Solved: Active/Standby Failover

nagabhushana.k · ‎09-29-2009

Hi all,

I have following questions about Active/Standby failover between 2 ASA firewalls.

Question 1: Can we monitor interfaces' failure of active firewall, so that failover happens and standby takes over.

What i mean is, if HSRP is configured on two routers and an interface is being tracked for failure and that interface fails, then priority of the router decremented so that the secondary router takes over.

In similar way, is it possible to track interfaces of active firewall, so that as soon as interface(s) fail, standby can take over.

Question 2: What is the use of monitor-interface {interface name} command? Is this command used for above mentioned purpose?

Question 3: What does "Interface failure on active unit above threshold" means?

Saurabh Kishore · ‎10-06-2009

Hi,

As per the attached diagram you seem to have configured 2 interfaces on the firewall.

Monitoring of physical interfaces is enabled by default when you enable failover.

However if there are logical interfaces in your configuration then if you wish to enable monitoring for logical interfaces then you need to manually enable it.

By default failover interface-policy has value 1

failover interface-policy num%

num Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces when used as a number.

so if you use

failover interface-policy 50%

or by default : failover interface-policy 1

it is one and the same thing

you can get the detailed information about this command in the link below:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/ef.html#wp1927458

View solution in original post

Jon Marshall · ‎09-29-2009

Q1 - yes you can. although you don't track another interface in the same way

Q2 - failover occurs for a number of reasons. One of the reasons could be failure of an interface. The monitor-interface command is how you keep track of an interface. So you monitor those interfaces that if they fail you want the firewall to failover. You can set a % of failed interfaces that must occur before failing over.

Q3 - the % mentioned above is the the threshold set above which the firewall will failover.

Jon

nagabhushana.k · ‎09-30-2009

Thank you very much for your reply.

I have couple of more questions to ask. In order to make the scenario little bit clear, I am attaching a simple network diagram along with this post.

I have configured active/standby failover between 2 ASAs. Ethernet 0 being named as â€œoutsideâ€ and Ethernet 1 as â€œinsideâ€. Everything is working fine.

If I issue a command â€œshow running-config monitor-interfaceâ€, the output displays that both outside and inside interfaces are being monitored on active as well as standby firewall.

Question 1: If I use the command â€œfailover interface-policy 50%â€ in configuration mode, what will be its effect on the failover? Does it mean that if one interface out of two fails (which makes 50%), then failover should happen?

Question 2: Does command â€œfailover interface-policy 1â€ instead of â€œfailover interface-policy 50%â€ will perform the same operation, considering the network diagram attached with this post.

Saurabh Kishore · ‎10-06-2009

Hi,