Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
476
Views
0
Helpful
4
Replies

ASA 8.4 Active/Standby issue

Go to solution
aconticisco
Level 2
Level 2

‎05-17-2014 05:08 AM - edited ‎03-11-2019 09:12 PM

Hi,

Have configured Active/Standby and configuration has been copied fine from one device to other.

 

All interfaces that have been auto created (to match the original device) are showing IP addresses correctly (UP,UP)

 

The ASA are connected via 2 switches using trunk ports and status is UP for both trunk ports (I have connected to the same ports as in original device)

 

Though it was going to work when the configuration transfer was completed and the same interfaces connected. Let me know if you can suggest why interfaces on the standby ASA when active become (UP, UP) with correct IP Addresses but no traffic passes except on the failover interface. 

 

 

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to aconticisco

‎05-17-2014 05:14 PM

Are interfaces Fe1/14 and Fe1/15 switch module ports on R1 and R2?

You mentioned you're using trunk ports - do have have subinterfaces defined on the ASA then?

Seeing the configuration file (at least the interface and failover sections) would help.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-17-2014 05:41 AM

The standby unit is not passing traffic because it is standby. If you have a standby IP address configured, you would see it associated with the ports connecting to the standby unit (via mac address tables and or ARP caches).

In the event it becomes active, it will issue a gratuitous ARP so that the hosts needing to communicate via any of the configured interfaces know to associate its connected port(s) with the MAC address(es) that the units establish to associate with the IP address(es).

0 Helpful

Go to solution
aconticisco
Level 2
Level 2
In response to Marvin Rhoads

‎05-17-2014 07:34 AM

in fact this is the problem that even after entering command "no failover active" on the Active ASA and therefore the second ASA becomes the Active one - still no traffic works except between the interfaces of the Failover between the two ASA's. So the second ASA is yes becoming Active but it seems that no device is able to communicate with it even if all its interfaces match the primary one.

Attached is a diagram of the setup.

 

(Update seems that isakmp site to site link is not coming up now - other than that internal communication is working from the ASA on failover)

Preview file
33 KB
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to aconticisco

‎05-17-2014 05:14 PM

Are interfaces Fe1/14 and Fe1/15 switch module ports on R1 and R2?

You mentioned you're using trunk ports - do have have subinterfaces defined on the ASA then?

Seeing the configuration file (at least the interface and failover sections) would help.

0 Helpful

Go to solution
aconticisco
Level 2
Level 2
In response to Marvin Rhoads

‎05-18-2014 03:09 AM

Yes they are Marvin and subinterfaces configured - all is working fine now (at least seems so). Perhaps just a couple of restarts for all devices fixed the issue as failover is working fine including site to site VPN re-connection from failed over ASA. Downtime only lasts around 5 to 10 seconds

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card