover.html

Thank you for rating helpful posts!

In addition to what Neno

Marvin Rhoads — Thu, 15 Dec 2016 08:30:32 GMT

In addition to what Neno correctly pointed out, I would add that standby IP addresses for the production traffic interfaces are optional. It appears they are not setup on your pair, thus the report of "0.0.0.0" addresses on the Standby unit.

We often see this in situations where there are a very limited number of public IP addresses where the customer is unable or unwilling to dedicate an IP address for the sole purpose of monitoring the IP reachability of that particular interface on the standby unit. Fir private subnets I always use a standby IP address.

It works perfectly fine, it just gives the failover cluster one fewer data point in assessing the health of the mate.

Gi0/2 and Gi0/3 in your setup are used strictly for failover cluster monitoring and state replication respectively. They do not backup each other per se but rather handle different aspects of the failover cluster operations. Using a dedicated interface (like your Gi0/3) for stateful failover support is optional. If you do not have stateful failover setup, tcp session state will not be preserved across a failover event and any open sessions must be re-established.

Thank you for quick response.

LC O — Thu, 15 Dec 2016 21:45:48 GMT

Thank you for quick response. Im going to read the failover link document. Apparently I inherit this task. I was told it's working and i need to do a failover. Here's the full configuration

Primary Cisco IPS 5515x

int gi0/2 is 10.0.1.10

int gi0/3 is 10.0.2.10

Secondary Cisco IPS 5515x

int gi0/2 is 10.0.1.11
int gi0/3 is 10.0.2.11

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover replication http
failover link statefulfailover GigabitEthernet0/3
failover interface ip failover 10.0.1.10 255.255.255.0 standby 10.0.1.11
failover interface ip statefulfailover 10.0.2.10 255.255.255.0 standby 10.0.2.11

From your first posting, the

Marvin Rhoads — Sat, 17 Dec 2016 05:09:21 GMT

From your first posting, the Secondary is Active and the Primary is Standby Ready state. Simply log into the Secondary-Active in enable mode and type "no failover active".

You will be disconnected from the unit and when you log back in you should be connected to Primary-Active.

you can use the following

ssingh3 — Wed, 11 Jan 2017 05:18:18 GMT

you can use the following command to configure standby IPs to the device

int Gi0/x

ip address <active ip> <subnet> standby <standby ip>

"standby" is the keyword and the IP mentioned after this keyword would be assigned to standby device(doesn't matter which is standby, primary or secondary)

HTH

Thank you, for all your

LC O — Wed, 11 Jan 2017 18:21:23 GMT

Thank you, for all your response. I'm going to try the failover next week and will let you know if it 's successful or not. cross finger.