hi,

ataur-rahman1 · ‎06-05-2016

hello team

kindly help me for below , i have two cisco ASA 5525 as active / standby , as i know in HA by default all physical interfaces will be monitored but sub interfaces is not monitored

i have one interface that is ( inside) there is no ip address assigned to it and i have created many sub interfaces ( 100 + ) on that physical interface , i want to confirm , to failover to trigger if inside interface goes down physically ( the failover will happen smoothly or i have to confirgure standby ip on all sub interfaces and to monitor all the sub interfaces )

Marvin Rhoads · ‎06-05-2016

Your assessment is correct.

johnlloyd_13 · ‎06-05-2016

hi,

you'll need to configure the monitoring of 'inside' interface/subinterface on each security context and also the failover policy/criteria, i.e. number of failed interfaces or specify as percentage.

see helpful link and sample below.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_standby.html#41939

ciscoasa/pri/act(config)# failover interface-policy ?

configure mode commands/options:
<1-216> number of failed interfaces
<1-100>% percentage of failed interfaces
ciscoasa/pri/act(config)# failover interface-policy 50%

ataur-rahman1 · ‎06-05-2016

thanks john , the monitoring of inside ( physical interface is already monitored ) but do i have to monitor the sub interfaces also ( as there is no IP address on inside interface and the status of inside interface is as below)

my major concern is if inside interface physically goes down the failover should trigger and the production environment shouldnt effect

[Interface inside (0.0.0.0): Normal (Waiting)]

Interface llllllllllll (10.215.218.2): Normal (Not-Monitored)
Interface pppppp (10.10.10.1): Normal (Not-Monitored)

ASA/pri/act# sh run all monitor-interface
monitor-interface outside
monitor-interface inside
no monitor-interface lllllllllllll
no monitor-interface pppppp

johnlloyd_13 · ‎06-05-2016

yes, you should monitor subinterfaces which corresponds to the configured 'nameif' on each context.

monitor-interface iii

monitor-interface ppp

don't also forget the failover interface-policy command that i mentioned.

ataur-rahman1 · ‎06-05-2016

appreciated your help :)

in addition , should i have to add the standby IPs under all sub interfaces as currently there is no standby IPs configured in any of the sub interface

johnlloyd_13 · ‎06-05-2016

hi,

it's not a hard prerequisite to configure the standby IPs for failover.

you'll do this if you want the 'monitor-interface' feature to work properly.

ataur-rahman1 · ‎06-12-2016

hi ,

is there any limitation of monitoring interfaces , i just checked its 250 ( are these limitations of sub interfaces )

ataur-rahman1 · ‎06-12-2016

hi john

the default policy is if single interface goes down , the fail over is triggered ,

ciscoasa/pri/act(config)# failover interface-policy ?

configure mode commands/options:
<1-216> number of failed interfaces
<1-100>% percentage of failed interfaces
ciscoasa/pri/act(config)# failover interface-policy 50%

how can i specify if outside physical interface (i.e single interface ) goes down the fail over should be triggered

and inside few sub interfaces goes down ( may be 50% down) then only the trigger should happen

the reason behind this question is , if all the subinterfaces are up but the outside interface is down and i have implemented this command then may be the fail over will not happen as i have modified the default policy to 50% of sub interfaces

ciscoasa/pri/act(config)# failover interface-policy ?

configure mode commands/options:
<1-216> number of failed interfaces
<1-100>% percentage of failed interfaces
ciscoasa/pri/act(config)# failover interface-policy 50%

Cisco ASA Failover