11-13-2018 07:26 AM - edited 02-21-2020 08:27 AM
Hi all,
Today I had the problem that my ASA FW cluster told me:
Lost Failover communications with mate on interface xvc
Fortunately, it also told me:
Testing Interface xvc
Testing on interface xvc Passed
Also, when I checked the status etc., everything looked fine.
But then I was thinking about what the ASA actually means with: Lost Failover communications with mate on interface xvc
Do the ASAs in a failover configuration actively monitor the interfaces of the mate? And if yes, how do they do it? Do they periodically ping those interfaces?
I know that they actively check the state and the reachability via the state/failover link, but I didn't know that they check all configured interfaces.
I didn't find any respective entry in the config, thus I think this might be the default behaviour!? Can anyone shed some light for me on this?
Thanks a lot in advance!
11-13-2018 07:47 AM
Hi,
Do you have the monitor-interface command enabled? Example below:
monitor-interface inside
If you run show failover you should see
Monitored Interfaces 3 of 1049 maximum
This determines the number of interfaces you are monitoring. If a number fail, it will trigger a failover.
Useful resource
Joel
11-13-2018 08:04 AM
ASA units in a failover pair use the Failover control link for the below:
Initial failover peer discovery & negotiation
Configuration replication from the active unit to its standby peer
Device-level health monitoring
Each unit uses the link to report its own operational health & monitor its peer by exchanging periodic keepalive messages.
Default unit poll is 1 second & hold time is 15 secs.
Related config example:
failover lan interface FAILOVER g0/3
failover interface ip FAILOVER 192.168.12.1 255.255.255.0 standby 192.168.12.2
Regards, mk
Please rate or accept as solution :)
11-14-2018 02:10 AM
Hi Mk,
Thanks a lot for your answer.
You wrote: "Each unit uses the link to report its own operational health & monitor its peer by exchanging periodic keepalive messages."
So does that mean that e.g. if the "active" device realizes that an interface is down, it will communicate this to the "standby" and then a message like the one I mentioned is created?
So, the "standby" does not actively monitor the interfaces of its mate!? Or is the "Device-level health monitoring" exactly that? And the "standby" does e.g. ping all its mate's interfaces to check on them?
Thanks a lot!
11-14-2018 10:30 AM
The active or 1st ASA will monitor its own interfaces; if the configured number of interfaces goes down, this will lead to a failover to the 2nd ASA.
The link between them: if the standby or 2nd ASA does not receive a keepalive for 15 sec (def), it will take over the active role.
No, the standby is not monitoring the interfaces of its mate.
Hope that helps.
Regards, mk
Please rate if helpful or solved :)
11-15-2018 03:18 AM
Hi Mk,
Thanks again for your time and answer!
I should have been more precise.
The message "Lost Failover communication with mate on interface xvc" was shown to me by the standby unit.
And interface xvc was not the failover link but another interface configured on the cluster. That's why I was wondering how the standby unit actually noticed it.
And that's also why I was wondering if the standby unit actively monitors the interfaces of the active unit.
Regards
Florian