Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3751
Views
10
Helpful
6
Replies

ASA Active/Standby mode and Hello messages

Go to solution
mahesh18
Level 6
Level 6

‎05-04-2013 09:56 AM - edited ‎03-11-2019 06:38 PM

Hi Everyone,

On ASA  Active/Standby mode  i know thatsay inside or any other interface of active and standby ASA should connect to same switch and vlan.

When we assign say ip address to inside interface of both ASA like

ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2 255.255.255.0

Need to know if these inside interface talk to each other or not?

Do they send hello messages?

Thanks

MAhesh

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎05-04-2013 10:11 AM

Hi Mahesh,

The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.

The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.

By default all Physical interfaces are automatically monitored. To my understanding Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.

You would use the command

monitor-interface

Check the Command Reference section for this

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112

I would also suggest reading the following section of the Configuration Guide

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010

It has information of the Unit and Interface health monitoring of the Failover pair.

If you want to debug Failover activity you could use the command

debug fover

It has multiple additional parameter after that command

Here is the Command Reference section for the debug command

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011

You can even attach a computer on the switch between the ASAs and capture the packets between them an you can see the Failover messages etc from the ASAs

- Jouni

View solution in original post

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎05-04-2013 10:52 AM

Hi,

Even if the Failover interface is down, to my knowledge, that is yet not enough to Failover the Standby unit to Active.

This is because the ASA Failover pair probably monitor eachother through the Data interfaces also. Obviously having the Failover interface is not something that should be unantended for long but alone it still shouldnt affect which ASA is Active provided the Data interface connections are fine.

Here is a quote from the above links

 Unit Health Monitoring 


 The ASA determines the health of the other unit by monitoring the  failover link. When a unit does not receive three consecutive hello  messages on the failover link, the unit sends interface hello messages  on each interface, including the failover interface, to validate whether  or not the peer interface is responsive. The action that the ASA takes  depends upon the response from the other unit. See the following  possible actions: 


If the ASA receives a response on the failover interface, then it does not fail over. 


If  the ASA does not receive a response on the failover link, but it does  receive a response on another interface, then the unit does not  failover. The failover link is marked as failed. You should restore the  failover link as soon as possible because the unit cannot fail over to  the standby while the failover link is down. 


If  the ASA does not receive a response on any interface, then the standby  unit switches to active mode and classifies the other unit as failed.

- Jouni

View solution in original post

6 Replies 6

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎05-04-2013 10:11 AM

Hi Mahesh,

The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.

The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.

By default all Physical interfaces are automatically monitored. To my understanding Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.

You would use the command

monitor-interface

Check the Command Reference section for this

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112

I would also suggest reading the following section of the Configuration Guide

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010

It has information of the Unit and Interface health monitoring of the Failover pair.

If you want to debug Failover activity you could use the command

debug fover

It has multiple additional parameter after that command

Here is the Command Reference section for the debug command

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011

You can even attach a computer on the switch between the ASAs and capture the packets between them an you can see the Failover messages etc from the ASAs

- Jouni

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎05-04-2013 10:40 AM

Hi Jouni,

The failover interface which replicates config and statefull failover - which replicates statefull connection.

So as per your above post both are monitored actively by ASA and then as per config hold time on both ASA say if standby  ASA does not listen from say statefull interface for more than 15 secs then the standby should become active right even though ASA was sending hello messages to failover interface fine?

Thanks

MAhesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎05-04-2013 10:52 AM

Hi,

Even if the Failover interface is down, to my knowledge, that is yet not enough to Failover the Standby unit to Active.

This is because the ASA Failover pair probably monitor eachother through the Data interfaces also. Obviously having the Failover interface is not something that should be unantended for long but alone it still shouldnt affect which ASA is Active provided the Data interface connections are fine.

Here is a quote from the above links

 Unit Health Monitoring 


 The ASA determines the health of the other unit by monitoring the  failover link. When a unit does not receive three consecutive hello  messages on the failover link, the unit sends interface hello messages  on each interface, including the failover interface, to validate whether  or not the peer interface is responsive. The action that the ASA takes  depends upon the response from the other unit. See the following  possible actions: 


If the ASA receives a response on the failover interface, then it does not fail over. 


If  the ASA does not receive a response on the failover link, but it does  receive a response on another interface, then the unit does not  failover. The failover link is marked as failed. You should restore the  failover link as soon as possible because the unit cannot fail over to  the standby while the failover link is down. 


If  the ASA does not receive a response on any interface, then the standby  unit switches to active mode and classifies the other unit as failed.

- Jouni

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎05-04-2013 11:52 AM

Hi Jouni,

I checked that if you have failover configured for both failover and standby interface then when i use ASDM it shows

there high availability and there it has failover for unit unit options.

Below that it has option for monitored interfaces and  poll times.

So it monitors the both failover and  monitoried  interfaces.

One last thing when we choose number of triggered inetrfaces that trigger failover as 1

and we are monitoring the say inside interface and ASA  does not receive response  on it will it cause failover?

As per my understanding it should not cause  but need to confirm with you?

Thanks

MAhesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎05-04-2013 12:25 PM

Hi,

To be honest Mahesh, this is something I would have to test to say for certain. Sadly my home ASA cant be used for A/S Failover.

By default it seems that the ASA should failover when single interface fails.

So I am not 100% sure how the Failover will react when the Failover link goes down. I would suspect with default settings that if a single Data interface goes down, Failover happens. I dont know if the same logic applys to Failover interfaces going down as its not exactly a Data interface in the same sense as the actual LAN,WAN and DMZ interfaces the ASA might have.

Maybe I need to order 2 Security Plus licenses for my 2 ASA5505 so I can lab also Failover setups

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎05-04-2013 12:31 PM

Hi Jouni,

Thanks for reply.

I also can not test at home as i have single ASA.

Failover on ASA  is quite interesting.

May be someone in this forum who has done failover testing will answer it.

I also agree on this if  we have configured failover to trigger if 1 interface is down then failover should happened.

But we need some lab for this to test to be certain.

Best regards

Mahesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card