Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
769
Views
0
Helpful
5
Replies

ASA 5580 with 4*10 GB module act/act failover not working

Alfred Berberich
Level 1
Level 1

‎07-12-2012 03:31 AM - edited ‎03-11-2019 04:30 PM

If we switch from primary to secondary firewall the interfaces on the secondary  go to state waitung than to failed.

after awhile the secondary gives the control to the primary.

it seem that traffic passes the secondary firewall during this short failover time .

we have several context created  on the firewall, Switch Ports checked , cabeling check everythink checked

blackhole Interface inside (10.255.102.134): Normal (Waiting)

blackhole Interface shared (10.255.102.134): Normal (Waiting)

               

blackhole Interface inside (10.255.102.133): Failed (Waiting)

blackhole Interface shared (10.255.102.133): Normal

blackhole Interface inside (10.255.102.133): Normal (Waiting)

blackhole Interface shared (10.255.102.133): Normal

any idea

Thanks in advanced

Labels:
0 Helpful
5 Replies 5

Luis Silva Benavides
Cisco Employee
Cisco Employee

‎07-13-2012 03:41 PM

Alfred,

You will see this behavior when the monitoring packets between interface are getting lost. You can try to capture the traffic between the two units and you will notice if the packets the packets are actually getting lost.

Luis Silva

Luis Silva
0 Helpful

Alfred Berberich
Level 1
Level 1
In response to Luis Silva Benavides

‎07-16-2012 03:09 AM

Hi Luis

You mean capture only from the failover interface or all interfaces ?

sincereley

0 Helpful

Luis Silva Benavides
Cisco Employee
Cisco Employee
In response to Alfred Berberich

‎07-16-2012 06:24 AM

Alfred,

I mean regular interfaces, since the ASA also tries those interfaces.

Luis

Luis Silva
0 Helpful

Alfred Berberich
Level 1
Level 1
In response to Luis Silva Benavides

‎08-31-2012 04:48 AM

Hi

Solution (  as Luis mentioned )

configured the captures on the inside interfaces of the contextDid a test and noticed a delay between the hello packets sent from the active unit and the replies
from the peer :

e.g. no response from 2.2.2.2

52: 07:40:57.019591 802.1Q vlan#715 P0 1.1.1.1 > 2.2.2.2 :  ip-proto-105, length 44

53: 07:40:57.119561 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 44

54: 07:40:57.219501 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 44

55: 07:40:57.319472 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 vip-proto-105, length 44

56: 07:40:57.419503 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 44

57: 07:40:57.519840 802.1Q vlan#715 P0 1.1.1.1> 2.2.2.2 ip-proto-105, length 48

Increased the polltime/holdtime under failover group 1, did the test, and noticed that all started to work fine with no issues.

0 Helpful

Luis Silva Benavides
Cisco Employee
Cisco Employee
In response to Alfred Berberich

‎08-31-2012 06:29 PM

Glad to hear that my suggestion gave you a bettter idea of how to solve the issue.

Luis Silva
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card