ASA 5585 HA failover..

mazhar mahadik · ‎09-25-2012

Hi Guyz,

I have a pair of ASA 5585 configured with 2 contexts, C1 & C2,

C1 is active on ASA-1 & C2 is active on ASA-2

i did failover test, ping was initiated to host residing behind ASA-1 in context C1

i powered of ASA-1 then both context became active on ASA-2, however during this failover.i saw 4 ping packets drop...

Is this normal...shoudnt i see lossless failover?

Thanks in Advance

Mazhar

Harish Balakrishnan · ‎09-25-2012

Hello Mazhar,

Sine the ICMP is not inspected by default in ASA, it is normal to see the ping drops during failover.

you can try below to configure ICMP inspection and test again

policy-map global_policy

class inspection_default

inspect icmp

hope this helps

Harish.

mazhar mahadik · ‎09-25-2012

Thanks for the reply Harish,

i have inspect icmp already configured under global policy.

will there wont be any packet loss for TCP connections during failover?

Harish Balakrishnan · ‎09-25-2012

ideally TCP/ UDP states are transferred to the secodary unit hence you should not see any drops. you can get this tested as follows

1.telnet to a device behind ASA before failover

2. do the failover

3.see whether you have the telnet session still active.

I hope you have both failover and state link confogured between the firewalls and they are active

Harish.