11-26-2012 01:25 AM - edited 03-11-2019 05:27 PM
Hello guys,
I have run into a peculiar issue. I have two ASA 5520 firewalls running ASA version 8.4.2. A few days back we tested ASA failover between the primary and the secondary; below is the failover config.
PRIMARY ASA:
IMS-BLR-ASA# sh run | inc failover
failover
failover lan unit primary
failover lan interface lanfailover GigabitEthernet0/3.1
failover link statefailover GigabitEthernet0/3.2
failover interface ip lanfailover 10.224.248.41 255.255.255.248 standby 10.224.248.42
failover interface ip statefailover 10.224.248.49 255.255.255.248 standby 10.224.248.50
SECONDARY ASA:
IMS-BLR-ASA# sh run | inc failover
failover
failover lan unit secondary
failover lan interface lanfailover GigabitEthernet0/3.1
failover link statefailover GigabitEthernet0/3.2
failover interface ip lanfailover 10.224.248.41 255.255.255.248 standby 10.224.248.42
failover interface ip statefailover 10.224.248.49 255.255.255.248 standby 10.224.248.50
The problem I am facing is this: when we manually force failover from the primary to the secondary, traffic flows as expected and everything is fine, but when we revert back and check "sh failover", my ASA1, which was supposed to become the Primary, still shows as Secondary even though it has become the Active unit. Not sure whether this is a config issue or a bug; any suggestion would be helpful.
Thanks
Krishna
11-26-2012 01:41 AM
Hi,
Do you have any "show failover" command outputs from all of the different phases you mention in your post that we could go through?
"but when we revert back and check the sh failover my ASA1 was supposed to become the Primary still shows as secondary even though it has become the active unit"
You mean the "show failover" output shows the Primary ASA (hardware) as Active after returning to the original setup, and it also shows "secondary" with the command "show run failover"?
I guess the best situation would be if you could give the "show failover" command output from the different phases of the failover test.
- Jouni
11-26-2012 01:47 AM
Hi Jouni,
Thanks for the reply. Sorry, but currently I cannot give the "sh failover" output of the different phases; I can, however, put it across through this post.
Scenario 1
ASA1 - Primary and Active unit, ASA2 - Secondary and Standby unit
We forced the failover: ASA1 became Secondary and the Standby unit, ASA2 became Primary and Active.
Now we reverted back to the original setup:
ASA1 - still Secondary but Active, ASA2 - still Primary but in Standby mode
Regards
Krishna
11-26-2012 01:54 AM
Hi,
To my understanding, if at the moment your ASA (the Active ASA, the one passing the traffic) shows the line "failover lan unit secondary" when issuing the command "show run failover", but the output of "show failover" shows that it is Active, then the Active unit is the ASA you originally configured as the Secondary hardware.
Can you copy paste here the output of the "show run failover" and "show failover" of the unit that is Active at the moment?
- Jouni
11-26-2012 02:16 AM
Hi Jouni,
Well, I did cross-verify the config during this phase. What I observed: even though we had configured ASA1 as "failover lan unit primary", after we forced the failover and reverted back, the config had changed to "failover lan unit secondary". Not sure how this happened, but it was the Active unit at that moment. The config was precise; we double-checked it before starting the activity.
- Krishna
11-27-2012 01:52 AM
Hi,
Can't say I've ever had this kind of problem.
The only problems I have had related to failover have been some odd situations where the configuration sync doesn't go through and the failover stops working. But nothing like this.
To my understanding, no matter how many times you issue "failover active" and/or "no failover active" (if these were the commands), the configuration line "failover lan unit primary/secondary" should not change between the devices.
Also, with Active/Standby failover the "primary" / "secondary" configuration doesn't have much use. To my understanding they only define the firewall that will take the active role WHEN both boot up at the same time.
With Active/Active failover you configure failover groups, where you can then define a preempt timer which would change back to the original primary after the timer once the primary is back up.
Still, could you post the output of "show run failover" and "show failover" from both units at the moment? Remove any IP addresses or names if you need to.
- Jouni
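As an added example (not code from the thread or from Cisco), the check below parses captured "show run failover" and "show failover" text from both units and reports exactly the things Jouni asks for: whether each box still carries the hardware role it was built with ("failover lan unit primary|secondary"), which box is currently Active, and whether the two boxes agree about each other. The "This host:" / "Other host:" line layout is an assumption modelled on 8.4 output, and all captures below are constructed; adjust the regexes if your units print something different.

```python
"""Role-consistency check for ASA Active/Standby failover output (added example)."""
import re

# Assumed line layouts; adjust if your "show failover" output differs.
ROLE_RE = re.compile(r"^failover lan unit (primary|secondary)\s*$", re.M | re.I)
THIS_RE = re.compile(r"This host:\s+(Primary|Secondary)\s+-\s+(\S.*?)\s*$", re.M)
OTHER_RE = re.compile(r"Other host:\s+(Primary|Secondary)\s+-\s+(\S.*?)\s*$", re.M)


def parse_unit(show_run, show_failover):
    """Extract the configured role, the reported role/state, and the mate's role/state."""
    cfg, this, other = ROLE_RE.search(show_run), THIS_RE.search(show_failover), OTHER_RE.search(show_failover)
    if not (cfg and this and other):
        raise ValueError("unrecognised failover output")
    return {
        "configured": cfg.group(1).lower(),       # from "show run failover"
        "reported": this.group(1).lower(),        # from "This host:" in "show failover"
        "state": this.group(2),                   # "Active", "Standby Ready", "Failed", ...
        "mate_reported": other.group(1).lower(),  # from "Other host:"
        "mate_state": other.group(2),
    }


def check_pair(built_roles, captures):
    """built_roles: {name: role the box was built with}; captures: {name: (show_run, show_failover)}.
    Returns (name of the Active unit or None, list of findings); no findings means consistent."""
    parsed = {name: parse_unit(*caps) for name, caps in captures.items()}
    if len(parsed) != 2:
        raise ValueError("an Active/Standby pair has exactly two units")
    findings = []
    for name, p in parsed.items():
        if p["configured"] != built_roles[name]:
            findings.append(f"{name}: running config says 'failover lan unit {p['configured']}' "
                            f"but the box was built as {built_roles[name]}")
        if p["reported"] != p["configured"]:
            findings.append(f"{name}: show failover reports {p['reported']} "
                            f"but running config says {p['configured']}")
    if len({p["reported"] for p in parsed.values()}) < 2:
        findings.append("both units claim the same hardware role")
    # Each unit's view of its mate must match what the mate says about itself.
    names = list(parsed)
    for me, mate in (names, names[::-1]):
        p, m = parsed[me], parsed[mate]
        if (p["mate_reported"], p["mate_state"]) != (m["reported"], m["state"]):
            findings.append(f"{me} sees mate as {p['mate_reported']} - {p['mate_state']}, "
                            f"but {mate} reports {m['reported']} - {m['state']}")
    actives = [n for n, p in parsed.items() if p["state"] == "Active"]
    if len(actives) != 1:
        findings.append(f"expected exactly one Active unit, found {actives}")
    return (actives[0] if len(actives) == 1 else None), findings


BUILT_ROLES = {"ASA1": "primary", "ASA2": "secondary"}

# Constructed capture A: the healthy state after initial bring-up.
HEALTHY = {
    "ASA1": ("failover\nfailover lan unit primary\n",
             "Failover On\nFailover unit Primary\n"
             "        This host: Primary - Active\n"
             "        Other host: Secondary - Standby Ready\n"),
    "ASA2": ("failover\nfailover lan unit secondary\n",
             "Failover On\nFailover unit Secondary\n"
             "        This host: Secondary - Standby Ready\n"
             "        Other host: Primary - Active\n"),
}

# Constructed capture B: the state the thread describes after the failback test.
DRIFTED = {
    "ASA1": ("failover\nfailover lan unit secondary\n",
             "Failover On\nFailover unit Secondary\n"
             "        This host: Secondary - Active\n"
             "        Other host: Primary - Standby Ready\n"),
    "ASA2": ("failover\nfailover lan unit primary\n",
             "Failover On\nFailover unit Primary\n"
             "        This host: Primary - Standby Ready\n"
             "        Other host: Secondary - Active\n"),
}

if __name__ == "__main__":
    for label, caps in (("healthy", HEALTHY), ("drifted", DRIFTED)):
        active, findings = check_pair(BUILT_ROLES, caps)
        print(f"{label}: active unit = {active}")
        for f in findings:
            print("  !", f)
```

Run this against captures taken before the test, after "failover active" on the standby, and after reverting; the drifted capture reports that each box's running config carries the other box's role while the pair is otherwise internally consistent, which is the distinction Jouni is drawing between the "primary/secondary" hardware role and the "active/standby" state.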
11-27-2012 02:20 AM
Hi Jouni,
Well, I know what you meant. I would love to share the logs, but unfortunately the ASAs belong to my customer, so they won't provide the logs currently.
- Krishna