
asa active/standby failover check

lkadlik
Level 1

Hi,


I was hoping that you could confirm the config for me. It more or less looks like it should work. One thing that looks off to me though is in regards to the failover interface.

On the primary firewall it is listed as 

failover interface ip lan-fo 10.20.28.2 255.255.255.0 standby 10.20.28.3

failover interface ip state-fo 10.20.29.2 255.255.255.0 standby 10.20.29.3

On the secondary it is listed as

failover interface ip lan-fo 10.20.28.2 255.255.255.0 standby 10.20.28.3

failover interface ip state-fo 10.20.29.2 255.255.255.0 standby 10.20.29.3

If the failover interfaces on the primary are

0001# sh failover interface
        interface lan-fo GigabitEthernet0/2.1
                System IP Address: 10.20.28.2 255.255.255.0
                My IP Address    : 10.20.28.2
                Other IP Address : 10.20.28.3
        interface state-fo GigabitEthernet0/2.2
                System IP Address: 10.20.29.2 255.255.255.0
                My IP Address    : 10.20.29.2
                Other IP Address : 10.20.29.3

and on the secondary they are

0001# sh failover int
        interface lan-fo GigabitEthernet0/2.1
                System IP Address: 10.20.28.2 255.255.255.0
                My IP Address    : 10.20.28.3
                Other IP Address : 10.20.28.2
        interface state-fo GigabitEthernet0/2.2
                System IP Address: 10.20.29.2 255.255.255.0
                My IP Address    : 10.20.29.3
                Other IP Address : 10.20.29.2

shouldn't the failover interface config on the secondary be

failover interface ip lan-fo 10.20.28.x 255.255.255.0 standby 10.20.28.3
failover interface ip state-fo 10.20.29.x 255.255.255.0 standby 10.20.29.3

Where X is something other than 2? If so, what should it be?

Below is the entire config and output of both devices.


Thank you

10.20.30.2  ( active)

0001# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: lan-fo GigabitEthernet0/2.1 (up)
Unit Poll frequency 800 milliseconds, holdtime 3 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
failover replication http
Version: Ours 8.0(3), Mate 8.0(3)
Last Failover at: 19:27:20 EDT Aug 7 2011
        This host: Primary - Active
                Active time: 2819442 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                  Interface outside (206.221.36.2): Normal
                  Interface inside (10.20.30.2): Normal
                  Interface dmz (192.168.50.2): Normal
                  Interface managment (0.0.0.0): Link Down (Waiting)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                  Interface outside (206.221.36.3): Normal
                  Interface inside (10.20.30.3): Normal
                  Interface dmz (192.168.50.3): Normal
                  Interface managment (0.0.0.0): Normal (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : state-fo GigabitEthernet0/2.2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         103809028  0          623131     0
        sys cmd         377682     0          377682     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        59477164   0          109245     0
        UDP conn        38790318   0          116400     0
        ARP tbl         5155784    0          19744      0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     3217       0          30         0
        VPN IPSEC upd   4863       0          30         0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       41      4234676


  <cr>
0001# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             19:27:20 EDT Aug 7 2011

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

0001# sh failover hist
==========================================================================
From State                 To State                   Reason
==========================================================================
15:45:35 EDT Aug 7 2011
Not Detected               Negotiation                No Error

15:46:03 EDT Aug 7 2011
Negotiation                Cold Standby               Detected an Active mate

15:46:05 EDT Aug 7 2011
Cold Standby               Sync Config                Detected an Active mate

15:46:18 EDT Aug 7 2011
Sync Config                Sync File System           Detected an Active mate

15:46:18 EDT Aug 7 2011
Sync File System           Bulk Sync                  Detected an Active mate

15:46:21 EDT Aug 7 2011
Bulk Sync                  Standby Ready              Detected an Active mate

19:27:20 EDT Aug 7 2011
Standby Ready              Just Active                HELLO not heard from mate

19:27:20 EDT Aug 7 2011
Just Active                Active Drain               HELLO not heard from mate

19:27:20 EDT Aug 7 2011
Active Drain               Active Applying Config     HELLO not heard from mate

19:27:20 EDT Aug 7 2011
Active Applying Config     Active Config Applied      HELLO not heard from mate

19:27:20 EDT Aug 7 2011
Active Config Applied      Active                     HELLO not heard from mate

==========================================================================
0001#

        Xmit Q:         0       39      122273566

0001# sh failover interface
        interface lan-fo GigabitEthernet0/2.1
                System IP Address: 10.20.28.2 255.255.255.0
                My IP Address    : 10.20.28.2
                Other IP Address : 10.20.28.3
        interface state-fo GigabitEthernet0/2.2
                System IP Address: 10.20.29.2 255.255.255.0
                My IP Address    : 10.20.29.2
                Other IP Address : 10.20.29.3
0001#


0001# sh int GigabitEthernet0/2.1
Interface GigabitEthernet0/2.1 "lan-fo", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 28
        Description: LAN Failover Interface
        MAC address 001d.a29a.685e, MTU 1500
        IP address 10.20.28.2, subnet mask 255.255.255.0
  Traffic Statistics for "lan-fo":
        5879452 packets input, 727833436 bytes
        5879256 packets output, 721107472 bytes
        114 packets dropped
0001# sh int GigabitEthernet0/2.2
Interface GigabitEthernet0/2.2 "state-fo", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 29
        Description: STATE Failover Interface
        MAC address 001d.a29a.685e, MTU 1500
        IP address 10.20.29.2, subnet mask 255.255.255.0
  Traffic Statistics for "state-fo":
        4019755 packets input, 406601280 bytes
        36406525 packets output, 35708134160 bytes
        114 packets dropped

0001# sh run | inc failover
failover lan unit primary
failover lan interface lan-fo GigabitEthernet0/2.1
failover polltime unit msec 800 holdtime 3
failover key *****
failover replication http
failover link state-fo GigabitEthernet0/2.2
failover interface ip lan-fo 10.20.28.2 255.255.255.0 standby 10.20.28.3
failover interface ip state-fo 10.20.29.2 255.255.255.0 standby 10.20.29.3

==============================================================
==============================================================

10.20.30.3 ( standby)

0001# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: lan-fo GigabitEthernet0/2.1 (up)
Unit Poll frequency 800 milliseconds, holdtime 3 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
failover replication http
Version: Ours 8.0(3), Mate 8.0(3)
Last Failover at: 19:28:28 EDT Aug 7 2011
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                  Interface outside (206.221.36.3): Normal
                  Interface inside (10.20.30.3): Normal
                  Interface dmz (192.168.50.3): Normal
                  Interface managment (0.0.0.0): Link Down (Waiting)
                slot 1: empty
        Other host: Primary - Active
                Active time: 2820545 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                  Interface outside (206.221.36.2): Normal
                  Interface inside (10.20.30.2): Normal
                  Interface dmz (192.168.50.2): Normal
                  Interface managment (0.0.0.0): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : state-fo GigabitEthernet0/2.2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         376058     0          103880972  111
        sys cmd         376058     0          376058     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          59521521   59
        UDP conn        0          0          38817255   52
        ARP tbl         0          0          5158052    0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          3220       0
        VPN IPSEC upd   0          0          4866       0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       92      125878319
        Xmit Q:         0       1       376058


0001# sh failover hist
==========================================================================
From State                 To State                   Reason
==========================================================================
19:28:38 EDT Aug 7 2011
Not Detected               Negotiation                No Error

19:29:09 EDT Aug 7 2011
Negotiation                Cold Standby               Detected an Active mate

19:29:11 EDT Aug 7 2011
Cold Standby               Sync Config                Detected an Active mate

19:29:24 EDT Aug 7 2011
Sync Config                Sync File System           Detected an Active mate

19:29:24 EDT Aug 7 2011
Sync File System           Bulk Sync                  Detected an Active mate

19:29:29 EDT Aug 7 2011
Bulk Sync                  Standby Ready              Detected an Active mate


0001# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  None
Other host -   Primary
               Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

0001# sh failover int
        interface lan-fo GigabitEthernet0/2.1
                System IP Address: 10.20.28.2 255.255.255.0
                My IP Address    : 10.20.28.3
                Other IP Address : 10.20.28.2
        interface state-fo GigabitEthernet0/2.2
                System IP Address: 10.20.29.2 255.255.255.0
                My IP Address    : 10.20.29.3
                Other IP Address : 10.20.29.2


failover lan unit secondary
failover lan interface lan-fo GigabitEthernet0/2.1
failover polltime unit msec 800 holdtime 3
failover key *****
failover replication http
failover link state-fo GigabitEthernet0/2.2
failover interface ip lan-fo 10.20.28.2 255.255.255.0 standby 10.20.28.3
failover interface ip state-fo 10.20.29.2 255.255.255.0 standby 10.20.29.3


==========================================================================


Richard Burts
Hall of Fame

Your config is correct as far as I can tell. Perhaps it may help your confusion if you think about the fact that both ASAs share the same config. Both ASAs need to know that the active address should be .2 and the standby address should be .3. Each ASA knows whether it is the active or the standby and therefore knows whether its address should be .2 or .3. But they both work from the same config.

HTH

Rick


Your config looks perfect.

You can copy and paste the failover lines between the two boxes.

The only diff. will be the following:

on the primary:

failover lan unit primary

on the secondary:

failover lan unit secondary

You can refer to the same config here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1028629

-KS
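
The rule both replies give (identical failover lines on both units, with only `failover lan unit` differing) can be checked mechanically against the `sh failover interface` output. The Python sketch below is an added example, not code from the thread or from Cisco; the sample text is constructed from the outputs posted above, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the outputs posted in the thread.
PRIMARY_CFG = """\
failover lan unit primary
failover lan interface lan-fo GigabitEthernet0/2.1
failover link state-fo GigabitEthernet0/2.2
failover interface ip lan-fo 10.20.28.2 255.255.255.0 standby 10.20.28.3
failover interface ip state-fo 10.20.29.2 255.255.255.0 standby 10.20.29.3
"""
SECONDARY_CFG = PRIMARY_CFG.replace("unit primary", "unit secondary")
SECONDARY_SHOW = """\
        interface lan-fo GigabitEthernet0/2.1
                System IP Address: 10.20.28.2 255.255.255.0
                My IP Address    : 10.20.28.3
                Other IP Address : 10.20.28.2
        interface state-fo GigabitEthernet0/2.2
                System IP Address: 10.20.29.2 255.255.255.0
                My IP Address    : 10.20.29.3
                Other IP Address : 10.20.29.2
"""
UNIT_RE = re.compile(r"^failover lan unit (\S+)$", re.M)
IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) \S+ standby (\S+)$", re.M)
SHOW_RE = re.compile(r"interface (\S+) \S+\s+System IP Address: \S+ \S+\s+"
                     r"My IP Address\s*: (\S+)\s+Other IP Address\s*: (\S+)")

def parse_cfg(text):
    """Return (unit role, shared failover lines, {ifname: {address, standby}})."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    role = UNIT_RE.search("\n".join(lines))
    shared = {l for l in lines if not UNIT_RE.match(l)}
    pairs = {n: {a, s} for n, a, s in IP_RE.findall("\n".join(lines))}
    return (role.group(1) if role else None), shared, pairs

def check_pair(cfg_a, cfg_b, show):
    """Return a list of problems; an empty list means the pair is consistent."""
    (role_a, shared_a, pairs), (role_b, shared_b, _) = parse_cfg(cfg_a), parse_cfg(cfg_b)
    problems = []
    if {role_a, role_b} != {"primary", "secondary"}:
        problems.append(f"unit roles are {role_a}/{role_b}, expected primary/secondary")
    if shared_a != shared_b:  # every other failover line must match on both units
        problems += [f"differs between units: {l}" for l in sorted(shared_a ^ shared_b)]
    for name, mine, other in SHOW_RE.findall(show):
        if mine == other or {mine, other} != pairs.get(name):
            problems.append(f"{name}: live {mine}/{other} is not the configured pair")
    return problems
```

Calling `check_pair(PRIMARY_CFG, SECONDARY_CFG, SECONDARY_SHOW)` returns an empty list for the configuration in the question; changing the first address on the secondary only, as the question proposes, makes it report the two mismatched `failover interface ip` lines.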
