https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968083#M434814 <P>Hi Guys,</P><P></P><P>I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work. </P><P></P><P>1) Can someone please help me clarify/fix this?</P><P>2) Will a second failover link fix my problem?</P><P>3) How can I configure a second failover link? </P><P></P><P>Thank you for your time!</P><P></P><P>Cheers,</P><P></P><P>Ranil</P><P></P><P>Sent from Cisco Technical Support iPhone App</P> Mon, 11 Mar 2019 23:15:41 GMT Ranil Herath 2019-03-11T23:15:41Z https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968083#M434814 <P>Hi Guys,</P><P></P><P>I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work. </P><P></P><P>1) Can someone please help me clarify/fix this?</P><P>2) Will a second failover link fix my problem?</P><P>3) How can I configure a second failover link? </P><P></P><P>Thank you for your time!</P><P></P><P>Cheers,</P><P></P><P>Ranil</P><P></P><P>Sent from Cisco Technical Support iPhone App</P> Mon, 11 Mar 2019 23:15:41 GMT https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968083#M434814 Ranil Herath 2019-03-11T23:15:41Z https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968084#M434815 <HTML><HEAD></HEAD><BODY><P>If you unplug the failover cable, both units will definitely become active because they can't communicate with each other, hence both resume the active role.</P><P></P><P>It is recommended to connect the failover link to switch instead of using crossover cable because it is more difficult to troubleshoot if you are using crossover cable when it fails.</P><P></P><P>You can configure redundant interface to have a standby physical link for your failover link.</P><P>Here is the configuration guide for your reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1062296">http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1062296</A></P></BODY></HTML> Tue, 05 Jun 2012 14:58:56 GMT https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968084#M434815 Jennifer Halim 2012-06-05T14:58:56Z https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968085#M434816 <HTML><HEAD></HEAD><BODY><P>Thank you for the reply Jennifer.</P><P></P><P>I was reffering to the following document:</P><P><A class="active_link" href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405">http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405</A></P><P></P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" id="wp1091405table1091399" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); width: 80%; "><TBODY><TR align="left" valign="bottom"><TH scope="col" style="font-size: 14px;"><P style="color: #336666; margin: 0em; text-indent: 0em;">Failure Event</P></TH><TH scope="col" style="font-size: 14px;"><A name="wp1091417"></A><P style="color: #336666; margin: 0em; text-indent: 0em;">Policy</P></TH><TH scope="col" style="font-size: 14px;"><A name="wp1091419"></A><P style="color: #336666; margin: 0em; text-indent: 0em;">Active Action</P></TH><TH scope="col" style="font-size: 14px;"><A name="wp1091421"></A><P style="color: #336666; margin: 0em; text-indent: 0em;">Standby Action</P></TH><TH scope="col" style="font-size: 14px;"><A name="wp1091423"></A><P style="color: #336666; margin: 0em; text-indent: 0em;">Notes</P></TH> </TR><TR align="left" valign="top"><TD><A name="wp1091456"></A><P style="font-size: 12px; margin: 1px 0em 6px; text-indent: 0em;">Failover link failed during operation</P></TD><TD><A name="wp1091458"></A><P style="font-size: 12px; margin: 1px 0em 6px; text-indent: 0em;">No failover</P></TD><TD><A name="wp1091460"></A><P style="font-size: 12px; margin: 1px 0em 6px; text-indent: 0em;">Mark failover interface as failed</P></TD><TD><A name="wp1091462"></A><P style="font-size: 12px; margin: 1px 0em 6px; text-indent: 0em;">Mark failover interface as failed</P></TD><TD><A name="wp1091464"></A><P style="font-size: 12px; margin: 1px 0em 6px; text-indent: 0em;">You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.