07-22-2014 04:32 PM - edited 03-11-2019 09:31 PM
Appreciate any help with active/standby config. I just finished configuring the firewall and everything tested fine, but then I noticed the failover status (shown below) shows the standby unit as failed. The configuration between the two units syncs fine, but I'm not sure what is going on. Is this normal, or is there an error somewhere in my configuration?
ACTIVE INTERFACE CONFIG SAMPLE
interface GigabitEthernet0/2.422
vlan 422
nameif inside
security-level 100
ip address 10.254.122.6 255.255.255.248 standby 10.254.122.5
ACTIVE FAILOVER CONFIG
failover
failover lan unit primary
failover lan interface FAIL-OVER GigabitEthernet0/6
failover interface-policy 50%
failover key *****
failover link FAIL-OVER GigabitEthernet0/6
failover interface ip FAIL-OVER 172.22.36.252 255.255.255.0 standby 172.22.36.251
STANDBY FAILOVER CONFIG
failover
failover lan unit primary
failover lan interface FAIL-OVER GigabitEthernet0/6
failover interface-policy 50%
failover key *****
failover link FAIL-OVER GigabitEthernet0/6
failover interface ip FAIL-OVER 172.22.36.252 255.255.255.0 standby 172.22.36.251
Failover On
Failover unit Primary
Failover LAN Interface: FAIL-OVER GigabitEthernet0/6 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 50%
Monitored Interfaces 7 of 216 maximum
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 04:14:35 TOST Jul 21 2014
This host: Primary - Active
Active time: 175553 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
Interface outside (PUBLIC-IP): Normal (Waiting)
Interface inside-isp (10.254.120.6): Normal (Waiting)
Interface inside (10.254.122.6): Normal (Waiting)
Interface VPN (10.254.124.6): Normal (Waiting)
Interface inside-legacy (10.254.126.6): Normal (Waiting)
Interface management (10.254.36.252): Normal (Monitored)
Interface dmz (10.254.130.1): Normal (Waiting)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
Interface outside (PUBLIC-IP): Normal (Waiting)
Interface inside-isp (10.254.120.5): Failed (Waiting)
Interface inside (10.254.122.5): Failed (Waiting)
Interface VPN (10.254.124.5): Failed (Waiting)
Interface inside-legacy (10.254.126.5): No Link (Waiting)
Interface management (10.254.36.251): Normal (Monitored)
Interface dmz (10.254.130.2): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : FAIL-OVER GigabitEthernet0/6 (up)
Stateful Obj xmit xerr rcv rerr
General 277738 0 23409 9
sys cmd 23392 0 23392 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 221944 0 16 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 32401 0 0 9
User-Identity 1 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 14 23458
Xmit Q: 0 30 361865
07-22-2014 07:13 PM
Your secondary unit has three interfaces that the primary is unable to verify are up:
Interface inside-isp (10.254.120.5): Failed (Waiting)
Interface inside (10.254.122.5): Failed (Waiting)
Interface VPN (10.254.124.5): Failed (Waiting)
Can you see those interfaces up and the addresses reachable from outside the ASA?
07-22-2014 10:00 PM
As per the configuration, you need to replace the command on the secondary unit as given below:
failover lan unit secondary
STANDBY FAILOVER CONFIG
failover
failover lan unit secondary
failover lan interface FAIL-OVER GigabitEthernet0/6
failover interface-policy 50%
failover key *****
failover link FAIL-OVER GigabitEthernet0/6
failover interface ip FAIL-OVER 172.22.36.252 255.255.255.0 standby 172.22.36.251
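Added example, not part of any post in this thread: a Python check that compares the two units' failover stanzas as posted in the question and lists the mate's interfaces that `show failover` reports in a state other than Normal. The function names are made up for this example, and the sample input is abridged from the lines posted above.

```python
import re

# Sample input: abridged from the posts above (failover key line left out).
ACTIVE_CFG = """failover
failover lan unit primary
failover lan interface FAIL-OVER GigabitEthernet0/6
failover interface-policy 50%
failover link FAIL-OVER GigabitEthernet0/6
failover interface ip FAIL-OVER 172.22.36.252 255.255.255.0 standby 172.22.36.251
"""
STANDBY_CFG = ACTIVE_CFG  # the question shows the same stanza for both units
SHOW_FAILOVER = """This host: Primary - Active
Interface inside (10.254.122.6): Normal (Waiting)
Other host: Secondary - Failed
Interface outside (PUBLIC-IP): Normal (Waiting)
Interface inside-isp (10.254.120.5): Failed (Waiting)
Interface inside (10.254.122.5): Failed (Waiting)
Interface VPN (10.254.124.5): Failed (Waiting)
Interface inside-legacy (10.254.126.5): No Link (Waiting)
Interface management (10.254.36.251): Normal (Monitored)
Stateful Failover Logical Update Statistics
"""

def failover_lines(cfg):
    """Failover lines that should be identical on both units (all but the unit role)."""
    return {l.strip() for l in cfg.splitlines()
            if l.startswith("failover") and " lan unit " not in l}

def compare_failover(active_cfg, standby_cfg):
    """Findings from comparing the two units' failover stanzas."""
    roles = re.findall(r"^failover lan unit (\S+)", active_cfg + "\n" + standby_cfg, re.M)
    findings = []
    if sorted(roles) != ["primary", "secondary"]:
        findings.append(f"expected one primary and one secondary unit, got {roles}")
    for line in sorted(failover_lines(active_cfg) ^ failover_lines(standby_cfg)):
        findings.append(f"not on both units: {line}")
    return findings

def mate_problem_interfaces(show_failover):
    """(name, address, state) for 'Other host' interfaces whose state is not Normal."""
    mate = show_failover.partition("Other host:")[2].split("Stateful Failover")[0]
    rows = re.findall(r"Interface (\S+) \(([^)]+)\): ([^(]+?) \(", mate)
    return [row for row in rows if row[2] != "Normal"]

if __name__ == "__main__":
    print(compare_failover(ACTIVE_CFG, STANDBY_CFG))
    print(mate_problem_interfaces(SHOW_FAILOVER))
```

The script only reports what the pasted text says; it does not determine why an interface is in a Failed or No Link state.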