04-04-2023 03:01 AM
Hi,
I have a pair of Active/Standby ASA 5508s running 9.16.2. I needed to reboot the Primary Active firewall so I performed a stateful failover which worked as expected.
I then rebooted the primary firewall and all traffic continued to work through the secondary unit.
The problem came when the active started to come back up: the secondary switched back to standby, seemingly before the Active was ready, and we lost all connectivity briefly.
I've never known the firewalls to automatically failback, let alone do it before the firewalls are ready.
Below is the Failover History from the ASAs:
Primary:
From State                 To State                   Reason
==========================================================================
10:10:09 BST Apr 4 2023
Not Detected               Negotiation                No Error
10:10:54 BST Apr 4 2023
Negotiation                Just Active                No Active unit found
10:10:54 BST Apr 4 2023
Just Active                Active Drain               No Active unit found
10:10:54 BST Apr 4 2023
Active Drain               Active Applying Config     No Active unit found
10:10:54 BST Apr 4 2023
Active Applying Config     Active Config Applied      No Active unit found
10:10:54 BST Apr 4 2023
Active Config Applied      Active                     No Active unit found
==========================================================================
Secondary:
10:02:34 BST Apr 4 2023
Standby Ready              Just Active                Set by the config command
10:02:34 BST Apr 4 2023
Just Active                Active Drain               Set by the config command
10:02:34 BST Apr 4 2023
Active Drain               Active Applying Config     Set by the config command
10:02:34 BST Apr 4 2023
Active Applying Config     Active Config Applied      Set by the config command
10:02:34 BST Apr 4 2023
Active Config Applied      Active                     Set by the config command
10:11:16 BST Apr 4 2023
Active                     Cold Standby               Failover state check
10:11:17 BST Apr 4 2023
Cold Standby               Sync Config                Failover state check
10:12:13 BST Apr 4 2023
Sync Config                Sync File System           Failover state check
10:12:13 BST Apr 4 2023
Sync File System           Bulk Sync                  Failover state check
10:12:26 BST Apr 4 2023
Bulk Sync                  Standby Ready              Failover state check
==========================================================================
Below is our config:
Primary:
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet1/8
failover link Failover GigabitEthernet1/8
failover interface ip Failover 172.16.254.1 255.255.255.252 standby 172.16.254.2
no failover wait-disable
no monitor-interface Staff-Wifi
no monitor-interface service-module
Secondary:
failover
failover lan unit secondary
failover lan interface Failover GigabitEthernet1/8
failover link Failover GigabitEthernet1/8
failover interface ip Failover 172.16.254.1 255.255.255.252 standby 172.16.254.2
no failover wait-disable
no monitor-interface Staff-Wifi
no monitor-interface service-module
Any ideas what happened?
Thanks
04-06-2023 05:17 AM
Thanks a lot for updating us.