Active/Standby failover problem. Interface state 'waiting'

Below is the show failover on my secondary firewall. I am using 2 Cisco ASA 5520s for active/standby failover. The cable between the failover interfaces is a straight cable. Can somebody help me to figure out why the interfaces are in a waiting state, especially the outside interface?

Failover On
Failover unit Secondary
Failover LAN Interface: bds-failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 09:32:25 UTC Oct 20 2011
        This host: Secondary - Standby Ready
                Active time: 140 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside (10.10.10.11): Normal (Waiting)
                  Interface management (0.0.0.0): No Link (Waiting)
                  Interface inside (192.168.6.2): No Link (Waiting)
                slot 1: empty
        Other host: Primary - Active
                Active time: 12768 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside (10.10.10.10): Normal (Waiting)
                  Interface management (0.0.0.0): No Link (Waiting)
                  Interface inside (192.168.6.1): No Link (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : bds-failover GigabitEthernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1675       0          3403       0
        sys cmd         1672       0          1672       0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         3          0          1731       0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       17      17077
        Xmit Q:         0       1       1741

Thanks

Pratik

19 Replies

V S Narayana Chivukula
Cisco Employee

Hi Pratik,

The interfaces would be in the 'waiting' state when they have not heard a 'hello' message from the other unit in failover. Please check the following link, which gives you information about why the hello message is not received:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#Monitor

Regards,

Narayana

Hi Narayana,

I am using an HP ProCurve 2650 switch in between the 2 firewalls for failover. Can you help me in configuring spanning tree portfast in the HP switch?

I suspect that's the reason why the interfaces are in the waiting state.

Thanks,

Pratik

Hi Pratik,

In general, 'portfast' will place the switch port into forwarding state more quickly than a non-portfast configured interface.

So even when portfast is not enabled on the switch ports, the FWs should exchange hellos in max 40-50 seconds when the interfaces are connected to the switch. It sounds like it is more than a portfast issue. Check whether the ports on the ProCurve are configured as 'edge-ports' and are also in the same VLAN. This should allow the hellos.

Here is an example for edge port (google ;-)):

spanning-tree 11-30 edge-port

hth

MS

MS,

I made the ports edge ports in the HP switch. But still no luck. I have a few questions just to be sure I did everything right.

I have used a straight cable to connect a Cisco 3900 router to the Cisco ASA 5520. I assume all Cisco router and firewall ports are now auto-sensing.

Below is my show failover.

Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 07:53:22 UTC Oct 25 2011
        This host: Primary - Active
                Active time: 12790 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside (10.10.10.1): Normal (Waiting)
                  Interface management (192.168.6.1): No Link (Waiting)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 68574 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside (10.10.10.2): Normal (Waiting)
                  Interface management (192.168.6.2): No Link (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         3494       0          2054       0
        sys cmd         1750       0          1750       0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         1745       0          305        0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       17      3609
        Xmit Q:         0       1024    17744

I don't know what else to do. I'm running out of options now.

Thanks,

Pratik

Pratik,

What exactly do you mean by "I have used straight cable to connect a cisco 3900 router to cisco asa 5520"?

Are both ASAs' failover interfaces connected via a switch or a router? Please shed some light on the physical infrastructure and also post the FW config.

Thx

MS

I meant to say that I used a straight cable between the cisco 3900 router and ASA 5520.

Below is the FW's running config:

hostname ciscoasa
enable password Fk/FKoeyrw2FML8Z encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.1
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.6.1 255.255.255.0 standby 192.168.6.2
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover key *****
failover link bds-failover GigabitEthernet0/2
failover interface ip bds-failover 10.10.1.1 255.255.255.0 standby 10.10.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3015c118ae16aff18f87064c57f8380e
: end

One cisco 3900 router is connected to each firewall.

Let me know if you require any other details.

Thanks,

Pratik

I doubt the link comes up without a crossover cable, or without auto-MDIX or a switch module on the 3900. Also, please correct the config...

!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.1
!

The standby address is showing the same as the interface IP.

Thx

MS
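To make the two checks discussed in this thread repeatable across both units, here is an added Python example (not from the original thread or from Cisco): it parses `show failover` interface lines for monitored interfaces that are still `Waiting` (no hello heard from the peer, as Narayana explained) and scans a running config for `ip address ... standby ...` lines where the standby address equals the active one (the typo MS spotted). The sample input is constructed from the output and config posted above.

```python
import re

# Constructed from the `show failover` output posted in this thread.
SHOW_FAILOVER = """\
        This host: Primary - Active
                  Interface outside (10.10.10.1): Normal (Waiting)
                  Interface management (192.168.6.1): No Link (Waiting)
        Other host: Secondary - Standby Ready
                  Interface outside (10.10.10.2): Normal (Waiting)
                  Interface management (192.168.6.2): No Link (Waiting)
"""

# Constructed from the config excerpt posted in this thread (typo kept).
RUNNING_CONFIG = """\
interface GigabitEthernet0/3
 nameif outside
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.1
interface Management0/0
 nameif management
 ip address 192.168.6.1 255.255.255.0 standby 192.168.6.2
"""

IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?) \((\w+)\)\s*$")
HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (.+)$")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+) standby (\S+)\s*$")


def waiting_interfaces(text):
    """Return (unit, nameif, link_state, monitor_state) for every interface
    that is not yet 'Monitored', i.e. still waiting for peer hellos."""
    unit, found = None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            unit = m.group(2)  # Primary / Secondary section header
        m = IFACE_RE.match(line)
        if m and m.group(4) != "Monitored":
            found.append((unit, m.group(1), m.group(3), m.group(4)))
    return found


def duplicate_standby(config):
    """Return nameifs whose standby address equals the active address."""
    bad, name = [], None
    for line in config.splitlines():
        if line.lstrip().startswith("nameif "):
            name = line.split()[1]  # remember the interface we are inside
        m = IP_RE.match(line)
        if m and m.group(1) == m.group(3):
            bad.append(name)
    return bad
```

Run both functions over the real `show failover` and `show running-config` captures from each unit; an interface that stays in the list from `waiting_interfaces` after the 25-second interface holdtime has passed is one on which the two ASAs are not seeing each other's hellos.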

Sorry, that was a typo. The standby IP is 10.10.10.2.

So you suggest to use a crossover cable between the router and firewall?

Thanks,

Pratik

Is the ASA interface connected to a 3900 L3 interface or to a switching module? If it is an IP-assigned interface, what is the status?

An L3-L3 connection should be done through a crossover cable, or place a switch between those devices.

Thx

MS

I changed the cable between the router and firewall to a crossover one, but it didn't make a difference. The interfaces are still in the waiting state.

Thanks,

Pratik

Hi Pratik,

I asked to change the cable as the basic connection (ASA<-->router) does not work with a straight cable between L3-L3 interfaces. The failover issue is related to hellos between the ASAs via the ProCurve. Your config is straightforward.

Are the ProCurve switch links up, and are both ASAs' interfaces in the same VLAN? If possible, can you test by moving the connections to another switch?

Thx

MS 

MS,

The switch links are up and both ASA interfaces are on the same VLAN. Actually I am using the default VLAN.

I don't know if this would help here, but the link light on the ASA interfaces which connect to the Cisco 3900 routers is always solid amber.

Thanks,

Pratik

Pratik,

You need to do a general doc checkup on LEDs and any other connection details on the ASA. There is a lot of useful information on the Cisco website itself. The amber basically indicates 1-gig link speed.

http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/guide/overview.html

As far as the failover status...

Post both ASAs' models, OS version, memory & flash info.

I would recommend you swap procurve with another basic switch and see if that helps.

This may sound strange, but try rebooting all the gear (ASAs and switch, with a proper maintenance window).

Also, if you have a crossover cable try connecting both ASA failover interfaces directly and see if that works.

Thx

MS

MS,

I have attached 'show version' for both primary and secondary firewalls.

Also, I reloaded the primary firewall, the HP switch and the secondary firewall in sequence. But still no luck.

I also replaced the HP switch with an L3 Gigabit switch and also with an L2 switch. But still no luck.

When I do 'no failover active' on the primary, it switches to the secondary without any problem, and it switches back to the primary when I add 'failover active' on the primary. But the interfaces still remain in the waiting state.

Thanks,

Pratik
