Good afternoon guys,
I've got an issue with the failover state of my Secondary ASA. Herein lies the problem.
I have a Primary / Secondary ASA. I also have a 2960X switch stack comprising 2 physical switches. I have direct connections from ASA ports to the management ports of the switches.
ASA Primary 0/5 > 2960X (master) OOB Management (FastEthernet)
ASA Secondary 0/5 > 2960X (slave) OOB Management (FastEthernet)
The problem I have is that the management port on the slave 2960X will not come online unless we lose the master switch / management port. Because of this, the link is showing up on the ASA as "no link" and therefore the failover status is showing as failed for the secondary ASA.
ASA001# Show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Ifc Failure 08:46:07 GMT/BST Dec 6 2017
DMZ_Management_VLAN: No Link
====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set
ASA001# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LANFAILOVER GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 316 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 04:45:17 GMT/BST Oct 27 2017
This host: Primary - Active
Active time: 9421910 (sec)
slot 0: ASA5545 hw/sw rev (3.1/9.2(2)4) status (Up Sys)
Interface management (0.0.0.0): Link Down (Shutdown)
Interface Transit_BrownExt_VLAN (x.21.95.249): Normal (Not-Monitored)
Interface Transit_GreenExt_VLAN (x.252.230.166): Normal (Not-Monitored)
Interface Transit_GreenInt_VLAN (x.21.95.241): Normal (Monitored)
Interface DMZ_Management_VLAN (x.21.95.233): Normal (Waiting)
slot 1: SFR5545 hw/sw rev (N/A/5.4.0-764) status (Up/Up)
ASA FirePOWER, 5.4.0-764, Up
Other host: Secondary - Failed
Active time: 998 (sec)
slot 0: ASA5545 hw/sw rev (3.1/9.2(2)4) status (Up Sys)
Interface management (0.0.0.0): Link Down (Shutdown)
Interface Transit_BrownExt_VLAN (x.21.95.250): Normal (Not-Monitored)
Interface Transit_GreenExt_VLAN (x.252.230.165): Normal (Not-Monitored)
Interface Transit_GreenInt_VLAN (x.21.95.242): Normal (Monitored)
Interface DMZ_Management_VLAN (x.21.95.234): No Link (Waiting)
slot 1: SFR5545 hw/sw rev (N/A/5.4.0-764) status (Up/Up)
ASA FirePOWER, 5.4.0-764, Up
Stateful Failover Logical Update Statistics
Link : LINKFAILOVER GigabitEthernet0/6 (up)
Stateful Obj xmit xerr rcv rerr
General 49552948 0 1256337 0
sys cmd 1256319 0 1256319 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 33836766 0 0 0
UDP conn 12384524 0 0 0
ARP tbl 1483387 0 17 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 191 0 0 0
VPN IKEv1 P2 616 0 0 0
VPN IKEv2 SA 588869 0 0 0
VPN IKEv2 P2 1785 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 414 0 0 0
Route Session 77 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 13 10678923
Xmit Q: 0 7 61813441
Do I just treat this reported failure as a "red herring", as if we lose the master switch the slave switch / OOB management port will come online?
Any suggestions or advice very welcome.
Kind regards.