10-30-2009 09:10 AM - edited 02-21-2020 03:46 AM
hi
Have two 5540's setup in a failover scenario. Doing both LAN Failover and State Failover. **see attached**
The LAN Failover is using 192.168.2.1 as the active and 192.168.2.2 as the standby, with subnet mask of /30. On both devices LAN Failover is using G0/2 and there is a crossover cable connecting them.
The State Failover is using 192.168.3.1 as the active and 192.168.3.2 as the standby, with subnet mask of /30. With "enable HTTP replication" checked in ASDM. On both devices State Failover is using G0/3 and there is a crossover cable connecting them.
The ASDM syslog is logging errors every 10 seconds or so that say:
SOURCE IP: 192.168.3.1
DESTINATION IP: 192.168.3.2
Description:
"Routing failed to locate next hop for igrp from NP identity 192.168.3.1/0 to statefull:192.168.3.2/0"
The ASA's are using static routes to talk back to the network, of those routes there are two and both are in the 10.x.x.x network. No routing protocol is in use.
I am not sure why these errors are spamming my syslog and would love to get rid of them.
10-30-2009 10:17 AM
Can you post the results of show run failover? From the active ASA can you ping 192.168.3.1 & .2?
10-30-2009 11:30 AM
sure.
act/sec/ASAUFirewall# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: fail GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 16:35:59 UTC Oct 30 2009
This host: Secondary - Active
Active time: 6585 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (10.0.0.2): Normal
Interface outside (0.0.0.0): No Link (Not-Monitored)
Interface management (management): No Link (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
Other host: Primary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (10.0.0.3): Normal
Interface outside (0.0.0.0): Normal (Not-Monitored)
Interface management (0.0.0.0): Normal (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
Stateful Failover Logical Update Statistics
Link : statefull GigabitEthernet0/3 (Failed)
Stateful Obj    xmit  xerr  rcv  rerr
General         0     0     0    0
sys cmd         0     0     0    0
up time         0     0     0    0
RPC services    0     0     0    0
TCP conn        0     0     0    0
UDP conn        0     0     0    0
ARP tbl         0     0     0    0
Xlate_Timeout   0     0     0    0
VPN IKE upd     0     0     0    0
VPN IPSEC upd   0     0     0    0
VPN CTCP upd    0     0     0    0
VPN SDI upd     0     0     0    0
VPN DHCP upd    0     0     0    0
SIP Session     0     0     0    0
Logical Update Queue Information
            Cur  Max  Total
Recv Q:     0    0    0
Xmit Q:     0    0    0
10-30-2009 11:32 AM
...and yes the secondary is currently active, only cause I booted the primary when I was trying to troubleshoot the issue.
10-30-2009 11:46 AM
Link : statefull GigabitEthernet0/3 (Failed)
Can you ping the failover IPs from the ASA? Do both show the above failed? Can you run a LAN-based failover?
10-30-2009 12:01 PM
Crap, you asked for that and I completely didn't do it. Sorry, here it is.
act/sec/ASAUFirewall# ping 192.168.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
No route to host 192.168.3.2
Success rate is 0 percent (0/1)
and the lan based fail, the primary ip is being monitored on the inside interface, so I shut the switchport the ASA is plugged into. And as you can imagine while that port is in shut state I see this...
act/pri/ASAUFirewall# show fail
Failover On
Failover unit Primary
Failover LAN Interface: fail GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 18:51:54 UTC Oct 30 2009
This host: Primary - Active
Active time: 102 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (10.0.0.2): Normal (Waiting)
Interface outside (0.0.0.0): No Link (Not-Monitored)
Interface management (management): No Link (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
Other host: Secondary - Failed
Active time: 8154 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (10.0.0.3): No Link (Waiting)
Interface outside (0.0.0.0): Normal (Not-Monitored)
Interface management (0.0.0.0): Normal (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
and then I no shut the interface, now connecting the standby shows ready...
act/pri/ASAUFirewall# show fail
Failover On
Failover unit Primary
Failover LAN Interface: fail GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 18:51:54 UTC Oct 30 2009
This host: Primary - Active
Active time: 259 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (10.0.0.2): Normal (Waiting)
Interface outside (0.0.0.0): No Link (Not-Monitored)
Interface management (management): No Link (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
Other host: Secondary - Standby Ready
Active time: 8154 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (10.0.0.3): Normal (Waiting)
Interface outside (0.0.0.0): Normal (Not-Monitored)
Interface management (0.0.0.0): Normal (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
IPS, 7.0(1)E3, Up
thanks
e-
**also checked the show asp table routing and both 192.168.2.1 and 192.168.3.1 are in there as "identity" but no specific routes for either.
Maybe a bad cable? Aww, wouldn't that be a kicker.
10-30-2009 12:08 PM
I was thinking it could be a bad cable! Does the physical failover interface show down? Can you swap the cable?
10-30-2009 12:19 PM
I should have remembered the rule "always check layer 1 first". It was the cable.
The odd thing is the interfaces on g0/3 showed link, showed activity, and showed up. I just swapped the cable and bounced both devices and now the routing errors are gone.
act/pri/ASAUFirewall# ping 192.168.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
thanks for working through it with me, sorry to waste your time on a "physical" problem.
e-
10-30-2009 12:25 PM
Glad to hear it's working, that's the most important thing. I'm not trying to preach, but Cisco recommends not using cross-over cables for fail over. The devices can't always tell who the master should be and usually causes more issues than just a link down.
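An added example, not part of the original thread: a small parser that reads `show failover` output like the one posted above and flags the condition that mattered here, a failover LAN link reporting `(up)` while the stateful link reports `(Failed)`. The function names are hypothetical, and it assumes a healthy link is printed as `(up)`, as the LAN interface line in the thread is.

```python
import re

# Trimmed from the `show failover` output posted in this thread.
SAMPLE = """\
Failover LAN Interface: fail GigabitEthernet0/2 (up)
This host: Secondary - Active
Other host: Primary - Standby Ready
Stateful Failover Logical Update Statistics
Link : statefull GigabitEthernet0/3 (Failed)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
TCP conn 0 0 0 0
VPN IKE upd 0 0 0 0
Logical Update Queue Information
"""

LAN_RE = re.compile(r"^[ \t]*Failover LAN Interface:[ \t]+(\S+)[ \t]+(\S+)[ \t]+\((.+?)\)", re.M)
LINK_RE = re.compile(r"^[ \t]*Link[ \t]*:[ \t]+(\S+)[ \t]+(\S+)[ \t]+\((.+?)\)", re.M)
HOST_RE = re.compile(r"^[ \t]*(This|Other) host:[ \t]+(\S+) - (.+?)[ \t]*$", re.M)
ROW_RE = re.compile(r"^[ \t]*(\S.*?)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]*$", re.M)

def parse_failover(text):
    """Pull link states, unit roles and stateful counters out of `show failover`."""
    lan, link = LAN_RE.search(text), LINK_RE.search(text)
    # Counter rows sit between the "Stateful Obj" header and the queue section.
    stats = text.partition("Stateful Obj")[2].partition("Logical Update Queue")[0]
    return {
        "lan": lan.groups() if lan else None,         # (name, interface, state)
        "stateful": link.groups() if link else None,  # (name, interface, state)
        "hosts": {m[1]: (m[2], m[3]) for m in HOST_RE.finditer(text)},
        "counters": {m[1]: tuple(map(int, m.groups()[1:])) for m in ROW_RE.finditer(stats)},
    }

def findings(text):
    """Return a list of problems; an empty list means nothing was flagged."""
    p, out = parse_failover(text), []
    for key, label in (("lan", "failover LAN link"), ("stateful", "stateful link")):
        if p[key] is None:
            out.append(f"{label} not reported")
        elif p[key][2].lower() != "up":
            out.append(f"{label} {p[key][1]} is {p[key][2]}")
    # A link that reports up but has moved no state is also worth a look.
    if p["stateful"] and p["stateful"][2].lower() == "up" and p["counters"]:
        if not any(xmit or rcv for xmit, _, rcv, _ in p["counters"].values()):
            out.append("stateful link is up but all xmit/rcv counters are zero")
    out += [f"{who} host ({unit}) is Failed" for who, (unit, st) in p["hosts"].items() if st == "Failed"]
    return out
```

Run against the output captured before the cable swap, `findings(SAMPLE)` reports the failed stateful link even though the LAN failover interface is up.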