Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
612
Views
2
Helpful
34
Replies

Standby-ASA in a failover has no ip address on port-channels

Go to solution
mcgiga
Level 1
Level 1

‎09-26-2024 01:08 PM

I have two Secure Firewalls (running ASA code) in a active/standby failover. Failover is working.

These intefaces are present:

  • E1/5.100 -> Management VLAN
  • Port-Channel1.50 -> Transit Network VLAN to core switch
  • Port-Channel2.150 -> WAN1 VLAN, to a switch in front of the firewall
  • Port-Channel2.155 -> WAN2 VLAN, to a switch in front of the firewall

Active unit is working as expected. The standby unit has on three interfaces the ip address 0.0.0.0.

This host: Primary - Active
Active time: 911 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.10): Normal (Not-Monitored)
Interface Transit-Net (192.168.100.1): Normal (Not-Monitored)
Interface WAN1 (10.10.10.10): Normal (Not-Monitored)
Interface WAN2 (20.20.20.20): Normal (Not-Monitored)

Other host: Secondary - Standby Ready
Active time: 562 (sec)
slot 0: FPR-3105 hw/sw rev (1.0/9.20(3)) status (Up Sys)
Interface Management (192.168.200.11): Normal (Not-Monitored)
Interface Transit-Net (0.0.0.0): Normal (Not-Monitored)
Interface WAN1 (0.0.0.0): Normal (Not-Monitored)
Interface WAN2 (0.0.0.0): Normal (Not-Monitored)

Only the management interface has a standby ip address assigned. I guess this is the reason for it.

IP addresses of wan interfaces are public networks (/29) from each ISP (10.10.10.10, 20.20.20.20).

How do I "fix" this issue without needing a standby ip address?

Labels:
0 Helpful
34 Replies 34

Go to solution
Aref Alsouqi
VIP
VIP
In response to mcgiga

‎09-27-2024 07:00 AM

The link would use the same name of the LAN interface, so you should use "failover link Failover-Link Ethernet1/7" and remove the "failover interface ip Stateful-Link" command please.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to mcgiga

‎09-27-2024 07:02 AM

Please 

Remove this 

failover link Stateful-Link Ethernet1/7

Do

No Failover active

Check

MHM

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎09-27-2024 07:04 AM

I think if you connect eth1/7 to a switch and you configure the switch ports in trunk this would work without changing any config. However, to simplify this setup as already mentioned you can use a single physical interface. The configs on both firewalls would look like this:

Primary:
failover lan unit primary
failover lan interface Failover-Link Ethernet1/7
failover link Failover-Link Ethernet1/7
failover interface ip Failover-Link 192.168.110.1 255.255.255.252 standby 192.168.110.2
failover

Secondary:
failover lan unit secondary
failover lan interface Failover-Link Ethernet1/7
failover link Failover-Link Ethernet1/7
failover interface ip Failover-Link 192.168.110.1 255.255.255.252 standby 192.168.110.2
failover

Hopefully I didn't miss anything.

Go to solution
MHM Cisco World
VIP
VIP
In response to Aref Alsouqi

‎09-27-2024 07:07 AM

He confirmed he use direct connect, but he use subinterface to make one interface work for both failover and state. 

MHM

0 Helpful

Go to solution
mcgiga
Level 1
Level 1
In response to Aref Alsouqi

‎09-27-2024 08:50 AM - edited ‎09-27-2024 08:50 AM

I have reconfigurated the interface without two subinterfaces and it's working. Standby unit "receives" all ip addresses of the interfaces from the "failed" active unit.

P.S. do you know why subinterfaces cause this issue? Standby sees that it should become active but then "hangs" and doesn't "receive" the ip addresses?

Thank you both for your help!

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card