ASA Active/Passive Failed

Michael Wollner · ‎01-13-2012

Hello,

i have a problem with a Failover Pair of 5510. The Boxes run with the software version 8.2.5.

If the Active ASA goes down, the Standby ASA switch to Active.

Now the problem.

If i switch on the old Active ASA, both ASA are Active.

This problem don't solved with the command 'no failover active' on the Standby box.

This problem only solved with the command 'no failover' and then 'failover' on the Standby box.

mfg

Michael Wollner

ajay chauhan · ‎01-13-2012

use the failover active command on the standby unit or the no failover active command on the active. This should work fine if not working then something else might causing some issue.

Michael Wollner · ‎01-13-2012

Hello ajay,

This command have no effect on the Standby unit. Both ASA Primary and Standby are Active after restart the Primary ASA.

Only the command 'no failover' and then 'failover' works.

mfg

ajay chauhan · ‎01-13-2012

Hi Michael,

Can you post failover config for both the Firewalls as well as show failover output attached with them?

Thanks

Ajay

Michael Wollner · ‎01-13-2012

Hello ajay,

the configs are correct.

-- Active --

interface Ethernet0/0

no nameif

no security-level

no ip address

!

interface Ethernet0/0.5

vlan 5

nameif outside

security-level 0

ip address 1x.x.x.210 255.255.255.248 standby 1x.x.x.211

!

interface Ethernet0/0.6

vlan 6

nameif DMZ_01

security-level 2

ip address 10.3.1.10 255.255.255.0 standby 10.3.1.11

!

interface Ethernet0/1.2

vlan 2

nameif DMZ_02

security-level 50

ip address 10.0.1.1 255.255.255.248 standby 10.0.1.2

!

interface Ethernet0/1.10

vlan 10

nameif DMZ_03

security-level 50

ip address 10.0.1.8 255.255.255.248 standby 10.0.1.9

!

interface Ethernet0/2

nameif DMZ_04

security-level 50

ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2

!

interface Ethernet0/3

no nameif

no security-level

no ip address

interface Ethernet0/3.50

description LAN Failover Interface

vlan 50

interface Ethernet0/3.51

description STATE Failover Interface

vlan 51

!

interface Management0/0

nameif Management

security-level 99

ip address 172.31.0.1 255.255.255.0 standby 172.31.0.2

failover

failover lan unit primary

failover lan interface Failover Ethernet0/3.50

failover key xxxxx

failover replication http

failover link Failover Ethernet0/3.50

failover link State Ethernet0/3.51

failover interface ip Failover 172.18.2.1 255.255.255.248 standby 172.18.2.2

failover interface ip State 172.18.3.1 255.255.255.248 standby 172.18.3.2

monitor-interface outside

monitor-interface DMZ_01

monitor-interface DMZ_02

monitor-interface DMZ_03

-- Standby --

failover

failover lan unit secondary

failover lan interface Failover Ethernet0/3.50

failover key xxxxx

failover replication http

failover link Failover Ethernet0/3.50

failover link State Ethernet0/3.51

failover interface ip Failover 172.18.2.1 255.255.255.248 standby 172.18.2.2

failover interface ip State 172.18.3.1 255.255.255.248 standby 172.18.3.2

monitor-interface outside

monitor-interface DMZ_01

monitor-interface DMZ_02

monitor-interface DMZ_03

---

The Standby ASA is now Offline. I can't get a 'show failover' now. I post the logging at Monday.

mfg