Active/Standby Failover not working on 5506x

chris (Level 1)

I recently replaced the Cisco PIX 515E we had running as a failover pair with a new 5506X pair. I have enabled the configuration as per the 515E setup as far as I am aware, and it was working, for a bit. On the initial configuration, the active (called primary) worked fine, the replication worked and the failover seemed to be okay. This is the configuration at present:

failover
failover lan unit primary
failover lan interface folink GigabitEthernet1/8
failover link folink GigabitEthernet1/8
failover interface ip folink 11.0.0.10 255.0.0.0 standby 11.0.0.11

ip address x.x.x.44 255.255.255.248 standby x.x.x.43
ip address 10.0.0.10 255.0.0.0 standby 10.0.0.11

sh failover

Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 40 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.5(1), Mate 9.5(1)
Last Failover at: 16:30:14 UTC Mar 9 2016
This host: Primary - Active
Active time: 1510 (sec)
slot 1: ASA5506 hw/sw rev (1.0/9.5(1)) status (Up Sys)
Interface outside (x.x.x.44): Normal (Not-Monitored)
Interface inside (10.0.0.10): Normal (Monitored)
slot 2: SFR5506 hw/sw rev (N/A/5.4.1-211) status (Up/Up)
ASA FirePOWER, 5.4.1-211, Up, (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 1: ASA5506 hw/sw rev (1.0/9.5(1)) status (Up Sys)
Interface outside (x.x.x.43): Failed (Not-Monitored)
Interface inside (10.0.0.11): Normal (Monitored)
slot 2: SFR5506 hw/sw rev (N/A/5.4.1-211) status (Up/Up)
ASA FirePOWER, 5.4.1-211, Up, (Monitored)

Now, when testing the failover by typing 'failover active' on the secondary device, I can see the IP change and the MAC address change, yet everything goes offline and stays offline.

Each firewall is connected to a switch in VLAN 1 on the inside interface, and in VLAN2 for the outside interface. VLAN 2 also has a link between my 2 switches and a set of redundant links to my ISP, one in each.

I would have assumed that when failing over to the secondary unit, and seeing the IP address, MAC etc. move to the secondary unit, that things would be up. However, the links to the outside world remain unavailable. Luckily, I have another connection onto this network and am able to access both of the firewalls.

I attempted to run failover active to switch the primary unit back to the active unit, but even this did not work. 

In the end, I had to reboot both firewalls, the primary unit first and then shortly after, the secondary unit, and things came back up. The only thing I noticed when doing 'sh failover' was that it reported the secondary unit, which was now back up, as 'failed'. I am currently running on the primary unit, but am concerned that if something goes down, the failover is not working and everything is offline.

As a note, we have upgraded the switches recently as well, but the configuration on these is very simple with 2 VLANs, 1 for internal and one for external (with links between the 2 on each switch).

Any advice would be appreciated.

9 Replies

sachintambat (Level 1)

Hi Chris,

What is the failover configuration you have given the secondary unit?

-Sachin 

At present, the secondary is currently disabled to ensure that the primary stays active; at least I know it works then. The config on the secondary is currently:

failover
failover lan interface folink GigabitEthernet1/8
failover link folink GigabitEthernet1/8
failover interface ip folink 11.0.0.10 255.0.0.0 standby 11.0.0.11
ip address x.x.x.44 255.255.255.248 standby x.x.x.43
ip address 10.0.0.10 255.0.0.0 standby 10.0.0.11

show failover
Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: folink GigabitEthernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 40 maximum
MAC Address Move Notification Interval not set

show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside x.x.x.44 255.255.255.248 CONFIG
GigabitEthernet1/2 inside 10.0.0.10 255.0.0.0 CONFIG
GigabitEthernet1/8 folink 11.0.0.10 255.0.0.0 unset
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside x.x.x.43 255.255.255.248 CONFIG
GigabitEthernet1/2 inside 10.0.0.11 255.0.0.0 CONFIG
GigabitEthernet1/8 folink 11.0.0.11 255.0.0.0 unset

Configuration seems to be fine.

Is the failover cable directly connected between these firewalls, or is it going via a switch?

Connected directly to ge1/8

OK, as you said:

"I would have assumed that  when failing over to the secondary unit, and seeing the IP address, MAC etc move to the secondary unit that things would be up. However, the links to the outside world remain unavailable. Luckily, I have another connection onto this network and am able to access both of the firewalls"

Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 1: ASA5506 hw/sw rev (1.0/9.5(1)) status (Up Sys)
Interface outside (x.x.x.43): Failed (Not-Monitored)
Interface inside (10.0.0.11): Normal (Monitored)
slot 2: SFR5506 hw/sw rev (N/A/5.4.1-211) status (Up/Up)
ASA FirePOWER, 5.4.1-211, Up, (Monitored)

Why is this interface showing failed? Is the cable connected? Is the port coming up before failover?

It must be connected between the firewall and the switch.

This is something I am working with my ISP to resolve. I have since changed that IP to another (they told me the .43 was reserved for HSRP), yet I am not able to ping the external secondary IP from anywhere.

However, I would have assumed that even without this working in this manner, forcing the secondary host to be active would mean it would have the .44 address, which it does, but no external IPs are visible on the external network if I do that.

I am hoping to get a resolution to the .45 address this morning and will then see if that does have any impact.

Thanks

Did the ISP respond with the change in IP, and did you test after that?

Apologies for the late response. I had an engineer take a look at this over the weekend, and the issue was with the switches and not the firewall. This has led me to having to ask another question on that, but consider this issue resolved.

Thanks for your input.

Hi Chris,

Yes, it would work even though your outside interface is failed on the secondary, as you have disabled the monitoring on the outside interface. Also, the active unit would take .44, so it's fine.

However, please check the switch. Maybe the ports are going into some blocking state or something which is not letting the new outside link send traffic.

Hope it helps.

Regards,

Akshay Rastogi
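The `show failover` output in the original post, and Akshay's point above that a Failed interface marked Not-Monitored does not stop the unit from reaching Standby Ready, are the kind of thing worth checking automatically before trusting a pair. The following is an added example, not code from the thread or from Cisco: a small parser for `show failover` output that lists each unit's interfaces and flags anything in a non-Normal state, distinguishing monitored interfaces (which drive the failover decision) from unmonitored ones (which will simply be down after a switchover, as happened here). The sample output is constructed from the thread with placeholder addresses.

```python
import re

# Constructed sample modelled on the thread's output; 192.0.2.x are placeholder addresses.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet1/8 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 40 maximum
Version: Ours 9.5(1), Mate 9.5(1)
This host: Primary - Active
Active time: 1510 (sec)
slot 1: ASA5506 hw/sw rev (1.0/9.5(1)) status (Up Sys)
Interface outside (192.0.2.44): Normal (Not-Monitored)
Interface inside (10.0.0.10): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 1: ASA5506 hw/sw rev (1.0/9.5(1)) status (Up Sys)
Interface outside (192.0.2.43): Failed (Not-Monitored)
Interface inside (10.0.0.11): Normal (Monitored)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \((\S+)\): (\w+) \((Monitored|Not-Monitored)\)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
FOLINK_RE = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)$")


def parse_show_failover(text):
    """Turn `show failover` text into a dict: global flags plus per-host interface lists."""
    state = {"failover_on": False, "link_up": None, "versions": None, "hosts": {}}
    current = None  # "this" or "other", set when a host header line is seen
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            state["failover_on"] = True
        elif (m := FOLINK_RE.match(line)):
            state["link_up"] = m.group(3).lower() == "up"
        elif (m := VERSION_RE.match(line)):
            state["versions"] = (m.group(1), m.group(2))
        elif (m := HOST_RE.match(line)):
            current = m.group(1).lower()
            state["hosts"][current] = {
                "unit": m.group(2), "role": m.group(3).strip(), "interfaces": []}
        elif (m := IFACE_RE.match(line)) and current:
            state["hosts"][current]["interfaces"].append({
                "name": m.group(1), "ip": m.group(2),
                "state": m.group(3), "monitored": m.group(4) == "Monitored"})
    return state


def failover_findings(state):
    """Return human-readable findings; an empty list means the pair looks healthy."""
    findings = []
    if not state["failover_on"]:
        findings.append("failover is not enabled")
    if state["link_up"] is False:
        findings.append("failover LAN link is down")
    if state["versions"] and state["versions"][0] != state["versions"][1]:
        findings.append("software version mismatch: ours %s, mate %s" % state["versions"])
    other = state["hosts"].get("other")
    if other and not other["role"].startswith("Standby Ready"):
        findings.append("peer unit is '%s', not Standby Ready" % other["role"])
    for which, host in state["hosts"].items():
        for iface in host["interfaces"]:
            if iface["state"] == "Normal":
                continue
            where = "%s unit (%s)" % (which, host["unit"])
            if iface["monitored"]:
                # Monitored interfaces count toward the interface policy and can trigger a switchover.
                findings.append("%s: monitored interface %s (%s) is %s and affects failover"
                                % (where, iface["name"], iface["ip"], iface["state"]))
            else:
                # Unmonitored interfaces never trigger failover, but the link is still down
                # if this unit becomes active, which matches the symptom in the thread.
                findings.append("%s: unmonitored interface %s (%s) is %s; failover ignores it "
                                "but the link will be down after a switchover"
                                % (where, iface["name"], iface["ip"], iface["state"]))
    return findings


if __name__ == "__main__":
    for finding in failover_findings(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print("WARN:", finding)
```

Run against the constructed sample it reports exactly one warning, for the secondary's outside interface, and says why the pair still shows Standby Ready despite it. Feeding it the output of a `show failover` captured over SSH from both units is the natural next step.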
