Are the interfaces excluded

bruno.fernandes · ‎05-06-2014

Hi guys,

I'm having a strange behaviour in an ASA cluster running 8.4(4) regarding failover feature, from the Active node standpoint if I issue a "show failover" I have the following result

------------------ show failover ------------------

Failover On
Failover unit Primary
Failover LAN Interface: dmz_failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(4), Mate 8.4(4)
Last Failover at: 13:12:39 UTC May 6 2014
   This host: Primary - Active
       Active time: 1247 (sec)
       slot 0: ASA5520 hw/sw rev (2.0/8.4(4)) status (Up Sys)
       Interface internetwork.wan (192.168.236.99): Normal (Monitored)
       Interface A.dmz (192.168.236.33): Link Down (Not-Monitored)
       Interface B.dmz (192.168.236.1): Link Down (Not-Monitored)
       Interface C.dmz (192.168.236.65): Link Down (Not-Monitored)
       Interface xerox.network (192.168.1.20): Normal (Monitored)
       Interface management (0.0.0.0): Link Down (Not-Monitored)
       slot 1: empty
   Other host: Secondary - Standby Ready
       Active time: 0 (sec)
       slot 0: ASA5520 hw/sw rev (2.0/8.4(4)) status (Up Sys)
       Interface internetwork.wan (192.168.236.100): Normal (Monitored)
       Interface A.dmz (192.168.236.34): Normal (Not-Monitored)
       Interface B.dmz (192.168.236.2): Normal (Not-Monitored)
       Interface C.dmz (192.168.236.66): Normal (Not-Monitored)
       Interface xerox.network (192.168.1.21): Normal (Monitored)
       Interface management (0.0.0.0): Normal (Not-Monitored)
       slot 1: empty

Regarding the following interfaces:

--> A.dmz

--> B.dmz

--> C.dmz

This dmz's are sub-interfaces associated to the same physical interface, that are in shutdown mode, from the switching interface they are also in shutdown mode.

So I understand from the active node standpoint we have a "Link Down" situation, but I don'e understand how can this be in "normal" state from the failover node stand point

Regards,

Bruno Fernandes

Abhirajsingh yadav · ‎05-07-2014

Hi Bruno,

Its look to be L2 issue. Please check the vlan is created and extended in the switches

bruno.fernandes · ‎05-07-2014

Hi Yadav,

The physical interfaces associated with those dmz's/sub-intf is in shutdown mode…..so that's not the reason from my point of view

Regards,

Bruno

Marvin Rhoads · ‎05-07-2014

Are the interfaces excluded from failover monitoring in the config? ("no monitor-interface dmz")

bruno.fernandes · ‎05-07-2014

Hi Marvin,

Yes does interfaces are not monitored, has a side note does dmz's are not being use now….also I don't have a specific "no monitor dmz" in the config !!!! but I'm 100% positive that I have uncheck the box regarding the monitoring option for does dmz's (in ASDM) ……but I will try

Regards,

BF

Marvin Rhoads · ‎05-07-2014

I haven't a spare pair to try it on but I suspect your earlier comment about them being shutdown will exclude them from monitoring - even without the "no monitor-interface ___" command. That would make sense since if they are configured shutdown there's no way they will be up on either the active or standby unit.

...so bottom line would be that what you see in "show failover" is completely normal.

ASA 8.4(4) failover issue