Cisco ASA 5520 Failover with DMZ

sdiver
Level 1

I have a pair of Cisco ASA 5520s running as a primary/standby. Everything is working properly with the primary ASA, however when I trigger a failover, everything works except for the DMZ interface on the standby ASA. I've pored over the configs, but perhaps I have been staring at them too long because I am just not seeing anything.

Below is the output of the sh run failover, sh failover, and sh run interface commands for each unit...

PRIMARY ASA

Primary-ASA# sh run failover
failover
failover lan unit primary
failover lan interface stateful1 GigabitEthernet0/3
failover key *****
failover link stateful1 GigabitEthernet0/3
failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2

Primary-ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 20:39:23 CDT Sep 3 2013
        This host: Primary - Active
                Active time: 69648 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  Interface outside (184.61.38.254): Normal
                  Interface inside (192.168.218.252): Normal
                  Interface dmz (192.168.215.254): Normal (Waiting)
                  Interface management (192.168.1.1): Normal (Not-Monitored)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
                  IPS, 6.0(3)E1, Up
        Other host: Secondary - Standby Ready
                Active time: 2119 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  Interface outside (184.61.38.253): Normal
                  Interface inside (192.168.218.253): Normal
                  Interface dmz (192.168.215.252): Normal (Waiting)
                  Interface management (192.168.1.2): Normal (Not-Monitored)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
                  IPS, 6.0(3)E1, Up

Primary-ASA# sh run interface
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
 ospf cost 10
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 ospf cost 10
 management-only

STANDBY ASA

Standby-ASA# sh run failover
failover
failover lan unit secondary
failover lan interface stateful1 GigabitEthernet0/3
failover key *****
failover link stateful1 GigabitEthernet0/3
failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2

Standby-ASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 20:39:23 CDT Sep 3 2013
        This host: Secondary - Standby Ready
                Active time: 2119 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  Interface outside (184.61.38.253): Normal
                  Interface inside (192.168.218.253): Normal
                  Interface dmz (192.168.215.252): Normal (Waiting)
                  Interface management (192.168.1.2): Normal (Not-Monitored)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
                  IPS, 6.0(3)E1, Up
        Other host: Primary - Active
                Active time: 70110 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  Interface outside (184.61.38.254): Normal
                  Interface inside (192.168.218.252): Normal
                  Interface dmz (192.168.215.254): Normal (Waiting)
                  Interface management (192.168.1.1): Normal (Not-Monitored)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
                  IPS, 6.0(3)E1, Up

Standby-ASA# sh run interface
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
 ospf cost 10
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 ospf cost 10
 management-only

Does anyone see something I might be missing? I am at a loss...

1 Reply

sdiver
Level 1

I'll just answer my own question...the configs are correct, but the interface on the standby ASA was plugged into an improperly configured switchport. That'll do it every time.
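The clue was already in the `sh failover` output above: `Normal (Waiting)` on dmz means the interface is up but the unit has not yet received failover hello packets from the peer's dmz interface, which is exactly what a mis-VLANed switchport produces, while outside and inside show plain `Normal`. As an added check (not from the original post or from Cisco), here is a small Python parser for that output that flags any monitored interface not in a healthy state; the sample input is constructed from the thread's host and interface lines.

```python
import re

# Constructed sample in the format of the post's "sh failover" output, trimmed to
# the host and per-interface lines, with dmz stuck in "Normal (Waiting)".
SAMPLE_SHOW_FAILOVER = """\
This host: Primary - Active
          Interface outside (184.61.38.254): Normal
          Interface inside (192.168.218.252): Normal
          Interface dmz (192.168.215.254): Normal (Waiting)
          Interface management (192.168.1.1): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
          Interface outside (184.61.38.253): Normal
          Interface inside (192.168.218.253): Normal
          Interface dmz (192.168.215.252): Normal (Waiting)
          Interface management (192.168.1.2): Normal (Not-Monitored)
"""

HOST_RE = re.compile(r"^(This|Other) host:\s+(\S+)\s+-\s+(.+)$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(\S+)(?:\s+\((.+)\))?\s*$")

def parse_show_failover(text):
    """Return {host_label: [(ifname, ip, state, qualifier), ...]} from show failover."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:  # "This host:" / "Other host:" header starts a new per-unit section
            current = f"{m.group(1)} host ({m.group(2)} - {m.group(3).strip()})"
            hosts[current] = []
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, state, qual = m.groups()
            hosts[current].append((name, ip, state, qual or ""))
    return hosts

def find_unhealthy(hosts):
    """Flag monitored interfaces that are not healthy.

    Healthy is 'Normal' with no qualifier or 'Normal (Monitored)'. 'Waiting' means
    this unit is not hearing the peer's hellos on that interface (a layer-2 path
    problem such as the wrong switchport VLAN). 'Not-Monitored' is skipped.
    """
    findings = []
    for host, ifaces in hosts.items():
        for name, ip, state, qual in ifaces:
            if qual == "Not-Monitored":
                continue
            if state != "Normal" or qual not in ("", "Monitored"):
                findings.append((host, name, ip, f"{state} ({qual})" if qual else state))
    return findings
```

Once the standby's dmz switchport is corrected, the dmz lines should lose the `(Waiting)` qualifier like outside and inside, and the check returns an empty list.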
