06-05-2012 04:17 AM - edited 03-11-2019 04:15 PM
Hi Guys,
I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.
1) Can someone please help me clarify/fix this?
2) Will a second failover link fix my problem?
3) How can I configure a second failover link?
Thank you for your time!
Cheers,
Ranil
Sent from Cisco Technical Support iPhone App
06-05-2012 07:58 AM
If you unplug the failover cable, both units will definitely become active because they can't communicate with each other, hence both resume the active role.
It is recommended to connect the failover link to a switch instead of using a crossover cable, because it is more difficult to troubleshoot when it fails if you are using a crossover cable.
You can configure a redundant interface to have a standby physical link for your failover link.
Here is the configuration guide for your reference:
06-05-2012 08:43 AM
Thank you for the reply Jennifer.
I was referring to the following document:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405
I think I should rephrase question 2) If I have two separate links for Failover and Stateful failover, will that fix my problem?
How can I configure separate Failover and Stateful failover links? If I understand correctly, they are more than just redundant links.
Sorry I didn't accurately phrase my original post.
Thank you
06-05-2012 07:55 PM
No, it won't fix your problem because the 2 are actually passing different types of information.
The failover link is to ensure that all the interfaces are up and there is no failure on either of the ASAs.
The stateful failover link is to pass the firewall connection table, xlate table, VPN session, etc.
So if the failover link fails, then you are at the same stage as when you use just 1 interface for both failover and stateful failover link.
If you would like to separate the 2 anyway, you can configure it; just assign a different interface and IP address for each failover link:
eg:
failover link
failover lan interface
failover interface ip
failover interface ip
06-06-2012 05:15 AM
Thank you Jennifer. I configured a Stateful link using the commands you mentioned.
Thought you might be interested to know that everything is now working as I expected! The ASAs do not fail over when I unplug:
1) The Failover link
2) The Stateful failover link
3) Both Failover and Stateful failover links
I had to reconfigure the Active and Standby IPs of the INSIDE and OUTSIDE interfaces. Now I can see the standby IPs assigned on the Standby ASA. Whereas earlier there were no IPs assigned to the INSIDE and OUTSIDE interfaces on the Standby ASA. This might have been a config replication problem over the Failover link.
For anyone interested, the failover scenarios in http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405 should work absolutely fine in an Active/Standby ASA HA config.
Cheers
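The separate failover and stateful links discussed above, together with the standby addresses on INSIDE and OUTSIDE, written out as an added example (not posted by anyone in this thread and not taken from the Cisco guide). The link names FOLINK and STATELINK, the physical ports and every address are constructed placeholders.

```cisco
! Added example for an ASA 5510 Active/Standby pair (primary unit shown).
! Interface names, physical ports and addresses are constructed placeholders.
!
! Data interfaces: each gets an active and a standby address, so the
! standby unit's interfaces are addressed and can be monitored.
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
! Ports dedicated to failover carry no nameif or ip address of their own;
! they are named and addressed by the failover commands below.
interface Ethernet0/2
 no shutdown
interface Ethernet0/3
 no shutdown
!
failover lan unit primary
! LAN-based failover link (unit health, configuration replication)
failover lan interface FOLINK Ethernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
! Separate stateful failover link (connection table, xlate table, VPN sessions)
failover link STATELINK Ethernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover
```

On the secondary unit, enter the same failover link commands with `failover lan unit secondary`; `show failover` on either unit then lists both links and the active and standby address of each monitored interface.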
06-06-2012 05:51 AM
Great, thanks for the update.