09-26-2024 01:08 PM
I have two Secure Firewalls (running ASA code) in an active/standby failover. Failover is working.
These interfaces are present:
The active unit is working as expected. The standby unit has the IP address 0.0.0.0 on three interfaces.
This host: Primary - Active
Active time: 911 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.10): Normal (Not-Monitored)
Interface Transit-Net (192.168.100.1): Normal (Not-Monitored)
Interface WAN1 (10.10.10.10): Normal (Not-Monitored)
Interface WAN2 (20.20.20.20): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 562 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.11): Normal (Not-Monitored)
Interface Transit-Net (0.0.0.0): Normal (Not-Monitored)
Interface WAN1 (0.0.0.0): Normal (Not-Monitored)
Interface WAN2 (0.0.0.0): Normal (Not-Monitored)
Only the management interface has a standby ip address assigned. I guess this is the reason for it.
IP addresses of wan interfaces are public networks (/29) from each ISP (10.10.10.10, 20.20.20.20).
How do I "fix" this issue without needing a standby ip address?
09-27-2024 05:56 AM - edited 09-27-2024 05:56 AM
There is something wrong here,
I will check if you can use subinterface for failover and state-link
Maybe Mr. @Aref Alsouqi can confirm if we can do that.
Can you try using a physical interface instead of a subinterface?
MHM
09-27-2024 06:25 AM
Yeah it doesn't seem to work for some reason. Using subinterfaces for failover links should be fine as long as the physical interface is not being used for any data traffic. Could you please share the output of "sho run int eth1/7" for review? Also, could you please share the secondary firewall failover configs for review?
Interestingly you have configured the subnets 192.168.50.0/30 and 192.168.60.0/30 for the failover links, but the subinterfaces eth1/7.110 and eth1/7.120 are showing totally different IP addresses!
Also, how are these firewalls connected to each other on interface eth1/7? Directly or via a switch?
09-26-2024 01:14 PM
At least config inside interface of standby with IP
And the interface in standby without IP disable it monitor.
MHM
09-26-2024 01:26 PM
> At least config inside interface of standby with IP
I don't understand that, sorry.
> And the interface in standby without IP disable it monitor.
But it's already "not monitored". Maybe I don't understand again.
09-26-2024 01:32 PM
Why you not assign IP to interface "Transit-Net"??
For monitor
no monitor-interface <wan interface>
09-26-2024 01:38 PM - edited 09-26-2024 01:44 PM
> Why you not assign IP to interface "Transit-Net"??
Then in a failover case the transit-net i. e. has 192.168.100.3. The static route from the core switch on the other side still points to 192.168.100.1 as this is the gateway to reach 0.0.0.0. In failover the route would fail.
> no monitor-interface <wan interface>
These interfaces are already not monitored. When I issue "no monitor-interface WAN1" nothing changes.
sh run all monitor-interface:
no monitor-interface WAN1
As far as I understand, when interfaces are monitored and one of them fails it will trigger the failover from active to standby unit. But I don't know what this has to do with the missing IP addresses (0.0.0.0). Subinterfaces don't have a standby IP address.
09-26-2024 01:47 PM
> Why you not assign IP to interface "Transit-Net"??
Then in a failover case the transit-net i. e. has 192.168.100.3. The static route from the core switch on the other side still points to 192.168.100.1 as this is the gateway to reach 0.0.0.0. In failover the route would fail. <<- the static route always must point to active interface IP, the standby need IP for monitoring only.
For second point after add command I shared check show failover
MHM
09-26-2024 01:54 PM
<<- the static route always must point to active interface IP, the standby need IP for monitoring only.
So standby ip address can be any and doesn't have to be in the same subnet?
Transit-Net, i. e.
Active: 192.168.100.1; Standby 192.168.200.10 ?
>> For second point after add command I shared check show failover
I don't understand.
09-26-2024 01:59 PM
So standby ip address can be any and doesn't have to be in the same subnet?
Transit-Net, i. e.
Active: 192.168.100.1; Standby 192.168.200.10 ? <<- no it must be in same subnet so use 192.168.100.10
For second point
Share
Show failover status
MHM
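An added example, not from the thread or from Cisco: a small Python audit script that parses the "show failover" output quoted in the original post, lists the interfaces whose standby-unit address is 0.0.0.0 (no standby address configured), and checks a candidate standby address against the same-subnet rule stated in the reply above. The sample output is constructed to match the original post; the prefix lengths passed to the check are assumptions (the thread only gives /29 for the WAN links).

```python
# Added example (not from the thread): parse the 'show failover' output quoted
# in the original post, report interfaces whose standby-side address is 0.0.0.0
# (no 'standby' address configured), and check that a candidate standby address
# is a usable host in the active address's subnet. Sample output is constructed.
import ipaddress
import re

SHOW_FAILOVER = """\
This host: Primary - Active
Interface Management (192.168.200.10): Normal (Not-Monitored)
Interface Transit-Net (192.168.100.1): Normal (Not-Monitored)
Interface WAN1 (10.10.10.10): Normal (Not-Monitored)
Interface WAN2 (20.20.20.20): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Interface Management (192.168.200.11): Normal (Not-Monitored)
Interface Transit-Net (0.0.0.0): Normal (Not-Monitored)
Interface WAN1 (0.0.0.0): Normal (Not-Monitored)
Interface WAN2 (0.0.0.0): Normal (Not-Monitored)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\S+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\S+) \((Monitored|Not-Monitored)\)$")


def parse_failover(text):
    """Return {'This'|'Other': {'unit', 'role', 'interfaces': {name: {...}}}}."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # real ASA output indents these lines
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"unit": m.group(2), "role": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, state, mon = m.groups()
            hosts[current]["interfaces"][name] = {"ip": ip, "state": state, "monitored": mon == "Monitored"}
    return hosts


def missing_standby(hosts):
    """Interfaces showing 0.0.0.0 on the standby unit: no standby address is configured."""
    standby = next(h for h in hosts.values() if h["role"].startswith("Standby"))
    return sorted(n for n, i in standby["interfaces"].items() if i["ip"] == "0.0.0.0")


def valid_standby(active_ip, standby_ip, prefixlen):
    """True if standby_ip is a distinct usable host in active_ip's subnet (prefixlen assumed)."""
    net = ipaddress.ip_network(f"{active_ip}/{prefixlen}", strict=False)
    sb = ipaddress.ip_address(standby_ip)
    return sb != ipaddress.ip_address(active_ip) and sb in net.hosts()
```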
09-26-2024 02:06 PM - edited 09-26-2024 02:08 PM
On transit-net that would be possible. But what about the ISP interfaces? On each of them we have 5 useable ip addresses.
If I assign i. e. on WAN1 interface 10.10.10.11 as standby ip address (active is 10.10.10.10), then the address is in use on the standby unit.
For example if we have incoming connections from WAN on 10.10.10.10 then in case of asa failover this ip address isn't useable because it is active on the failed asa and the current active asa would have 10.10.10.11.
09-26-2024 02:11 PM - edited 09-26-2024 02:19 PM
For an optimal config you need an IP for each standby interface, but that is not mandatory,
so for both WAN (wan1/wan2) interfaces in standby you can leave the IP unassigned.
MHM
09-26-2024 02:17 PM - edited 09-26-2024 02:20 PM
But when I don't assign a standby ip address on each wan interface then in failover case there is no connection from the inside VLANs through transit-net to 0.0.0.0 (wan). The ISP routers on the switch in front of the firewall are not reachable because both wan interfaces have the ip address 0.0.0.0.
And I guess the same would happen to transit-net. When it has 192.168.100.2 (standby) the earlier mentioned route from the core is still pointing to 192.168.100.1, but this ip address is not available on the new active asa in failover case.
09-26-2024 02:21 PM
The traffic will pass via the active unit, and you already have an IP on the WAN interface of the active unit.
MHM
09-26-2024 02:37 PM
I don't think so.
Active ASA unit has 10.10.10.10 on WAN1, 20.20.20.20 on WAN2. When active unit fails the second unit has 0.0.0.0 on WAN1 and WAN2. ISP router of WAN1 is 10.10.10.9, WAN2 20.20.20.9.
Since both WAN interfaces have 0.0.0.0 in the failover case I can't reach 10.10.10.9 and 20.20.20.9. I have already tested that.
Because of that I wrote this posting to find a workaround for 0.0.0.0.
09-26-2024 02:40 PM
When the active unit fails, the standby uses the IP of the failed active unit, so it will have an IP.
Check show failover status on the standby and you will see it has an IP.
What makes the issue here is the switch not updating the MAC quickly.
MHM
09-26-2024 03:40 PM
When the standby unit was active, these interfaces had 0.0.0.0. I waited more than 15 minutes. Nothing changed in the failover status.
Do you mean the switch in front of firewalls? What does the switch have to do with that?