Hi Jennifer,

following is the output from primary ASA:

ASA1# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAIL GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 160 maximum
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 15:30:14 UTC Mar 11 2011
        This host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                  Interface outside (172.5.4.51): No Link (Waiting)
                  Interface inside (192.168.95.22): No Link (Waiting)
                  Interface DMZ (10.122.0.2): No Link (Waiting)
                  Interface management (0.0.0.0): No Link (Waiting)
                slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Primary - Active
                Active time: 11001 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                  Interface outside (172.17.40.50): No Link (Waiting)
                  Interface inside (192.168.95.21): No Link (Waiting)
                  Interface DMZ (10.122.0.1): No Link (Waiting)
                  Interface management (192.168.1.1): Normal (Waiting)
                slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : FAIL GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         152        0          152        1
        sys cmd         152        0          152        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          1
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       16      2971
        Xmit Q:         0       1       153
ASA1# sh int ip b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         172.5.4.51    YES CONFIG down                  down
GigabitEthernet0/1         192.168.95.22  YES CONFIG down                  down
GigabitEthernet0/2         10.122.0.2      YES CONFIG down                  down
GigabitEthernet0/3         10.1.9.25  YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  administratively down up
Management0/0              unassigned      YES CONFIG down                  down
GigabitEthernet1/0         unassigned      YES unset  administratively down down
GigabitEthernet1/1         unassigned      YES unset  administratively down down
GigabitEthernet1/2         unassigned      YES unset  administratively down down
GigabitEthernet1/3         unassigned      YES unset  administratively down down
Internal-Data1/0           unassigned      YES unset  up                    up

maybe itsn't working because other interfaces are down except g0/3 (failover interface - this is up)?

by testing failover i meant to say::

whey secondary boots up and if i do "failover active" on secondary then it becomes active initial...then if i do "sh failover" after some time then it says primary:active...secondary:FAIL.

can u advise what problem could be.

Thanks....

Thanks...so failover will work correctly if one of the interface of both ASA say g0/0 stays up all the time?

Thanks

OK, for testing purposes, you should disable the monitor interface command on all interfaces so it doesn't monitor the interface.

And no, the policy says, if 1 interface fails, then performs the failover (you can change this to 2 or 3 interfaces fail, up to you). So you will need to have all the interfaces UP as per your current configuration because 1 interface fail will trigger the failover.

For testing purposes, just disable monitoring the interfaces to keep the failover at its correct state:

no monitor-interface outside

no monitor-interface inside

no monitor-interface DMZ

no monitor-interface management

When you are ready for production, and all interfaces are connected, you can re-enable it.

Message was edited by: Jennifer Halim

Thanks...

how about those admin down interfaces? do i have to take them out from the monitoring too?

you said "And no, the policy says, if 1 interface fails, then performs the failover  (you can change this to 2 or 3 interfaces fail, up to you). So you will  need to have all the interfaces UP as per your current configuration  because 1 interface fail will trigger the failover." -> how do i change it from 1 to 3?

thanks ,,,

Admin down interfaces as long as you haven't configured the name, ip address, and security level, it's ok.

Only those interfaces which are listed in the "show failover" output.

cool Thanks Jennifer...I'll check it out

Cheers, pls kindly mark the post as answered if you have no further question. Thank you.