Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8933
Views
0
Helpful
5
Replies

ASA Failover

sameermunj
Level 1
Level 1

‎10-12-2010 02:57 AM - edited ‎03-11-2019 11:53 AM

Hi experts

My network setup has 2 number for ASA 5520 firewall configured in as Active-Standby setup.(ASA Version 8.2(1) )..One of the firewall is configured as Active and other is Standby..Recently we experienced automatic failover without any boot/failure of primary firewall or without any physical communication issue.The primary firewall was working fine still the failover has happened and standby firewall has become active..

From the documentation i could found following reasons for the failover...

  • The unit has a hardware failure or a power failure.

  • The unit has a software failure.
  • Too many monitored interfaces fail.
  • The no failover active command is entered on the active unit, or the failover active command is entered on standby unit.

Is there any other reason for the failover apart from 4 mentioned above....Setup is working fine and jsut want to understand the cause for the failover..

Labels:
0 Helpful
5 Replies 5

Jennifer Halim
Cisco Employee
Cisco Employee

‎10-12-2010 03:06 AM

You can check the reason why the failover occured by issueing the command: show failover history

Here is the command reference for more information:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s3.html#wp1474400

Hope that helps to determine the possible issue.

0 Helpful

sameermunj
Level 1
Level 1
In response to Jennifer Halim

‎10-12-2010 03:23 AM

Hello

Thanks for the quick reply..

Please find below the output of show history

------------------ show failover history ------------------

==========================================================================

From State                 To State                   Reason

==========================================================================

09:49:40 IST Oct 8 2010

Standby Ready              Just Active                Other unit wants me Active

09:49:40 IST Oct 8 2010

Just Active                Active Drain               Other unit wants me Active

09:49:40 IST Oct 8 2010

Active Drain               Active Applying Config     Other unit wants me Active

09:49:40 IST Oct 8 2010

Active Applying Config     Active Config Applied      Other unit wants me Active

09:49:40 IST Oct 8 2010

Active Config Applied      Active                     Other unit wants me Active

04:06:18 IST Oct 9 2010

Active                     Failed                     Interface check

04:06:35 IST Oct 9 2010

Failed                     Standby Ready              Interface check

07:47:30 IST Oct 9 2010

Standby Ready              Failed                     Interface check

07:47:33 IST Oct 9 2010

Failed                     Standby Ready              Interface check

07:47:43 IST Oct 9 2010

Standby Ready              Failed                     Interface check

07:48:00 IST Oct 9 2010

Failed                     Standby Ready              Interface check

15:57:58 IST Oct 10 2010

Standby Ready              Failed                     Interface check

15:58:15 IST Oct 10 2010

Failed                     Standby Ready              Interface check

16:01:13 IST Oct 10 2010

Standby Ready              Failed                     Interface check

16:01:15 IST Oct 10 2010

Failed                     Standby Ready              Interface check

06:28:09 IST Oct 11 2010

Standby Ready              Just Active                Other unit wants me Active

06:28:09 IST Oct 11 2010

Just Active                Active Drain               Other unit wants me Active

06:28:09 IST Oct 11 2010

Active Drain               Active Applying Config     Other unit wants me Active

06:28:09 IST Oct 11 2010

Active Applying Config     Active Config Applied      Other unit wants me Active

06:28:09 IST Oct 11 2010

Active Config Applied      Active                     Other unit wants me Active

==========================================================================

it looks the connectivity issue happening since last 3 days but the final faiolver reason for today morning is not clear..

can you please help me in understanding the excat reason..

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to sameermunj

‎10-12-2010 04:45 AM

Looks like it failed because of interface failure. Can you also post the output of "show failover" from both units.

Also check each interfaces on the ASA firewalls, both physical cable as well as connection to the switch port. One of the interfaces could have failed, hence causing the issue.

0 Helpful

alexandravidojevic
Level 1
Level 1

‎01-22-2014 05:02 AM

Hi there,

All monitored interface must be in "Normal" state.

If only one or more monitored interaces are "Failed" for any reason and Secondary unit will be "Failed" or most of time except short intervals being "Standby Ready".

You can test this option by typing in cfg mode  "no monitor-interace NAME_OF_FAILED_INT" after that Secondary unit has to be "Standby Ready"

0 Helpful

alexandravidojevic
Level 1
Level 1

‎01-22-2014 05:05 AM

Hi there,

All monitored interface must be in "Normal" state.

If only one or more monitored interaces are "Failed" for any reason and Secondary unit will be "Failed" or most of time except short intervals being "Standby Ready".

You can test this option by typing in cfg mode  "no monitor-interace NAME_OF_FAILED_INT" after that Secondary unit has to be "Standby Ready"

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card