Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1017
Views
0
Helpful
3
Replies

ASA Active/Standby Failover

amohabir1
Level 1
Level 1

‎04-01-2008 06:22 AM - edited ‎03-11-2019 05:25 AM

I have two ASA 5520's setup in an active standby configuration. Each pix is configured with a inside and outside interface. I am also using the other two interfaces for the failover, and stateful pair. These firewall's are directly plugged into each other (no switches in between, I don't have any cross over cables so right now they are connected using straight through cables)

I am sourcing a ping from my laptop to a website, and then I force a fail on the active firewall by unplugging one of the monitored interfaces. The failover works but it seems to take too long to failover. I timed it and found that I am able to recover my ping close to a minute later after the failover has happened. Is this normal behavior or is there something wrong in my setup.

Labels:
0 Helpful
3 Replies 3

srue
Level 7
Level 7

‎04-01-2008 07:58 AM

That's definitely not normal, even with default timeouts.

You can use the same interface for failover and stateful failover, btw.

Can you ping the failover (standby) IP addresses from the active ASA? I mean, the IP address that is directly connected with the straight through cable.

Can you post your failover config?

"sh run failover"

also, did you configure standby addresses on your interfaces?

0 Helpful

amohabir1
Level 1
Level 1
In response to srue

‎04-01-2008 08:26 AM

Yes I can ping from primary to secondary fine.

I also configured standby addresses everywhere.

This is the config from the active..

failover

failover lan unit primary

failover lan interface failover GigabitEthernet0/2

failover polltime unit msec 200 holdtime msec 800

failover polltime interface msec 500 holdtime 5

failover link stateful GigabitEthernet0/3

failover interface ip failover 192.168.20.9 255.255.255.252 standby 192.168.20.1

0

failover interface ip stateful 192.168.20.13 255.255.255.252 standby 192.168.20.

14

0 Helpful

amohabir1
Level 1
Level 1
In response to amohabir1

‎04-01-2008 07:29 PM

Okay so I figured out what was causing the issue. I have an ospf procces running. The setup included 2 layers of asa firewalls. The first set of firewalls connects to the internet on the outside interface and an internet dmz on the inside interface running failover. I generate a default route of 0.0.0.0 0.0.0.0 and advertise that to the second set of firewalls...these firewalls sit on the same dmz segment as the internet firewalls as well as protect the real inside network. The default route is then propogated to the core and beyond.

When the firewall failover happens the ospf process has to start up again on the firewall which essentially shuts it down and causes the default route to be advertised once its learned again. It uses the default ospf timers to send the hello's to establish the adjacency. Once it is re-learned by the ASA traffic starts to flow again.

My question is what is the best way to handle this situation. should I just statically assign default routes on the 2 layers of firewalls as well as default routes for all of the routers participating in the inside network?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card