Re: Cisco ASA 5512 Failover HA Problem

burhan.agir · ‎03-10-2019

Hi,

I have two 5512 ASA's. I did configuration that FW-2 become Active and FW-1 become Standby. But when I power on the devices always FW-1 become Active. I checked the "show failover state" command I saw that "Ifc Failure" reason. But I check the monitored interfaces there is no problem about that. What is the real mean "Ifc Failure" reason? It is related just interface up/down status?

By the way, I tried a lot of time that power off and on again. Firstly power on FW-2 after FW-1 but results are always the same.

I add the config output and failover config from console each other.

Thanks,

balaji.bandi · ‎03-10-2019

Do you have "preempt" configuration ?

can you post primary Full configuration to look ?

look also failover actions :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_standby.html#15525

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

burhan.agir · ‎03-11-2019

Hi,

Thanks for your answer. I added the failover interface configuration below.
I do not know there is preempt or not. But I think there is no "preempt" setting. I check the link that you posted also I did not see about that.

!
interface GigabitEthernet0/2
description LAN Failover Interface
!

Thanks,

Sheraz.Salim · ‎03-11-2019

"Ifc Failure" means interfce failure. could you try to change the cable or what else you can do is run ping from one asa to other asa example FW-2 ping to FW-1 failover ip address. in between these two ASA is there any switch? if so look at the switch config. or they connted back to back?

are you using the context in your box. if you than make changes to this. now if you have two context as Context1=group 1 and Context 2 = group2 than,

!

failover lan unit prim

failover lan interface FO gig0/2

failover link STATE gig0/2

failover interface ip FO 192.168.1.1 255.255.255.0 sta 192.168.1.2

failover interface ip STATE 192.168.2.1 255.255.255.0 192.168.2.2

failover group 1

prim

pre

failover group 2

sec

pre

!

please do not forget to rate.

burhan.agir · ‎03-11-2019

Hi Sheraz,

Thank you for your reply.

I can ping each other.

Yes, there is a switch and I changed the cable. Also, I did tdr test with command on a switch but there was no error.

I have back to back connection between FW's for failover. FW's switch connections are LAN and WAN connection. I checked all of them but I could not see any problem about cable or SFP's.

I do not use context.

Thanks,

Sheraz.Salim · ‎03-11-2019

Hi you have problem with your failover config on setup. you need to give standby ip address to those interface which you are monitoing. if you put the config site by site of the show failover you will see the ip addres are not seen on the other box which is why you having this issue.

!

Version: Ours 9.5(2), Mate 9.5(2)
Last Failover at: 13:37:34 UTC Mar 10 2019
This host: Primary - Standby Ready
Active time: 16 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.5(2)) status (Up Sys)
Interface management (0.0.0.0): No Link (Not-Monitored)
Interface XXX (10.111.4.9): Normal (Monitored)
Interface YYY (0.0.0.0): Normal (Not-Monitored)
slot 1: SFR5512 hw/sw rev (N/A/5.3.1-152) status (Up/Up)
ASA FirePOWER, 5.3.1-152, Up, (Monitored)
Other host: Secondary - Active
Active time: 198 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.5(2)) status (Up Sys)
Interface management (192.168.1.1): Normal (Not-Monitored)
Interface XXX (10.111.4.10): Normal (Monitored)
Interface YYY (10.112.1.4): Normal (Not-Monitored)
slot 1: SFR5512 hw/sw rev (N/A/5.3.1-152) status (Up/Up)
ASA FirePOWER, 5.3.1-152, Up, (Monitored)

please do not forget to rate.

Sheraz.Salim · ‎03-11-2019

i also noted your port-channel 2 is missing the ip address too. Which make sense but you missing the standby ip addres which is why your active passive not working properly.

FW-1

Port-channel2 10.112.1.4 YES CONFIG up up

FW-2

Port-channel2 unassigned YES CONFIG up up

and looking into your configuation you have used the same ip address twice.

FW2

!

interface Port-channel2
lacp max-bundle 8
nameif YYY
security-level 1
ip address 10.112.1.4 255.255.255.0

---

FW-1

!

interface Port-channel2
lacp max-bundle 8
nameif YYY
security-level 1
ip address 10.112.1.4 255.255.255.0

please do not forget to rate.

burhan.agir · ‎03-13-2019

Hi,

I added the standby IP address on Po1 and Po2 but the situation was the same. And I could not see any configuration example in documents given standby IP is necessary. This is must? Also, I have another HA devices without standby IP addresses but I did not see any problem on some of them.

Also when I check the Po2 configuration (from console) I can see the IP address under port but I could not see on command output. I do not understand why it is.

I did some test about boot time. I power on FW2 and FW1 on same time when I did this always FW1 become master. But firstly I power on FW2 and after 10 seconds about later power on FW1, FW2 become master. This situation could be about boot time?

Thanks,

balaji.bandi · ‎03-14-2019

can you post full confguration of both the ASA devices and show hilgh level toplogy of connection.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

bern81 · ‎03-14-2019

Hi,

Did you add the interfaces to be monitored?

also you need to add the criteria that if minimum one interface is down to perform the failover.

As far as i know if you don't have context there is no preempt option you need to revert to the Primary ASA manually.

Please rate if helpful

burhan.agir · ‎03-15-2019

Hi,

The monitored interface was added. YKI and YSHA.
All interfaces are up.
I do not need preempt.

Thanks,

burhan.agir · ‎03-14-2019

Hi,

You can find in attachment.

Thanks,