Hello,

I am not looking for any route failover with IP SLA. Is there any solution available ,If the monitored interface (LAN) of the active firewall is logically down(not physically) then the failover will happen from standby to active.

If the interface is logically down then the ASA will perform a series of connectivity tests to determine if the link really is down.  If the ASA determines that the link is down then a failover will occur.

Interface Monitoring

You can monitor up to 250 interfaces divided between all contexts. You should monitor important interfaces, for example, you might configure one context to monitor a shared interface (because the interface is shared, all contexts benefit from the monitoring).

When a unit does not receive hello messages on a monitored interface for half of the configured hold time, it runs the following tests:

1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the interface is operational, then the security appliance performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) unit has failed. At the start of each test, each unit clears its received packet count for its interfaces. At the conclusion of each test, each unit looks to see if it has received any traffic. If it has, the interface is considered operational. If one unit receives traffic for a test and the other unit does not, the unit that received no traffic is considered failed. If neither unit has received traffic, then the next test is used.

2. Network Activity test—A received network activity test. The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.

3. ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time, the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.

4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.

If all network tests fail for an interface, but this interface on the other unit continues to successfully pass traffic, then the interface is considered to be failed. If the threshold for failed interfaces is met, then a failover occurs. If the other unit interface also fails all the network tests, then both interfaces go into the "Unknown" state and do not count towards the failover limit.

An interface becomes operational again if it receives any traffic. A failed security appliance returns to standby mode if the interface failure threshold is no longer met.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/failover.html#wp1042489

--

Please remember to select a correct answer and rate helpful posts

But how would this re-route the internal traffic to use firewall 2? That is what you are looking for isn't Rahul?

If the interface link is down it would initiate a failover to the standby ASA (if all the conditions are met).  As I mentioned earlier if there is a failure between DS1 and FD1 then it is not possible to initiate a failover to ASA2.

--

Please remember to select a correct answer and rate helpful posts

Hello cweatherford1 , you are right ..So no way to perform failover if the interface between DS1 and FD1 down !!(:)

Isn't that what I mention in my initial post?

Couldn't you setup OSPF and make sure it is setup to use the preferred route if both are up and then if that path goes down it would just send the traffic the other way?

Mike

Do you think OSPF will initiate failover if the neighbor is down (still the physical interface is up)?

Rahul
 

Hello,

We were talking about the inside interface connectivity with respect to device failover, not outside links

Regards

Rahul

HI karthik,

With  this scenario, we cant go ahead with the redundant interface configuration as there will be 2 FD devices connected to both ASAs.

Regards

Rahul

Hi Rahul,

If so you can go with 2 interfaces in asa 1 and 2 interfaces in asa2, each will have 2 connections from FD1&2 respectively..... in this case you may not achieve the failover... but even connection from FD1 fails also... it will take the ASA1 to exit out...... but for this you need to do a proper routing in place to get this done.....

Because in the member interface always 1 interface will be active.... 1 interface will be on standby.... so some of your requirement will work....

Regards

Karthik