08-13-2012 06:14 AM - edited 03-11-2019 04:41 PM
Hi all,
I have two ASA 5515 configured as active / standby.
I configured the failover and I checked for proper operation. But when I configured access rules and NAT, I realized that the failover does not work anymore: two interfaces, inside and outside, are "Unknown (Waiting)". The other LAN interface and management are "Normal (Monitored)".
Here is the show failover command output.
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
failover replication http
Version: Ours 8.6(1), Mate 8.6(1)
Last Failover at: 13:35:07 CEDT Aug 10 2012
This host: Primary - Active
Active time: 241180 (sec)
slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys)
Interface Internal (192.168.10.251): Unknown (Waiting)
Interface WAN-Infostrada (151.14.163.181): Unknown (Waiting)
Interface Radio (193.168.1.148): Normal (Waiting)
Interface management (192.168.1.1): Normal (Monitored)
slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive/Up)
Other host: Secondary - Standby Ready
Active time: 443 (sec)
slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys)
Interface Internal (0.0.0.0): Unknown (Waiting)
Interface WAN-Infostrada (0.0.0.0): Unknown (Waiting)
Interface Radio (0.0.0.0): Unknown (Waiting)
Interface management (0.0.0.0): Normal (Monitored)
slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive/Up)
Stateful Failover Logical Update Statistics
Link : Failover GigabitEthernet0/5 (up)
Stateful Obj     xmit      xerr   rcv     rerr
General          9319463   0      46801   1
sys cmd          32215     0      32215   0
up time          0         0      0       0
RPC services     0         0      0       0
TCP conn         1977416   0      2878    1
UDP conn         4913767   0      6891    0
ARP tbl          2396065   0      4817    0
Xlate_Timeout    0         0      0       0
IPv6 ND tbl      0         0      0       0
VPN IKEv1 SA     0         0      0       0
VPN IKEv1 P2     0         0      0       0
VPN IKEv2 SA     0         0      0       0
VPN IKEv2 P2     0         0      0       0
VPN CTCP upd     0         0      0       0
VPN SDI upd      0         0      0       0
VPN DHCP upd     0         0      0       0
SIP Session      0         0      0       0
Route Session    0         0      0       0
User-Identity    0         0      0       0
Logical Update Queue Information
          Cur   Max   Total
Recv Q:   0     19    47330
Xmit Q:   0     30    9602866
Is it possible that some access rule denies the communication between the two ASAs?
What other reasons could I check?
Thanks in advance for your answer
08-13-2012 07:05 AM
Hi Bro
I believe there are 3 reasons as to why you're facing this issue:
a) your standby IP address configuration is all wrong.
b) both the LAN switches connected to the various interfaces you've mentioned above are perhaps not configured properly.
If you could paste your latest config here, and a physical diagram of the FWs and switches, I guess everyone here can help
08-13-2012 08:03 AM
NAT and ACLs don't have any influence on the failover functionality. Have you configured the standby IP addresses in the interface config? And paste at least the interface configs and the output of "show run failover".
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-13-2012 08:20 AM
When I performed the tests I hadn't configured the secondary IP on any interface and the failover worked.
I configured the failover interface using the same dedicated interface for "LAN Failover" and "State Failover" (connected with a Crossover Cable).
Here is the diagram of connections.
This is the result of the sh run failover:
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/5
failover key *****
failover replication http
failover link Failover GigabitEthernet0/5
failover interface ip Failover 172.16.254.1 255.255.255.0 standby 172.16.254.2
This is the result of the sh run interface:
interface GigabitEthernet0/0
nameif Internal
security-level 100
ip address 192.168.10.251 255.255.255.0
!
interface GigabitEthernet0/1
nameif WAN-Infostrada
security-level 0
ip address
!
interface GigabitEthernet0/2
nameif Radio
security-level 50
ip address 193.168.1.148 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
The management interface and the interface named "Radio" don't have a secondary IP but the status is "Normal".
Should I configure a secondary IP on all interfaces? For the internal interface there is no problem, but the WAN interface has a public IP configured; how do I set a secondary IP on this interface?
08-13-2012 06:59 PM
If you don't have a secondary IP from the ISP, you can leave it as it is. Failover will work properly unless you are using a dynamic routing protocol on the ASA. Regarding the Unknown state, it is normal because the other ASA does not have an IP address to source the failover packets from.
Hope that helps
Zubair
08-13-2012 09:30 PM
Dear,
When you turn on failover on ASA devices, by default it monitors all physical interfaces.
By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled.
Monitored failover interfaces can have the following status:
•Unknown—Initial status. This status can also mean the status cannot be determined.
•Normal—The interface is receiving traffic.
•Testing—Hello messages are not heard on the interface for five poll times.
•Link Down—The interface or VLAN is administratively down.
•No Link—The physical link for the interface is down.
•Failed—No traffic is received on the interface, yet traffic is heard on the peer interface
To disable monitoring on a specific interface, you can configure the command below on your ASA device.
Syntax:
no monitor-interface if_name
In our scenario: no monitor-interface WAN-Infostrada
Look at the link below for more detail:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html
HTH
Thanks
Santhosh Sarav
08-14-2012 12:07 AM
Thanks to all.
I'm trying to free the IP that I need.
Why are the management interface and the interface "Radio" Normal even without the secondary IP?
08-14-2012 03:59 AM
I put the secondary IP on the internal and management interfaces. Now they are Normal (Monitored).
Here is the output of sh failover.
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
failover replication http
Version: Ours 8.6(1), Mate 8.6(1)
Last Failover at: 13:35:07 CEDT Aug 10 2012
This host: Primary - Active
Active time: 319708 (sec)
slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys)
Interface Internal (192.168.10.251): Normal (Monitored)
Interface WAN-Infostrada (151.X.X.X): Normal (Waiting) // here is the correct IP
Interface Radio (193.168.1.148): Normal (Waiting)
Interface management (192.168.1.1): Normal (Monitored)
slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive/Up)
Other host: Secondary - Standby Ready
Active time: 443 (sec)
slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys)
Interface Internal (192.168.10.252): Normal (Monitored)
Interface WAN-Infostrada (0.0.0.0): Normal (Waiting)
Interface Radio (0.0.0.0): Normal (Waiting)
Interface management (192.168.1.2): Normal (Monitored)
slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive/Up)
After disabling and re-enabling the WAN and Radio interfaces, they are "Normal (Waiting)".
What can I do for the interfaces where I cannot put a secondary IP (WAN and Radio)?
08-14-2012 06:21 AM
What can I do for the interfaces where I cannot put a secondary IP (WAN and Radio)?
Just leave it that way. Failover will still work, but you won't detect link problems between your two ASAs on that particular interface.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
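The two answers above leave the operator with a judgement call per interface: add a standby address so hellos can be exchanged, or accept that a "Waiting" interface will not detect link problems and say so explicitly with "no monitor-interface". The script below is an added example, not code from this thread or from Cisco: it parses "show failover" output like the one posted above, reports every interface whose health check is not actually effective (standby unit shows 0.0.0.0, or the monitoring state is not "Monitored"), and emits the explicit opt-out commands for those interfaces. The sample output is constructed from the second "show failover" in the thread, with the WAN address left redacted as in the post; the function names are this example's own.

```python
"""Audit ASA 'show failover' output for interfaces whose monitoring is not effective.

Added example for this thread (not Cisco code). Input format follows the
'show failover' output posted in the thread; all names below are the example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the second "show failover" output in the thread.
# The WAN address is kept redacted as "151.X.X.X", exactly as in the post.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/5 (up)
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
This host: Primary - Active
        Active time: 319708 (sec)
        slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys)
          Interface Internal (192.168.10.251): Normal (Monitored)
          Interface WAN-Infostrada (151.X.X.X): Normal (Waiting)
          Interface Radio (193.168.1.148): Normal (Waiting)
          Interface management (192.168.1.1): Normal (Monitored)
Other host: Secondary - Standby Ready
        Active time: 443 (sec)
        slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys)
          Interface Internal (192.168.10.252): Normal (Monitored)
          Interface WAN-Infostrada (0.0.0.0): Normal (Waiting)
          Interface Radio (0.0.0.0): Normal (Waiting)
          Interface management (192.168.1.2): Normal (Monitored)
"""

# "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
UNIT_RE = re.compile(r"^(This host|Other host):\s*(\S+)\s*-\s*(.+?)\s*$")
# "Interface <nameif> (<addr>): <state> (<Monitored|Waiting>)"
IFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([^)]*)\):\s*(.+?)\s*\((\w+)\)\s*$")


@dataclass
class IfaceStatus:
    unit: str        # "Primary" or "Secondary"
    name: str        # nameif
    address: str     # address this unit holds on the interface; 0.0.0.0 = none
    state: str       # Normal, Unknown, Testing, Link Down, No Link, Failed
    monitoring: str  # "Monitored" (hellos exchanged) or "Waiting"


def parse_show_failover(text: str) -> List[IfaceStatus]:
    """Collect the per-unit interface lines, tagging each with the unit it belongs to."""
    unit = None
    found: List[IfaceStatus] = []
    for line in text.splitlines():
        m = UNIT_RE.match(line)
        if m:
            unit = m.group(2)
            continue
        m = IFACE_RE.match(line)
        if m and unit:
            name, addr, state, mon = m.groups()
            found.append(IfaceStatus(unit, name, addr, state, mon))
    return found


def assess(statuses: List[IfaceStatus]) -> Dict[str, List[str]]:
    """Return {interface: [reasons]} for interfaces whose failover checks are not effective.

    0.0.0.0 on a unit means no standby address is configured, so that unit cannot
    source hellos on the interface; anything other than "Monitored" means the peer
    test is not running, so a link problem there will not trigger failover (the
    point made in the thread about "Normal (Waiting)" interfaces).
    """
    findings: Dict[str, List[str]] = {}
    for s in statuses:
        reasons = findings.setdefault(s.name, [])
        if s.address == "0.0.0.0":
            reasons.append(f"{s.unit} has no address (missing 'standby' IP)")
        if s.monitoring != "Monitored":
            reasons.append(f"{s.unit} reports {s.state} ({s.monitoring})")
    return {name: r for name, r in findings.items() if r}


def remediation(findings: Dict[str, List[str]]) -> List[str]:
    """Explicit opt-out for interfaces that cannot get a standby address.

    Adding 'ip address A MASK standby B' on the interface is the preferred fix
    when a second address exists; otherwise 'no monitor-interface' records the
    decision instead of leaving the interface silently in "Waiting".
    """
    return [f"no monitor-interface {name}" for name in sorted(findings)]


if __name__ == "__main__":
    found = assess(parse_show_failover(SAMPLE_SHOW_FAILOVER))
    for name, reasons in sorted(found.items()):
        print(f"{name}:")
        for reason in reasons:
            print(f"  - {reason}")
    print("\n".join(remediation(found)))
```

Run against the sample, the script flags WAN-Infostrada and Radio (both "Waiting" on the active unit and 0.0.0.0 on the standby) and leaves Internal and management alone; paste a live "show failover" into SAMPLE_SHOW_FAILOVER, or read it from a file, to audit a real pair after a config change such as the NAT/ACL edit that started this thread.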
08-17-2012 12:04 AM
I did some tests and everything works great!
Unfortunately I cannot monitor the status of the WAN interface because I cannot set a secondary IP.
Thanks to all.
07-12-2016 12:57 PM
Dear friend,
OK, I understand, but it works fine without configuring the standby IP address too, right?
What's the benefit of putting a standby address?