topic ASA failover - 'failover' command caused active to switchover in Network Security

ASA failover - 'failover' command caused active to switchover

marcus.glover — Mon, 11 Mar 2019 21:25:37 GMT

Hey everyone,

I'm setting up an ASA HA pair with active/standby mode.

I had entered the commands below, and the last step was to enable failover on the primay with the 'failover' command.

When I entered this, I lost connectivity to the Primary firewall, and needed to reboot to restore access.

My understanding is that entering 'failover' should only enable the failover service, which should then have proceeded to form a HA pair and copy the config from the Primary to Seondary firewall. Why did it (apparently) cause it to failover?

(Primary)

no failover <<-- Prior to issuing failover command

failover lan unit primary

failover lan interface failover Ethernet0/3

failover link failover Ethernet0/3

failover interface ip failover 192.168.0.1 255.255.255.0 standby 192.168.0.2

(Secondary)

failover

failover lan unit secondary

failover lan interface failover Ethernet0/3

failover link failover Ethernet0/3

failover interface ip failover 192.168.0.1 255.255.255.0 standby 192.168.0.2

ASA failover - 'failover' command caused active to switchover

Jennifer Halim — Fri, 16 Sep 2011 01:29:56 GMT

It really depends on which unit was the Active firewall, and base on the config, secondary unit has failover turns on, and when you turn on the failover on primary unit, it will perform the check on which should be the Active unit, and since the secondary unit has failover enabled and was probably the active unit, by enabling failover on primary unit, the active firewall will become the primary unit, hence you lost connectivity to the "Active" unit. You should be able to reconnect to the "Active" unit again. The interface ip address follows the Active unit, ie: does not stay with Primary unit, so whichever is the Active unit, the interface ip address will follow the unit.

Also, you would need to ensure that ethernet0/3 is not shutdown and synchronization and failover status update is happening between the 2 units.

What is the status of the failover now? which unit is the active unit?

ASA failover - 'failover' command caused active to switchover

marcus.glover — Fri, 16 Sep 2011 01:46:33 GMT

Hi Jennifer,

The secondary firewall had no config apart from what is listed above. That is, it didn't have any IP addresses configured save for the failover interface. Because it hadn't ever formed a HA pair with the Primary, the Secondary unit never received a copy of the config to derive its IP addresses.

So basically I was connected to the Primary (and not Active) unit. What I expected to happen was for the Primary to become Active, and then synch the config with the Secondary. After I had lost connectivity to the Primary for about 5 minutes, however, I realised that something had gone amiss with the Primary.

At the moment, I have the same state as listed in the config above, i.e. the Primary has 'no failover' within its config (After the reboot it reverted to this). The Secondary has a blank config apart from the failover commands also listed above (and a no shut of the e0/3 port). I could also ping between 192.168.0.1 and 192.168.0.2 prior to issuing the failover command.

ASA failover - 'failover' command caused active to switchover

Jennifer Halim — Fri, 16 Sep 2011 02:03:57 GMT

Hi Marcus,

Might be best to console to both primary and secondary when you turn on the failover, and check the status of the failover after it is enabled. It's a little difficult to guess what is happening when you have no access to check the status on the unit. In theory, you are right, the primary should become the Active unit if nothing is configured on the secondary unit. Are any interfaces on secondary unit connected to the network apart from e0/3? And i am also assuming that you have configured standby ip address within your interface configuration? If no standby ip address is configured and secondary unit interfaces are not connected to the network, the failover will declare that secondary unit has failed instead of in standby status.

ASA failover - 'failover' command caused active to switchover

marcus.glover — Sun, 18 Sep 2011 23:46:48 GMT

Hi Jennifer,

The devices are currently in a different geography to me, them being in HK and myself in Sydney - i've asked the local support to connect console access via VNC so I can see what is going on as you suggest.

Regarding the secondary firewall, it has an outside and inside interface like the primary, which are patched into the local LAN on the same VLANS as the primary outside/inside interfaces. There is no configuration on the secondary interfaces apart from a 'no shut' on the interfaces themselves. Regarding the standby ip addresses, these are configured on the primary unit for both inside/outside interfaces.

ASA failover - 'failover' command caused active to switchover

Jennifer Halim — Mon, 19 Sep 2011 07:18:07 GMT

Great, thanks for the update. Let us know how it goes when the local support has console access.

ASA failover - 'failover' command caused active to switchover

marcus.glover — Sat, 24 Sep 2011 02:36:17 GMT

Jennifer,

I made the changes to get this working today, some points of interest

1) When the 'failover' command is issues on a the primary device (configured with 'failover lan unit primary'), if the other device is 'active' then it is the 'active' device config which is copied across. I'm lucky I had console access here, becuase the config was basically copied from the 'standby' ASA to the 'primary' ASA because the 'standby' ASA was considered the 'active' one.

2) I tried entering the 'failover active' command to force the primary to become active, but this did not work

3) To get things working, i need to

Disable failover on the secondary 'no failover'
Enable failover on the primary 'failover'
Re-enable failover on the secondary 'failover'

I suppose the rationale behind this functionality is that the 'active' firewall config is always copied between the firewalls. However, it should then be noted that if you are deploying an active/standby pair for the first time, you should definitely DISABLE failover on the secondary first before connecting them together.