
ASA 5525, what exactly is the failover link used for?

Hello.

"ciscoasa(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2"

The above is the Cisco literature config for a failover link for one of two 5525s in a high-availability setup.

What exactly is this link used for? What traverses the link? 

Thank you.


All interfaces on both ASAs are up. On both ASAs I can ping all interfaces except the default gateway.

Gateway of last resort (! obfuscated !) is 7.7.7.1 to network 0.0.0.0

This symptom occurred after I executed "failover active" on the currently active ASA.

@jmaxwellUSAF clear arp on the upstream switch that your next hop gateway is connected to.

In short, I currently have Anyconnect VPN connectivity. I have confirmed access through the VPN to the enterprise internal LAN.

It is true that I just executed "failover active" from both devices.

Now the first symptom exists in which the VPN takes about 1 minute to join from the client.

The intended primary FW is listing as: FW/sec/act#
The intended secondary FW is listing as: FW/pri/stby#

What is the procedure to correctly set these ASAs to their proper active/standby setup? I expect it is to execute "failover active" on FW/sec/act. May you please confirm or advise?

Thank you.

@jmaxwellUSAF the correct procedure to perform failover is to execute the no failover active command on the active unit, or to run the failover active command on the standby unit.

What was the issue when there was no connectivity? It sounds like there is some other underlying issue.

I successfully executed failover for the ASA HA setup. The Anyconnect "long join time" symptom is remediated.

This entire task is complete.

I am unsure why I briefly lost connectivity. I expect it has something to do with my confusing workstation NIC situation. Both my ethernet and wifi are active. Sometimes I'm connected to the VPN through WiFi, sometimes not. I get confused with the active network paths from my workstation.

Rob, clearly your help was invaluable here. Thank you, and please enjoy your weekend!

I will run a lab and capture the traffic between two ASA FW HA, and share here.

Thank you MHM. I am strongly suspecting this root cause was a human mistakenly disconnecting a monitored link. Unless new conclusions are suggested in the thread, you may cease your lab effort. Thank you sir.
