07-12-2012 03:31 AM - edited 03-11-2019 04:30 PM
If we switch from primary to secondary firewall, the interfaces on the secondary go to state waiting, then to failed.
After a while the secondary gives the control to the primary.
It seems that traffic passes the secondary firewall during this short failover time.
We have several contexts created on the firewall; switch ports checked, cabling checked, everything checked.
blackhole Interface inside (10.255.102.134): Normal (Waiting)
blackhole Interface shared (10.255.102.134): Normal (Waiting)
blackhole Interface inside (10.255.102.133): Failed (Waiting)
blackhole Interface shared (10.255.102.133): Normal
blackhole Interface inside (10.255.102.133): Normal (Waiting)
blackhole Interface shared (10.255.102.133): Normal
Any idea?
Thanks in advance
07-13-2012 03:41 PM
Alfred,
You will see this behavior when the monitoring packets between interfaces are getting lost. You can try to capture the traffic between the two units and you will notice if the packets are actually getting lost.
Luis Silva
07-16-2012 03:09 AM
Hi Luis
You mean capture only from the failover interface or all interfaces ?
Sincerely
07-16-2012 06:24 AM
Alfred,
I mean regular interfaces, since the ASA also tries those interfaces.
Luis
08-31-2012 04:48 AM
Hi
Solution (as Luis mentioned):
Configured the captures on the inside interfaces of the context. Did a test and noticed a delay between the hello packets sent from the active unit and the replies from the peer:
e.g. no response from 2.2.2.2
52: 07:40:57.019591 802.1Q vlan#715 P0 1.1.1.1 > 2.2.2.2 : ip-proto-105, length 44
53: 07:40:57.119561 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 44
54: 07:40:57.219501 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 44
55: 07:40:57.319472 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 vip-proto-105, length 44
56: 07:40:57.419503 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 44
57: 07:40:57.519840 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 48
Increased the polltime/holdtime under failover group 1, did the test, and noticed that all started to work fine with no issues.
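Reading the capture the way this thread does, as an added example that is not from the post or from Cisco: a small Python parser that pulls the protocol-105 failover hellos out of ASA capture output and measures how long the peer stays silent, so the gap can be compared against the configured interface holdtime. The sample capture lines are constructed to resemble the ones above; the local/peer addresses and the holdtime value are assumptions.

```python
import re
from datetime import datetime

# Shape of the capture lines in the post above, including the spacing variations seen there:
#   52: 07:40:57.019591 802.1Q vlan#715 P0 1.1.1.1 > 2.2.2.2: ip-proto-105, length 44
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s*>\s*(?P<dst>\d+\.\d+\.\d+\.\d+)\s*:?\s*"
    r"(?P<proto>ip-proto-\d+)"
)
HELLO_PROTO = "ip-proto-105"  # ASA failover hellos are carried as IP protocol 105

# Constructed sample modelled on the capture in the post (assumed addresses): the local unit
# 1.1.1.1 sends a hello every 100 ms, peer 2.2.2.2 answers once, then stays silent for ~700 ms.
SAMPLE_CAPTURE = """\
51: 07:40:56.919600 802.1Q vlan#715 P0 2.2.2.2 > 1.1.1.1: ip-proto-105, length 44
52: 07:40:57.019591 802.1Q vlan#715 P0 1.1.1.1 > 2.2.2.2: ip-proto-105, length 44
53: 07:40:57.119561 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 44
54: 07:40:57.219501 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 44
55: 07:40:57.319472 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 44
56: 07:40:57.419503 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 44
57: 07:40:57.519840 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 48
58: 07:40:57.619900 802.1Q vlan#715 P0 2.2.2.2 > 1.1.1.1: ip-proto-105, length 44
59: 07:40:57.700000 802.1Q vlan#715 P0 10.0.0.5.443 > 10.0.0.9.51022: S 1:1(0) win 8192
"""

def parse_hellos(lines):
    """Return (seconds_since_midnight, src, dst) for each protocol-105 hello; other traffic is skipped."""
    hellos = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("proto") != HELLO_PROTO:
            continue
        t = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        hellos.append((secs, m.group("src"), m.group("dst")))
    return hellos

def peer_hello_gaps(lines, peer):
    """Seconds between consecutive hellos received FROM the peer (assumes the capture does not cross midnight)."""
    times = [t for t, src, _ in parse_hellos(lines) if src == peer]
    return [round(b - a, 6) for a, b in zip(times, times[1:])]

def silence_exceeds_holdtime(lines, peer, holdtime):
    """True if the peer ever stayed quiet longer than the interface holdtime (seconds),
    which is the condition under which the unit moves the interface towards Failed."""
    gaps = peer_hello_gaps(lines, peer)
    return bool(gaps) and max(gaps) > holdtime

if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    print("longest peer silence:", max(peer_hello_gaps(lines, "2.2.2.2")), "s")
    print("exceeds 0.5 s holdtime:", silence_exceeds_holdtime(lines, "2.2.2.2", 0.5))
```

Feed it the output of the capture on each monitored interface of the context; a peer silence longer than the holdtime on an interface that is otherwise healthy points at hello loss or delay rather than a real link failure.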
08-31-2012 06:29 PM
Glad to hear that my suggestion gave you a better idea of how to solve the issue.