</P></TD></TR><TR align="left" valign="top"><TD><A name="wp1091476"></A><P style="font-size: 12px; margin: 1px 0em 6px; text-indent: 0em;">Stateful Failover link failed</P></TD><TD><A name="wp1091478"></A><P style="font-size: 12px; margin: 1px 0em 6px; text-indent: 0em;">No failover</P></TD><TD><A name="wp1091480"></A><P style="font-size: 12px; margin: 1px 0em 6px; text-indent: 0em;">No action</P></TD><TD><A name="wp1091482"></A><P style="font-size: 12px; margin: 1px 0em 6px; text-indent: 0em;">No action</P></TD><TD><A name="wp1091484"></A><P style="font-size: 12px; margin: 1px 0em 6px; text-indent: 0em;">State information becomes out of date, and sessions are terminated if a failover occurs.</P></TD></TR></TBODY></TABLE><P></P><P><SPAN style="color: #336666; font-size: 14px; font-family: Arial, Helvetica, sans-serif; "><STRONG><BR /></STRONG></SPAN></P><P></P><P>I think I should rephrase question 2) If I have two seperate links for Failover and Stateful failover, will that fix my problem?</P><P>How can I configure seperate Failover and Stateful failover links? If I understand correctly, they are more than just redundant links.</P><P></P><P>Sorry I didn't accurately phrase my original post.</P><P></P><P>Thank you</P></BODY></HTML> Tue, 05 Jun 2012 15:43:33 GMT https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968085#M434816 Ranil Herath 2012-06-05T15:43:33Z https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968086#M434817 <HTML><HEAD></HEAD><BODY><P>No, it won't fix your problem because the 2 are actually passing different types of information.</P><P>The failover link is to ensure that all the interfaces are up and there is no failure on either of the ASA.</P><P>The stateful failover link is to pass the firewall connection table, xlate table, VPN session, etc.</P><P></P><P>So if the failover link fails, then you are at the same stage as when you use just 1 interface for both failover and stateful failover link.</P><P></P><P>If you would like to separate the 2 anyway, you can configure it, just assign different interface and ip address for each failover links:</P><P>eg:</P><P>failover link <STATEFUL-LINK-INT-NAME> eth2</STATEFUL-LINK-INT-NAME></P><P>failover lan interface <FAILOVER-LINK-INT-NAME> eth3</FAILOVER-LINK-INT-NAME></P><P>failover interface ip <STATEFUL-LINK-INT-NAME> <IPADDRESS> <MASK> standby <STANDBYIP></STANDBYIP></MASK></IPADDRESS></STATEFUL-LINK-INT-NAME></P><P>failover interface ip <FAILOVER-LINK-INT-NAME> <IPADDRESS> <MASK> standby <STANDBYIP></STANDBYIP></MASK></IPADDRESS></FAILOVER-LINK-INT-NAME></P></BODY></HTML> Wed, 06 Jun 2012 02:55:46 GMT https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968086#M434817 Jennifer Halim 2012-06-06T02:55:46Z https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968087#M434818 <HTML><HEAD></HEAD><BODY><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Thank you Jennifer. I configured a Stateful link using the commands you mentioned.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Thought you might be interested to know that everything is now working as I expected! The ASAs do not failover when I unplug,</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">1) The Failover link</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">2) The Stateful failover link</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">3) Both Failover and Stateful failover links</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I had to reconfigure the Active and Standby IPs of the INSIDE and OUTSIDE interfaces. Now I can see the standby IPs assigned on the Standby ASA. Whereas earlier there were no IPs assigned to the INSIDE and OUTSIDE interfaces on the Standby ASA. This might have been a config replication problem over the Failover link.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">For anyone interested, the failover scenarios in<A href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681; text-decoration: none;">http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405</A>should work absolutely fine in an Active/Standby ASA HA config.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Cheers</P></BODY></HTML> Wed, 06 Jun 2012 12:15:13 GMT https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968087#M434818 Ranil Herath 2012-06-06T12:15:13Z https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968088#M434819 <HTML><HEAD></HEAD><BODY><P>Great, thanks for the update.</P></BODY></HTML> Wed, 06 Jun 2012 12:51:40 GMT https://community.cisco.com/t5/network-security/asa-active-standby-configuration/m-p/1968088#M434819 Jennifer Halim 2012-06-06T12:51:40Z