09-15-2015 10:57 PM - edited 03-11-2019 11:36 PM
Hi Guys,
I'm trying to get the failover state for one of the inside interfaces to change to Monitored, and it doesn't seem to be working. The switchport settings on the primary unit for the interface are exactly the same. Tried bouncing the switchport which the inside interface connects to, to no avail.
Is there anything that I may be missing?
TPPASAFW-5525/sec/stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover-interface GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(3)4, Mate 9.2(3)4
Last Failover at: 18:38:51 AEST May 12 2015
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.2(3)4) status (Up Sys)
Interface firewall-internal (192.168.103.3): Normal (Monitored)
Interface firewall-dmz (192.168.101.2): Normal (Monitored)
Interface firewall-ext-apnic (x): Normal (Waiting)
Interface logs (192.168.205.8): Normal (Monitored)
Interface management (192.168.109.3): Normal (Monitored)
slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
IPS, 7.1(9)E4, Up
Other host: Primary - Active
Active time: 10962400 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.2(3)4) status (Up Sys)
Interface firewall-internal (192.168.103.2): Normal (Monitored)
Interface firewall-dmz (192.168.101.1): Normal (Monitored)
Interface firewall-ext-apnic (x): Normal (Monitored)
Interface logs (192.168.205.7): Normal (Monitored)
Interface management (192.168.109.2): Normal (Monitored)
slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
IPS, 7.1(9)E4, Up
Thanks loads!
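As an added example (not from the thread or from Cisco), a small Python check that parses `show failover` output like the one pasted above and flags any interface on either unit whose state is not Normal (Monitored), which is the condition described in the post; the sample text is a trimmed copy of that output embedded for offline use.

```python
import re

# Constructed sample: trimmed from the "show failover" output in the post above.
SAMPLE = """\
This host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.2(3)4) status (Up Sys)
          Interface firewall-internal (192.168.103.3): Normal (Monitored)
          Interface firewall-dmz (192.168.101.2): Normal (Monitored)
          Interface firewall-ext-apnic (x): Normal (Waiting)
          Interface logs (192.168.205.8): Normal (Monitored)
Other host: Primary - Active
        Active time: 10962400 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.2(3)4) status (Up Sys)
          Interface firewall-internal (192.168.103.2): Normal (Monitored)
          Interface firewall-dmz (192.168.101.1): Normal (Monitored)
          Interface firewall-ext-apnic (x): Normal (Monitored)
          Interface logs (192.168.205.7): Normal (Monitored)
"""

# "This host: Secondary - Standby Ready" / "Other host: Primary - Active"
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
# "Interface <name> (<ip>): <link state> (<monitor state>)"; the monitor
# state may contain a hyphen, e.g. "Not-Monitored".
IFACE_RE = re.compile(r"^Interface (\S+) \((\S+)\): (\w+) \(([\w-]+)\)$")

def parse_failover(text):
    """Return {unit_role: {iface_name: (ip, link_state, monitor_state)}}."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(2)          # "Secondary" or "Primary"
            hosts[current] = {}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, link, mon = m.groups()
            hosts[current][name] = (ip, link, mon)
    return hosts

def find_unmonitored(hosts):
    """List (unit, iface, link, monitor) for every interface not Normal (Monitored)."""
    problems = []
    for role, ifaces in hosts.items():
        for name, (ip, link, mon) in ifaces.items():
            if link != "Normal" or mon != "Monitored":
                problems.append((role, name, link, mon))
    return problems

if __name__ == "__main__":
    for role, name, link, mon in find_unmonitored(parse_failover(SAMPLE)):
        print(f"{role}: {name} is {link} ({mon}); check switch VLAN and uRPF on it")
```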
09-16-2015 12:46 AM
>> Are you able to ping across the two units on the active IP and standby IP configured on interface "firewall-ext-apnic"?
>> Make sure that the interfaces on the switch connected to the ASAs' "firewall-ext-apnic" interface are present in the same VLAN on the switch.
>> Is ip verify reverse-path interface firewall-ext-apnic present in your configuration? If present, try removing it and test.
09-16-2015 05:58 PM
>> Are you able to ping across the two units on the active IP and standby IP configured on interface "firewall-ext-apnic"? No, not able to ping the interface IP from the primary unit.
>> Make sure that the interfaces on the switch connected to the ASAs' "firewall-ext-apnic" interface are present in the same VLAN on the switch. They're both on the same VLAN.
>> Is ip verify reverse-path interface firewall-ext-apnic present in your configuration? If present, try removing it and test. It is, and it seems to be dropping packets and the count keeps increasing. How do I check the source and destination of the packets that are being dropped?
TPPASAFW-5525/sec/stby# show ip verify statis
interface firewall-internal: 0 unicast rpf drops
interface firewall-dmz: 0 unicast rpf drops
interface firewall-ext-apnic: 4411598 unicast rpf drops
interface logs: 0 unicast rpf drops
interface management: 0 unicast rpf drops
TPPASAFW-5525/sec/stby# show asp drop frame rpf-violated
Reverse-path verify failed (rpf-violated) 4411557
Last clearing: Never
I checked the firewall log files and did not see any logs that show reverse-path checks/drops. How do I ensure the logging captures these logs, since I see an incrementing value when I do the show asp drop command?
Logging is enabled:
logging enable
logging timestamp
logging buffer-size 512000
logging asdm-buffer-size 500
logging monitor informational
logging buffered debugging
logging trap informational
logging asdm informational
Thanks so much !
09-16-2015 11:22 PM
Hi,
>> You can try running packet-tracer on both ASAs to check the reason for the packet drop.
>> Apply packet captures on each unit with a specific source IP and destination IP and initiate ICMP. This would let us know whether the traffic is reaching the other unit or not.
>> Also ensure you have primary and secondary IPs configured for interface firewall-ext-apnic.
>> From the rpf output I see that there are multiple interfaces with rpf enabled and their status is monitored. You may try removing the rpf check for testing purposes. If removing the rpf check works, then we might be hitting the defect: https://tools.cisco.com/bugsearch/bug/CSCut29589/?reffering_site=dumpcr
Thanks,
R.Seth
09-29-2015 05:13 PM
Thanks Risseth. Will try the options out.