ASA Failover Issue

Udupikrishna091
Level 1

Hello Guys,

I have got into a peculiar issue. I have 2 5520 ASA firewalls running ASA ver 8.4.2. A few days back we tested ASA failover between the primary and secondary; below is the failover config,

IMS-BLR-ASA# sh run | inc failover
failover
failover lan unit primary
failover lan interface lanfailover GigabitEthernet0/3.1
failover link statefailover GigabitEthernet0/3.2
failover interface ip lanfailover 10.224.248.41 255.255.255.248 standby 10.224.248.42
failover interface ip statefailover 10.224.248.49 255.255.255.248 standby 10.224.248.50

SECONDARY ASA:

IMS-BLR-ASA# sh run | inc failover
failover
failover lan unit secondary
failover lan interface lanfailover GigabitEthernet0/3.1
failover link statefailover GigabitEthernet0/3.2
failover interface ip lanfailover 10.224.248.41 255.255.255.248 standby 10.224.248.42
failover interface ip statefailover 10.224.248.49 255.255.255.248 standby 10.224.248.50

The problem I am facing is that when we manually force failover from the primary to the secondary, the traffic flows as expected and everything is fine, but when we revert back and check the sh failover, my ASA1, which was supposed to become the Primary, still shows as secondary even though it has become the active unit. Not sure whether this is a config issue or a bug issue; any suggestion would be helpful.

Thnx

Krishna

6 Replies

Jouni Forss
VIP Alumni

Hi,

Do you have any "show failover" command outputs from all of the different phases you mention in your post that we could go through?

but when we revert back and check the sh failover my ASA1 was supposed to become the Primary still shows as secondary even though it has become the active unit

You mean the "show failover" output shows for the Primary ASA (hardware) that it's Active after returning to the original setup, and it also shows "secondary" with the command "show run failover"?

I guess the best situation would be if you could give "show failover" command output from the different phases of the failover test.

- Jouni

Hi Jouni,

Thnx for the reply. Sorry, but currently I cannot give the sh failover of the diff phases, but I can put it across through this post

Scenario 1

ASA1 - Primary and active unit, ASA2 - Secondary and Standby Unit

force the failover, ASA1 became secondary and standby unit, ASA2 became Primary and active

Now we reverted back to original setup

ASA1 - still secondary but active, ASA2 still primary but in standby mode

Regards

Krishna

Hi,

To my understanding, if at the moment your ASA (the Active ASA that is passing the traffic) shows the output "failover lan unit secondary" when issuing the command "show run failover", but the output of "show failover" shows that it's Active, then the Active unit is the ASA you originally configured as the Secondary hardware.

Can you copy paste here the output of the "show run failover" and "show failover" of the unit that is Active at the moment?

- Jouni

Hi Jouni,

Well, I did cross verify the config during this phase. What I observed: even though we had configured the ASA1 as "failover lan unit primary", after we forced the failover and reverted back, the config had changed to "failover lan unit secondary". Not sure how this happened, but it was the Active unit at this moment. The config was precise; we double checked the config before starting the activity.

- Krishna

Hi,

Can't say I've ever had this kind of problem.

The only problems related to Failover I've had have been some odd situations where the configuration Sync doesn't go through and the Failover stops working. But nothing like this.

To my understanding no matter how many times you issue "failover active" and/or "no failover active" (if these were the commands) the configuration line "failover lan unit primary/secondary" should not change between the devices.

Also, with Active/Standby Failover the configuration "primary" / "secondary" doesn't have much use. To my understanding they only define the firewall that will take the active role WHEN both boot up at the same time.

With Active/Active Failover you will configure failover groups where you can then define a preempt timer which would change back to the original primary after the timer when the primary was back up.

Still, could you post the output of "show run failover" and "show failover" from both units at the moment? Remove any IP address or names if you need to.

- Jouni
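As an added example (not from this thread or from Cisco), the check below turns Jouni's point into a small audit: snapshot a unit's "show run | inc failover" before the test and, after the revert, flag anything that a forced failover should never have changed, namely the unit role line, the shared interface/link lines, and any disagreement between the configured role and the "This host:" line of "show failover". The sample outputs are constructed to mirror the scenario in the thread, and the "This host: <Primary|Secondary> - <state>" line format is an assumption about the usual "show failover" output.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample outputs (not copied from the thread). Assumes the usual
# ASA "show failover" line "This host: <Primary|Secondary> - <state>".
BASELINE_RUN_ASA1 = """failover
failover lan unit primary
failover lan interface lanfailover GigabitEthernet0/3.1
failover link statefailover GigabitEthernet0/3.2
failover interface ip lanfailover 10.224.248.41 255.255.255.248 standby 10.224.248.42
failover interface ip statefailover 10.224.248.49 255.255.255.248 standby 10.224.248.50
"""
# Same unit after the test: the role line has flipped, as reported in the thread.
CURRENT_RUN_ASA1 = BASELINE_RUN_ASA1.replace("unit primary", "unit secondary")
CURRENT_FAILOVER_ASA1 = """Failover On
Failover LAN Interface: lanfailover GigabitEthernet0/3.1 (up)
This host: Secondary - Active
        Active time: 900 (sec)
Other host: Primary - Standby Ready
        Active time: 0 (sec)
"""

def configured_unit(show_run: str) -> Optional[str]:
    """Role from the 'failover lan unit primary|secondary' line, if present."""
    m = re.search(r"^failover lan unit (primary|secondary)\s*$", show_run, re.M)
    return m.group(1) if m else None

def reported_role(show_failover: str) -> Optional[Tuple[str, str]]:
    """(role, state) from the 'This host:' line of 'show failover'."""
    m = re.search(r"^This host:\s+(Primary|Secondary)\s+-\s+(\S.*?)\s*$", show_failover, re.M)
    return (m.group(1).lower(), m.group(2)) if m else None

def shared_failover_lines(show_run: str) -> Set[str]:
    """Failover lines that must be identical on both units (all but the unit role)."""
    return {l.strip() for l in show_run.splitlines()
            if l.startswith("failover") and not l.startswith("failover lan unit")}

def audit_after_test(baseline_run: str, current_run: str, current_failover: str) -> List[str]:
    """Flag what a forced failover and revert should never change."""
    findings = []
    before, after = configured_unit(baseline_run), configured_unit(current_run)
    if before != after:
        findings.append(f"unit role changed from {before} to {after}")
    rep = reported_role(current_failover)
    if rep is None:
        findings.append("no 'This host:' line in show failover output")
    elif after and rep[0] != after:
        findings.append(f"show failover reports {rep[0]} but config says {after}")
    drift = shared_failover_lines(baseline_run) ^ shared_failover_lines(current_run)
    if drift:
        findings.append("failover interface/link lines drifted: " + "; ".join(sorted(drift)))
    return findings
```

Run it against both units' snapshots; an empty list means the unit roles and shared failover lines survived the test unchanged, which is the state Jouni describes as expected.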

Hi Jouni,

Well, I know what you meant. I would love to share the logs, but unfortunately the ASAs belong to my customer, so they won't provide the logs currently

- Krishna
