I was wondering how to troubleshoot if failover happens on one of our firewalls. Let's say we've received alerts from the monitoring team. Normally what I'll do is:
1. ping both firewalls (primary & secondary) to make sure both of them are running.
2. try to access both firewalls
3. issue the show failover command to check the status of the firewall
4. issue the show version command to check uptime
5. issue the show log command to check log messages
What else should we do in order to find the root cause of the problem? Why did failover happen?
FW01 is alive
no answer from FW01-failover
FW01 up 1 hours 37 mins
FW01# sh fail
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 13:37:00 UTC Fri Jun 17 2010
This host: Primary - Active
Active time: 28005 (sec)
Interface outside (10.10.10.100): Normal (Waiting)
Interface inside (220.127.116.11): Normal (Waiting)
Interface failover (18.104.22.168): Link Down (Waiting)
Interface vpn (22.214.171.124): Normal (Waiting)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface intf5 (0.0.0.0): Link Down (Shutdown)
Other host: Secondary - Standby
Active time: 0 (sec)
Interface outside (10.10.10.99): Unknown (Waiting)
Interface inside (126.96.36.199): Unknown (Waiting)
Interface failover (188.8.131.52): Unknown (Waiting)
Interface vpn (184.108.40.206): Unknown (Waiting)
Interface intf4 (0.0.0.0): Unknown (Shutdown)
Interface intf5 (0.0.0.0): Unknown (Shutdown)
From what I've checked in this article (http://www.ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/Failover-Configuration-with-Failover-Cable.html):
Link Down means the interface line protocol is down
Unknown means an IP address isn't configured for the interface, so it can't determine the status
Waiting means monitoring of the other unit's network interface hasn't started yet
Here is the log message:
FW01# sh log
Syslog logging: enabled
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 25 messages logged
Trap logging: level informational, 9162 messages logged
Logging to inside 220.127.116.11
History logging: level notifications, 25 messages logged
Device ID: disabled
105002: (PIX) Enabling failover.
411001: Line protocol on Interface outside, changed state to up
411001: Line protocol on Interface vpn, changed state to up
502101: New user added to local dbase: Uname: admin Priv: 15 Encpass: xxxxxxxxxxx.
104001: (Primary) Switching to ACTIVE - no power detected from mate.
105007: (Primary) Link status 'Down' on interface intf5
105007: (Primary) Link status 'Down' on interface intf4
105006: (Primary) Link status 'Up' on interface vpn
105007: (Primary) Link status 'Down' on interface failover
105007: (Primary) Link status 'Down' on interface inside
105006: (Primary) Link status 'Up' on interface outside
105003: (Primary) Monitoring on interface vpn waiting
105003: (Primary) Monitoring on interface outside waiting
411001: Line protocol on Interface inside, changed state to up
105006: (Primary) Link status 'Up' on interface inside
105003: (Primary) Monitoring on interface inside waiting
502103: User priv level changed: Uname: adam From: 1 To: 15
111008: User 'adam' executed the 'enable' command.
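Added example (not from the original post or from Cisco): a small Python script that parses the two outputs shown above, "show failover" and "show log", and correlates them into a list of findings that point at the failover cause. The sample input is constructed from abbreviated copies of the post's own output; the syslog ID patterns it matches (104001 switch-to-active with reason, 105007 link down) are the ones visible in the post.

```python
"""Correlate PIX/ASA 'show failover' and 'show log' text to surface the likely
reason for a failover event.  Added example, not code from the thread."""
import re
from typing import Dict, List

# Constructed sample: abbreviated from the question's 'show failover' output.
SHOW_FAILOVER = """\
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 13:37:00 UTC Fri Jun 17 2010
This host: Primary - Active
Active time: 28005 (sec)
Interface outside (10.10.10.100): Normal (Waiting)
Interface inside (220.127.116.11): Normal (Waiting)
Interface failover (18.104.22.168): Link Down (Waiting)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Other host: Secondary - Standby
Active time: 0 (sec)
Interface outside (10.10.10.99): Unknown (Waiting)
Interface failover (188.8.131.52): Unknown (Waiting)
"""

# Constructed sample: a few syslog lines from the question's 'show log' output.
SHOW_LOG = """\
105002: (PIX) Enabling failover.
104001: (Primary) Switching to ACTIVE - no power detected from mate.
105007: (Primary) Link status 'Down' on interface intf4
105007: (Primary) Link status 'Down' on interface failover
105006: (Primary) Link status 'Up' on interface outside
"""

IFACE_RE = re.compile(r"Interface (\S+) \(([\d.]+)\): (.+?) \((\w+)\)")
HOST_RE = re.compile(r"(This|Other) host: (\w+) - (\w+)")
# 104001 carries the reason the unit took the ACTIVE role (seen in the post).
SWITCH_RE = re.compile(r"^(104001): \((\w+)\) Switching to (\w+) - (.+?)\.?$")
LINKDOWN_RE = re.compile(r"^105007: \((\w+)\) Link status 'Down' on interface (\S+)")


def parse_show_failover(text: str) -> Dict:
    """Return cable status, last failover time, each unit's role/state and a
    per-unit map of interface name -> (link status, monitoring state)."""
    state = {"cable_status": None, "last_failover": None, "units": {}}
    current = None                       # "This" or "Other", set by host lines
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cable status:"):
            state["cable_status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Last Failover at:"):
            state["last_failover"] = line.split(":", 1)[1].strip()
        elif m := HOST_RE.match(line):
            current = m.group(1)
            state["units"][current] = {"role": m.group(2), "state": m.group(3),
                                       "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            name, _ip, status, monitoring = m.groups()
            state["units"][current]["interfaces"][name] = (status, monitoring)
    return state


def assess(failover: Dict, log_text: str) -> List[str]:
    """Combine both outputs into findings: cable/power state, monitored
    interfaces that are down, and the reason logged for the role switch."""
    findings = []
    cable = (failover.get("cable_status") or "").lower()
    if "powered off" in cable:
        findings.append("cable: peer reported as powered off - check the "
                        "secondary unit's power supply and the failover cable")
    for unit, info in failover["units"].items():
        for name, (status, monitoring) in info["interfaces"].items():
            # Shutdown interfaces are expected to be down; skip them.
            if status == "Link Down" and monitoring != "Shutdown":
                findings.append(f"{unit} host ({info['role']}): monitored "
                                f"interface '{name}' is Link Down")
    for line in log_text.splitlines():
        if m := SWITCH_RE.match(line):
            findings.append(f"syslog {m.group(1)}: {m.group(2)} switched to "
                            f"{m.group(3)} because: {m.group(4)}")
        elif (m := LINKDOWN_RE.match(line)) and m.group(2) == "failover":
            findings.append(f"syslog 105007: {m.group(1)} saw the failover "
                            f"link go down")
    return findings


if __name__ == "__main__":
    parsed = parse_show_failover(SHOW_FAILOVER)
    print("Last failover:", parsed["last_failover"])
    for finding in assess(parsed, SHOW_LOG):
        print("-", finding)
```

Run against the post's output, the findings line up with each other: the cable status says the peer is powered off, the active unit's failover interface is Link Down, and syslog 104001 records that the primary went ACTIVE because it detected no power from its mate. When all three agree like this, the next place to look is the secondary unit's power and the failover cable rather than the data interfaces, which the log shows coming back up normally.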
You can also get the output of the following, which provides more detailed information on the failover status:
- show failover state
- show failover history
Here is the detailed explanation for your reference:
It also includes what each link status means for your reference.
Hope it helps.