Standby-ASA in a failover has no ip address on port-channels

mcgiga
Level 1

I have two Secure Firewalls (running ASA code) in an active/standby failover. Failover is working.

These interfaces are present:

  • E1/5.100 -> Management VLAN
  • Port-Channel1.50 -> Transit Network VLAN to core switch
  • Port-Channel2.150 -> WAN1 VLAN, to a switch in front of the firewall
  • Port-Channel2.155 -> WAN2 VLAN, to a switch in front of the firewall

The active unit is working as expected. The standby unit shows the IP address 0.0.0.0 on three interfaces.

This host: Primary - Active
Active time: 911 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.10): Normal (Not-Monitored)
Interface Transit-Net (192.168.100.1): Normal (Not-Monitored)
Interface WAN1 (10.10.10.10): Normal (Not-Monitored)
Interface WAN2 (20.20.20.20): Normal (Not-Monitored)

Other host: Secondary - Standby Ready
Active time: 562 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.11): Normal (Not-Monitored)
Interface Transit-Net (0.0.0.0): Normal (Not-Monitored)
Interface WAN1 (0.0.0.0): Normal (Not-Monitored)
Interface WAN2 (0.0.0.0): Normal (Not-Monitored)

Only the management interface has a standby IP address assigned. I guess this is the reason for it.

The IP addresses of the WAN interfaces are from public networks (/29) from each ISP (10.10.10.10, 20.20.20.20).

How do I "fix" this issue without needing a standby ip address?

35 Replies

Tested, and it works.
But returning to your post: did you configure the failover link with an IP?

MHM


I skimmed through this thread quickly so apologies if I missed anything that was already discussed. The 0.0.0.0 values you see would be expected as you don't have the standby IP addresses configured for any of the Transit, WAN1, or WAN2 interfaces. In fact, as you already mentioned that is not the case with the management interface because you assigned a standby IP for it.

The standby addresses are not a prerequisite for the failover to work, as you could see. However, they are good if you want to be able to jump on the secondary device through its data interfaces, or if you want to monitor those interfaces via an external monitoring tool that would most likely rely on ICMP messages, or even to allow the failover peer to check the full readiness of the other peer before triggering the failover. But again, it is not mandatory to have them.

In your initial post you mentioned that the failover worked as expected. How did you simulate the failure? The reason why I'm asking this is because, from the output you shared, you don't seem to have any of the interfaces monitored, which means if any of those interfaces should fail for any reason the failover won't be triggered.
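The point in the reply above is that "show failover" already tells you both things at once: which interfaces show 0.0.0.0 (no standby address configured) and which interfaces are Not-Monitored (their failure will never trigger a failover). The following script is an added example, not part of the original thread; it parses the output format quoted in the question (the sample text is reconstructed from that post, with the same names and addresses) and produces an audit list, so the same check can be run against a unit's real output before relying on the pair.

```python
import re

# Constructed sample: the "show failover" excerpt quoted in the question.
# Interface names and addresses are copied from that post; this is not live output.
SHOW_FAILOVER = """\
This host: Primary - Active
Active time: 911 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.10): Normal (Not-Monitored)
Interface Transit-Net (192.168.100.1): Normal (Not-Monitored)
Interface WAN1 (10.10.10.10): Normal (Not-Monitored)
Interface WAN2 (20.20.20.20): Normal (Not-Monitored)

Other host: Secondary - Standby Ready
Active time: 562 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.11): Normal (Not-Monitored)
Interface Transit-Net (0.0.0.0): Normal (Not-Monitored)
Interface WAN1 (0.0.0.0): Normal (Not-Monitored)
Interface WAN2 (0.0.0.0): Normal (Not-Monitored)
"""

# "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
HOST_RE = re.compile(r"^(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
# "Interface WAN1 (10.10.10.10): Normal (Not-Monitored)"
IFACE_RE = re.compile(r"^Interface\s+(\S+)\s+\(([\d.]+)\):\s+(\S+)\s+\((.+)\)\s*$")


def parse_show_failover(text):
    """Return {"This"/"Other": {"role", "state", "interfaces": {name: (ip, status, monitor)}}}."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            hosts[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, status, monitor = m.groups()
            current["interfaces"][name] = (ip, status, monitor)
    return hosts


def audit_failover(hosts):
    """List (host, interface, finding) tuples for a failover pair that is not fully ready."""
    findings = []
    for label, host in hosts.items():
        for name, (ip, status, monitor) in host["interfaces"].items():
            if ip == "0.0.0.0":
                # No "standby" address on this interface: the standby unit shows 0.0.0.0.
                findings.append((label, name, "no standby IP address configured"))
            if monitor == "Not-Monitored":
                # No "monitor-interface" for it: a failure here will not trigger failover.
                findings.append((label, name, "interface is not monitored"))
            elif monitor == "Waiting":
                # Monitoring is on, but the unit has not yet seen hello packets from
                # its peer on this interface (for example because the peer has no IP).
                findings.append((label, name, "monitored, but waiting for peer hellos"))
            if status != "Normal":
                findings.append((label, name, "interface status is %s" % status))
    return findings


if __name__ == "__main__":
    for host, iface, finding in audit_failover(parse_show_failover(SHOW_FAILOVER)):
        print("%-5s %-11s %s" % (host, iface, finding))
```

On the sample from the question the audit reports three interfaces on the standby unit without a standby address and all eight interfaces as unmonitored, which is exactly the combination the reply above warns about.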

I did "no failover active" on the active unit. The SSH connection to the active IP address was dropped after executing the command.

Then I tried to reach 1.1.1.1 from one of the internal VLANs and couldn't reach any of the ISP gateways. Then I did "failover active" on the standby unit and was able to reach the ISP gateways again.

If that's so, why do you mention that you waited a long time and the standby interface didn't get an IP?

From your last post it seems to work, and it proved that the standby doesn't need an IP.

MHM

Unfortunately I don't understand what you are trying to tell me.

My guess is that when I execute "no failover active" on the active unit, it will fail over to the second (standby) unit. That unit will become active and will take control of the IP addresses from the other unit. But that is not the case. The gateways are not reachable.

I can provide more output from CLI if needed.

Can you shut down all interfaces on the active unit and check the standby state?

Don't use

failover active / no failover active

And check.

MHM

That is not the expected behaviour because as you mentioned when you issue the "no failover active" command on the active/primary device, the active role should move to the secondary firewall which is not happening in your case for some reason.

Also, I wouldn't recommend shutting down the active/primary interfaces from the firewall itself, because if the two firewalls sync with each other, those interfaces will also be shut down on the standby device.

I would review the failover config, maybe there is something missing. Please check out this link for some configuration examples:

Cisco ASA Active/Passive Failover Configuration Example (packetswitch.co.uk)

I have executed "no failover active" on the active unit. The following output is from the secondary unit, which was the standby unit before. It doesn't seem to become active.

Last Failover at: 14:06:54 CEST Sep 27 2024
This host: Primary - Standby Ready
Active time: 8135 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.11): Normal (Monitored)
Interface Transit-Net (0.0.0.0): Normal (Waiting)
Interface WAN1 (0.0.0.0): Normal (Not-Monitored)
Interface WAN2 (0.0.0.0): Normal (Not-Monitored)
Interface WAN3 (0.0.0.0): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary - Active
Active time: 45 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.10): Normal (Monitored)
Interface Transit-Net (192.168.100.1): Normal (Waiting)
Interface WAN1 (10.10.10.10): Normal (Not-Monitored)
Interface WAN2 (20.20.20.20): Normal (Not-Monitored)
Interface WAN3 (30.30.30.30): Normal (Not-Monitored)
slot 1: empty

------

asa/pri/stby# sh failover state

State Last Failure Reason Date/Time
This host - Primary
Standby Ready None
Other host - Secondary
Active None

====Configuration State===
Sync Skipped - STANDBY
====Communication State===
Mac set

------

Config for failover:

failover
failover lan unit primary
failover lan interface Failover-Link Ethernet1/7.110
failover link Stateful-Link Ethernet1/7.120
failover interface ip Failover-Link 192.168.50.1 255.255.255.252 standby 192.168.50.2
failover interface ip Stateful-Link 192.168.60.1 255.255.255.252 standby 192.168.60.2
no failover wait-disable
monitor-interface Management
monitor-interface Transit-Net

show interface ip brief

Check if the failover and state link are UP or not.

Check that on both FWs.

MHM

show interface IP brief

primary unit / active
......
Ethernet1/7.110 192.168.110.2 YES unset up up
Ethernet1/7.120 192.168.120.2 YES unset up up
......

secondary unit / standby
......
Ethernet1/7.110 192.168.110.1 YES unset up up
Ethernet1/7.120 192.168.120.1 YES unset up up

There is something wrong here.

I will check if you can use a subinterface for the failover and state link.

Maybe Mr. @Aref Alsouqi can confirm if we can do that.

Can you try using an interface, not a subinterface?

MHM

Yeah it doesn't seem to work for some reason. Using subinterfaces for failover links should be fine as long as the physical interface is not being used for any data traffic. Could you please share the output of "sho run int eth1/7" for review? Also, could you please share the secondary firewall failover configs for review?

Interestingly you have configured the subnets 192.168.50.0/30 and 192.168.60.0/30 for the failover links, but the subinterfaces eth1/7.110 and eth1/7.120 are showing totally different IP addresses!

Also, how are these firewalls connected to each other on interface eth1/7? Directly or via a switch?

asa/sec/act# sho run int eth1/7
!
interface Ethernet1/7

Interestingly you have configured the subnets 192.168.50.0/30 and 192.168.60.0/30 for the failover links, but the subinterfaces eth1/7.110 and eth1/7.120 are showing totally different IP addresses!

Sorry my fault. I have changed the ip addresses before posting them here.

Also, how are these firewalls connected to each other on interface eth1/7? Directly or via a switch?

Directly, via a patch cable.

Config output from standby unit:

failover
failover lan unit primary
failover lan interface Failover-Link Ethernet1/7.110
failover link Stateful-Link Ethernet1/7.120
failover interface ip Failover-Link 192.168.110.1 255.255.255.252 standby 192.168.110.2
failover interface ip Stateful-Link 192.168.120.1 255.255.255.252 standby 192.168.120.2
no failover wait-disable
monitor-interface Management
monitor-interface Transit-Net

If directly,

then there is no need for a subinterface.

The failover and state link can use the same interface.

Remove the subinterface config, and on one interface:

failover lan interface Failover-Link

Assign an IP on both FWs

and check again.

MHM


failover lan interface Failover-Link Ethernet1/7
failover link Stateful-Link Ethernet1/7

ERROR: interface already in use as failover interface
Failed to update LU link information

The stateful link can't be the same interface. That was the reason I created the VLANs.
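The exchange ends with the ASA rejecting the same physical interface for both the LAN failover link and the stateful link, which is why the thread's config uses two subinterfaces of Ethernet1/7. As an added example that is not from the thread or from Cisco, the script below parses the failover configuration lines quoted earlier (the sample is reconstructed from the standby unit's config) and flags the two things a reviewer would check before applying it: the two links naming the same interface, and a configured standby address that does not fall inside the link's own subnet. The "rejected" variant is constructed here by substituting the bare interface into the same config.

```python
import ipaddress
import re

# Constructed sample: the failover config quoted from the standby unit in the thread.
FAILOVER_CONFIG = """\
failover
failover lan unit primary
failover lan interface Failover-Link Ethernet1/7.110
failover link Stateful-Link Ethernet1/7.120
failover interface ip Failover-Link 192.168.110.1 255.255.255.252 standby 192.168.110.2
failover interface ip Stateful-Link 192.168.120.1 255.255.255.252 standby 192.168.120.2
no failover wait-disable
monitor-interface Management
monitor-interface Transit-Net
"""

# Constructed variant of the change suggested late in the thread: both links on the
# bare physical interface, which the ASA rejected with "interface already in use".
REJECTED_CONFIG = (
    FAILOVER_CONFIG.replace("Ethernet1/7.110", "Ethernet1/7")
    .replace("Ethernet1/7.120", "Ethernet1/7")
)

LAN_RE = re.compile(r"^failover lan interface (\S+) (\S+)$")
STATE_RE = re.compile(r"^failover link (\S+) (\S+)$")
IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")
MON_RE = re.compile(r"^monitor-interface (\S+)$")


def parse_failover_config(text):
    """Return {"lan": (name, iface), "stateful": (name, iface), "ips": {...}, "monitored": [...]}."""
    cfg = {"lan": None, "stateful": None, "ips": {}, "monitored": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := LAN_RE.match(line):
            cfg["lan"] = (m.group(1), m.group(2))
        elif m := STATE_RE.match(line):
            cfg["stateful"] = (m.group(1), m.group(2))
        elif m := IP_RE.match(line):
            name, ip, mask, standby = m.groups()
            cfg["ips"][name] = (ip, mask, standby)
        elif m := MON_RE.match(line):
            cfg["monitored"].append(m.group(1))
    return cfg


def check_failover_config(cfg):
    """Return a list of human-readable problems; empty means the checks passed."""
    problems = []
    lan, state = cfg["lan"], cfg["stateful"]
    if lan and state and lan[1] == state[1]:
        # This is the combination the ASA refused in the thread.
        problems.append("LAN failover link and stateful link both use %s" % lan[1])
    link_names = {l[0] for l in (lan, state) if l}
    for name, (ip, mask, standby) in cfg["ips"].items():
        if name not in link_names:
            problems.append("IP assigned to unknown failover link %s" % name)
        net = ipaddress.ip_network("%s/%s" % (ip, mask), strict=False)
        if ipaddress.ip_address(standby) not in net:
            problems.append("%s: standby %s is outside %s" % (name, standby, net))
        if standby == ip:
            problems.append("%s: active and standby addresses are identical" % name)
    if not cfg["monitored"]:
        problems.append("no monitor-interface lines: interface failures won't trigger failover")
    return problems


if __name__ == "__main__":
    for label, text in (("thread config", FAILOVER_CONFIG), ("rejected variant", REJECTED_CONFIG)):
        print(label, "->", check_failover_config(parse_failover_config(text)) or "OK")
```

The subnet check is there because the first config pasted in the thread showed 192.168.50.0/30 and 192.168.60.0/30 while "show interface ip brief" showed 192.168.110.x and 192.168.120.x; that turned out to be hand-edited before posting, but a mismatch like that on a real unit is exactly what this kind of script catches.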
