10-02-2018 01:51 PM - edited 02-21-2020 08:18 AM
Hi Pros,
I have 2 ASA firewalls in multiple-context mode, but the first context keeps getting stuck in Normal (Waiting):
00INFASA05/pri/act# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 516 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(2)38, Mate 9.8(2)38
Serial Number: Ours FCH1234J3CX, Mate FCH56787BCX
Group 1 last failover at: 10:37:30 UTC Oct 2 2018
Group 2 last failover at: 11:10:47 UTC Oct 1 2018
This host: Primary
Group 1 State: Active
Active time: 323 (sec)
Group 2 State: Active
Active time: 84725 (sec)
slot 0: ASA5555 hw/sw rev (3.1/9.8(2)38) status (Up Sys)
admin Interface management (172.27.0.235): Normal (Monitored)
DATACENTER Interface inside (172.16.254.1): Normal (Waiting)
DATACENTER Interface outside (172.16.254.17): Normal (Waiting)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
Other host: Secondary
Group 1 State: Standby Ready
Active time: 66 (sec)
Group 2 State: Standby Ready
Active time: 5544 (sec)
slot 0: ASA5555 hw/sw rev (1.0/9.8(2)38) status (Up Sys)
admin Interface management (172.27.0.236): Normal (Monitored)
DATACENTER Interface inside (172.16.254.2): Normal (Waiting)
DATACENTER Interface outside (172.16.254.18): Normal (Waiting)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
Stateful Failover Logical Update Statistics
Link : statelink GigabitEthernet1/5 (up)
Ping works fine:
00INFASA05/DATACENTER# ping 172.16.254.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.254.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
00INFASA05/DATACENTER# ping 172.16.254.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.254.18, timeout is 2 seconds:
!!!!!
The inside and outside interfaces are port-channel interfaces connected to N9K (ASA1-N9K1 and ASA2-N9K2):
Po10 inside and Po20 outside
00INFASA05/pri/act# sh port-channel summ
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 2
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+------------------------------------
10 Po10(U) LACP No Gi0/0(P) Gi0/1(P) Gi0/2(P) Gi 0/3(P)
20 Po20(U) LACP No Gi0/4(P) Gi0/5(P) Gi0/6(P) Gi 0/7(P)
Port-channel from N9K-2
00INFSWC04(config-if)# sh port-channel summ
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
b - BFD Session Wait
S - Switched R - Routed
U - Up (port-channel)
p - Up in delay-lacp mode (member)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
1 Po1(SU) Eth LACP Eth1/49(P) Eth1/50(P) Eth1/51(P)
Eth1/52(P)
2 Po2(SD) Eth LACP Eth1/53(D) Eth1/54(D)
10 Po10(SU) Eth LACP Eth1/2(P) Eth1/3(P) Eth1/4(P)
Eth1/5(P)
11 Po11(SD) Eth LACP Eth1/10(D)
20 Po20(SU) Eth LACP Eth1/6(P) Eth1/7(P) Eth1/8(P)
Eth1/9(P)
The problem is FHELLO packets from ASA-1 never reach the secondary ASA-2
fover_parse: send_msg_ifc(): 172.16.254.1->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.3->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.4->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.5->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.17->172.16.254.18 ifc 131075 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.19->172.16.254.18 ifc 131075 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.20->172.16.254.18 ifc 131075 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.21->172.16.254.18 ifc 131075 cmd FHELLO
The weird thing: I don't know why there are 4 IP addresses sending FHELLO messages.
With the capture command:
10: 10:48:30.282684 172.16.254.17 > 172.16.254.18: ip-proto-105, length 44
11: 10:48:30.282684 172.16.254.19 > 172.16.254.18: ip-proto-105, length 44
12: 10:48:30.282700 172.16.254.20 > 172.16.254.18: ip-proto-105, length 44
13: 10:48:30.282700 172.16.254.21 > 172.16.254.18: ip-proto-105, length
Never a response from peer.
The configured IPs are:
interface Port-channel10
description Interface Inside Contexto DATACENTER
nameif inside
security-level 100
ip address 172.16.254.1 255.255.255.240 standby 172.16.254.2
!
interface Port-channel20
description Interface Outside Contexto DATACENTER
nameif outside
security-level 0
ip address 172.16.254.17 255.255.255.240 standby 172.16.254.18
What I have done:
I have shut down 3 of 4 links in Po10 and Po20.
I have configured in N9K
Int Po10
switchport port type edge
int Po20
switchport port type edge
I have removed VLAN 890 and 891 from the peer-link between the N9Ks.
I have removed a link from the port-channel peer-link and used this link as a trunk port between N9K1-N9K2 with
switchport trunk allowed vlan 890,891
and N9K-1
spanning-tree vlan 890,891 priority root primary
and N9K-2
spanning-tree vlan 890,891 priority root secondary
No luck!!! Failover is still Normal (Waiting).
Management interface in admin context connected to IOS switch, looks fine:
admin Interface management (172.27.0.235): Normal (Monitored)
admin Interface management (172.27.0.236): Normal (Monitored)
Some advice will be appreciated...
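As an added example (not part of the original post), a small Python checker that walks "show failover" and "capture" output of the shape quoted above: it lists every monitored interface that is not in Normal (Monitored) and every failover hello stream (ip-proto-105) that never gets a hello back from the peer. The sample lines below are constructed to match the formats in the post.

```python
import re

# Constructed sample in the format of the "show failover" output above.
SHOW_FAILOVER = """\
This host: Primary
admin Interface management (172.27.0.235): Normal (Monitored)
DATACENTER Interface inside (172.16.254.1): Normal (Waiting)
DATACENTER Interface outside (172.16.254.17): Normal (Waiting)
Other host: Secondary
admin Interface management (172.27.0.236): Normal (Monitored)
DATACENTER Interface inside (172.16.254.2): Normal (Waiting)
DATACENTER Interface outside (172.16.254.18): Normal (Waiting)
"""

# Constructed capture lines; ip-proto-105 carries the ASA failover hellos.
# The inside pair is bidirectional here, the outside pair is one-way.
CAPTURE = """\
10: 10:48:30.282684 172.16.254.17 > 172.16.254.18: ip-proto-105, length 44
11: 10:48:30.282684 172.16.254.19 > 172.16.254.18: ip-proto-105, length 44
12: 10:48:31.100000 172.16.254.1 > 172.16.254.2: ip-proto-105, length 44
13: 10:48:31.100500 172.16.254.2 > 172.16.254.1: ip-proto-105, length 44
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+)")
IFC_RE = re.compile(r"^(\S+) Interface (\S+) \(([\d.]+)\): (\w+) \((\w+)\)")
CAP_RE = re.compile(r"^\d+: \S+ ([\d.]+) > ([\d.]+): ip-proto-105")

def waiting_interfaces(text):
    """Return (unit, context, nameif, ip) for each interface whose
    monitoring state is anything other than Monitored."""
    unit, out = None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            unit = m.group(2)      # Primary / Secondary
            continue
        m = IFC_RE.match(line)
        if m and m.group(5) != "Monitored":
            out.append((unit, m.group(1), m.group(2), m.group(3)))
    return out

def one_way_hellos(text):
    """Return (src, dst) pairs that sent a hello but never saw one coming back."""
    pairs = {m.groups() for m in map(CAP_RE.match, text.splitlines()) if m}
    return {(s, d) for s, d in pairs if (d, s) not in pairs}
```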
10-02-2018 02:18 PM
You need to consider vPC best-practice design with ASA cluster; I have attached a presentation which has some good examples to understand.
Hope that help you.
10-03-2018 02:48 PM
10-04-2018 12:09 AM
Glad it was resolved by itself.