Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1134
Views
0
Helpful
1
Replies

ASA 5516-x failover pair - member replacement

patchsurfer
Level 1
Level 1

‎11-13-2018 06:20 PM - edited ‎02-21-2020 08:28 AM

Morning / evening,

 

One of my ASA 5516-Xs has fallen victim to the timing chip bug and is now a happy boat anchor in the network cabinet.  I have a replacement unit, got it to the same ASA and ASDM versions but running into a little bit of a brick wall when it comes to finding out how to replace this unit in this configuration.  

The difference between my config and what I can find on the interwebs are that my failover interfaces are configured on sub-interfaces:

 

interface GigabitEthernet1/8.88
description LAN Failover Interface
vlan 88
!
interface GigabitEthernet1/8.92
description STATE Failover Interface
vlan 92

 

 

vpn(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet1/8.88 (Failed - No Switchover)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.6(4)5, Mate 9.6(4)5
Serial Number: Ours JAD20380175, Mate JAD19500EC3
Last Failover at: 05:25:47 NZST Jul 5 2018
This host: Secondary - Active
Active time: 11436843 (sec)
slot 1: ASA5516 hw/sw rev (1.1/9.6(4)5) status (Up Sys)
Interface outside (203.97.10.21): Normal (Waiting)
Interface inside (192.168.163.81): Normal (Waiting)
slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)
ASA FirePOWER, 5.4.1-211, Up, (Monitored)
Other host: Primary - Failed
Active time: 10278752 (sec)
slot 1: ASA5516 hw/sw rev (1.0/9.6(4)5) status (Unknown/Unknown)
Interface outside (0.0.0.0): Unknown (Waiting)
Interface inside (192.168.163.82): Unknown (Monitored)
slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Unknown/Unknow n)
ASA FirePOWER, 5.4.1-211, Unknown, (Monitored)

 

I've added the subinterfaces and vlans on the replacement primary unit and assigned the failover address, but I'm pretty sure I'm missing a large chunk of what I need to be doing.

 

Any help very gratefully appreciated.

0 Helpful
1 Reply 1

k.nandakumar
Level 1
Level 1

‎11-13-2018 09:43 PM

Have you configure IP address on the failover interface and failover key if its configured original ?

Once you configured the Primary unit with failover config,

Check 1: On Active (Secondary) Unit, try pinging standby failover IP. 

Check 2: On Standby (Primary) Unit, try ping failover active IP.  

 

Can you share below info for troubleshooting ?

Show run failover  (on both unit output) 

debug failover logs 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card