cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11648
Views
0
Helpful
7
Replies

active/standby failover

Hello friends,

I had configure active standby failove on both device i.e below and i seen that once its configure after sometime its take priority 1st to secondary firewall and primanry firewall become standby state.

Also i check on show version command its show me that its active/active .

How can i check that its configure properly.

On Primary

failover
failover lan unit primary
failover lan interface failover Management0/0
failover interface ip failover 192.168.3.1 255.255.255.252 standby 192.168.3.2

On secondary

failover
failover lan unit secondary
failover lan interface failover Management0/0
failover interface ip failover 192.168.3.1 255.255.255.252 standby 192.168.3.2

1 Accepted Solution

Accepted Solutions

1. Active/Standby failover: you can configure either stateless failover or statefull failover. With stateful failover, the replicates the connection states information to the standby unit.

2. If you are not running multiple context mode, you will be running Active/Standby failover. As Active/Active failover is only supported in multiple context mode. I understand that you are running in single context mode.

Here is more information on failover for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html

Active/Standby failover:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

Active/Active failover:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_active.html

View solution in original post

7 Replies 7

Jennifer Halim
Cisco Employee
Cisco Employee

Can you please share the output of :

show failover

show failover history

show failover state

from both primary and secondary firewall.

Also in the "show version", it says Active/Active, basically it's just saying that it is capable of being configured as Active/Active failover (this only works in multiple context mode).

Dear Jennifer,

Thanks for support,

Please find below detail as per your post.

#########################################Primary device###############################

PRAsaOne# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 14:09:58 UTC Feb 27 2011
    This host: Primary - Standby Ready
        Active time: 1686 (sec)
        slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
          Interface intranet (10.190.0.4): Normal
          Interface outside (59.144.97.50): Normal
          Interface dmz (192.168.1.2): Normal
          Interface INSIDE (192.168.4.2): Normal
        slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
          IPS, 5.1(6)E1, Up
    Other host: Secondary - Active
        Active time: 63393 (sec)
        slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
          Interface intranet (10.190.0.1): Normal
          Interface outside (59.144.97.62): Normal
          Interface dmz (192.168.1.1): Normal
          Interface INSIDE (192.168.4.1): Normal
<--- More --->
             
        slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
<--- More --->
             
          IPS, 5.1(6)E1, Up
<--- More --->

<--- More --->
             
Stateful Failover Logical Update Statistics
    Link : Unconfigured.


PRAsaOne#

PRAsaOne# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
16:45:49 UTC Feb 27 2011
Standby Ready              Failed                     Interface check

16:45:52 UTC Feb 27 2011
Failed                     Standby Ready              Interface check

17:48:00 UTC Feb 27 2011
Standby Ready              Failed                     Interface check

17:48:02 UTC Feb 27 2011
Failed                     Standby Ready              Interface check

17:56:25 UTC Feb 27 2011
Standby Ready              Failed                     Interface check

17:56:27 UTC Feb 27 2011
Failed                     Standby Ready              Interface check

19:33:46 UTC Feb 27 2011
Standby Ready              Failed                     Interface check

19:33:48 UTC Feb 27 2011
<--- More --->
             
Failed                     Standby Ready              Interface check

20:25:31 UTC Feb 27 2011
Standby Ready              Failed                     Interface check

20:25:34 UTC Feb 27 2011
Failed                     Standby Ready              Interface check

21:14:47 UTC Feb 27 2011
Standby Ready              Failed                     Interface check

21:14:49 UTC Feb 27 2011
Failed                     Standby Ready              Interface check

22:44:22 UTC Feb 27 2011
Standby Ready              Failed                     Interface check

22:44:25 UTC Feb 27 2011
Failed                     Standby Ready              Interface check

01:42:29 UTC Feb 28 2011
Standby Ready              Failed                     Interface check

01:42:32 UTC Feb 28 2011
<--- More --->
             
Failed                     Standby Ready              Interface check

04:08:45 UTC Feb 28 2011
Standby Ready              Failed                     Interface check

04:08:53 UTC Feb 28 2011
Failed                     Standby Ready              Interface check

11:50:43 UTC Feb 28 2011
Standby Ready              Failed                     Interface check

