Cisco ASA Failover status

PutmanoAIT · ‎01-13-2016

Dear Expert,

I have one question regarding the failover status on cisco ASA. I have configure ASA failover as below:

failover lan unit primary
failover lan interface FAILOVER g0/7
failover link FAILOVER g0/7
failover interface ip FAILOVER 192.168.99.1 255.255.255.252 standby 192.168.99.2
failover

It works fine but when I type command "show failover" it shows as below:

Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 516 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 11:04:46 UTC Jan 14 2016
This host: Primary - Active
.......
Other host: Secondary - Failed
......

Secondary host Failed but it works find.

I'm not sure what the main issue.

Best regards,

Mano

Akshay Rastogi · ‎01-13-2016

Hi Mano,

When you say it works fine, what do you? Do you see Secondary ASA as Standby on Secondary Unit?

Please check 'show failover history' to see the actual cause of the Failover'. If it shows reason for failed as 'Interface check' then check the output of 'show failover state' to see the data interface which is failing on Secondary Unit.

If the Status in history show 'communication failure' then check the connectivity between ASA through Failover Link gig0/7. There might be some issue with Failover messages.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

PutmanoAIT · ‎01-14-2016

Y I said it works fine bcoz when i turn the primary down the secondary come up to primary as normal and when the primary come up the secondary went to standby.

Akshay Rastogi · ‎01-14-2016

Hi Mano,

Did you see the output i have mentioned in my last comment. Did you found any specific reason?

Regards,

Akshay Rastogi

PutmanoAIT · ‎01-15-2016

The communication is normal. One more thing what i don't understand is, i have configure monitor interface
and wheb the active asa's interface down. The secondary is up as active as expect. however when the active asa's interface come active back
there are no switching to active as i want. Do you know what the issues?

Thanks for your answers.

best regards,
Mano

adam kalabadzi · ‎01-15-2016

Hi,

You can do that on active/active failover using preempt. but i am affraid you cant do that on active/standby.

cheers,

ak

Akshay Rastogi · ‎01-15-2016

Hi Mano,

It is expected behavior with Active/Standby setup. The device does not failover over to the previous unit once it is back. However Active/Active failover setup have 'preempt' option which you need to configure under a specific 'group'. This makes specific context to be always active on a specific unit if that unit is up.

Hope it answers your query.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Richard Bradfield · ‎01-13-2016

can you login to the secondary ASA and do a show failover.

Are the monitored interfaces up on both ASAs?

PutmanoAIT · ‎01-15-2016

May be the monitor interface on seconday are not up. One more thing what i don't understand is, i have configure monitor interface
and wheb the active asa's interface down. The secondary is up as active as expect. however when the active asa's interface come active back
there are no switching to active as i want. Do you know what the issues?

Thanks for your answers.

best regards,
Mano

Tariq Mahmoud · ‎08-06-2023

I have seen this issue as well, here I'm referring to the "Failed" state. In our case, it was due to the fact that the port channel interface facing the secondary FTD was administratively down, hence the interfaces were not active from switch side and the status was shown as "Failed" in the CLI output but "Standby" on FMC GUI.

The status on the CLI went to "Standby ready" after we restored the port channel state on the switch.