Solved: Standby-ASA in a failover has no ip address on port-channels

mcgiga · ‎09-26-2024

I have two Secure Firewalls (running ASA code) in a active/standby failover. Failover is working.

These intefaces are present:

E1/5.100 -> Management VLAN
Port-Channel1.50 -> Transit Network VLAN to core switch
Port-Channel2.150 -> WAN1 VLAN, to a switch in front of the firewall
Port-Channel2.155 -> WAN2 VLAN, to a switch in front of the firewall

Active unit is working as expected. The standby unit has on three interfaces the ip address 0.0.0.0.

This host: Primary - Active
Active time: 911 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.10): Normal (Not-Monitored)
Interface Transit-Net (192.168.100.1): Normal (Not-Monitored)
Interface WAN1 (10.10.10.10): Normal (Not-Monitored)
Interface WAN2 (20.20.20.20): Normal (Not-Monitored)

Other host: Secondary - Standby Ready
Active time: 562 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.11): Normal (Not-Monitored)
Interface Transit-Net (0.0.0.0): Normal (Not-Monitored)
Interface WAN1 (0.0.0.0): Normal (Not-Monitored)
Interface WAN2 (0.0.0.0): Normal (Not-Monitored)

Only the management interface has a standby ip address assigned. I guess this is the reason for it.

IP addresses of wan interfaces are public networks (/29) from each ISP (10.10.10.10, 20.20.20.20).

How do I "fix" this issue without needing a standby ip address?

MHM Cisco World · ‎09-27-2024

There is something wrong here,

I will check if you can use subinterface for failover and state-link

Maybe Mr. @Aref Alsouqi can confirm if we can do that.

Can you try use interface not subinterface?

MHM

View solution in original post

Aref Alsouqi · ‎09-27-2024

Yeah it doesn't seem to work for some reason. Using subinterfaces for failover links should be fine as long as the physical interface is not being used for any data traffic. Could you please share the output of "sho run int eth1/7" for review? Also, could you please share the secondary firewall failover configs for review?

Interestingly you have configured the subnets 192.168.50.0/30 and 192.168.60.0/30 for the failover links, but the subinterfaces eth1/7.110 and eth1/7.120 are showing totally different IP addresses!

Also, how these firewalls are connected to each other on interface eth1/7? directly or via a switch?

View solution in original post

MHM Cisco World · ‎09-26-2024

At least config inside interface of standby with IP

And the interface in standby without IP disable it monitor.

MHM

mcgiga · ‎09-26-2024

> At least config inside interface of standby with IP

I don't understand that, sorry.

> And the interface in standby without IP disable it monitor.

But it's already "not monitored". Maybe I don't understand again.

MHM Cisco World · ‎09-26-2024

Why you not assign IP to interface "Transit-Net"??

For monitor

no monitor-interface <wan interface>

mcgiga · ‎09-26-2024

> Why you not assign IP to interface "Transit-Net"??

Then in a failover case the transit-net i. e. has 192.168.100.3. The static route from the core switch on the other side still points to 192.168.100.1 as this is the gateway to reach 0.0.0.0. In failover the route would fail.

> no monitor-interface <wan interface>

These interfaces are already not monitored. When I issue "no monitor-interface WAN1" nothing changes.

sh run all monitor-interface:
no monitor-interface WAN1

As far as I understand, when interfaces are monitored and one of them fails it will trigger the failover from active to standby unit. But I don't know what his has to do with the missing ip addresses (0.0.0.0). Sub interfaces don't have a standby ip address.

MHM Cisco World · ‎09-26-2024

> Why you not assign IP to interface "Transit-Net"??

Then in a failover case the transit-net i. e. has 192.168.100.3. The static route from the core switch on the other side still points to 192.168.100.1 as this is the gateway to reach 0.0.0.0. In failover the route would fail. <<- the static route always must point to active interface IP, the standby need IP for monitoring only.

For second point after add command I shared check show failover

MHM

mcgiga · ‎09-26-2024

<<- the static route always must point to active interface IP, the standby need IP for monitoring only.

So standby ip address can be any and doesn't have to be in the same subnet?
Transit-Net, i. e.
Active: 192.168.100.1; Standby 192.168.200.10 ?

>> For second point after add command I shared check show failover

I don't understand.

MHM Cisco World · ‎09-26-2024

So standby ip address can be any and doesn't have to be in the same subnet?
Transit-Net, i. e.
Active: 192.168.100.1; Standby 192.168.200.10 ? <<- no it must be in same subnet so use 192.168.100.10

For second point

Share

Show failover status

MHM

mcgiga · ‎09-26-2024

On transit-net that would be possible. But what about the ISP interfaces? On each of them we have 5 useable ip addresses.
If I assign i. e. on WAN1 interface 10.10.10.11 as standby ip address (active is 10.10.10.10), then the address is in use on the standby unit.

For example if we have incoming connections from WAN on 10.10.10.10 then in case of asa failover this ip address isn't useable because it is active on the failed asa and the current active asa would have 10.10.10.11.

MHM Cisco World · ‎09-26-2024

for optimal config you need IP for each standby interface but that not mandatory
so for both Wan (wan1/wan2) interface in standby you can not assign IP to interfaces
MHM

mcgiga · ‎09-26-2024

But when I don't assign a standby ip address on each wan interface then in failover case there is no connection from the inside VLANs through transit-net to 0.0.0.0 (wan). The ISP routers on the switch in front of the firewall are not reachable because both wan interfaces have the ip address 0.0.0.0.

And I guess the same would happen to transit-net. When it has 192.168.100.2 (standby) the earlier mentioned route from the core is still pointing to 192.168.100.1, but this ip address is not available on the new active asa in failover case.

MHM Cisco World · ‎09-26-2024

The traffic will pass via active and you already have IP in Wan interface in active unit.

MHM

mcgiga · ‎09-26-2024

I don't think so.

Active ASA unit has 10.10.10.10 on WAN1, 20.20.20.20 on WAN2. When active unit fails the second unit has 0.0.0.0 on WAN1 and WAN2. ISP router of WAN1 is 10.10.10.9, WAN2 20.20.20.9.

SInce both WAN interfaces have 0.0.0.0 in failover case I can't reach 10.10.10.9 and 20.20.20.9. I have already tested that.

Because of that I wrote this posting to find a workaround for 0.0.0.0.

MHM Cisco World · ‎09-26-2024

When active unit failed the standby use IP of failed active unit so it will have IP

Check show failover status in standby and you will see it have IP

What make issue here is SW not update mac fastly

MHM

mcgiga · ‎09-26-2024

When standby unit was active these interfaces had 0.0.0.0. I have waited more than 15 minutes. Nothing changed in failover status.

Do you mean the switch in front of firewalls? What does the switch have to do with that?