A/S ASAs with a 3850 stack

Boris Simunko
Level 1

Hello!

I am having some issues in an ASA active/standby pair (5516, 9.8), connected to a 3850 stack. The primary ASA is connected to switch 1 of the stack, the secondary to switch 2.

What I am facing is that the interfaces on the secondary ASA are in a FAILED state, except one interface (inside).

I have checked all that I could: the cables are OK, and the config on the switchports is the same.

Below are some show outputs, and I have included a debug from the primary unit while doing a shut/no shut on the switchports connected to the secondary ASA.

###############################################################################

ASA/pri/act# show run fail
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet1/8
failover link FAILOVER GigabitEthernet1/8
failover interface ip FAILOVER 10.254.254.253 255.255.255.252 standby 10.254.254.254

###############################################################################

ASA/pri/act# show fail
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 160 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours JAD21360B9E, Mate JAD213401KV
Last Failover at: 13:13:57 CEST Jan 22 2018
This host: Primary - Active
Active time: 1390912 (sec)
slot 1: ASA5516 hw/sw rev (3.0/9.8(1)) status (Up Sys)
Interface inside (192.168.20.251): Normal (Monitored)
Interface transf (10.220.64.200): Normal (Waiting)
Interface telemed (192.168.200.253): Normal (Waiting)
Interface outside (a.b.c.70): Normal (Waiting)
slot 2: SFR5516 hw/sw rev (N/A/6.2.0.4-85) status (Up/Up)
ASA FirePOWER, 6.2.0.4-85, Up, (Not-Monitored)
slot 2: SFR5516 hw/sw rev (N/A/6.2.0.4-85) status (Up/Up)
ASA FirePOWER, 6.2.0.4-85, Up, (Not-Monitored)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 1: ASA5516 hw/sw rev (3.0/9.8(1)) status (Up Sys)
Interface inside (192.168.20.250): Normal (Monitored)
Interface transf (10.220.64.201): Failed (Waiting)
Interface telemed (192.168.200.254): Failed (Waiting)
Interface outside (a.b.c.69): Failed (Waiting)
slot 2: SFR5516 hw/sw rev (N/A/6.2.0-362) status (Up/Up)
ASA FirePOWER, 6.2.0-362, Up, (Not-Monitored)
slot 2: SFR5516 hw/sw rev (N/A/6.2.0-362) status (Up/Up)
ASA FirePOWER, 6.2.0-362, Up, (Not-Monitored)

Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet1/8 (up)
Stateful Obj xmit xerr rcv rerr
General 59828407 0 185453 0
sys cmd 185453 0 185453 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 35147229 0 0 0
UDP conn 18573036 0 0 0
ARP tbl 5920132 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 594 0 0 0
VPN IKEv1 P2 643 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 187 0 0 0
Router ID 0 0 0 0
User-Identity 1133 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 7 185457
Xmit Q: 0 30 60746844

###############################################################################

ASA/pri/act# show fail descriptor
inside send: 00020101ffff0000 receive: 00020101ffff0000
transf send: 000203010f000000 receive: 000203010f000000
telemed send: 00020301c8000000 receive: 00020301c8000000
outside send: 00020401ffff0000 receive: 00020401ffff0000

###############################################################################

ASA/pri/act# show fail his
==========================================================================
From State To State Reason
==========================================================================
13:13:54 CEST Jan 22 2018
Not Detected Negotiation No Error

13:13:57 CEST Jan 22 2018
Negotiation Just Active No Active unit found

13:13:57 CEST Jan 22 2018
Just Active Active Drain No Active unit found

13:13:57 CEST Jan 22 2018
Active Drain Active Applying Config No Active unit found

13:13:57 CEST Jan 22 2018
Active Applying Config Active Config Applied No Active unit found

13:13:57 CEST Jan 22 2018
Active Config Applied Active No Active unit found

==========================================================================

###############################################################################

ASA/pri/act# show fail int
interface FAILOVER GigabitEthernet1/8
System IP Address: 10.254.254.253 255.255.255.252
My IP Address : 10.254.254.253
Other IP Address : 10.254.254.254

###############################################################################

ASA/pri/act# show fail state

State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Ifc Failure 14:43:19 CEST Feb 7 2018
inside: Failed
transf: Failed
telemed: Failed
outside: Failed

====Configuration State===
Sync Done
====Communication State===
Mac set

###############################################################################

ASA/pri/act# show monitor-interface
This host: Primary - Active
Interface inside (192.168.20.251): Normal (Monitored)
Interface transf (10.220.64.200): Normal (Waiting)
Interface telemed (192.168.200.253): Normal (Waiting)
Interface outside (a.b.c.70): Normal (Waiting)
Other host: Secondary - Failed
Interface inside (192.168.20.250): Normal (Monitored)
Interface transf (10.220.64.201): Failed (Waiting)
Interface telemed (192.168.200.254): Failed (Waiting)
Interface outside (a.b.c.69): Failed (Waiting)

###############################################################################

Besides the failed interfaces, I cannot connect to the secondary unit in any way, even though I can ping the inside interface (on the primary unit the inside interface is used for management).


Could the stack be causing issues?
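An added example, not from the thread: a small Python parser for the `show monitor-interface` output quoted above that pairs each interface across the two units and reports whether a failure is one-sided (pointing at that unit's cable or switchport) or present on both units (pointing at the shared segment or switch). The sample text is constructed from the post's own output.

```python
import re

# Constructed sample in the shape of the "show monitor-interface" output
# quoted in the post (outside addresses abbreviated as in the post).
SAMPLE = """\
This host: Primary - Active
Interface inside (192.168.20.251): Normal (Monitored)
Interface transf (10.220.64.200): Normal (Waiting)
Interface telemed (192.168.200.253): Normal (Waiting)
Interface outside (a.b.c.70): Normal (Waiting)
Other host: Secondary - Failed
Interface inside (192.168.20.250): Normal (Monitored)
Interface transf (10.220.64.201): Failed (Waiting)
Interface telemed (192.168.200.254): Failed (Waiting)
Interface outside (a.b.c.69): Failed (Waiting)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (\w+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \((\S+)\): (\w+) \((\w+)\)$")

def parse_monitor_interface(text):
    """Return {role: {ifname: (ip, state, monitoring)}} for both units."""
    units, role = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            role = m.group(2)            # "Primary" / "Secondary"
            units[role] = {}
            continue
        m = IFACE_RE.match(line)
        if m and role is not None:
            name, ip, state, mon = m.groups()
            units[role][name] = (ip, state, mon)
    return units

def diagnose(units):
    """Per interface: 'ok' (Normal on both), 'one-sided:<role>' (Failed on
    that unit only, so look at that unit's cable/switchport), or 'both'
    (Failed on both units, so suspect the shared segment or the switch)."""
    if len(units) != 2:
        raise ValueError("expected output for exactly two units")
    a, b = units
    verdict = {}
    for name in units[a].keys() & units[b].keys():
        failed = [r for r in (a, b) if units[r][name][1] == "Failed"]
        if not failed:
            verdict[name] = "ok"
        elif len(failed) == 1:
            verdict[name] = "one-sided:" + failed[0]
        else:
            verdict[name] = "both"
    return verdict
```

Run `diagnose(parse_monitor_interface(SAMPLE))` to get the verdict per interface; for the post's output every non-inside interface comes back as one-sided on the Secondary, which matches a per-unit cabling or switchport problem rather than a failover-link problem.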

Accepted Solution

Ajay Saini
Level 7

Hello,

All we have to ensure is that the interfaces (inside, dmz, etc.) are connected in their specific VLANs on the stack, with portfast enabled on the interfaces.

Check the switch port configuration to ensure we have correct config and ports are up. 

Try to ping from the ASA active to the standby IP address and vice versa and see if that works. It's like 2 machines connected to the switch in the same VLAN.

Check if the switch has a MAC entry registered for both interfaces in the same VLANs.

HTH

AJ


2 Replies

So... I was checking things again and realized the customer had connected the cables on the secondary unit wrong :(

Failover is now OK, and I can ping the interfaces on the standby unit, but I am still unable to ASDM into it.

EDIT: all is working fine now!
