Solved: Cisco ASA 5540s not HA not working on Standby ASA

Shawn Thomas · ‎07-15-2013

I have two Cisco ASA 5540s that i want to cluster... here are the basic that I have covered thus far:

Code is the same for both units, failover configs, and mgmt interfaces are up and up.

I have not connected either FW to the network yet... should failover work without the ASAs being connected to the network?

I would have thought that I could do my initial config and then pair them up to get the config to sync.

I have tried a crossover and straight through cable to no avail.

Primary ASA:

P10-CORP-ASA# show failover

Failover On

Failover unit Primary

Failover LAN Interface: StatefulFO Management0/0 (Failed - No Switchover)

Unit Poll frequency 2 seconds, holdtime 6 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 1 of 210 maximum

failover replication http

Version: Ours 8.2(5)41, Mate Unknown

Last Failover at: 17:45:04 UTC Jul 15 2013

This host: Primary - Active

Active time: 9030 (sec)

slot 0: ASA5540 hw/sw rev (2.0/8.2(5)41) status (Up Sys)

Secondary ASA:

P10-CORP-ASA# sh failover

Failover On

Failover unit Secondary

Failover LAN Interface: StatefulFO Management0/0 (Failed - No Switchover)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 0 of 210 maximum

Version: Ours 8.2(5)41, Mate Unknown

Last Failover at: 19:56:44 UTC Jul 15 2013

This host: Secondary - Standby Ready

Active time: 136 (sec)

slot 0: ASA5540 hw/sw rev (2.0/8.2(5)41) status (Up Sys)

Primary Failover Config:

failover

failover lan unit primary

failover lan interface StatefulFO Management0/0

failover polltime unit 2 holdtime 6

failover replication http

failover link StatefulFO Management0/0

failover interface ip StatefulFO X.x.x.x. x.x.x.x standby x.x.x.x

Secondary Failover Config:

failover

failover lan unit secondary

failover lan interface StatefulFO Management0/0

failover link StatefulFO Management0/0

failover interface ip StatefulFO X.x.x.x. x.x.x.x standby x.x.x.x

Mgmt Ports:

Active:

interface Management0/0

description LAN/STATE Failover Interface

speed 100

duplex full

management-only

Secondary:

interface Management0/0

description LAN/STATE Failover Interface

speed 100

duplex full

management-only

Julio Carvajal · ‎07-15-2013

Hello Shawn,

Is highly recommended (not to say a MUST) to use an interface for the failover link with the capacity similar to the ones that will be handeling traffic so in this case managment interface 0/0 is not a good option,

Altough using the managment interface is an option but can u remove the following

interface managment 0/0

no managment-only

This on both sides,

Let me know

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Shawn Thomas · ‎07-15-2013

Or should I try another interface on the ASA... as i mentioned these are not connected to the network.

outside interface nor any other interface.

Julio Carvajal · ‎07-15-2013

Hello Shawn,

Is highly recommended (not to say a MUST) to use an interface for the failover link with the capacity similar to the ones that will be handeling traffic so in this case managment interface 0/0 is not a good option,

Altough using the managment interface is an option but can u remove the following

interface managment 0/0

no managment-only

This on both sides,

Let me know

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Shawn Thomas · ‎07-16-2013

Did not work... i blew away the failover configs and the int M0/0 configs too... and reapplied the configs minus the management-only on the interfaces still did not work.

I connected both the Active/Standby and still wont detect each other.

I also attempt to force failover by doing the 'failover active/ no failover active to no avail.

Andrew Phirsov · ‎07-16-2013

I have not connected either FW to the network yet... should failover work without the ASAs being connected to the network?

Failover surely should work withoug ASAs interfaces being connected anywhere. Interface, dedicated for failover shouldn't be management only.

Failover config u have now seems to be ok.

Try using different debug fover commands to see what's actually happening.

Shawn Thomas · ‎07-16-2013

Issue was a faulty x-over cable... once i did that... the config sync occurred and i was able to test Active/Standby

respectively for both units.

Issue is RESOLVED.

Julio Carvajal · ‎07-16-2013

Hello Shawn,

Great to hear that,

Some kudos to you

Please mark the question as answered so future users having the same issue can see what was your solution

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Shawn Thomas · ‎07-16-2013

no management only and use a cross over cable and that will fix!