12-27-2012 11:45 PM - edited 03-11-2019 05:41 PM
We have a Cisco ASA 5550 firewall running on IOS 8.2.
I have added two new interfaces on the firewall, but it shows failed in the sh failover output.
Last Failover at: 22:50:59 IST Dec 4 2012
This host: Secondary - Active
Active time: 2043566 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6672): Normal
Interface outside (180.x.x.x): Normal
Interface management (192.168.1.1): No Link (Not-Monitored)
Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1d7): Normal
Interface TATA-INTERNET (115.x.x.226): Normal
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Primary - Failed
Active time: 0 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6686): Normal
Interface outside (180.x.x.x) Normal
Interface management (0.0.0.0): Normal (Not-Monitored)
Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1ff): Failed (Waiting)
Interface TATA-INTERNET (115.x.x.227): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
Thanks
Bhupendra Jain
12-28-2012 01:27 AM
From the above output, it tells me that the failover link is unconfigured. I can also see that both ASAs have the same IOS version, interfaces and model. It would be best if you can share the failover config from both sides and enable debugging for failover. Below are some useful commands that can be used to troubleshoot failover on the ASA:
show failover
show failover group
show monitor-interface
show running-config failover
debug fover
12-28-2012 02:09 AM
Hi Rudy,
The above output is for the show failover command and show failover group; the show monitor-interface command is not working.
The output of show running-config is:
failover
failover lan unit secondary
failover lan interface Failover GigabitEthernet0/3
failover replication http
failover interface ip Failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
12-28-2012 02:20 AM
I assume that is the output from the secondary unit, correct? Do you also have the output from the primary unit? How do you connect the failover link between those two ASAs? Do you get any messages from enabling the debug command?
12-28-2012 02:47 AM
Hi Rudy,
Both firewalls are connected back to back with interface 0/3.
sh run failover output of the primary unit. Presently the primary unit is failed and the secondary unit is active.
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/3
failover replication http
failover interface ip Failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
We do not enable debug on the firewall.
12-28-2012 06:28 AM
I know this is a stupid question, but just to confirm, have you enabled failover? Have you enabled the interface for failover on both ASAs? Can you give me the output from show failover state as well from both ASAs?
12-28-2012 07:26 AM
At first glance it appears the IPVSIX interface is down on the Primary unit. Please confirm state via "show interface IPVSIX" on that unit.
If it is up, it may be that the Secondary-Active unit cannot confirm it since the interface is IPv6 only and your failover interface is not IPv6-enabled. If that is the case, try adding IPv6 addresses on the failover interfaces.
"If an interface has only IPv6 addresses configured on it, then the ASA uses IPv6 neighbor discovery instead of ARP to perform the health monitoring tests. For the broadcast ping test, the ASA uses the IPv6 all nodes address (FE02::1)."
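An added example, not part of any post in this thread and not Cisco tooling: a small Python parser for `show failover` text that lists monitored interfaces whose state is not plain `Normal` on either unit and notes an unconfigured stateful link. The sample is constructed by abridging the output quoted in the first post; the function names and the "no IPv4 address" tag are this example's own.

```python
import re

# Constructed sample, abridged from the "show failover" output quoted in the thread.
SAMPLE = """\
This host: Secondary - Active
Interface management (192.168.1.1): No Link (Not-Monitored)
Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1d7): Normal
Other host: Primary - Failed
Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6686): Normal
Interface outside (180.x.x.x) Normal
Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1ff): Failed (Waiting)
Interface TATA-INTERNET (115.x.x.227): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
"""

HOST = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):?\s*(.+?)\s*$")  # colon optional

def parse_failover(text):
    """Return (units, stateful_link) parsed from 'show failover' text."""
    units, current, stateful = {}, None, None
    for line in text.splitlines():
        if m := HOST.match(line):
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            units[m.group(1).lower()] = current
        elif (m := IFACE.match(line)) and current is not None:
            name, addr, status = m.groups()
            current["interfaces"][name] = {
                "status": status,
                "monitored": "Not-Monitored" not in status,
                "no_ipv4": addr.startswith("0.0.0.0/"),  # as on IPVSIX in the thread
            }
        elif m := re.match(r"^\s*Link\s*:\s*(.+?)\.?\s*$", line):
            stateful = m.group(1)
    return units, stateful

def findings(text):
    """List monitored interfaces that are not plain 'Normal', per unit."""
    units, stateful = parse_failover(text)
    out = []
    for side, unit in units.items():
        for name, i in unit["interfaces"].items():
            if i["monitored"] and i["status"] != "Normal":
                tag = " [no IPv4 address]" if i["no_ipv4"] else ""
                out.append(f"{side}/{unit['role']}: {name} {i['status']}{tag}")
    if stateful == "Unconfigured":
        out.append("stateful failover link: Unconfigured")
    return out
```

Calling `findings()` on output captured from each unit gives a short list to compare against `show interface` on the unit that reports the problem.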