11:50:45 UTC Feb 28 2011
Failed                     Standby Ready              Interface check

==========================================================================


PRAsaOne# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Standby Ready  Ifc Failure              12:10:33 UTC Feb 28 2011
Other host -   Secondary
               Active         Comm Failure             13:50:52 UTC Feb 27 2011

====Configuration State===
    Sync Done
====Communication State===
    Mac set
PRAsaOne#

#########################################Secondary device############################

PRAsaOne# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 14:10:02 UTC Feb 27 2011
    This host: Secondary - Active
        Active time: 63294 (sec)
        slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
          Interface intranet (10.190.0.1): Normal
          Interface outside (59.144.97.62): Normal
          Interface dmz (192.168.1.1): Normal
          Interface INSIDE (192.168.4.1): Normal
        slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
          IPS, 5.1(6)E1, Up
    Other host: Primary - Standby Ready
        Active time: 1686 (sec)
        slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
          Interface intranet (10.190.0.4): Normal
          Interface outside (59.144.97.50): Normal
          Interface dmz (192.168.1.2): Normal
          Interface INSIDE (192.168.4.2): Normal
<--- More --->
             
        slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
<--- More --->
             
          IPS, 5.1(6)E1, Up
<--- More --->

<--- More --->
             
Stateful Failover Logical Update Statistics
<--- More --->
             
    Link : Unconfigured.
<--- More --->

PRAsaOne# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
13:52:41 UTC Feb 27 2011
Not Detected               Negotiation                No Error

13:52:42 UTC Feb 27 2011
Negotiation                Cold Standby               Detected an Active mate

13:52:43 UTC Feb 27 2011
Cold Standby               Sync Config                Detected an Active mate

13:52:54 UTC Feb 27 2011
Sync Config                Sync File System           Detected an Active mate

13:52:54 UTC Feb 27 2011
Sync File System           Bulk Sync                  Detected an Active mate

13:52:54 UTC Feb 27 2011
Bulk Sync                  Standby Ready              Detected an Active mate

14:10:02 UTC Feb 27 2011
Standby Ready              Just Active                Other unit want me Active

14:10:02 UTC Feb 27 2011
<--- More --->
             
Just Active                Active Drain               Other unit want me Active

14:10:02 UTC Feb 27 2011
Active Drain               Active Applying Config     Other unit want me Active

14:10:02 UTC Feb 27 2011
Active Applying Config     Active Config Applied      Other unit want me Active

14:10:02 UTC Feb 27 2011
Active Config Applied      Active                     Other unit want me Active

==========================================================================


PRAsaOne# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Standby Ready  Ifc Failure              11:50:42 UTC Feb 28 2011

====Configuration State===
    Sync Done - STANDBY
====Communication State===
    Mac set

Yeah, it seems to be flip floping between the 2 ASAs.

Can you please check that interfaces on both the ASA are OK, ie: duplex/speed is ok, and there is no error on the interfaces.

Also there are a number of bugs with failover on the version of code that you are running. I would suggest that you upgrade the ASA to the latest version of 8.0.5.

Hello jennifer,

Thanks for support,

we had checked all inerface there are no confiliction on interface and apart on checking IOS, can you suggest me how to check IOS where its working fine or not.

Here are a couple of failover bugs for your reference:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj46062

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj46729

In general however, 8.0.2 is an early version within the 8.0 train, and I would suggest that you upgrade it to verison 8.0.5 as there has been quite a number of bug fixes in the later version.

I would also like to recommend that you enable stateful failover so when it fails over between primary and secondary, all the connections get replicated to the standby unit, so there are no outage when failover occurs.

Hello Jennifer,

Thanks for update,

we want to knaow something about firewall.

1. when Active/Standby firewall what are the configuration available on both firewall.

2. where we found that  our firewall in active/active or active active standby state.

1. Active/Standby failover: you can configure either stateless failover or statefull failover. With stateful failover, the replicates the connection states information to the standby unit.

2. If you are not running multiple context mode, you will be running Active/Standby failover. As Active/Active failover is only supported in multiple context mode. I understand that you are running in single context mode.

Here is more information on failover for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html

Active/Standby failover:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

Active/Active failover:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_active.html

Review Cisco Networking for a $25 gift card