Solved: ASA Failover not happening

deepali.shinde · ‎09-15-2011

Dear Experts,

We have ASA 5520 configured for failover and it was working fine. When we wanted to reload the firewall and inactive( Primary) to become Active , we saw that it is in Failed state. The DMZ2 interface in the capture below is the logical sub-interface , but is in Failed State. The other sub-interface on the physical interface Gig0/2 are all fine for the Failed Firewall.

Following are the captures on the Active Firewall

hostname# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: int-fail GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 16:03:39 GST Apr 27 2011
        This host: Secondary - Active
                Active time: 31720447 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface Outside (X.X.X.X): Normal
                  Interface Inside (10.40.36.19): Normal
                  Interface DMZ1 (10.40.56.1): Normal
                  Interface DMZ2 (10.40.56.129): Normal (Waiting)
                  Interface DMZ3 (10.40.57.1): Normal
                  Interface Management (10.40.65.202): Normal (Waiting)
                slot 1: empty
        Other host: Primary - Failed
                Active time: 2643818 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface Outside (X.X.X.X): Normal
                  Interface Inside (10.40.36.20): Normal
                  Interface DMZ1 (10.40.56.2): Normal
                  Interface DMZ2 (10.40.56.130): Failed (Waiting)
                  Interface DMZ3 (10.40.57.2): Normal
                  Interface Management (0.0.0.0): Normal (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
Link : Unconfigured.

hostname# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         X.X.X.X         YES CONFIG up                    up
GigabitEthernet0/1         10.40.36.19     YES CONFIG up                    up
GigabitEthernet0/2         unassigned      YES unset up                    up
GigabitEthernet0/2.1       10.40.56.1      YES CONFIG up                    up
GigabitEthernet0/2.2       10.40.56.129    YES CONFIG up                    up
GigabitEthernet0/2.3       10.40.57.1      YES CONFIG up                    up
GigabitEthernet0/3         10.40.36.6      YES unset up                    up
Management0/0              10.40.65.2      YES CONFIG up                    up
Virtual254                 unassigned      YES unset up                    up
hostname#

Thanks
D

varrao · ‎09-15-2011

Hi Deepail,

Thats wat you need to verify, why the interafce is down, there must be a switch between the two firewalls, check the vlan config on it and also the interface statu on it.

-Varun

Thanks,
Varun Rao

View solution in original post

varrao · ‎09-15-2011

Hi Deepali,

You need to verify the cause for the failure, can you provide the output of :

show failover

Check why the interface is in failed state, check the interface on the switch, trying the failed interface from the active firewall:

ping DMZ2 10.40.56.130

Trace on all the device whether the mac-address for the interafce is being learnt or not.

Check the logs from the time of the issue as well.

Thanks,

Varun

Thanks,
Varun Rao

deepali.shinde · ‎09-15-2011

Thanks Varun. Pasted the output of sh failover of Inactive FW.

I am unable to ping DMZ2 10.40.56.130 , this is logical interface , its one of the sub-interface created , the other sub-interfaces DMZ1 and DMZ3 are up and in Normal state.

hostname# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: int-fail GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 16:31:48 GST Sep 15 2011
        This host: Primary - Failed
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface Outside (X.X.X.X): Normal
                  Interface Inside (10.40.36.20): Normal
                  Interface DMZ1 (10.40.56.2): Normal
                  Interface DMZ2 (10.40.56.130): Failed (Waiting)
                  Interface DMZ3 (10.40.57.2): Normal
                  Interface Management (0.0.0.0): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Active
                Active time: 31734116 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface Outside (X.X.X.X): Normal
                  Interface Inside (10.40.36.19): Normal
                  Interface DMZ1 (10.40.56.1): Normal
                  Interface DMZ2 (10.40.56.129): Normal (Waiting)
                  Interface DMZ3 (10.40.57.1): Normal
                  Interface Management (10.40.65.202): Normal (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
Link : Unconfigured.

varrao · ‎09-15-2011

Hi Deepail,

Thats wat you need to verify, why the interafce is down, there must be a switch between the two firewalls, check the vlan config on it and also the interface statu on it.

-Varun

Thanks,
Varun Rao

deepali.shinde · ‎09-15-2011

Thanks! Varun. The issue is resolved. You were right! the switch did not have the DMZ2 L2 VLAN on it and after adding it,its working fine now.

varrao · ‎09-15-2011

Hey that great news!!!!!! Nice work on it, thanks for the rating

-Varun

Thanks,
Varun Rao