ASA Multiple context failover normal (waiting)

erickflamenco (Level 1)

Hi Pros,

I have 2 ASA firewalls in multiple-context mode, but the first context stays stuck in Normal (Waiting):

00INFASA05/pri/act# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 516 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(2)38, Mate 9.8(2)38
Serial Number: Ours FCH1234J3CX, Mate FCH56787BCX
Group 1 last failover at: 10:37:30 UTC Oct 2 2018
Group 2 last failover at: 11:10:47 UTC Oct 1 2018

This host: Primary
Group 1 State: Active
Active time: 323 (sec)
Group 2 State: Active
Active time: 84725 (sec)

slot 0: ASA5555 hw/sw rev (3.1/9.8(2)38) status (Up Sys)
admin Interface management (172.27.0.235): Normal (Monitored)
DATACENTER Interface inside (172.16.254.1): Normal (Waiting)
DATACENTER Interface outside (172.16.254.17): Normal (Waiting)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)

Other host: Secondary
Group 1 State: Standby Ready
Active time: 66 (sec)
Group 2 State: Standby Ready
Active time: 5544 (sec)

slot 0: ASA5555 hw/sw rev (1.0/9.8(2)38) status (Up Sys)
admin Interface management (172.27.0.236): Normal (Monitored)
DATACENTER Interface inside (172.16.254.2): Normal (Waiting)
DATACENTER Interface outside (172.16.254.18): Normal (Waiting)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)

Stateful Failover Logical Update Statistics
Link : statelink GigabitEthernet1/5 (up)

 

Ping works fine:

00INFASA05/DATACENTER# ping 172.16.254.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.254.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
00INFASA05/DATACENTER# ping 172.16.254.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.254.18, timeout is 2 seconds:
!!!!!

 

The inside and outside interfaces are port-channel interfaces connected to the N9Ks (ASA1-N9K1 and ASA2-N9K2).

 

Po10 inside and Po20 outside:

 

00INFASA05/pri/act# sh port-channel summ
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 2
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+------------------------------------
10 Po10(U) LACP No Gi0/0(P) Gi0/1(P) Gi0/2(P) Gi 0/3(P)
20 Po20(U) LACP No Gi0/4(P) Gi0/5(P) Gi0/6(P) Gi 0/7(P)

 

Port-channel from N9K-2:

00INFSWC04(config-if)# sh port-channel summ
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
b - BFD Session Wait
S - Switched R - Routed
U - Up (port-channel)
p - Up in delay-lacp mode (member)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
1 Po1(SU) Eth LACP Eth1/49(P) Eth1/50(P) Eth1/51(P)
Eth1/52(P)
2 Po2(SD) Eth LACP Eth1/53(D) Eth1/54(D)
10 Po10(SU) Eth LACP Eth1/2(P) Eth1/3(P) Eth1/4(P)
Eth1/5(P)
11 Po11(SD) Eth LACP Eth1/10(D)
20 Po20(SU) Eth LACP Eth1/6(P) Eth1/7(P) Eth1/8(P)
Eth1/9(P)

 

The problem is that FHELLO packets from ASA-1 never reach the secondary ASA-2:

 

fover_parse: send_msg_ifc(): 172.16.254.1->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.3->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.4->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.5->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.17->172.16.254.18 ifc 131075 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.19->172.16.254.18 ifc 131075 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.20->172.16.254.18 ifc 131075 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.21->172.16.254.18 ifc 131075 cmd FHELLO

 

The weird thing: I don't know why there are 4 IP addresses sending FHELLO messages.

With the capture command:

10: 10:48:30.282684 172.16.254.17 > 172.16.254.18: ip-proto-105, length 44
11: 10:48:30.282684 172.16.254.19 > 172.16.254.18: ip-proto-105, length 44
12: 10:48:30.282700 172.16.254.20 > 172.16.254.18: ip-proto-105, length 44
13: 10:48:30.282700 172.16.254.21 > 172.16.254.18: ip-proto-105, length

Never a response from peer.

The configured IPs are:

interface Port-channel10
description Interface Inside Contexto DATACENTER
nameif inside
security-level 100
ip address 172.16.254.1 255.255.255.240 standby 172.16.254.2
!
interface Port-channel20
description Interface Outside Contexto DATACENTER
nameif outside
security-level 0
ip address 172.16.254.17 255.255.255.240 standby 172.16.254.18

 

What I have done:

I have shut down 3 of the 4 links in Po10 and Po20.

I have configured on the N9K:

int Po10
spanning-tree port type edge

int Po20
spanning-tree port type edge

I have removed VLANs 890 and 891 from the peer-link between the N9Ks.

I have removed a link from the peer-link port-channel and used this link as a trunk port between N9K1 and N9K2 with

switchport trunk allowed vlan 890,891

and on N9K-1

spanning-tree vlan 890,891 root primary

and on N9K-2

spanning-tree vlan 890,891 root secondary

No luck!!! Failover is still Normal (Waiting).

The management interface in the admin context, connected to an IOS switch, looks fine:

 

admin Interface management (172.27.0.235): Normal (Monitored)

admin Interface management (172.27.0.236): Normal (Monitored)

 

Some advice would be appreciated...
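
As an added triage helper (this is example code written for this page, not from the original poster or from Cisco), the script below parses the two outputs shared above, the `show failover` interface lines and the `capture` lines, and reports (a) interfaces whose monitoring is stuck in Waiting, (b) whether failover hellos (IP protocol 105) were seen in both directions for each interface pair, and (c) hello source addresses that belong to neither unit's configured interface IPs. The sample text is constructed from the output in the post; the regular expressions assume the line layout shown there, and the Primary/Secondary pairing assumes the "This host"/"Other host" labels as printed.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the "show failover" interface lines in the post.
SHOW_FAILOVER = """\
This host: Primary
Group 1 State: Active
slot 0: ASA5555 hw/sw rev (3.1/9.8(2)38) status (Up Sys)
admin Interface management (172.27.0.235): Normal (Monitored)
DATACENTER Interface inside (172.16.254.1): Normal (Waiting)
DATACENTER Interface outside (172.16.254.17): Normal (Waiting)
Other host: Secondary
Group 1 State: Standby Ready
slot 0: ASA5555 hw/sw rev (1.0/9.8(2)38) status (Up Sys)
admin Interface management (172.27.0.236): Normal (Monitored)
DATACENTER Interface inside (172.16.254.2): Normal (Waiting)
DATACENTER Interface outside (172.16.254.18): Normal (Waiting)
"""

# Constructed sample, shaped like the "capture" lines in the post
# (ip-proto-105 is the ASA failover hello protocol).
CAPTURE = """\
10: 10:48:30.282684 172.16.254.17 > 172.16.254.18: ip-proto-105, length 44
11: 10:48:30.282684 172.16.254.19 > 172.16.254.18: ip-proto-105, length 44
12: 10:48:30.282700 172.16.254.20 > 172.16.254.18: ip-proto-105, length 44
13: 10:48:30.282700 172.16.254.21 > 172.16.254.18: ip-proto-105, length 44
"""

HOST_RE = re.compile(r"^(?:This|Other) host: (?P<unit>\w+)$")
IFC_RE = re.compile(
    r"^(?P<ctx>\S+) Interface (?P<name>\S+) \((?P<ip>[\d.]+)\): "
    r"(?P<state>\w+) \((?P<monitor>\w+)\)$"
)
CAP_RE = re.compile(r"^\d+: \S+ (?P<src>[\d.]+) > (?P<dst>[\d.]+): ip-proto-105\b")


def parse_show_failover(text):
    """One dict per 'Interface' line, tagged with the unit (Primary/Secondary) it belongs to."""
    unit, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            unit = m.group("unit")
            continue
        m = IFC_RE.match(line)
        if m:
            rows.append(dict(unit=unit, **m.groupdict()))
    return rows


def waiting_interfaces(rows):
    """Interfaces whose monitoring never completed: anything other than '(Monitored)'."""
    return [(r["unit"], r["ctx"], r["name"], r["ip"]) for r in rows if r["monitor"] != "Monitored"]


def hello_directions(capture_text):
    """Count failover hello packets per (src, dst) address pair."""
    counts = defaultdict(int)
    for line in capture_text.splitlines():
        m = CAP_RE.match(line)
        if m:
            counts[(m.group("src"), m.group("dst"))] += 1
    return dict(counts)


def hello_symmetry(rows, counts):
    """For each (context, interface) present on both units, return
    (hellos primary->secondary, hellos secondary->primary). A non-zero first
    value with a zero second value is the one-way pattern behind Normal (Waiting)."""
    ips = defaultdict(dict)
    for r in rows:
        ips[(r["ctx"], r["name"])][r["unit"]] = r["ip"]
    report = {}
    for key, by_unit in ips.items():
        if {"Primary", "Secondary"} <= set(by_unit):
            p, s = by_unit["Primary"], by_unit["Secondary"]
            report[key] = (counts.get((p, s), 0), counts.get((s, p), 0))
    return report


def unexpected_sources(rows, counts):
    """Hello source addresses that belong to neither unit's configured interface IPs."""
    configured = {r["ip"] for r in rows}
    return {src for (src, _dst) in counts if src not in configured}


if __name__ == "__main__":
    rows = parse_show_failover(SHOW_FAILOVER)
    counts = hello_directions(CAPTURE)
    for w in waiting_interfaces(rows):
        print("waiting:", w)
    for key, (fwd, rev) in hello_symmetry(rows, counts).items():
        print("hellos %s/%s: %d primary->secondary, %d back" % (key[0], key[1], fwd, rev))
    print("unexpected hello sources:", sorted(unexpected_sources(rows, counts)))
```

Normal (Waiting) on a monitored interface means the unit sees the link as up but has not yet received a failover hello from the peer's corresponding interface address, so a capture with hellos leaving and none returning, as in the post, is exactly the pattern `hello_symmetry` flags. The addresses `unexpected_sources` reports are the ones to compare against every context's interface configuration before blaming the switch path.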

 

 

 


3 Replies

balaji.bandi (Hall of Fame)

You need to consider the vPC best-practice design with ASA cluster; I have attached a presentation which has some good examples to help you understand.

Hope that helps you.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

erickflamenco (Level 1) - Accepted Solution
Hi Community,

Problem was solved reloading both ASAs.
Now looks fine!!!
Group 1 last failover at: 08:34:44 UTC Oct 3 2018
Group 2 last failover at: 08:36:21 UTC Oct 3 2018

This host: Primary
Group 1 State: Active
Active time: 1418 (sec)
Group 2 State: Standby Ready
Active time: 96 (sec)

slot 0: ASA5555 hw/sw rev (3.1/9.8(2)38) status (Up Sys)
admin Interface management (172.27.0.235): Normal (Monitored)
DATACENTER Interface inside (172.16.254.1): Normal (Monitored)
DATACENTER Interface outside (172.16.254.17): Normal (Monitored)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)

Best Regards

Glad it was resolved by itself.

BB
