Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1630
Views
0
Helpful
8
Replies

ASA 5520 Failover

estelamathew
Level 2
Level 2

‎03-09-2011 11:59 AM - edited ‎03-11-2019 01:03 PM

Hello,

I have configured the failover for ASA 5520. The configs are pefect and failover is triggering properly except DMZ interface. The problem i m facing is when i shut the interface for DMZ on primary ASA the failover does'nt happen but when i shut the inside or outside interface the failover works perfectly.I have applied monitor-interface command for all interface of ASA still i m facing the issue

Thanks

Labels:
0 Helpful
8 Replies 8

rgreville666
Level 1
Level 1

‎03-09-2011 12:33 PM

There’s only 2 things you need to do (assuming failover is working)

monitor-interface <if_name>

failover interface-policy 1

This explains all….

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

If that doesn’t do the trick send over a “sh failover” 

0 Helpful

estelamathew
Level 2
Level 2
In response to rgreville666

‎03-10-2011 10:35 AM

Hello Dear,

I have written the failover is working perfect with inside and outside interface not with DMZ , U have suggest failover interface-policy  command BYdefault the number is 1 why we need this command.when any 1 of the interface fails the failover should happen.

In my previous mail i have applied the monitor interface command for DMZ also still failover doesnt works with DMZ interface.

Thanks

0 Helpful

Yudong Wu
Level 7
Level 7
In response to estelamathew

‎03-10-2011 01:10 PM

can you post your full configuration here?

0 Helpful

estelamathew
Level 2
Level 2
In response to Yudong Wu

‎03-10-2011 10:57 PM

Hello,

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/0
failover link failover GigabitEthernet0/0
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

ON SECONDARY:

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/0
failover link failover GigabitEthernet0/0
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

PRIMARY:

PrimaryASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 16:34:00 GMT Mar 6 2011
        This host: Primary - Active
                Active time: 684799 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (192.168.20.100): Normal
                  Interface dmz (192.168.100.100): Normal (Waiting)
                  Interface outside (85.154.250.93): Normal (Waiting)
                  Interface managment (0.0.0.0): Link Down (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
                  IPS, 7.0(1)E3, Up
        Other host: Secondary - Standby Ready
                Active time: 1891 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (192.168.20.110): Normal
                  Interface dmz (192.168.100.150): Link Down
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface managment (0.0.0.0): Link Down (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
                  IPS, 7.0(1)E3, Up

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         3554055    0          55656      0        
        sys cmd         55054      0          55054      0        
        up time         0          0          0          0        
        RPC services    0          0          0          0        
        TCP conn        1038622    0          111        0        
        UDP conn        2275832    0          409        0        
        ARP tbl         183575     0          61         0        
        Xlate_Timeout   0          0          0          0        
        VPN IKE upd     427        0          0          0        
        VPN IPSEC upd   545        0          21         0        
        VPN CTCP upd    0          0          0          0        
        VPN SDI upd     0          0          0          0        
        VPN DHCP upd    0          0          0          0        
        SIP Session     0          0          0          0       

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       7       57020
        Xmit Q:         0       36      5991922

SECONDARY:

PrimaryASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 16:34:00 GMT Mar 6 2011
        This host: Secondary - Standby Ready
                Active time: 1891 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (192.168.20.110): Normal
                  Interface dmz (192.168.100.150): Link Down
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface managment (0.0.0.0): Link Down (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
                  IPS, 7.0(1)E3, Up
        Other host: Primary - Active
                Active time: 684838 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (192.168.20.100): Normal
                  Interface dmz (192.168.100.100): Normal (Waiting)
                  Interface outside (85.154.250.93): Normal (Waiting)
                  Interface managment (0.0.0.0): Link Down (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
                  IPS, 7.0(1)E3, Up

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         56282      0          2460973    10655    
        sys cmd         55059      0          55059      0        
        up time         0          0          0          0        
        RPC services    0          0          0          0        
        TCP conn        479        0          413991     251      
        UDP conn        662        0          1817674    94       
        ARP tbl         61         0          173277     10310    
        Xlate_Timeout   0          0          0          0        
        VPN IKE upd     0          0          427        0        
        VPN IPSEC upd   21         0          545        0        
        VPN CTCP upd    0          0          0          0        
        VPN SDI upd     0          0          0          0        
        VPN DHCP upd    0          0          0          0        
        SIP Session     0          0          0          0       

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       16      4909246
        Xmit Q:         0       6       57646

0 Helpful

mirober2
Cisco Employee
Cisco Employee
In response to estelamathew

‎03-11-2011 09:29 AM

Hello,

The reason there is no failover event when you shutdown the DMZ interface of the Primary unit is because the DMZ interface is also down on the Secondary unit already:

This host: Primary - Active
                 Interface dmz (192.168.100.100): Normal (Waiting)
Other host: Secondary - Standby Ready
                 Interface dmz (192.168.100.150): Link Down

Since both units would have an equal number of active interfaces, the Primary unit understands he is still just as healthy as the Secondary unit, so no failover occurs. If you bring up the link the Secondary unit's DMZ interface first, a failover event will happen next time you shut down the Primary unit's DMZ interface.

Here is more information on the different failover triggers:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1079547

Hope that helps.

-Mike

0 Helpful

estelamathew
Level 2
Level 2
In response to mirober2

‎03-11-2011 12:07 PM

Hello Dear,

Very nice observation, i also saw this but when i shut the outside interface on the primary unit the failover happen and users are able to access the WEB server in DMZ by secondary unit.

When the primary unit is UP the DMZ link on secondary shown as down, but when the primary unit is down the link on the DMZ is working fine.WHY?????????

Thanks

0 Helpful

mirober2
Cisco Employee
Cisco Employee

‎03-11-2011 12:10 PM

Hello,

I would check the configuration of the switch/device that the DMZ interfaces are connected to. Perhaps there is a STP or port configuration that causes this link to go down for the Standby unit.

-Mike

0 Helpful

estelamathew
Level 2
Level 2
In response to mirober2

‎03-13-2011 01:23 PM

Hello,

This host: Primary - Active
                Active time: 902787 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (192.168.20.100): Link Down (Waiting)
                  Interface dmz (192.168.100.100): Normal (Waiting)
                  Interface outside (85.154.250.93): No Link (Waiting)
                  Interface managment (0.0.0.0): Link Down (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
                  IPS, 7.0(1)E3, Up
        Other host: Secondary - Failed
                Active time: 2454 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Unknown/Unknown)
                  Interface inside (192.168.20.110): Link Down (Waiting)
                  Interface dmz (192.168.100.150): Unknown
                  Interface outside (0.0.0.0): Unknown (Waiting)
                  Interface managment (0.0.0.0): Link Down (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Unknown/Unknown)
                  IPS, 7.0(1)E3, Unknown

Hello Mike,

Secondary  firewall is OFF  why it is showing me the below output for the priamary firewall.All links are down why ?????

this host: Primary - Active
                 Active time: 902787 (sec)
                 slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                   Interface inside (192.168.20.100): Link Down (Waiting)
                   Interface dmz (192.168.100.100): Normal (Waiting)
                   Interface outside (85.154.250.93): No Link (Waiting)
                   Interface managment (0.0.0.0): Link Down (Waiting)
                 slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
                   IPS, 7.0(1)E3, Up

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card