ASA Multi-Context + sub-Interfaces

John Quick · ‎12-31-2013

I am trying to configure two ASA 5525 in Active/Standby mode using multiple contexts and is in transparent mode. We are using trunk ports which are ether-channeled.

The problem we are having is the the ASA's alternate betwen active/standby with the following messages being seen

Switching to Active

Dec 31 2013 10:23:48: %ASA-1-104001: (Secondary) Switching to ACTIVE - Other unit wants me Active. Primary unit switch reason: Interface check.

.

Dec 31 2013 10:23:58: %ASA-1-105003: (Secondary) Monitoring on interface management waiting

Dec 31 2013 10:24:08: %ASA-1-105004: (Secondary) Monitoring on interface management normal

Switching to Standby

Dec 31 2013 10:24:16: %ASA-1-104002: (Secondary) Switching to STANDBY - Interface check

Dec 31 2013 10:24:38: %ASA-1-104004: (Secondary) Switching to OK.

Here is the configuration from the ASA's.

Active ASA

interface Ethernet0/0

speed 100

duplex full

channel-group 1 mode on

!

interface Ethernet0/1

speed 100

duplex full

channel-group 1 mode on

!

interface Ethernet0/2

speed 100

duplex full

channel-group 2 mode on

!

interface Ethernet0/3

speed 100

duplex full

channel-group 2 mode on

!

interface Management0/0

!

interface Port-channel1

speed 100

duplex full

!

interface Port-channel1.105

vlan 105

!

interface Port-channel1.106

vlan 106

!

interface Port-channel1.107

vlan 107

!

interface Port-channel1.108

vlan 108

!

interface Port-channel1.155

vlan 155

!

interface Port-channel1.156

vlan 156

!

interface Port-channel1.157

vlan 157

!

interface Port-channel1.158

vlan 158

!

interface Port-channel2

speed 100

duplex full

!

interface Port-channel2.801

description LAN Failover Interface

vlan 801

!

interface Port-channel2.802

description STATE Failover Interface

vlan 802

!

failover

failover lan unit primary

failover lan interface LAN-Failover Port-channel2.801

failover link State-Failover Port-channel2.802

failover interface ip LAN-Failover 10.xx.xx.12 255.255.255.248 standby 10.xx.xx.13

failover interface ip State-Failover 10.xx.xx.20 255.255.255.248 standby 10.xx.xx.21

!

admin-context admin

context admin

allocate-interface Management0/0

config-url disk0:/admin.cfg

!

context Context-1

allocate-interface Port-channel1.105-Port-channel1.106

allocate-interface Port-channel1.155-Port-channel1.156

config-url disk0:/Context-1.cfg

!

context Context-2

allocate-interface Port-channel1.107-Port-channel1.108

allocate-interface Port-channel1.157-Port-channel1.158

config-url disk0:/Context-2.cfg

Standby ASA

The same configuration except apart from the failover commands

failover

failover lan unit secondary

failover lan interface LAN-Failover Port-channel2.801

failover link State-Failover Port-channel2.802

failover interface ip LAN-Failover 10.xx.xx.12 255.255.255.248 standby 10.xx.xx.13

failover interface ip State-Failover 10.xx.xx.20 255.255.255.248 standby 10.xx.xx.21

Can anyone see any issues with this configuration?

Many thanks

John

Collin Clark · ‎12-31-2013

Hi John-

You can't run Active/Passive failover with multiple contexts. You must run Active/Active. You can set one firewall to be Primary Active for all contexts if you want it to operate a little more like Active/Passive.

Hope it helps.

fb_webuser · ‎01-01-2014

or use version 9.x

---

Posted by WebUser Erik Boss from Cisco Support Community App

John Quick · ‎01-02-2014

Thanks for your reply.

I am running version 9.1(1) and it works fine until I failover to the standby firewall where it then flips between being active or standby every 30-60 seconds.