02-27-2011 10:50 PM - edited 03-11-2019 12:57 PM
Hello friends,
I have configured active/standby failover on both devices, i.e. as below, and I have seen that once it is configured, after some time it gives priority first to the secondary firewall and the primary firewall goes into standby state.
Also, when I check with the show version command, it shows me that it is active/active.
How can I check that it is configured properly?
On Primary
failover
failover lan unit primary
failover lan interface failover Management0/0
failover interface ip failover 192.168.3.1 255.255.255.252 standby 192.168.3.2
On secondary
failover
failover lan unit secondary
failover lan interface failover Management0/0
failover interface ip failover 192.168.3.1 255.255.255.252 standby 192.168.3.2
02-27-2011 11:16 PM
Can you please share the output of :
show failover
show failover history
show failover state
from both primary and secondary firewall.
Also in the "show version", it says Active/Active, basically it's just saying that it is capable of being configured as Active/Active failover (this only works in multiple context mode).
02-28-2011 12:01 AM
Dear Jennifer,
Thanks for support,
Please find below detail as per your post.
#########################################Primary device###############################
PRAsaOne# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 14:09:58 UTC Feb 27 2011
This host: Primary - Standby Ready
Active time: 1686 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
Interface intranet (10.190.0.4): Normal
Interface outside (59.144.97.50): Normal
Interface dmz (192.168.1.2): Normal
Interface INSIDE (192.168.4.2): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
IPS, 5.1(6)E1, Up
Other host: Secondary - Active
Active time: 63393 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
Interface intranet (10.190.0.1): Normal
Interface outside (59.144.97.62): Normal
Interface dmz (192.168.1.1): Normal
Interface INSIDE (192.168.4.1): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
IPS, 5.1(6)E1, Up
Stateful Failover Logical Update Statistics
Link : Unconfigured.
PRAsaOne#
PRAsaOne# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
16:45:49 UTC Feb 27 2011
Standby Ready              Failed                     Interface check
16:45:52 UTC Feb 27 2011
Failed                     Standby Ready              Interface check
17:48:00 UTC Feb 27 2011
Standby Ready              Failed                     Interface check
17:48:02 UTC Feb 27 2011
Failed                     Standby Ready              Interface check
17:56:25 UTC Feb 27 2011
Standby Ready              Failed                     Interface check
17:56:27 UTC Feb 27 2011
Failed                     Standby Ready              Interface check
19:33:46 UTC Feb 27 2011
Standby Ready              Failed                     Interface check
19:33:48 UTC Feb 27 2011
Failed                     Standby Ready              Interface check
20:25:31 UTC Feb 27 2011
Standby Ready              Failed                     Interface check
20:25:34 UTC Feb 27 2011
Failed                     Standby Ready              Interface check
21:14:47 UTC Feb 27 2011
Standby Ready              Failed                     Interface check
21:14:49 UTC Feb 27 2011
Failed                     Standby Ready              Interface check
22:44:22 UTC Feb 27 2011
Standby Ready              Failed                     Interface check
22:44:25 UTC Feb 27 2011
Failed                     Standby Ready              Interface check
01:42:29 UTC Feb 28 2011
Standby Ready              Failed                     Interface check
01:42:32 UTC Feb 28 2011
Failed                     Standby Ready              Interface check
04:08:45 UTC Feb 28 2011
Standby Ready              Failed                     Interface check
04:08:53 UTC Feb 28 2011
Failed                     Standby Ready              Interface check
11:50:43 UTC Feb 28 2011
Standby Ready              Failed                     Interface check
11:50:45 UTC Feb 28 2011
Failed                     Standby Ready              Interface check
==========================================================================
PRAsaOne# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Standby Ready  Ifc Failure              12:10:33 UTC Feb 28 2011
Other host -   Secondary
               Active         Comm Failure             13:50:52 UTC Feb 27 2011
====Configuration State===
Sync Done
====Communication State===
Mac set
PRAsaOne#
#########################################Secondary device############################
PRAsaOne# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 14:10:02 UTC Feb 27 2011
This host: Secondary - Active
Active time: 63294 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
Interface intranet (10.190.0.1): Normal
Interface outside (59.144.97.62): Normal
Interface dmz (192.168.1.1): Normal
Interface INSIDE (192.168.4.1): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
IPS, 5.1(6)E1, Up
Other host: Primary - Standby Ready
Active time: 1686 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
Interface intranet (10.190.0.4): Normal
Interface outside (59.144.97.50): Normal
Interface dmz (192.168.1.2): Normal
Interface INSIDE (192.168.4.2): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
IPS, 5.1(6)E1, Up
Stateful Failover Logical Update Statistics
Link : Unconfigured.
PRAsaOne# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
13:52:41 UTC Feb 27 2011
Not Detected               Negotiation                No Error
13:52:42 UTC Feb 27 2011
Negotiation                Cold Standby               Detected an Active mate
13:52:43 UTC Feb 27 2011
Cold Standby               Sync Config                Detected an Active mate
13:52:54 UTC Feb 27 2011
Sync Config                Sync File System           Detected an Active mate
13:52:54 UTC Feb 27 2011
Sync File System           Bulk Sync                  Detected an Active mate
13:52:54 UTC Feb 27 2011
Bulk Sync                  Standby Ready              Detected an Active mate
14:10:02 UTC Feb 27 2011
Standby Ready              Just Active                Other unit want me Active
14:10:02 UTC Feb 27 2011
Just Active                Active Drain               Other unit want me Active
14:10:02 UTC Feb 27 2011
Active Drain               Active Applying Config     Other unit want me Active
14:10:02 UTC Feb 27 2011
Active Applying Config     Active Config Applied      Other unit want me Active
14:10:02 UTC Feb 27 2011
Active Config Applied      Active                     Other unit want me Active
==========================================================================
PRAsaOne# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Standby Ready  Ifc Failure              11:50:42 UTC Feb 28 2011
====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set
02-28-2011 01:11 AM
Yeah, it seems to be flip-flopping between the 2 ASAs.
Can you please check that the interfaces on both ASAs are OK, i.e. duplex/speed is OK, and there are no errors on the interfaces.
Also there are a number of bugs with failover on the version of code that you are running. I would suggest that you upgrade the ASA to the latest version of 8.0.5.
02-28-2011 02:32 AM
Hello Jennifer,
Thanks for support,
We have checked all interfaces; there are no conflicts on the interfaces. Apart from that, regarding checking the IOS, can you suggest how to check whether it is working fine or not?
02-28-2011 02:54 AM
Here are a couple of failover bugs for your reference:
In general, however, 8.0.2 is an early version within the 8.0 train, and I would suggest that you upgrade it to version 8.0.5, as there have been quite a number of bug fixes in the later version.
I would also like to recommend that you enable stateful failover so that when it fails over between primary and secondary, all the connections get replicated to the standby unit, so there is no outage when failover occurs.
02-28-2011 04:32 AM
Hello Jennifer,
Thanks for update,
We want to know something about the firewall.
1. With an Active/Standby firewall, what configurations are available on both firewalls?
2. Where can we find whether our firewall is in active/active or active/standby state?
03-01-2011 02:36 AM
1. Active/Standby failover: you can configure either stateless failover or stateful failover. With stateful failover, the connection state information is replicated to the standby unit.
2. If you are not running multiple context mode, you will be running Active/Standby failover, as Active/Active failover is only supported in multiple context mode. I understand that you are running in single context mode.
Here is more information on failover for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html
Active/Standby failover:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html
Active/Active failover:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_active.html
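Added example, not part of the original thread: a Python parser for `show failover history` output that reports how often a unit entered the Failed state, for which reason, and how long each failure lasted, which is the flapping pattern visible in the primary's history above. The state names come from the output posted in the thread; the function names and the sample text are constructed for illustration.

```python
import re
from datetime import datetime

# State names as posted in this thread; longest first so "Active Drain" beats "Active".
STATES = sorted(["Not Detected", "Negotiation", "Cold Standby", "Sync Config",
                 "Sync File System", "Bulk Sync", "Standby Ready", "Just Active",
                 "Active Drain", "Active Applying Config", "Active Config Applied",
                 "Active", "Failed"], key=len, reverse=True)
TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d UTC \w{3} \d{1,2} \d{4}$")

def _take_state(text):
    for state in STATES:
        if text == state or text.startswith(state + " "):
            return state, text[len(state):].strip()
    raise ValueError(f"unknown failover state in {text!r}")

def parse_history(output):
    """Return [(datetime, from_state, to_state, reason), ...]."""
    events, ts = [], None
    for line in (raw.strip() for raw in output.splitlines()):
        if TIMESTAMP.match(line):
            ts = datetime.strptime(line, "%H:%M:%S UTC %b %d %Y")
        elif ts and line and not line.startswith(("=", "<---", "From State")):
            frm, rest = _take_state(line)
            events.append((ts, frm, *_take_state(rest)))
            ts = None  # each row belongs to the timestamp line before it
    return events

def flap_report(events):
    """Return (failures per reason, seconds spent in Failed each time)."""
    reasons, recov, failed_at = {}, [], None
    for ts, frm, to, reason in events:
        if to == "Failed":
            reasons[reason] = reasons.get(reason, 0) + 1
            failed_at = ts
        elif frm == "Failed" and failed_at is not None:
            recov.append(int((ts - failed_at).total_seconds()))
            failed_at = None
    return reasons, recov

# Constructed sample in the same shape as the output pasted in the thread.
SAMPLE = """\
16:45:49 UTC Feb 27 2011
Standby Ready Failed Interface check
16:45:52 UTC Feb 27 2011
<--- More --->
Failed Standby Ready Interface check
14:10:02 UTC Feb 27 2011
Just Active Active Drain Other unit want me Active"""
```

Many short-lived failures with the same reason, as `flap_report(parse_history(text))` would show for the primary's history, point at a monitored interface rather than at the failover link itself.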