Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
870
Views
5
Helpful
6
Replies

ASA Standby active websites down

Iain Goad
Level 1
Level 1

‎03-03-2018 03:10 PM - edited ‎02-21-2020 07:28 AM

Hi All ,

 

I have a pair of Cisco ASA 5525-X, in HA.  The have 9 context's on them.  when in active on the primary everything works fine but when I do no failover active, ie the standby then becomes active, one of the contexts websites stop working.  from the ASA you can ping both up and down ie the the real server of the website and to the default gateway of the context.  I have compared running configurations when both primary and standby are in active and all look the same.  all ports seem up and as I can ping up and down it sees not to be that?  

 

Any ideas please?

 

Thanks

Labels:
0 Helpful
6 Replies 6

Ajay Saini
Level 7
Level 7

‎03-03-2018 11:21 PM

Hello,

 

Since this is happening when secondary device becomes active, I am suspecting to be an arp issue. The only we can fix this is to let the issue happen in a downtime.

 

Syslogs, interface level captures (ingress and egress) and debug arp output while you try to access the website. It will help us in identifying the root cause. 

One thing you can check when you failover is to check the arp entry against the website NATted ip on the firewall. This needs to check on the gateway device. This should be same as the one present now corresponding to the primary device.

 

 

 

HTH
AJ

Iain Goad
Level 1
Level 1
In response to Ajay Saini

‎03-05-2018 12:49 AM

Hi AJ,

Thanks for your reply, I have the arp entries of when I failed it over and
they are al the same as when on the primary. so on ASA the real server is
same aswell as default gateway. On the checkpoint firewall which is up
stream the arp entry stays the same too so no change of arp is seen?

The hard thing with this firewall is we have lots of customers on it so
getting a downtime took 2 months already.

Any more ideas would be great.

Thanks

Iain
0 Helpful

Ajay Saini
Level 7
Level 7
In response to Iain Goad

‎03-05-2018 01:04 AM

Hello,

 

So, no issue should be happening from the ASA or Checkpoint perspective. The ASA works is that it will send a grat arp once failover happens, hence updating the connected switch ports so that the traffic can be sent accordingly. You can check the switch config to make sure that there is no spanning tree config on those ports and they are configured as edge ports.

 

Other than that, since we can not have maintenance window, I am out of ideas :(

 

Regards,

 

AJ

0 Helpful

Iain Goad
Level 1
Level 1
In response to Ajay Saini

‎03-05-2018 01:10 AM

Hi AJ,

I Checked the switches and all are edge ports. going to raise a TAC case I
think.

Thanks for your help

Thanks

Iain
0 Helpful

Florin Barhala
Level 6
Level 6
In response to Iain Goad

‎03-07-2018 02:18 AM

I am also interested in the follow-up of this case, keep us posted please!
0 Helpful

Iain Goad
Level 1
Level 1
In response to Florin Barhala

‎03-07-2018 02:25 AM

Guys the issue was the Firepower module not being configured
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card