cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
439
Views
0
Helpful
6
Replies

ASA Failover issue.

bhupendrajain
Beginner
Beginner

we have cisco asa 5550 firewall running on ios 8.2

i have add two new interface on firewall,  but it show failled on sh failover output

Last Failover at: 22:50:59 IST Dec 4 2012
        This host: Secondary - Active
                Active time: 2043566 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6672): Normal
                  Interface outside (180.x.x.x): Normal
                  Interface management (192.168.1.1): No Link (Not-Monitored)
                  Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1d7): Normal
                  Interface TATA-INTERNET (115.x.x.226): Normal
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Primary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6686): Normal
                  Interface outside (180.x.x.x) Normal
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                  Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1ff): Failed (Waiting)
                  Interface TATA-INTERNET (115.x.x.227): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

Thanks

Bhupendra Jain

6 Replies 6

Rudy Sanjoko
Enthusiast
Enthusiast

from the above output, it tells me that the failover link is uncofigured also i can see that both asa have the same ios version, interface and model. it would be best if you can share the config of the failover on both sides and enable debugging for failover, below are some usefull commands that can be use to troubleshoot the failover on asa,

show failover

show failover group

show monitor-interface

show running-config failover

debug fover

hi rudy

the above output is for show failover command and show failover group, show monitor-interface commnad is not working

The Output of Show running- config is

failover

failover lan unit secondary

failover lan interface Failover GigabitEthernet0/3

failover replication http

failover interface ip Failover 1.1.1.1 255.255.255.252 standby 1.1.1.2

i assume that is the output from the secondary unit, correct? do you also have the output from the primary unit? how do you connect the failover link between those two asa? do you get any messages from enabling the debug command?

hi rudy,

Both firewall is connected back to back with interface 0/3

sh run failover output of primary unit, Presently primary unit is failed and secondry unit is active.

failover

failover lan unit primary

failover lan interface Failover GigabitEthernet0/3

failover replication http

failover interface ip Failover 1.1.1.1 255.255.255.252 standby 1.1.1.2

we do not enable debug on firewall

I know this is stupid questions, but just to confirm, have you enable  the failover? have you enable the interface for the failover on both  asa? can you give me the output from show failover state as well from  both asa?

At first glance it appears the IPVSIX interface is down on the Primary unit. Please confirm state via "show interface IPVSIX" on that unit.

If it is up, it may be that the Secondary-Active unit cannot confirm it since the interface is IPv6 only and your failover interafce is not IPv6-enabled. If that is the case, try adding IPv6 addresses on the failover interfaces.

"If an interface has only IPv6 addresses configured on it, then the ASA uses IPv6 neighbor discovery instead of ARP to perform the health monitoring tests. For the broadcast ping test, the ASA uses the IPv6 all nodes address (FE02::1)."

Source.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers