1150 Active/Standby failover issues

Saul T Bear
Level 1

I am looking for help with my Active/Standby failover on 1150 running ASA.  As you can see my fo interfaces are up up, but mate's are unknown.

ASA1#

interface Ethernet1/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.x
!
interface Ethernet1/3
nameif inside
security-level 100
ip address 192.168.16.100 255.255.255.0 standby 192.168.16.101
!
interface Ethernet1/4
description LAN Failover Interface
!
interface Ethernet1/5
description STATE Failover Interface
!

ciscoasa# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Ethernet1/1 x.x.x.x YES manual down down
Ethernet1/2 172.20.16.100 YES manual admin down down
Ethernet1/3 192.168.16.100 YES manual up up
Ethernet1/4 11.1.1.1 YES unset up up
Ethernet1/5 11.1.2.1 YES unset up up
Ethernet1/6 10.1.1.1 YES manual down down
Ethernet1/7 10.2.2.1 YES manual down down
Ethernet1/8 10.3.3.1 YES manual down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 unassigned YES unset admin down down
Ethernet1/12 unassigned YES unset admin down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset down down

failover
failover lan unit primary
failover lan interface lanfailover Ethernet1/4
failover link statefailover Ethernet1/5
failover interface ip lanfailover 11.1.1.1 255.255.255.252 standby 11.1.1.2
failover interface ip statefailover 11.1.2.1 255.255.255.252 standby 11.1.2.2
failover ipsec pre-shared-key *****
no failover wait-disable

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 800
AnyConnect Essentials : Disabled
Other VPN Peers : 800
Total VPN Peers : 800
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 800
Cluster : Disabled


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 800
AnyConnect Essentials : Disabled
Other VPN Peers : 800
Total VPN Peers : 800
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 800
Cluster : Disabled

ciscoasa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: lanfailover Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 1288 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.16(2)3, Mate Unknown
Serial Number: Ours xxxxxxxxxxx, Mate Unknown
Last Failover at: 22:14:55 UTC May 16 2023
This host: Primary - Active
Active time: 417326 (sec)
slot 0: FPR-1150 hw/sw rev (48.46/9.16(2)3) status (Up Sys)
Interface outside (209.193.66.198): No Link (Waiting)
Interface BFPL-CELLULAR (172.20.16.100): Link Down (Shutdown)
Interface inside (192.168.16.100): Unknown (Waiting)
Interface ptpnlv (10.1.1.1): No Link (Waiting)
Interface ptpgtn (10.2.2.1): No Link (Waiting)
Interface ptpbillings (10.3.3.1): No Link (Waiting)
Other host: Secondary - Not Detected
Active time: 0 (sec)
Interface outside (0.0.0.0): Unknown (Waiting)
Interface xxxxxx (0.0.0.0): Unknown (Waiting)
Interface inside (192.168.16.101): Unknown (Waiting)
Interface ptpnlv (0.0.0.0): Unknown (Waiting)
Interface ptpgtn (0.0.0.0): Unknown (Waiting)
Interface ptpbillings (0.0.0.0): Unknown (Waiting)

Stateful Failover Logical Update Statistics
Link : statefailover Ethernet1/5 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
ciscoasa#


=======================================================================================
ASA2#

interface Ethernet1/1
nameif outside
security-level 0
no ip address
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/4
description LAN Failover Interface
!
interface Ethernet1/5
description STATE Failover Interface
!

ciscoasa# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Ethernet1/1 unassigned YES unset up up
Ethernet1/2 192.168.1.1 YES manual down down
Ethernet1/3 unassigned YES unset admin down down
Ethernet1/4 11.1.1.2 YES unset up up
Ethernet1/5 11.1.2.2 YES unset up up
Ethernet1/6 unassigned YES unset admin down down
Ethernet1/7 unassigned YES unset admin down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 unassigned YES unset admin down down
Ethernet1/12 unassigned YES unset admin down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset down down

!

failover
failover lan unit secondary
failover lan interface lanfailover Ethernet1/4
failover link statefailover Ethernet1/5
failover interface ip lanfailover 11.1.1.1 255.255.255.252 standby 11.1.1.2
failover interface ip statefailover 11.1.2.1 255.255.255.252 standby 11.1.2.2
failover ipsec pre-shared-key *****
no failover wait-disable

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 800
AnyConnect Essentials : Disabled
Other VPN Peers : 800
Total VPN Peers : 800
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 800
Cluster : Disabled


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 800
AnyConnect Essentials : Disabled
Other VPN Peers : 800
Total VPN Peers : 800
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 800
Cluster : Disabled

ciscoasa# sh fail
ciscoasa# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: lanfailover Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1288 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.16(2)3, Mate Unknown
Serial Number: Ours xxxxxxxxXP, Mate Unknown
Last Failover at: 22:17:16 UTC May 16 2023
This host: Secondary - Active
Active time: 73428 (sec)
slot 0: FPR-1150 hw/sw rev (48.46/9.16(2)3) status (Up Sys)
Interface management (0.0.0.0): No Link (Waiting)
Interface outside (0.0.0.0): Unknown (Waiting)
Interface inside (192.168.1.1): No Link (Waiting)
Other host: Primary - Failed
Active time: 0 (sec)
Interface management (0.0.0.0): Unknown (Waiting)
Interface outside (0.0.0.0): Unknown (Waiting)
Interface inside (0.0.0.0): Unknown (Waiting)

Stateful Failover Logical Update Statistics
Link : statefailover Ethernet1/5 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
ciscoasa#

1 Accepted Solution

Accepted Solutions

Try removing the command "failover ipsec pre-shared-key" on the standby first and then on the primary unit. Looking into your configuration on both units, there is a misconfiguration. What I mean is the Primary configuration does not reflect the secondary firewall config. Example: E1/3 on Primary and E1/2 on Secondary.

But once the units see each other, the Primary config will replicate to the Secondary.

Could you also give the output of show failover history.

Please do not forget to rate.

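The accepted answer points at two things worth checking before touching the failover key: the same nameif must sit on the same physical interface on both units, and the failover stanzas (LAN/state link, their IPs, and whether a pre-shared key is set) must agree, while "Mate Unknown" / "Not Detected" in show failover tells you the units are not yet talking. The checker below is an added example, not code from the thread or from Cisco; the two configs and the show failover excerpt are constructed to mirror the thread's outputs (addresses replaced), and the function names are the example's own.

```python
"""Spot why two ASA units never see each other: compare the failover-relevant
parts of both running configs and summarise 'show failover'.
Added example; the inputs are constructed, not captured from a real pair."""
import re

# Constructed config excerpts modelled on the thread (public test addresses used).
ASA1_CONFIG = """\
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet1/3
 nameif inside
 security-level 100
 ip address 192.168.16.100 255.255.255.0 standby 192.168.16.101
!
failover
failover lan unit primary
failover lan interface lanfailover Ethernet1/4
failover link statefailover Ethernet1/5
failover interface ip lanfailover 11.1.1.1 255.255.255.252 standby 11.1.1.2
failover interface ip statefailover 11.1.2.1 255.255.255.252 standby 11.1.2.2
failover ipsec pre-shared-key *****
"""
ASA2_CONFIG = """\
interface Ethernet1/1
 nameif outside
 security-level 0
 no ip address
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
failover
failover lan unit secondary
failover lan interface lanfailover Ethernet1/4
failover link statefailover Ethernet1/5
failover interface ip lanfailover 11.1.1.1 255.255.255.252 standby 11.1.1.2
failover interface ip statefailover 11.1.2.1 255.255.255.252 standby 11.1.2.2
failover ipsec pre-shared-key *****
"""
# Constructed 'show failover' excerpt with the fields that matter here.
SHOW_FAILOVER_ASA1 = """\
Failover On
Failover unit Primary
Failover LAN Interface: lanfailover Ethernet1/4 (up)
Version: Ours 9.16(2)3, Mate Unknown
This host: Primary - Active
        Active time: 417326 (sec)
Other host: Secondary - Not Detected
        Active time: 0 (sec)
"""


def nameif_map(config):
    """Map each nameif to the physical interface block it appears in."""
    mapping, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("nameif ") and current:
            mapping[line.split(None, 1)[1]] = current
        elif line == "!":
            current = None
    return mapping


def failover_settings(config):
    """Collect the failover lines that must be identical on both units,
    plus the unit role and whether an IPsec pre-shared key is configured."""
    shared, has_psk, role = [], False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("failover"):
            continue
        if line.startswith("failover lan unit "):
            role = line.rsplit(None, 1)[1]
        elif line.startswith("failover ipsec pre-shared-key"):
            has_psk = True  # value is masked in the config, only presence is visible
        elif line != "failover":
            shared.append(line)
    return {"shared": shared, "has_psk": has_psk, "role": role}


def compare_units(primary_cfg, secondary_cfg):
    """Return human-readable findings about mismatches between the two units."""
    findings = []
    p_map, s_map = nameif_map(primary_cfg), nameif_map(secondary_cfg)
    for name in sorted(set(p_map) | set(s_map)):
        if p_map.get(name) != s_map.get(name):
            findings.append(f"nameif {name}: primary on {p_map.get(name)}, "
                            f"secondary on {s_map.get(name)}")
    p_fo, s_fo = failover_settings(primary_cfg), failover_settings(secondary_cfg)
    if {p_fo["role"], s_fo["role"]} != {"primary", "secondary"}:
        findings.append(f"unit roles are {p_fo['role']} and {s_fo['role']}, "
                        "expected one primary and one secondary")
    for line in sorted(set(p_fo["shared"]) ^ set(s_fo["shared"])):
        findings.append(f"failover line present on only one unit: {line}")
    if p_fo["has_psk"] != s_fo["has_psk"]:
        findings.append("failover IPsec pre-shared key configured on only one unit")
    elif p_fo["has_psk"]:
        findings.append("failover IPsec pre-shared key set on both units; the value "
                        "is masked, so confirm it matches or clear it on both")
    return findings


def parse_show_failover(text):
    """Extract the fields of 'show failover' that say whether the mate is seen."""
    unit = re.search(r"Failover unit (\w+)", text).group(1)
    mate_version = re.search(r"Version: Ours [^,]+, Mate (.+)", text).group(1).strip()
    this_state = re.search(r"This host: \w+ - ([\w ]+)", text).group(1).strip()
    other_state = re.search(r"Other host: \w+ - ([\w ]+)", text).group(1).strip()
    mate_seen = mate_version != "Unknown" and other_state not in ("Not Detected", "Failed")
    return {"unit": unit, "mate_version": mate_version, "this_state": this_state,
            "other_state": other_state, "mate_seen": mate_seen}


if __name__ == "__main__":
    for finding in compare_units(ASA1_CONFIG, ASA2_CONFIG):
        print("FINDING:", finding)
    print(parse_show_failover(SHOW_FAILOVER_ASA1))
```

On the thread's configs this reports the inside nameif living on Ethernet1/3 on one unit and Ethernet1/2 on the other, and that a masked pre-shared key is set on both so its value cannot be compared from the configs alone, which is exactly the situation the accepted answer describes.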

4 Replies

The failover link config without IP?

I think this is what you're asking? I am fairly certain (and may humbly be wrong) that you do not set the IP on the interface, but let the fo config set it, as I have done?

Ethernet1/4 11.1.1.2 YES unset up up
Ethernet1/5 11.1.2.2 YES unset up up

 

failover interface ip lanfailover 11.1.1.1 255.255.255.252 standby 11.1.1.2
failover interface ip statefailover 11.1.2.1 255.255.255.252 standby 11.1.2.2


This worked!! I removed the pre-shared key and they linked up, then I added another pre-shared key to the primary and they're good now!!
