My ASA5540 8.2.4(4) cannot monitor and fail over on certain interfaces

yao yu jiang
Level 1

The story is:

We configured

monitor interface inside

monitor interface outside

monitor interface partner

and saved the configuration.

But when I run show run monitor-interface,

the configuration does not show the 3 monitored interfaces; it only shows the other monitored interfaces, which can fail over, but not the above 3 interfaces. However, they are all shown as monitored interfaces in the ASDM configuration.

Here is the show version:

==================================

Cisco Adaptive Security Appliance Software Version 8.2(4)4
Device Manager Version 6.4(5)

Compiled on Thu 03-Mar-11 17:18 by builders
System image file is "disk0:/asa824-4-k8.bin"
Config file at boot was "startup-config"

dcm-lidc-fw1 up 9 days 18 hours
failover cluster up 16 days 20 hours

Hardware:   ASA5540, 2048 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

0: Ext: GigabitEthernet0/0  : address is 30e4.db7b.6f82, irq 9
1: Ext: GigabitEthernet0/1  : address is 30e4.db7b.6f83, irq 9
2: Ext: GigabitEthernet0/2  : address is 30e4.db7b.6f84, irq 9
3: Ext: GigabitEthernet0/3  : address is 30e4.db7b.6f85, irq 9
4: Ext: Management0/0       : address is 30e4.db7b.6f86, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Not used            : irq 5
7: Ext: GigabitEthernet1/0  : address is 30e4.db02.1f96, irq 255
8: Ext: GigabitEthernet1/1  : address is 30e4.db02.1f97, irq 255
9: Ext: GigabitEthernet1/2  : address is 30e4.db02.1f98, irq 255
10: Ext: GigabitEthernet1/3  : address is 30e4.db02.1f99, irq 255
11: Int: Internal-Data1/0    : address is 0000.0003.0002, irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 200      
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
Security Contexts              : 2        
GTP/GPRS                       : Disabled 
SSL VPN Peers                  : 2        
Total VPN Peers                : 5000     
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Enabled  
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled 

This platform has an ASA 5540 VPN Premium license.

==========Here is the show run monitor-interface; it does not show outside/inside/partner====================

-fw1# sh run monitor-interface
monitor-interface app
monitor-interface dmz
monitor-interface data
monitor-interface dev-app
monitor-interface dev-data
no monitor-interface management
-fw1#


-fw1(config)# sh run all | in monitor
banner motd *  This is a private and monitored system.      *
monitor-interface app
monitor-interface dmz
monitor-interface data
monitor-interface dev-app
monitor-interface dev-data
no monitor-interface management

===============Failover test=============

- Unplug the outside interface cable on the primary: the LED goes off, but failover does not happen.

- Unplug the cable on inside or partner: it still does not fail over.

- Only when I unplug the cable on one of the other monitored interfaces does it fail over.

=======clear config monitor-interface, then entered the monitor-interface command for all the interfaces and retested; again, same result=======


yao yu jiang
Level 1

More information:

The outside, inside, and partner interfaces are all physical interfaces.

Even after I enter

failover monitor-interface outside

failover monitor-interface inside

failover monitor-interface partner

when I show run,

the above 3 commands are not shown in the configuration.

But also, there is no warning message when I enter the command....

This is so weird.

In the ASDM, it again shows all 3 interfaces are monitored.

But it just won't fail over when those 3 monitored interfaces are link-down.

fw1# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 210 maximum
Version: Ours 8.2(4)4, Mate 8.2(4)4
Last Failover at: 15:44:00 EST Nov 24 2011
        This host: Secondary - Standby Ready
                Active time: 767625 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.2(4)4) status (Up Sys)
                  Interface outside (209.202.65.132): Normal
                  Interface inside (10.100.161.2): Normal
                  Interface app (10.100.171.2): Normal
                  Interface dmz (10.100.172.2): Normal
                  Interface data (10.100.173.2): Normal
                  Interface dev-app (10.100.174.2): Normal
                  Interface dev-data (10.100.175.2): Normal
                  Interface management (10.7.4.9): Failed (Not-Monitored)
                  Interface partner (10.100.160.14): Normal
                slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Primary - Active
                Active time: 77823 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.2(4)4) status (Up Sys)
                  Interface outside (209.202.65.131): Normal
                  Interface inside (10.100.161.1): Normal
                  Interface app (10.100.171.1): Normal
                  Interface dmz (10.100.172.1): Normal
                  Interface data (10.100.173.1): Normal
                  Interface dev-app (10.100.174.1): Normal
                  Interface dev-data (10.100.175.1): Normal
                  Interface management (10.7.4.8): Normal (Not-Monitored)
                  Interface partner (10.100.160.13): Normal
                slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet1/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         1001073    0          443701     25       
        sys cmd         194284     0          194283     0        
        up time         0          0          0          0        
        RPC services    0          0          0          0        
        TCP conn        262196     0          45389      2        
        UDP conn        342196     0          47480      3        
        ARP tbl         202397     0          156529     20       
        Xlate_Timeout   0          0          0          0        
        IPv6 ND tbl     0          0          0          0        
        VPN IKE upd     0          0          10         0        
