11-21-2006 11:31 PM - edited 03-11-2019 01:59 AM
Hi,
I have 2 Cisco ASAs configured in failover. On the primary unit, I can see:
This host: Primary - Active
Active time: 3349739 (sec)
slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)
Interface outside (192.168.29.203): Normal
Interface inside (172.26.100.200): Normal
Interface dmzisa (192.168.27.100): Normal
Interface management (192.168.29.105): Link Down (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)
Logging port IP: 192.168.29.103/25
CSC SSM, 6.1 (Build#1519), Up
Other host: Secondary - Standby Ready
Active time: 277 (sec)
slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)
Interface outside (192.168.29.204): Normal
Interface inside (172.26.100.201): Normal
Interface dmzisa (192.168.27.101): Normal
Interface management (192.168.29.106): Normal (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)
Logging port IP: 192.168.29.104/25
However, the management interface is shut down on both ASAs.
On the other hand, on the standby unit, I have:
This host: Secondary - Standby Ready
Active time: 277 (sec)
slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)
Interface outside (192.168.29.204): Normal
Interface inside (172.26.100.201): Normal
Interface dmzisa (192.168.27.101): Normal
Interface management (192.168.29.106): Link Down (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)
Logging port IP: 192.168.29.104/25
CSC SSM, 6.1 (Build#1519), Up
Other host: Primary - Active
Active time: 3349581 (sec)
slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)
Interface outside (192.168.29.203): Normal
Interface inside (172.26.100.200): Normal
Interface dmzisa (192.168.27.100): Normal
Interface management (192.168.29.105): Link Down (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)
Logging port IP: 192.168.29.103/25
CSC SSM, 6.1 (Build#1519), Up
What is wrong?
Best Regards.
Thank you very much
Nuria
11-22-2006 12:44 AM
This could be a physical connectivity issue.
Do you connect both management ports to active ports? Link down means no signal is received by ASA from the other end.
Can you post both interface detail status?
HTH
AK
11-22-2006 01:17 AM
In ASA1:
FWASA# sh interface management
Interface Management0/0 "management", is administratively down, line protocol is up
Hardware is i82557, BW 100 Mbps
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
MAC address 0018.195b.dee3, MTU 1500
IP address 192.168.29.105, subnet mask 255.255.255.128
8863 packets input, 971812 bytes, 0 no buffer
Received 1149 broadcasts, 0 runts, 0 giants
2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
0 L2 decode drops
17838 packets output, 3923878 bytes, 0 underruns
0 output errors, 144 collisions, 0 interface resets
0 babbles, 0 late collisions, 153 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/128)
output queue (curr/max blocks): hardware (1/16) software (0/1)
Traffic Statistics for "management":
8503 packets input, 826979 bytes
13470 packets output, 3684385 bytes
601 packets dropped
In ASA2:
FWASA# sh interface management
Interface Management0/0 "management", is administratively down, line protocol is up
Hardware is i82557, BW 100 Mbps
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
MAC address 0018.1900.52fa, MTU 1500
IP address 192.168.29.106, subnet mask 255.255.255.128
214 packets input, 7180 bytes, 0 no buffer
Received 63 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
2 packets output, 128 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/46)
output queue (curr/max blocks): hardware (1/1) software (0/1)
Traffic Statistics for "management":
87 packets input, 5422 bytes
2 packets output, 56 bytes
32 packets dropped
On both ASAs, I have shut down this interface. But on ASA1, when I do "show failover", it appears as "normal".
Best Regards
Thank you very much
Nuria
11-22-2006 02:31 AM
Looks like management port is in shutdown state. Can you unshut/enable both interfaces?
This should work.
HTH
AK
11-22-2006 02:53 AM
Yes, they are in shutdown. But I want those interfaces to be in shutdown.
However, on ASA1, when I do "show failover", this device sees the management interface on ASA2 as "up". And that is wrong. And I don't know why.
Thank you very much.
11-22-2006 05:51 AM
Your concern is noted:
Primary unit - sh failover
Interface management (192.168.29.105): Link Down (Not-Monitored)
Interface management (192.168.29.106): Normal (Not-Monitored)
Secondary unit:
Interface management (192.168.29.106): Link Down (Not-Monitored)
Interface management (192.168.29.105): Link Down (Not-Monitored)
Can you post the ASA config, specifically the interface configuration and the whole failover parameters? A full 'sh failover' will also help.
HTH
AK
11-22-2006 07:31 AM
The interfaces configuration is:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.29.203 255.255.255.128 standby 192.168.29.204
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.26.100.200 255.255.255.0 standby 172.26.100.201
!
interface GigabitEthernet0/2
 nameif dmzisa
 security-level 50
 ip address 192.168.27.100 255.255.255.0 standby 192.168.27.101
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.29.105 255.255.255.128 standby 192.168.29.106
The failover configuration is:
failover
failover lan unit primary
failover lan interface lan_fail GigabitEthernet0/3
failover key *****
failover replication http
failover link lan_fail GigabitEthernet0/3
failover interface ip lan_fail 192.168.31.1 255.255.255.252 standby 192.168.31.2
The "show fail" in ASA1:
ASA# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: lan_fail GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 7.1(2), Mate 7.1(2)
Last Failover at: 09:45:58 CEDT Oct 14 2006
This host: Primary - Active
Active time: 3378569 (sec)
slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)
Interface outside (192.168.29.203): Normal
Interface inside (172.26.100.200): Normal
Interface dmzisa (192.168.27.100): Normal
Interface management (192.168.29.105): Link Down (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)
Logging port IP: 192.168.29.103/25
CSC SSM, 6.1 (Build#1519), Up
Other host: Secondary - Standby Ready
Active time: 277 (sec)
slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)
Interface outside (192.168.29.204): Normal
Interface inside (172.26.100.201): Normal
Interface dmzisa (192.168.27.101): Normal
Interface management (192.168.29.106): Normal (Not-Monitored)
slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)
Logging port IP: 192.168.29.104/25
CSC SSM, 6.1 (Build#1519), Up
Stateful Failover Logical Update Statistics
Link : lan_fail GigabitEthernet0/3 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         138029572  0          440620     29
sys cmd         439273     0          439272     0
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        68795883   0          0          0
UDP conn        67638101   0          1272       0
ARP tbl         1156315    0          76         29
Xlate_Timeout   0          0          0          0
VPN IKE upd     0          0          0          0
VPN IPSEC upd   0          0          0          0
VPN CTCP upd    0          0          0          0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
Logical Update Queue Information
                Cur        Max        Total
Recv Q:         0          6          440933
Xmit Q:         0          11         141407961
Thank you very much.
Best Regards
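The comparison made by hand earlier in the thread (each unit's "Other host" lines against the peer's own "This host" lines) can be scripted. The following is an added example, not part of any post above; the sample text is a trimmed copy of the "show failover" lines from the thread, and the function names are hypothetical. It only reports where the two views disagree and does not determine the cause.

```python
import re

# Trimmed "show failover" excerpts copied from the thread (one view per unit).
PRIMARY_VIEW = """\
This host: Primary - Active
Interface outside (192.168.29.203): Normal
Interface management (192.168.29.105): Link Down (Not-Monitored)
Other host: Secondary - Standby Ready
Interface outside (192.168.29.204): Normal
Interface management (192.168.29.106): Normal (Not-Monitored)
"""
SECONDARY_VIEW = """\
This host: Secondary - Standby Ready
Interface outside (192.168.29.204): Normal
Interface management (192.168.29.106): Link Down (Not-Monitored)
Other host: Primary - Active
Interface outside (192.168.29.203): Normal
Interface management (192.168.29.105): Link Down (Not-Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:")
IF_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(.+?)\s*$")

def parse_view(text):
    """Split one unit's output into {'This': {...}, 'Other': {...}} keyed by interface name."""
    view, section = {"This": {}, "Other": {}}, None
    for line in text.splitlines():
        if (m := HOST_RE.match(line)):
            section = m.group(1)
        elif section and (m := IF_RE.match(line)):
            name, ip, status = m.groups()
            monitored = "(Not-Monitored)" not in status
            state = status.replace("(Not-Monitored)", "").strip()
            view[section][name] = (ip, state, monitored)
    return view

def stale_peer_states(observer, subject):
    """Interfaces where the observer's 'Other host' state differs from the subject's own report."""
    findings = []
    for name, (ip, seen, monitored) in observer["Other"].items():
        own = subject["This"].get(name)
        if own and own[0] == ip and own[1] != seen:
            findings.append((name, ip, seen, own[1], monitored))
    return findings

if __name__ == "__main__":
    pri, sec = parse_view(PRIMARY_VIEW), parse_view(SECONDARY_VIEW)
    for name, ip, seen, actual, mon in stale_peer_states(pri, sec):
        print(f"primary sees {name} ({ip}) as {seen!r}; secondary reports {actual!r}; monitored={mon}")
```
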