Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2775
Views
5
Helpful
3
Replies

Cisco Asa Failover Fail/ Interface Up but does not Sync

jtapia0011
Level 1
Level 1

‎06-10-2020 03:59 PM

Hello Guys, I'd appreciate it if you'd help me out.

 

I have two firewalls, a primary and a secondary in failover mode, 5 days ago I failed the primary and the secondary took the role of active, so far so good.

 

The problem is that the primary/standby does not synchronize the settings and neither does its failover status.

 

As a note I want to let you know that curiously the ips of the failover interfaces pinging between them, which is weird because the interface says fail but I can ping between them.

 

Status from active and working firewall

 

Failover On
Failover unit Secondary
Failover LAN Interface: failint Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 110 maximum
Version: Ours 8.2(5)59, Mate 8.2(5)59
Last Failover at: 20:18:15 CHILE Jun 4 2020
This host: Secondary - Active
Active time: 511245 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)59) status (Up Sys)
Interface inside (A.B.C.D): Normal (Waiting)
Interface dmz (A.B.C.D): Normal (Waiting)
Interface dmz2 (A.B.C.D)): Normal (Not-Monitored)
Interface New_DMZ (A.B.C.D)): Normal (Waiting)
Interface LAN-WESTFIRE (A.B.C.D): Unknown (Waiting)
Interface management (A.B.C.D)): Link Down (Waiting)
Interface outside (A.B.C.D): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/) status (Unresponsive/Up)
Other host: Primary - Failed
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)59) status (Up Sys)
Interface inside (A.B.C.D)): Failed (Waiting)
Interface dmz (A.B.C.D)): Failed (Waiting)
Interface dmz2 (A.B.C.D)): Normal (Not-Monitored)
Interface New_DMZ (A.B.C.D)): Failed (Waiting)
Interface LAN-WESTFIRE (A.B.C.D)): Unknown (Waiting)
Interface management (0.0.0.0): Link Down (Waiting)
Interface outside (A.B.C.D)): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(4)E1) status (Up/Up)
IPS, 6.0(4)E1, Up

Stateful Failover Logical Update Statistics
Link : Unconfigured.

 

-------------------------------------------------

------------------------------------------------

 

# show failover state

State Last Failure Reason Date/Time
This host - Secondary
Active None
Other host - Primary
Failed Ifc Failure 18:10:24 CHILE Jun 10 2020
inside: Failed
dmz: Failed
New_DMZ: Failed

====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set

 

--------------------------------------------------

-------------------------------------------------

 

show failover interface ( I CAN PING THEM)
interface failint Ethernet0/3
System IP Address: 1.1.1.4 255.255.255.248
My IP Address : 1.1.1.5
Other IP Address : 1.1.1.4

--------------------------------------

-------------------------------------

 

20:18:15 CHILE Jun 4 2020
Standby Ready Just Active Other unit wants me Active

20:18:15 CHILE Jun 4 2020
Just Active Active Drain Other unit wants me Active

20:18:15 CHILE Jun 4 2020
Active Drain Active Applying Config Other unit wants me Active

20:18:15 CHILE Jun 4 2020
Active Applying Config Active Config Applied Other unit wants me Active

20:18:15 CHILE Jun 4 2020
Active Config Applied Active Other unit wants me Active

 

 

 

0 Helpful
3 Replies 3

Sheraz.Salim
VIP
VIP

‎06-10-2020 04:23 PM

Seems likely you have a layer 1 or 2 issue. check your switch in between these two firewalls. Interface inside (A.B.C.D)): Failed (Waiting)   Interface dmz (A.B.C.D)): Failed (Waiting)  Interface New_DMZ (A.B.C.D)): Failed (Waiting)  are showing as Failed.

 

Failover On
Failover unit Secondary
Failover LAN Interface: failint Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 110 maximum
Version: Ours 8.2(5)59, Mate 8.2(5)59
Last Failover at: 20:18:15 CHILE Jun 4 2020
This host: Secondary - Active
Active time: 511245 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)59) status (Up Sys)
Interface inside (A.B.C.D): Normal (Waiting)
Interface dmz (A.B.C.D): Normal (Waiting)
Interface dmz2 (A.B.C.D)): Normal (Not-Monitored)
Interface New_DMZ (A.B.C.D)): Normal (Waiting)
Interface LAN-WESTFIRE (A.B.C.D): Unknown (Waiting)
Interface management (A.B.C.D)): Link Down (Waiting)
Interface outside (A.B.C.D): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/) status (Unresponsive/Up)
Other host: Primary - Failed
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)59) status (Up Sys)
Interface inside (A.B.C.D)): Failed (Waiting)
Interface dmz (A.B.C.D)): Failed (Waiting)
Interface dmz2 (A.B.C.D)): Normal (Not-Monitored)
Interface New_DMZ (A.B.C.D)): Failed (Waiting)
Interface LAN-WESTFIRE (A.B.C.D)): Unknown (Waiting)
Interface management (0.0.0.0): Link Down (Waiting)
Interface outside (A.B.C.D)): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(4)E1) status (Up/Up)
IPS, 6.0(4)E1, Up

Stateful Failover Logical Update Statistics
Link : Unconfigured.

please do not forget to rate.
0 Helpful

jtapia0011
Level 1
Level 1
In response to Sheraz.Salim

‎06-11-2020 07:27 AM - edited ‎06-11-2020 07:46 AM

You mean check Failover interface cable port and switch right?

 

 

Att

0 Helpful

Sheraz.Salim
VIP
VIP
In response to jtapia0011

‎06-11-2020 08:06 AM

your primary firewall have some issue with interfaces check layer 1 and 2 connectivity.

please do not forget to rate.
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card