cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2460
Views
0
Helpful
11
Replies

Cisco ASA 5512 Failover HA Problem

burhan.agir
Beginner
Beginner

Hi,

 

I have two 5512 ASA's. I did configuration that FW-2 become Active and FW-1 become Standby. But when I power on the devices always FW-1 become Active. I checked the "show failover state" command I saw that "Ifc Failure" reason. But I check the monitored interfaces there is no problem about that. What is the real mean "Ifc Failure" reason? It is related just interface up/down status?

By the way, I tried a lot of time that power off and on again. Firstly power on FW-2 after FW-1 but results are always the same.

I add the config output and failover config from console each other.

 

Thanks,

11 Replies 11

balaji.bandi
VIP Community Legend VIP Community Legend
VIP Community Legend

Do you have "preempt" configuration ?

 

can you post primary Full configuration to look ?

 

look also failover actions :

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_standby.html#15525

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

Thanks for your answer. I added the failover interface configuration below.
I do not know there is preempt or not. But I think there is no "preempt" setting. I check the link that you posted also I did not see about that.

 

!
interface GigabitEthernet0/2
description LAN Failover Interface
!

Thanks,

Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor

"Ifc Failure" means interfce failure. could you try to change the cable or what else you can do is run ping from one asa to other asa example FW-2 ping to FW-1 failover ip address. in between these two ASA is there any switch? if so look at the switch config. or they connted back to back?

 

are you using the context in your box. if you than make changes to this. now if you have two context as Context1=group 1 and Context 2 = group2  than,

 

!

failover lan unit prim

failover lan interface FO gig0/2

failover link STATE gig0/2

failover interface ip FO 192.168.1.1 255.255.255.0 sta 192.168.1.2

failover interface ip STATE 192.168.2.1 255.255.255.0 192.168.2.2

failover group 1

  prim

  pre

failover group 2

 sec

 pre

!

please do not forget to rate.

Hi Sheraz,

 

Thank you for your reply. 

I can ping each other.

Yes, there is a switch and I changed the cable. Also, I did tdr test with command on a switch but there was no error. 

I have back to back connection between FW's for failover. FW's switch connections are LAN and WAN connection. I checked all of them but I could not see any problem about cable or SFP's. 

I do not use context.

 

Thanks,

Hi you have problem with your failover config on setup. you need to give standby ip address to those interface which you are monitoing.  if you put the config site by site of the show failover you will see the ip addres are not seen on the other box which is why you having this issue.

!

Version: Ours 9.5(2), Mate 9.5(2)
Last Failover at: 13:37:34 UTC Mar 10 2019
This host: Primary - Standby Ready
Active time: 16 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.5(2)) status (Up Sys)
Interface management (0.0.0.0): No Link (Not-Monitored)
Interface XXX (10.111.4.9): Normal (Monitored)
Interface YYY (0.0.0.0): Normal (Not-Monitored)
slot 1: SFR5512 hw/sw rev (N/A/5.3.1-152) status (Up/Up)
ASA FirePOWER, 5.3.1-152, Up, (Monitored)
Other host: Secondary - Active
Active time: 198 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.5(2)) status (Up Sys)
Interface management (192.168.1.1): Normal (Not-Monitored)
Interface XXX (10.111.4.10): Normal (Monitored)
Interface YYY (10.112.1.4): Normal (Not-Monitored)
slot 1: SFR5512 hw/sw rev (N/A/5.3.1-152) status (Up/Up)
ASA FirePOWER, 5.3.1-152, Up, (Monitored)

please do not forget to rate.

i also noted your port-channel 2 is missing the ip address too. Which make sense but you missing the standby ip addres which is why your active passive not working properly.

 

 

FW-1

Port-channel2 10.112.1.4 YES CONFIG up up

 

FW-2

Port-channel2 unassigned YES CONFIG up up

 

 

and looking into your configuation you have used the same ip address twice.

 

FW2

!

interface Port-channel2
lacp max-bundle 8
nameif YYY
security-level 1
ip address 10.112.1.4 255.255.255.0

 

---

FW-1

!

interface Port-channel2
lacp max-bundle 8
nameif YYY
security-level 1
ip address 10.112.1.4 255.255.255.0

 

please do not forget to rate.

Hi,

 

I added the standby IP address on Po1 and Po2 but the situation was the same. And I could not see any configuration example in documents given standby IP is necessary. This is must? Also, I have another HA devices without standby IP addresses but I did not see any problem on some of them.

 

Also when I check the Po2 configuration (from console) I can see the IP address under port but I could not see on command output. I do not understand why it is. 

 

I did some test about boot time. I power on FW2 and FW1 on same time when I did this always FW1 become master. But firstly I power on FW2 and after 10 seconds about later power on FW1, FW2 become master. This situation could be about boot time?

 

Thanks,

can you post full confguration of both the ASA devices and show hilgh level toplogy of connection.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

 

Did you add the interfaces to be monitored?

 

also you need to add the criteria that if minimum one interface is down to perform the failover.

 

As far as i know if you don't have context there is no preempt option you need to revert to the Primary ASA manually.

 

Please rate if helpful

 

 

Hi,

The monitored interface was added. YKI and YSHA.
All interfaces are up.
I do not need preempt.

Thanks,

Hi,

 

You can find in attachment.

 

Thanks,

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers