03-09-2011 11:59 AM - edited 03-11-2019 01:03 PM
Hello,
I have configured the failover for ASA 5520. The configs are perfect and failover is triggering properly except for the DMZ interface. The problem I am facing is that when I shut the interface for DMZ on the primary ASA the failover doesn't happen, but when I shut the inside or outside interface the failover works perfectly. I have applied the monitor-interface command for all interfaces of the ASA and still I am facing the issue.
Thanks
03-09-2011 12:33 PM
There are only 2 things you need to do (assuming failover is working):
monitor-interface <if_name>
failover interface-policy 1
This explains all….
If that doesn't do the trick, send over a "sh failover".
03-10-2011 10:35 AM
Hello Dear,
I have written that the failover is working perfectly with the inside and outside interfaces, not with the DMZ. You have suggested the failover interface-policy command; by default the number is 1, so why do we need this command? When any one of the interfaces fails, the failover should happen.
As in my previous mail, I have applied the monitor-interface command for the DMZ also; still, failover doesn't work with the DMZ interface.
Thanks
03-10-2011 01:10 PM
Can you post your full configuration here?
03-10-2011 10:57 PM
Hello,
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/0
failover link failover GigabitEthernet0/0
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
ON SECONDARY:
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/0
failover link failover GigabitEthernet0/0
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
PRIMARY:
PrimaryASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 16:34:00 GMT Mar 6 2011
This host: Primary - Active
Active time: 684799 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (192.168.20.100): Normal
Interface dmz (192.168.100.100): Normal (Waiting)
Interface outside (85.154.250.93): Normal (Waiting)
Interface managment (0.0.0.0): Link Down (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
Other host: Secondary - Standby Ready
Active time: 1891 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (192.168.20.110): Normal
Interface dmz (192.168.100.150): Link Down
Interface outside (0.0.0.0): Normal (Waiting)
Interface managment (0.0.0.0): Link Down (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 3554055 0 55656 0
sys cmd 55054 0 55054 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1038622 0 111 0
UDP conn 2275832 0 409 0
ARP tbl 183575 0 61 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 427 0 0 0
VPN IPSEC upd 545 0 21 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 7 57020
Xmit Q: 0 36 5991922
SECONDARY:
PrimaryASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 16:34:00 GMT Mar 6 2011
This host: Secondary - Standby Ready
Active time: 1891 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (192.168.20.110): Normal
Interface dmz (192.168.100.150): Link Down
Interface outside (0.0.0.0): Normal (Waiting)
Interface managment (0.0.0.0): Link Down (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
Other host: Primary - Active
Active time: 684838 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (192.168.20.100): Normal
Interface dmz (192.168.100.100): Normal (Waiting)
Interface outside (85.154.250.93): Normal (Waiting)
Interface managment (0.0.0.0): Link Down (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 56282 0 2460973 10655
sys cmd 55059 0 55059 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 479 0 413991 251
UDP conn 662 0 1817674 94
ARP tbl 61 0 173277 10310
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 427 0
VPN IPSEC upd 21 0 545 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 16 4909246
Xmit Q: 0 6 57646
03-11-2011 09:29 AM
Hello,
The reason there is no failover event when you shut down the DMZ interface of the Primary unit is that the DMZ interface is also already down on the Secondary unit:
This host: Primary - Active
Interface dmz (192.168.100.100): Normal (Waiting)
Other host: Secondary - Standby Ready
Interface dmz (192.168.100.150): Link Down
Since both units would have an equal number of active interfaces, the Primary unit understands it is still just as healthy as the Secondary unit, so no failover occurs. If you bring up the link on the Secondary unit's DMZ interface first, a failover event will happen the next time you shut down the Primary unit's DMZ interface.
Here is more information on the different failover triggers:
Hope that helps.
-Mike
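The two replies above give the trigger in words: an interface is monitored (monitor-interface), a failure count threshold applies (failover interface-policy, default 1), and an interface that is already down on the standby unit does not make the active unit any less healthy than its peer. The following Python is an added example, not part of this thread and not Cisco code: it parses "sh failover" text of the kind pasted above and applies a simplified model of that decision. The model's rule that an interface counts as failed only when it is down on the active unit and up on the standby is an assumption drawn from Mike's explanation (it reproduces the poster's observations: shutting dmz does nothing, shutting outside or inside fails over). The sample output is constructed from the primary unit's paste, abbreviated to the lines the parser needs; the interface name "managment" is kept as it appears in the output.

```python
"""Model ASA interface-monitoring failover decisions from 'show failover' text.

Added example, not Cisco's algorithm: the decision rule below is a simplified
model built from the explanation in the thread (assumption, see lead-in).
"""
import copy
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the thread's output (abbreviated).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
This host: Primary - Active
        Interface inside (192.168.20.100): Normal
        Interface dmz (192.168.100.100): Normal (Waiting)
        Interface outside (85.154.250.93): Normal (Waiting)
        Interface managment (0.0.0.0): Link Down (Waiting)
Other host: Secondary - Standby Ready
        Interface inside (192.168.20.110): Normal
        Interface dmz (192.168.100.150): Link Down
        Interface outside (0.0.0.0): Normal (Waiting)
        Interface managment (0.0.0.0): Link Down (Waiting)
"""


@dataclass
class Unit:
    role: str                                   # "Primary" / "Secondary"
    state: str                                  # "Active", "Standby Ready", "Failed", ...
    interfaces: dict = field(default_factory=dict)  # nameif -> status text


@dataclass
class FailoverView:
    policy: int          # failover interface-policy (count form only)
    this_host: Unit
    other_host: Unit


_HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
_IF_RE = re.compile(r"^Interface (\S+) \([^)]*\): (.+)$")
_POLICY_RE = re.compile(r"^Interface Policy (\d+)$")


def parse_show_failover(text: str) -> FailoverView:
    """Extract the interface policy and per-unit interface status lines."""
    policy = 1          # ASA default when failover interface-policy is unset
    units = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _POLICY_RE.match(line)
        if m:
            policy = int(m.group(1))
            continue
        m = _HOST_RE.match(line)
        if m:
            current = Unit(role=m.group(2), state=m.group(3).strip())
            units[m.group(1)] = current
            continue
        m = _IF_RE.match(line)        # does not match "Interface Poll frequency ..."
        if m and current is not None:
            current.interfaces[m.group(1)] = m.group(2).strip()
    if "This" not in units or "Other" not in units:
        raise ValueError("output lacks 'This host' / 'Other host' sections")
    return FailoverView(policy, units["This"], units["Other"])


def is_healthy(status: str) -> bool:
    """'Normal' and 'Normal (Waiting)' are up; anything else is treated as down."""
    return status.startswith("Normal")


def counted_failures(active: Unit, standby: Unit) -> list:
    """Interfaces down on the active unit while the standby's same interface is up.

    An interface down on both units (dmz and managment in the thread) is not
    counted: the active unit is no less healthy than its peer there (assumption).
    """
    return sorted(name for name, status in active.interfaces.items()
                  if not is_healthy(status)
                  and is_healthy(standby.interfaces.get(name, "Unknown")))


def would_fail_over(view: FailoverView) -> bool:
    """True when the counted failures on the active unit reach the policy threshold."""
    if "Active" in view.this_host.state:
        active, standby = view.this_host, view.other_host
    else:
        active, standby = view.other_host, view.this_host
    if standby.state != "Standby Ready":
        return False          # peer Failed/Unknown/powered off: nowhere to fail over to
    return len(counted_failures(active, standby)) >= view.policy


def simulate_shutdown(view: FailoverView, nameif: str) -> bool:
    """Mark nameif as Link Down on the active unit and return the decision."""
    v = copy.deepcopy(view)
    active = v.this_host if "Active" in v.this_host.state else v.other_host
    if nameif not in active.interfaces:
        raise KeyError(nameif)
    active.interfaces[nameif] = "Link Down"
    return would_fail_over(v)


if __name__ == "__main__":
    view = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    for name in ("dmz", "outside", "inside"):
        print(f"shut {name:8s} -> failover: {simulate_shutdown(view, name)}")
```

Feeding it the primary unit's own output gives no failover for dmz (down on both sides) and a failover for outside or inside, which is exactly the symptom the thread reports; running it against a fresh "sh failover" after the standby's DMZ link is repaired is a quick way to confirm the fix before touching the production interface.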
03-11-2011 12:07 PM
Hello Dear,
Very nice observation. I also saw this, but when I shut the outside interface on the primary unit the failover happens and users are able to access the web server in the DMZ via the secondary unit.
When the primary unit is UP the DMZ link on the secondary is shown as down, but when the primary unit is down the DMZ link is working fine. WHY?
Thanks
03-11-2011 12:10 PM
Hello,
I would check the configuration of the switch/device that the DMZ interfaces are connected to. Perhaps there is an STP or port configuration that causes this link to go down for the standby unit.
-Mike
03-13-2011 01:23 PM
Hello,
This host: Primary - Active
Active time: 902787 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (192.168.20.100): Link Down (Waiting)
Interface dmz (192.168.100.100): Normal (Waiting)
Interface outside (85.154.250.93): No Link (Waiting)
Interface managment (0.0.0.0): Link Down (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
Other host: Secondary - Failed
Active time: 2454 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Unknown/Unknown)
Interface inside (192.168.20.110): Link Down (Waiting)
Interface dmz (192.168.100.150): Unknown
Interface outside (0.0.0.0): Unknown (Waiting)
Interface managment (0.0.0.0): Link Down (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Unknown/Unknown)
IPS, 7.0(1)E3, Unknown
Hello Mike,
The secondary firewall is OFF; why is it showing me the below output for the primary firewall? All links are down, why?
this host: Primary - Active
Active time: 902787 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (192.168.20.100): Link Down (Waiting)
Interface dmz (192.168.100.100): Normal (Waiting)
Interface outside (85.154.250.93): No Link (Waiting)
Interface managment (0.0.0.0): Link Down (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up