ASA failover Active/Standby

Hi,

We have configured failover (Active/Standby) between our 2 ASA firewalls using the configuration given below.

We have tested the failover by powering down our Primary ASA (ASA-1) firewall, and our Secondary ASA (ASA-2) becomes Active. But the secondary firewall takes more time (up to 10 minutes) to forward traffic to the ISPs after the Primary firewall is down.

Could someone please help me reduce the time it takes for the Secondary ASA to start forwarding traffic to the internet via the ISPs after the Primary firewall is down?

 

Failover configuration ASA - 1:

# failover
# failover lan unit primary
# failover lan interface folink GigabitEthernet1/8
# failover link statelink GigabitEthernet1/7
# failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
# failover interface ip statelink 10.10.10.5 255.255.255.252 standby 10.10.10.6

Failover configuration ASA - 2:

# failover
# failover lan unit secondary
# failover lan interface folink GigabitEthernet1/8
# failover link statelink GigabitEthernet1/7
# failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
# failover interface ip statelink 10.10.10.5 255.255.255.252 standby 10.10.10.6


9 Replies

This is not normal behavior. The secondary unit should take over the active role within 15 seconds and start forwarding traffic. What did you see on the logs in that timespan? Did your traffic reach the ASA, was the ASA reachable from the internet?

Hi Karsten,

Thanks for your response to my query.

We observe that the Secondary ASA takes the "Active" role as soon as the Primary unit has failed.

We are able to reach the firewall from the LAN and able to ping the public networks from the firewall.

But we are not able to reach public networks from the LAN through the Secondary ASA for up to 10 minutes.

Do we need to change the global timeouts configured for connections and xlates, so that the live connections time out and the connections are re-initiated?

What protocol do you use to reach the ISP from the firewall? I am more interested in the topology.

Stateful failover should synchronize the connections to the standby unit so that this device can directly take over the forwarding. Does "show failover" show any signs of malfunction?

Do you have a maintenance window? Then do a "no failover active" on the active unit to test if failover works when initiated gracefully.
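The "signs of malfunction" in "show failover" that a practitioner looks for are the unit states of both hosts, the status of every monitored interface, whether the failover LAN link and the stateful failover link are up, a software version mismatch between the mates, and non-zero xerr/rerr counters in the stateful update statistics. The following script, added here as an example and not part of the original thread, encodes those checks. SAMPLE_OUTPUT is constructed for this example in the layout of a typical ASA "show failover" (it is not the poster's attachment), and it shows the pair after the primary has been powered down, so the standby has become Active and the mate is reported as Failed; the regular expressions assume that layout.

```python
"""Parse an ASA `show failover` dump and flag the usual signs of trouble.

Added example, not from the original thread. SAMPLE_OUTPUT is constructed
to resemble `show failover` on an Active/Standby pair after the primary
unit was powered off; the parsing assumes that layout.
"""
import re

SAMPLE_OUTPUT = """\
Failover On
Failover unit Secondary
Failover LAN Interface: folink GigabitEthernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1285 maximum
Version: Ours 9.8(2), Mate 9.8(2)
Last Failover at: 10:12:34 UTC Mar 3 2019
        This host: Secondary - Active
                Active time: 600 (sec)
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface inside (192.168.1.1): Normal (Monitored)
        Other host: Primary - Failed
                Active time: 123456 (sec)
                  Interface outside (203.0.113.3): Unknown (Monitored)
                  Interface inside (192.168.1.2): Unknown (Monitored)

Stateful Failover Logical Update Statistics
        Link : statelink GigabitEthernet1/7 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         12345      0          1234       0
        sys cmd         1234       0          1234       0
        TCP conn        5000       0          120        0
        UDP conn        3000       0          80         0
        ARP tbl         200        0          10         0
"""

RE_ON = re.compile(r"^Failover (On|Off)\b")
RE_LAN = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)")
RE_HOLD = re.compile(r"^Unit Poll frequency \d+ seconds, holdtime (\d+) seconds")
RE_VER = re.compile(r"^Version: Ours ([^,]+), Mate (.+)$")
RE_HOST = re.compile(r"^\s*(This|Other) host: (\S+) - (.+?)\s*$")
RE_IFACE = re.compile(r"^\s*Interface (\S+) \([^)]*\): (.+?)\s*$")
RE_SLINK = re.compile(r"^\s*Link : (\S+) (\S+) \((\w+)\)")
RE_STAT = re.compile(r"^\s*(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_failover(text):
    """Extract the fields the health check needs from `show failover` text."""
    info = {"failover_on": False, "lan_link_up": False, "state_link_up": False,
            "unit_holdtime": None, "versions": (None, None),
            "this_host": None, "other_host": None,
            "interfaces": {},   # (host, interface name) -> status string
            "errors": {}}       # stateful object -> (xerr, rerr)
    host = None          # which host block we are inside: "this" or "other"
    in_stats = False     # True once the "Stateful Obj" header has been seen
    for line in text.splitlines():
        if m := RE_ON.match(line):
            info["failover_on"] = m.group(1) == "On"
        elif m := RE_LAN.match(line):
            info["lan_link_up"] = m.group(3) == "up"
        elif m := RE_HOLD.match(line):
            info["unit_holdtime"] = int(m.group(1))   # seconds before a dead mate is declared failed
        elif m := RE_VER.match(line):
            info["versions"] = (m.group(1).strip(), m.group(2).strip())
        elif m := RE_HOST.match(line):
            host = m.group(1).lower()
            info[host + "_host"] = (m.group(2), m.group(3))
        elif m := RE_IFACE.match(line):
            status = m.group(2).split(" (")[0]       # drop the "(Monitored)" suffix
            info["interfaces"][(host, m.group(1))] = status
        elif m := RE_SLINK.match(line):
            info["state_link_up"] = m.group(3) == "up"
        elif line.strip().startswith("Stateful Obj"):
            in_stats = True
        elif in_stats and (m := RE_STAT.match(line)):
            info["errors"][m.group(1)] = (int(m.group(3)), int(m.group(5)))
    return info


def check_failover(info):
    """Return a list of findings; an empty list means nothing looks wrong."""
    findings = []
    if not info["failover_on"]:
        findings.append("failover is Off")
    if not info["lan_link_up"]:
        findings.append("failover LAN link is down")
    if not info["state_link_up"]:
        findings.append("stateful failover link is down")
    ours, mate = info["versions"]
    if ours != mate:
        findings.append(f"software version mismatch: ours {ours}, mate {mate}")
    ok_states = {"Active", "Standby Ready"}
    for which in ("this", "other"):
        entry = info[which + "_host"]
        if entry is None or entry[1] not in ok_states:
            findings.append(f"{which} host state: {entry[1] if entry else 'missing'}")
    for (host, name), status in sorted(info["interfaces"].items()):
        if status != "Normal":
            findings.append(f"{host} host interface {name}: {status}")
    for obj, (xerr, rerr) in info["errors"].items():
        if xerr or rerr:
            findings.append(f"stateful update errors for {obj}: xerr={xerr} rerr={rerr}")
    return findings


if __name__ == "__main__":
    for finding in check_failover(parse_show_failover(SAMPLE_OUTPUT)) or ["no findings"]:
        print(finding)
```

On the constructed sample the only findings are the powered-off mate ("other host state: Failed") and its two interfaces reporting Unknown, which is what you expect right after pulling the plug on the primary. Links up, versions equal, all local interfaces Normal and zero xerr/rerr on the state link is the "nothing to see here" picture the thread describes, which is why the advice then moves on to upgrading and opening a TAC case.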

Hi Karsten,

When we do "no failover active" on the Primary firewall, the Secondary firewall is able to start forwarding the traffic within seconds.

But if we power down the Primary firewall (Active) without the "no failover active" command, the Secondary firewall changes its role to "Active" and takes time to forward the traffic (up to 10 minutes).

In the output of "show failover", we can see that the interface status on both firewalls is "Normal", and we can see the Active/Standby status on the Primary/Secondary firewalls.

We are routing the traffic on the firewall using static and default routes; please find the network topology attached.

Your topology is quite common and normally works as expected. Can you post the output of "show failover"?

Hi Karsten,

Please find attached the output of "show failover" from the Primary and Secondary firewalls.

Please don't use Word documents to post text, just use text documents ...

In the output I don't see anything that should cause these problems. I would upgrade the ASAs to the latest interim release and test again. The release notes don't mention this problem, but there are other failover-related bugs fixed.

If that all doesn't help (and nobody else has an idea) you should open a TAC case.

Hi Karsten,

Thanks for your observations and suggestions on this issue.
