05-22-2012 10:02 PM - edited 03-11-2019 04:10 PM
I'm attempting to configure two ASA 5520 for active/standby failover.
When I enter the “failover” command to enable the config on the primary ASA, the entire routing table disappears.
There is no routing process running, only static routes are configured.
Is this an expected behavior of the failover process and if so, how long should I wait for the routes to come back?
Is there a document somewhere explaining this behavior?
I’ve searched all day but couldn’t find anything that came close to explaining this.
If this is not normal, what could be causing this to happen?
Thanks
05-23-2012 01:17 AM
Yes, dynamic routing protocol is supported in Active/Standby failover.
Here is the document to confirm that it is supported:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_overview.html#wp1097614
Once you turn on the failover, the configuration will get synchronized between the 2 ASAs. Can you please confirm that the failover is working fine however routing table disappears? To check the failover status: show failover
What version of ASA are you running?
05-23-2012 10:13 AM
The ASA are running 8.4.3.
We only use static routes and have no need for Dynamic routing.
The config doesn't get synchronized, as the entire routing table is cleared when failover is turned on, including locally connected interfaces, so the primary can't find the standby unit.
05-23-2012 11:57 PM
Did you enable failover on both the primary and the secondary ASA?
Can you please send us the output of "show failover" from both ASA before and after enabling the failover.
05-24-2012 06:10 PM
Originally, both primary and secondary were configured for failover.
At this point I'm only trying to understand why the routing table is cleared, so the secondary is turned off.
Is it an expected result to have your routing cleared when you enable failover?
I've waited only ~30 seconds for the routes to come back. Maybe I'm not waiting long enough, but I haven't seen in any of the documents I've read that loss of traffic should be expected when failover is enabled.
hfn-asa5520-01# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 62.117.51.1 to network 0.0.0.0
S 172.26.0.0 255.255.0.0 [1/0] via 172.26.1.252, inside
S 172.26.30.30 255.255.255.255 [1/0] via 62.117.51.1, outside
C 172.26.1.0 255.255.255.0 is directly connected, inside
S 172.26.30.31 255.255.255.255 [1/0] via 62.117.51.1, outside
C 62.117.51.0 255.255.255.0 is directly connected, outside
C 10.1.1.0 255.255.255.0 is directly connected, dmz
S 10.21.21.0 255.255.255.0 [1/0] via 172.26.1.250, inside
C 10.255.255.0 255.255.255.252 is directly connected, Failover
C 192.168.168.0 255.255.255.0 is directly connected, Flora
S* 0.0.0.0 0.0.0.0 [1/0] via 62.117.51.1, outside
hfn-asa5520-01# sh failover
Failover Off
Failover unit Primary
Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
hfn-asa5520-01# sh failover
Failover Off
Failover unit Primary
Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
hfn-asa5520-01# conf t
hfn-asa5520-01(config)# failover
hfn-asa5520-01(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.4(3), Mate Unknown
Last Failover at: 12:23:12 PDT May 21 2012
This host: Primary - Negotiation
Active time: 116 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.4(3)) status (Up Sys)
Interface outside (62.117.51.100): No Link (Waiting)
Interface inside (172.26.1.251): No Link (Waiting)
Interface dmz (10.1.1.1): No Link (Waiting)
Interface Flora (192.168.168.1): No Link (Not-Monitored)
slot 1: empty
Other host: Secondary - Not Detected
Active time: 0 (sec)
slot 0: empty
Interface outside (62.117.51.99): Unknown (Waiting)
Interface inside (172.26.1.249): Unknown (Waiting)
Interface dmz (10.1.1.2): Unknown (Waiting)
Interface Flora (192.168.168.2): Unknown (Not-Monitored)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : Failover Management0/0 (Failed)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
hfn-asa5520-01(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 10.255.255.0 255.255.255.252 is directly connected, Failover
hfn-asa5520-01(config)# no failover
05-24-2012 10:34 PM
Looks like the failover LAN interface failed according to the output from show failover.
Since you are using the management interface as the failover lan interface, can you please check if you have turned off "management-only" command on that interface?
Also, you copied the output of show failover twice, so I am not sure if you copied it by mistake, or whether it is actually from the primary ASA once and the second output was from the secondary ASA, because both are showing that the unit is the Primary unit.
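A small health check over the two outputs quoted in this thread, written as an added example (not from the original posts or from Cisco): it parses "show failover" for the LAN-interface state and peer detection, and diffs "show route" before and after enabling failover. The sample text is constructed from the outputs above, abbreviated.

```python
import re
# Constructed samples, abbreviated from the outputs quoted in the thread.
SHOW_FAILOVER = """\
Failover On
Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
Version: Ours 8.4(3), Mate Unknown
Other host: Secondary - Not Detected
"""
ROUTES_BEFORE = """\
S 172.26.0.0 255.255.0.0 [1/0] via 172.26.1.252, inside
C 172.26.1.0 255.255.255.0 is directly connected, inside
C 10.255.255.0 255.255.255.252 is directly connected, Failover
S* 0.0.0.0 0.0.0.0 [1/0] via 62.117.51.1, outside
"""
ROUTES_AFTER = """\
C 10.255.255.0 255.255.255.252 is directly connected, Failover
"""

def parse_show_failover(text):
    """Pull the fields a health check needs out of 'show failover' output."""
    def field(pat, default=None):
        m = re.search(pat, text, re.M)
        return m.group(1) if m else default
    return {
        "enabled": field(r"^Failover (On|Off)$") == "On",
        "lan_state": field(r"^Failover LAN Interface: .*\(([^)]*)\)", ""),
        "mate_version": field(r"^Version: Ours \S+, Mate (\S+)"),
        "peer_state": field(r"^Other host: \w+ - (.+?)\s*$"),
    }

def failover_issues(info):
    """Human-readable findings; an empty list means the pair looks healthy."""
    if not info["enabled"]:
        return ["failover is Off"]
    issues = []
    if info["lan_state"].startswith("Failed"):
        issues.append("failover LAN interface is Failed: check the link and that "
                      "'management-only' is not configured on the failover interface")
    if info["peer_state"] == "Not Detected" or info["mate_version"] == "Unknown":
        issues.append("peer unit not detected over the failover link")
    return issues

def route_prefixes(text):
    """Set of (network, mask) tuples for every route line in 'show route' output."""
    pat = r"^[A-Z]\*? +(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    return {m.groups() for m in re.finditer(pat, text, re.M)}

def lost_routes(before, after):
    """Prefixes present before enabling failover that are missing afterwards."""
    return sorted(route_prefixes(before) - route_prefixes(after))
```

Run it against live output captured from both units; a non-empty lost_routes list together with a Failed LAN interface points at the failover link, not the route configuration.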