
Cisco ASA 5520 failover

zeeahmed123
Level 1

Hi All,

Please can someone help with a failover issue that I have and I just can't get my head round it.

I have two sites connected via 10G LES link and I have a Cisco ASA 5520 at each site. One of the Sites is the DC and the other is our DR site.

I have configured failover for the Cisco ASA firewalls and would like the node in the DC to be the active firewall. However, when I make the DC node the active firewall it keeps failing over to the secondary node at the DR site. I have changed the failover parameters from milliseconds to seconds and even used the maximum parameters in terms of polling and failover, but I still get the same issue. I have also stated that failover should occur if 50% of the interfaces fail, but that too has not solved the issue. We have plenty of bandwidth between the two sites (10Gig), so I don't understand why the firewalls keep failing over. I have tried many times to manually force the node in the DC to be the primary active one, but it keeps failing over to the DR site. The interface used for the failover is a gig interface; I have a separate VLAN configured on the core switches for failover, and the failover interfaces are the only interfaces that reside in this VLAN.

Looking at the logs it states the following:

From State                 To State                   Reason
==========================================================================
09:01:53 GMT/BDT Aug 12 2011
Active Applying Config     Active Config Applied      Other unit wants me Active

09:01:53 GMT/BDT Aug 12 2011
Active Config Applied      Active                     Other unit wants me Active

09:04:49 GMT/BDT Aug 12 2011
Active                     Standby Ready              Set by the config command

09:07:51 GMT/BDT Aug 12 2011
Standby Ready              Just Active                Other unit wants me Active

09:07:51 GMT/BDT Aug 12 2011
Just Active                Active Drain               Other unit wants me Active

09:07:51 GMT/BDT Aug 12 2011
Active Drain               Active Applying Config     Other unit wants me Active

09:07:51 GMT/BDT Aug 12 2011
Active Applying Config     Active Config Applied      Other unit wants me Active

09:07:51 GMT/BDT Aug 12 2011
Active Config Applied      Active                     Other unit wants me Active

09:45:07 GMT/BDT Aug 12 2011
Active                     Standby Ready              Set by the config command

09:48:09 GMT/BDT Aug 12 2011
Standby Ready              Just Active                Other unit wants me Active

09:48:09 GMT/BDT Aug 12 2011
Just Active                Active Drain               Other unit wants me Active

09:48:09 GMT/BDT Aug 12 2011
Active Drain               Active Applying Config     Other unit wants me Active

09:48:09 GMT/BDT Aug 12 2011
Active Applying Config     Active Config Applied      Other unit wants me Active

09:48:09 GMT/BDT Aug 12 2011
Active Config Applied      Active                     Other unit wants me Active

09:59:39 GMT/BDT Aug 12 2011
Active                     Standby Ready              Set by the config command

10:02:41 GMT/BDT Aug 12 2011
Standby Ready              Just Active                Other unit wants me Active

10:02:41 GMT/BDT Aug 12 2011
Just Active                Active Drain               Other unit wants me Active

10:02:41 GMT/BDT Aug 12 2011
Active Drain               Active Applying Config     Other unit wants me Active

10:02:41 GMT/BDT Aug 12 2011
Active Applying Config     Active Config Applied      Other unit wants me Active

10:02:41 GMT/BDT Aug 12 2011
Active Config Applied      Active                     Other unit wants me Active

==========================================================================

My failover config is as follows:

BEDFORDASA# sh run fail
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover polltime unit 15 holdtime 45
failover polltime interface 15 holdtime 75
failover interface-policy 50%
failover key *****
failover replication http
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2

Any help or advice will be much appreciated.

regards
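As an added example (not part of the original post), a small Python script that parses the "show failover history" output quoted above and measures how long this unit sat in Standby Ready after each "Set by the config command" demotion before the mate handed the active role back with "Other unit wants me Active". The sample history is constructed from the timestamps in the post; in that history each of the three intervals comes out to 182 seconds, which is the kind of regularity worth noting when comparing against the configured poll and hold timers.

```python
import re
from datetime import datetime

# Constructed sample in the shape of "show failover history" on an ASA; the
# timestamps and transitions are the demote/takeover pairs quoted in the post.
HISTORY = """\
09:04:49 GMT/BDT Aug 12 2011
Active                     Standby Ready              Set by the config command
09:07:51 GMT/BDT Aug 12 2011
Standby Ready              Just Active                Other unit wants me Active
09:45:07 GMT/BDT Aug 12 2011
Active                     Standby Ready              Set by the config command
09:48:09 GMT/BDT Aug 12 2011
Standby Ready              Just Active                Other unit wants me Active
09:59:39 GMT/BDT Aug 12 2011
Active                     Standby Ready              Set by the config command
10:02:41 GMT/BDT Aug 12 2011
Standby Ready              Just Active                Other unit wants me Active
"""

# "HH:MM:SS <zone> Mon DD YYYY" header that precedes each transition line.
TS_RE = re.compile(r"^(\d\d:\d\d:\d\d) \S+ (\w{3} \d{1,2} \d{4})$")

def parse_history(text):
    """Return (timestamp, from_state, to_state, reason) tuples in order."""
    events, ts = [], None
    for line in text.splitlines():
        line = line.strip()
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%b %d %Y %H:%M:%S")
        elif line and ts is not None and not line.startswith(("From State", "=")):
            # The three columns are separated by runs of two or more spaces.
            frm, to, reason = re.split(r"\s{2,}", line, maxsplit=2)
            events.append((ts, frm, to, reason))
    return events

def takeover_delays(events):
    """Seconds from each manual demotion of this unit ("Set by the config
    command") until the mate handed the active role back ("Just Active")."""
    delays, demoted_at = [], None
    for ts, _frm, to, reason in events:
        if to == "Standby Ready" and reason == "Set by the config command":
            demoted_at = ts
        elif to == "Just Active" and demoted_at is not None:
            delays.append(int((ts - demoted_at).total_seconds()))
            demoted_at = None
    return delays

def is_constant(delays, tolerance=2):
    """True when every delay is within `tolerance` seconds of the first one."""
    return bool(delays) and all(abs(d - delays[0]) <= tolerance for d in delays)
```

Paste the full history (header and separator lines included) into HISTORY to run it against a real capture; a constant delay across every forced failback is a different symptom from random link flaps and narrows what to ask the mate unit about.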

9 Replies

varrao
Level 10

Hi Zahir,

Could you provide the configuration from both units? That would help. Also, please post the show failover statistics.

-Varun

Thanks,
Varun Rao


Hi Varun,

Attached are the failover configs from both units as well as the failover statistics. Thank you.

Secondary Firewall (currently Active)

BEDFORDASA# sh run fail
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover polltime unit 15 holdtime 45
failover polltime interface 15 holdtime 75
failover interface-policy 50%
failover key *****
failover replication http
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2

Primary Firewall (currently Standby)

BEDFORDASA# sh run fail
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover polltime unit 15 holdtime 45
failover polltime interface 15 holdtime 75
failover interface-policy 50%
failover key *****
failover replication http
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2

Failover statistics:

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         291450     0          601080     6
        sys cmd         869        0          869        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        227697     0          426332     1
        UDP conn        61953      0          170343     5
        ARP tbl         922        0          3525       0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   9          0          11         0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       5       644179
        Xmit Q:         0       10      300299
BEDFORDASA#

Hi,

More information regarding the failover. I thought it may have been one of the DMZ interfaces failing that was causing the failure, so I disabled them, and that has made no difference.

The logs show no information when the primary fails over to the secondary unit.

BEDFORDASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds, holdtime 75 seconds
Interface Policy 50%
Monitored Interfaces 4 of 160 maximum
failover replication http
Version: Ours 8.3(2), Mate 8.3(2)
Last Failover at: 11:13:03 GMT/BDT Aug 12 2011
        This host: Secondary - Active
               Active time: 823918 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.3(2)) status (Up Sys)
                  Interface outside (194.74.x.x): Normal
                  Interface inside (10.17.249.5): Normal
                  Interface dmz2 (172.18.0.129): Normal
                  Interface dmz1 (172.18.0.1): Normal
                  Interface management (0.0.0.0): Link Down (Not-Monitored)
                slot 1: empty
        Other host: Primary - Standby Ready
                Active time: 2006 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.3(2)) status (Up Sys)
                  Interface outside (194.74.x.x): Normal
                  Interface inside (10.17.249.6): Normal
                  Interface dmz2 (172.18.0.130): Normal
                  Interface dmz1 (172.18.0.2): Normal
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         8143       0          4          0
        sys cmd         4          0          4          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        6519       0          0          0
        UDP conn        1611       0          0          0
        ARP tbl         9          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       4
        Xmit Q:         0       1       8415

Hi Zahir,

Can you collect logs after recreating the whole issue? Let's see what the ASA says when the Primary becomes Standby Ready.

-Varun

Thanks,
Varun Rao

Hi Varun,

I have enabled logging at debugging level, but nothing is in the logs after I have re-created the issue. I have failed over nearly 10 times so far, but apart from the show failover history command nothing else is informative about what is going on.

I have no other issues on the network, and the VLANs are spanned between both the DC and the DR site. Even when failing over between the two firewalls I have no loss of connectivity to the internet or my SSL sessions from remote users.

I have configured failover on Cisco ASA firewalls many times and have never seen this issue before.

Very confused...

Zahir

Can you just keep these values as default:

failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25

Just a test.

-Varun

Thanks,
Varun Rao

I entered the default values and failed back to the primary firewall; it lasted for a few minutes and then failed over to the secondary firewall again.

Hi Zahir,

I did a bit of digging into the issue. Can you check the following:

If you disable the monitoring of all the interfaces, does that make a difference?

Moreover, can you provide me the output of show failover history from the primary firewall? Also, please ensure that all the interfaces are in the up state.

Looking forward to your response.

-Varun

Thanks,
Varun Rao

Brent Rockburn
Level 2

Did this ever get resolved?
