ASA 5515 Failover: Interface Unknown (Waiting)

Hi all,

I have two ASA 5515 configured as active / standby.

I configured the failover and I checked for proper operation. But when I configured access rules and NAT, I realized that the failover does not work anymore: two interfaces, inside and outside, are "Unknown (Waiting)". The other LAN interface and management are "Normal (Monitored)".

Here is the show failover command output.

Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
failover replication http
Version: Ours 8.6(1), Mate 8.6(1)
Last Failover at: 13:35:07 CEDT Aug 10 2012
        This host: Primary - Active
                Active time: 241180 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys
                  Interface Internal (192.168.10.251): Unknown (Waiti
                  Interface WAN-Infostrada (151.14.163.181): Unknown
                  Interface Radio (193.168.1.148): Normal (Waiting)
                  Interface management (192.168.1.1): Normal (Monitor
                slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive
        Other host: Secondary - Standby Ready
                Active time: 443 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys
                  Interface Internal (0.0.0.0): Unknown (Waiting)
                  Interface WAN-Infostrada (0.0.0.0): Unknown (Waitin
                  Interface Radio (0.0.0.0): Unknown (Waiting)
                  Interface management (0.0.0.0): Normal (Monitored)
                slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive

Stateful Failover Logical Update Statistics
        Link : Failover GigabitEthernet0/5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         9319463    0          46801      1
        sys cmd         32215      0          32215      0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        1977416    0          2878       1
        UDP conn        4913767    0          6891       0
        ARP tbl         2396065    0          4817       0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       19      47330
        Xmit Q:         0       30      9602866

Is it possible that some access rule denies the communication between the two ASAs?

What other reason could I try?

Thanks in advance for your answer


Hi Bro

I believe there are 3 reasons as to why you're facing this issue:

a) your standby IP address configuration is all wrong.

b) both the LAN switches connected to the various interfaces you've mentioned above are perhaps not configured properly.

If you could paste your latest config here, and a physical diagram of the FWs and switches, I guess everyone here can help.

Warm regards,
Ramraj Sivagnanam Sivajanam

NAT and ACLs don't have any influence on the failover-functionality. Have you configured the standby-ip-addresses in the interface-config? And paste at least the interface-configs and the output of "show run failover".

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

When I performed the tests I didn't configure the secondary IP on any interface and the failover worked.

I configured the failover interface using the same dedicated interface for "LAN Failover" and "State Failover" (connected with a crossover cable).

Here is the diagram of connections.

This is the result of the sh run failover:

failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/5
failover key *****
failover replication http
failover link Failover GigabitEthernet0/5
failover interface ip Failover 172.16.254.1 255.255.255.0 standby 172.16.254.2

This is the result of the sh run interface:

interface GigabitEthernet0/0
 nameif Internal
 security-level 100
 ip address 192.168.10.251 255.255.255.0
!
interface GigabitEthernet0/1
 nameif WAN-Infostrada
 security-level 0
 ip address
!
interface GigabitEthernet0/2
 nameif Radio
 security-level 50
 ip address 193.168.1.148 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

The management interface and the interface named "Radio" don't have a secondary IP but the status is "Normal".

Should I try to configure a secondary IP on all interfaces? For the internal interface there isn't a problem, but the WAN interface has a public IP configured; how do I set a secondary IP on this interface?

If you don't have a secondary IP from the ISP, you can leave it as it is. Failover will work properly unless you are using a dynamic routing protocol on the ASA. Regarding the Unknown state, it is normal because the other ASA does not have an IP address to source the failover packets from.

Hope that helps

Zubair

Dear,

When you turn on failover on ASA devices, by default it monitors all physical interfaces.

By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled.

Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface or VLAN is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

To disable monitoring on a specific interface, you can configure the command below on your ASA device.

Syntax: no monitor-interface if_name

In our scenario: no monitor-interface WAN-Infostrada

Look into the link below for more detail:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

HTH

Thks

Santhosh Sarav

HTH Regards Santhosh Saravanan
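As an added example (not code from any poster in this thread), a small Python check that parses the interface lines of a "show failover" output like the ones pasted above and applies the explanations from Zubair and Santhosh: an interface whose mate reports 0.0.0.0 has no standby address to source hellos from, so it can never reach "Normal (Monitored)", and the options are a standby address (the ASA "ip address ... standby ..." interface form) or "no monitor-interface". The sample text is constructed from the thread's second output with the public IP masked.

```python
import re
# Constructed sample, modelled on the thread's second "show failover" output
SAMPLE = """\
    This host: Primary - Active
          Interface Internal (192.168.10.251): Normal (Monitored)
          Interface WAN-Infostrada (151.X.X.X): Normal (Waiting)
          Interface Radio (193.168.1.148): Normal (Waiting)
          Interface management (192.168.1.1): Normal (Monitored)
    Other host: Secondary - Standby Ready
          Interface Internal (192.168.10.252): Normal (Monitored)
          Interface WAN-Infostrada (0.0.0.0): Normal (Waiting)
          Interface Radio (0.0.0.0): Normal (Waiting)
          Interface management (192.168.1.2): Normal (Monitored)
"""
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]+)\): (.+?)\s*$")

def parse_failover(text):
    """Map interface name -> {'this': (ip, status), 'other': (ip, status)}."""
    host, result = None, {}
    for line in text.splitlines():
        if "This host:" in line:
            host = "this"
        elif "Other host:" in line:
            host = "other"
        m = IFACE_RE.match(line)
        if m and host:
            name, ip, status = m.groups()
            result.setdefault(name, {})[host] = (ip, status)
    return result

def audit(text):
    """(name, this_status, other_status, reason, fix) for each interface not Normal (Monitored) on both units."""
    findings = []
    for name, sides in sorted(parse_failover(text).items()):
        this_ip, this_status = sides.get("this", ("?", "?"))
        other_ip, other_status = sides.get("other", ("?", "?"))
        if this_status == other_status == "Normal (Monitored)":
            continue
        if other_ip == "0.0.0.0":
            # Mate has no address on this interface, so it cannot send hellos: stays Waiting
            reason = "no standby IP on this interface"
            fix = (f"ip address {this_ip} <mask> standby <standby-ip>"
                   f"  (or: no monitor-interface {name})")
        else:
            reason = "hellos not seen by both units"
            fix = "check the switch/VLAN path between the two units"
        findings.append((name, this_status, other_status, reason, fix))
    return findings

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

Interfaces left in Waiting are not just cosmetic: as Karsten notes later in the thread, link problems on them will not trigger a failover, so the report is worth feeding into routine HA health checks.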

Thanks to all.

I'm trying to free the ip that I need.

Why are the management interface and the interface "Radio" Normal even without the secondary IP?

I put the secondary IP on the internal and management interfaces. Now they are Normal (Monitored).

Here is the output of sh failover.

Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
failover replication http
Version: Ours 8.6(1), Mate 8.6(1)
Last Failover at: 13:35:07 CEDT Aug 10 2012
    This host: Primary - Active
        Active time: 319708 (sec)
        slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys)
          Interface Internal (192.168.10.251): Normal (Monitored)
          Interface WAN-Infostrada (151.X.X.X): Normal (Waiting)   //here is the correct ip
          Interface Radio (193.168.1.148): Normal (Waiting)
          Interface management (192.168.1.1): Normal (Monitored)
        slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive/Up)
    Other host: Secondary - Standby Ready
        Active time: 443 (sec)
        slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys)
          Interface Internal (192.168.10.252): Normal (Monitored)
          Interface WAN-Infostrada (0.0.0.0): Normal (Waiting)
          Interface Radio (0.0.0.0): Normal (Waiting)
          Interface management (192.168.1.2): Normal (Monitored)
        slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive/Up)

After disabling and re-enabling the WAN and Radio interfaces, they are "Normal (Waiting)".

What can I do to the interface where I can not put a secondary ip (WAN and Radio)?

What can I do to the interface where I can not put a secondary ip (WAN and Radio)?

Just leave it that way. Failover will still work, but you won't detect link problems between your two ASAs on that particular interface.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I did some tests and everything works great!

Unfortunately I can not monitor the status of the WAN interface because I can not set a secondary ip.

Thanks to all.

Dear friend,

OK, I understand, but it works fine without configuring the standby IP address too, right?

What's the benefit of putting a standby address?
