Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
498
Views
0
Helpful
4
Replies

Abnormal behaviour of failover firewalls

l.buschi
Level 2
Level 2

‎09-04-2015 08:37 AM - edited ‎03-11-2019 11:32 PM

Hello,

i have my failover pairs which behave this way:

ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER-LINK GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(3)4, Mate 9.2(3)4
Last Failover at: 04:33:55 UTC Sep 3 2015
        This host: Primary - Active
                Active time: 99615 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.2(3)4) status (Up Sys)
                  Interface outside (X.Y.Z.W): Normal (Monitored)
                  Interface inside (192.168.0.200): Normal (Waiting)
                  Interface management (0.0.0.0): No Link (Not-Monitored)
                slot 1: CXSC5515 hw/sw rev (N/A/) status (Unresponsive/Up)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.2(3)4) status (Up Sys)
                  Interface outside (X.Y.Z.H): Normal (Monitored)
                  Interface inside (192.168.0.201): Normal (Monitored)
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                slot 1: CXSC5515 hw/sw rev (N/A/) status (Unresponsive/Up)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

 

 

 

ASA# sh run failover
failover
failover lan unit primary
failover lan interface FAILOVER-LINK GigabitEthernet0/5
failover interface ip FAILOVER-LINK 1.1.1.1 255.255.255.0 standby 1.1.1.2
failover ipsec pre-shared-key *****

 

ASA#sh ver

Cisco Adaptive Security Appliance Software Version 9.2(3)4
Device Manager Version 7.4(3)

 

the 2 firewall are connected to different switch with a reserved VLAN for failover.

 

Why is my primary active unit is in normal (waiting) state and not in Normal (monitored) ?

 

What did I configure wrong?

 

Tks

Johnny

 

Labels:
0 Helpful
4 Replies 4

rodrigog
Level 1
Level 1

‎09-04-2015 09:00 AM

Hello 

By any means do you have ip verify reverse-path applied to the inside interface?

ip verify reverse-path interface interface_name

If so remove it 

no ip verify reverse-path interface interface_name

 

 

 

0 Helpful

l.buschi
Level 2
Level 2
In response to rodrigog

‎09-07-2015 02:47 AM

there is no ip very reverse-path configured.

 

Both inside interfaces are connected to access-port on the right vlan with portfast enabled.

 


 

0 Helpful

rodrigog
Level 1
Level 1
In response to l.buschi

‎09-07-2015 08:29 AM

Try checking if there is any 192.168.0.200 duplicate ip address that may be creating the issue 

If that is not the case proceed open a TAC case to take a closer look into it

0 Helpful

Marius Gunnerud
VIP
VIP

‎09-04-2015 03:41 PM

Check the switch interface configuration for the Normal (waiting) interfaces and make sure they are in the correct VLANs.  If they are subinterfaces make sure the switch port is a trunk and the relevant VLAN is allowed on the trunk.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card