Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3550
Views
10
Helpful
4
Replies

ASA Firewall - Normal(Waiting)

Chin
Level 1
Level 1

‎09-15-2015 10:57 PM - edited ‎03-11-2019 11:36 PM

Hi Guys,

Im trying to get the failover state for one of the inside interfaces to change to Monitored, and it doesnt seem to be working. The switchport settings on the primary unit for the interface is exactly the same . Tried bouncing the switchport which the inside interface connects to, to no avail. 

Is there anything that I may be missing?

 

TPPASAFW-5525/sec/stby# show failover
Failover On 
Failover unit Secondary
Failover LAN Interface: failover-interface GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(3)4, Mate 9.2(3)4
Last Failover at: 18:38:51 AEST May 12 2015
        This host: Secondary - Standby Ready 
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.2(3)4) status (Up Sys)
                  Interface firewall-internal (192.168.103.3): Normal (Monitored)
                  Interface firewall-dmz (192.168.101.2): Normal (Monitored)
                  Interface firewall-ext-apnic (x): Normal (Waiting)  
                  Interface logs (192.168.205.8): Normal (Monitored)
                  Interface management (192.168.109.3): Normal (Monitored)
                slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
                  IPS, 7.1(9)E4, Up
        Other host: Primary - Active 
                Active time: 10962400 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.2(3)4) status (Up Sys)
                  Interface firewall-internal (192.168.103.2): Normal (Monitored)
                  Interface firewall-dmz (192.168.101.1): Normal (Monitored)
                  Interface firewall-ext-apnic (x): Normal (Monitored)
                  Interface logs (192.168.205.7): Normal (Monitored)
                  Interface management (192.168.109.2): Normal (Monitored)
                slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
                  IPS, 7.1(9)E4, Up

 

Thanks loads!

 

Labels:
0 Helpful
4 Replies 4

Rishabh Seth
Level 7
Level 7

‎09-16-2015 12:46 AM

>> Are you able to ping the across the two units on the active IP and Stand by IP configuraed on interface "firewall-ext-apnic" ? 

>> Make sure that interfaces on switch connected to ASA's "firewall-ext-apnic" interface is present in same VLAN on the switch.

>> Is  ip verify reverse-path interface firewall-ext-apnic  present in your configuration? If present try removing it and test it?

0 Helpful

Chin
Level 1
Level 1
In response to Rishabh Seth

‎09-16-2015 05:58 PM

>> Are you able to ping the across the two units on the active IP and Stand by IP configuraed on interface "firewall-ext-apnic" ? No, not able to ping to interface ip on  from the primary unit. 

 

>> Make sure that interfaces on switch connected to ASA's "firewall-ext-apnic" interface is present in same VLAN on the switch. Theyre both on the same vlan

 

>> Is  ip verify reverse-path interface firewall-ext-apnic  present in your configuration? If present try removing it and test it?  It is, and it seems to have packet dropping and the count keeps increasing, how do i check the source and destination of the packets that are being dropped ? 

 

TPPASAFW-5525/sec/stby# show ip verify statis
interface firewall-internal: 0unicast

rpf drops
interface firewall-dmz: 0 unicast rpf drops
interface firewall-ext-apnic: 4411598 unicast rpf drops
interface logs: 0 unicastrpf drops
interface management: 0 unicastrpf drops

 

TPPASAFW-5525/sec/stby# show asp drop frame rpf-violated  
  Reverse-pathverify failed (rpf-violated)                              4411557

Last clearing: Never

TPPASAFW-5525/sec/stby# show asp drop frame rpf-violated  
  Reverse-path

verify failed (rpf-violated)                              4411557

Last clearing: Never

 

I checked the firewall log files and did not see any logs that show reverse-path checks/drops. How do I ensure the logging captures the logs since i see an incrementing value when i do the show asp drop command?

Logging is enabled : 

logging enable
logging timestamp
logging buffer-size 512000
loggingasdm-buffer-size 500
logging monitor informational
logging buffered debugging
logging trap informational
loggingasdm informational

 

Thanks so much !

0 Helpful

Rishabh Seth
Level 7
Level 7
In response to Chin

‎09-16-2015 11:22 PM

Hi,

>> You can try running packet-tracer on both the ASAs to check the reason of packet drop.

>> Apply packet captures on each unit with specific source IP and destination IP and initiate ICMP. This would let us know if the traffic is reaching the other unit or not.

>> Also ensure you have Primary and secondary IP configured for interface irewall-ext-apnic.

>> From the rpf output i see that there are multiple interfaces with rpf enabled and their status is monitored. You may try removing the rpf check for testing purpose. If removing rpf check works then we might be hitting the defect: https://tools.cisco.com/bugsearch/bug/CSCut29589/?reffering_site=dumpcr

Thanks,

R.Seth

 

 

AdamAlphonz
Level 1
Level 1
In response to Rishabh Seth

‎09-29-2015 05:13 PM

Thanks Risseth. Will try the options out.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card