05-17-2023 09:40 AM
I am looking for help with my Active/Standby failover on 1150 running ASA. As you can see my fo interfaces are up up, but mate's are unknown.
ASA1#
interface Ethernet1/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.x
!
interface Ethernet1/3
nameif inside
security-level 100
ip address 192.168.16.100 255.255.255.0 standby 192.168.16.101
!
interface Ethernet1/4
description LAN Failover Interface
!
interface Ethernet1/5
description STATE Failover Interface
!
ciscoasa# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Ethernet1/1 x.x.x.x YES manual down down
Ethernet1/2 172.20.16.100 YES manual admin down down
Ethernet1/3 192.168.16.100 YES manual up up
Ethernet1/4 11.1.1.1 YES unset up up
Ethernet1/5 11.1.2.1 YES unset up up
Ethernet1/6 10.1.1.1 YES manual down down
Ethernet1/7 10.2.2.1 YES manual down down
Ethernet1/8 10.3.3.1 YES manual down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 unassigned YES unset admin down down
Ethernet1/12 unassigned YES unset admin down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset down down
failover
failover lan unit primary
failover lan interface lanfailover Ethernet1/4
failover link statefailover Ethernet1/5
failover interface ip lanfailover 11.1.1.1 255.255.255.252 standby 11.1.1.2
failover interface ip statefailover 11.1.2.1 255.255.255.252 standby 11.1.2.2
failover ipsec pre-shared-key *****
no failover wait-disable
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 800
AnyConnect Essentials : Disabled
Other VPN Peers : 800
Total VPN Peers : 800
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 800
Cluster : Disabled
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 800
AnyConnect Essentials : Disabled
Other VPN Peers : 800
Total VPN Peers : 800
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 800
Cluster : Disabled
ciscoasa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: lanfailover Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 1288 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.16(2)3, Mate Unknown
Serial Number: Ours xxxxxxxxxxx, Mate Unknown
Last Failover at: 22:14:55 UTC May 16 2023
This host: Primary - Active
Active time: 417326 (sec)
slot 0: FPR-1150 hw/sw rev (48.46/9.16(2)3) status (Up Sys)
Interface outside (209.193.66.198): No Link (Waiting)
Interface BFPL-CELLULAR (172.20.16.100): Link Down (Shutdown)
Interface inside (192.168.16.100): Unknown (Waiting)
Interface ptpnlv (10.1.1.1): No Link (Waiting)
Interface ptpgtn (10.2.2.1): No Link (Waiting)
Interface ptpbillings (10.3.3.1): No Link (Waiting)
Other host: Secondary - Not Detected
Active time: 0 (sec)
Interface outside (0.0.0.0): Unknown (Waiting)
Interface xxxxxx (0.0.0.0): Unknown (Waiting)
Interface inside (192.168.16.101): Unknown (Waiting)
Interface ptpnlv (0.0.0.0): Unknown (Waiting)
Interface ptpgtn (0.0.0.0): Unknown (Waiting)
Interface ptpbillings (0.0.0.0): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : statefailover Ethernet1/5 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
ciscoasa#
=======================================================================================
ASA2#
interface Ethernet1/1
nameif outside
security-level 0
no ip address
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/4
description LAN Failover Interface
!
interface Ethernet1/5
description STATE Failover Interface
!
ciscoasa# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Ethernet1/1 unassigned YES unset up up
Ethernet1/2 192.168.1.1 YES manual down down
Ethernet1/3 unassigned YES unset admin down down
Ethernet1/4 11.1.1.2 YES unset up up
Ethernet1/5 11.1.2.2 YES unset up up
Ethernet1/6 unassigned YES unset admin down down
Ethernet1/7 unassigned YES unset admin down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 unassigned YES unset admin down down
Ethernet1/12 unassigned YES unset admin down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset down down
!
failover
failover lan unit secondary
failover lan interface lanfailover Ethernet1/4
failover link statefailover Ethernet1/5
failover interface ip lanfailover 11.1.1.1 255.255.255.252 standby 11.1.1.2
failover interface ip statefailover 11.1.2.1 255.255.255.252 standby 11.1.2.2
failover ipsec pre-shared-key *****
no failover wait-disable
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 800
AnyConnect Essentials : Disabled
Other VPN Peers : 800
Total VPN Peers : 800
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 800
Cluster : Disabled
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 800
AnyConnect Essentials : Disabled
Other VPN Peers : 800
Total VPN Peers : 800
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 800
Cluster : Disabled
ciscoasa# sh fail
ciscoasa# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: lanfailover Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1288 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.16(2)3, Mate Unknown
Serial Number: Ours xxxxxxxxXP, Mate Unknown
Last Failover at: 22:17:16 UTC May 16 2023
This host: Secondary - Active
Active time: 73428 (sec)
slot 0: FPR-1150 hw/sw rev (48.46/9.16(2)3) status (Up Sys)
Interface management (0.0.0.0): No Link (Waiting)
Interface outside (0.0.0.0): Unknown (Waiting)
Interface inside (192.168.1.1): No Link (Waiting)
Other host: Primary - Failed
Active time: 0 (sec)
Interface management (0.0.0.0): Unknown (Waiting)
Interface outside (0.0.0.0): Unknown (Waiting)
Interface inside (0.0.0.0): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : statefailover Ethernet1/5 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
ciscoasa#
05-17-2023 01:33 PM
Try removing the command "failover ipsec pre-shared-key" on the standby first and then on the primary unit. Looking into your configuration on both units, there is a misconfiguration. What I mean is the primary configuration does not reflect the secondary firewall config. Example: E1/3 on the primary and E1/2 on the secondary.
But once the units see each other, the primary config will replicate to the secondary.
Could you also give the output of show failover history?
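A small checker, added here as an illustration (it is not from the thread or from Cisco), for the two things the answer points at: nameif/interface mismatches between the units' configs, and a "show failover" that still reports the mate as Unknown or Not Detected. The config and output excerpts are constructed from the thread and the regex parsing is my own, not an ASA API.

```python
import re

# Constructed excerpts modelled on the two units' configs in the thread:
# the secondary has "inside" on Ethernet1/2, the primary on Ethernet1/3.
PRIMARY_CFG = """
interface Ethernet1/1
 nameif outside
!
interface Ethernet1/3
 nameif inside
 ip address 192.168.16.100 255.255.255.0 standby 192.168.16.101
!
"""
SECONDARY_CFG = """
interface Ethernet1/1
 nameif outside
!
interface Ethernet1/2
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
"""
# Constructed excerpt of the primary's "show failover" while the peer is not seen.
SHOW_FAILOVER = """
Version: Ours 9.16(2)3, Mate Unknown
Other host: Secondary - Not Detected
"""

def nameif_map(cfg):
    """Return {nameif: physical interface} from the 'interface ...' stanzas."""
    result, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"^\s*nameif (\S+)", line)  # 'no nameif' does not match
        if m and current:
            result[m.group(1)] = current
    return result

def config_mismatches(primary_cfg, secondary_cfg):
    """nameifs whose physical interface differs between the two units."""
    p, s = nameif_map(primary_cfg), nameif_map(secondary_cfg)
    return {n: (p.get(n), s.get(n)) for n in sorted(set(p) | set(s)) if p.get(n) != s.get(n)}

def mate_seen(show_failover):
    """True only when the mate's version is known and the peer is not Not Detected/Failed."""
    other = re.search(r"Other host: \S+ - (.+)", show_failover)
    return ("Mate Unknown" not in show_failover and bool(other)
            and other.group(1).strip() not in ("Not Detected", "Failed"))
```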
05-17-2023 09:45 AM
The failover link config without an IP?
05-17-2023 09:49 AM
I think this is what you're asking? I am fairly certain (and may humbly be wrong) that you do not set the IP on the interface, but let the fo config set it, as I have done?
Ethernet1/4 11.1.1.2 YES unset up up
Ethernet1/5 11.1.2.2 YES unset up up
failover interface ip lanfailover 11.1.1.1 255.255.255.252 standby 11.1.1.2
failover interface ip statefailover 11.1.2.1 255.255.255.252 standby 11.1.2.2
05-17-2023 01:55 PM
This worked!! I removed the pre-shared key and they linked up, then I added another pre-shared key to the primary and they're good now!!