Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1850
Views
0
Helpful
8
Replies

Cisco ASA HA Setup in ACTIVE - ACTIVE State

Go to solution
Ed OLeary
Level 1
Level 1

‎10-30-2014 01:42 AM - edited ‎03-11-2019 10:00 PM

I have two ASA 5540s, with 8.4.(2).8 installed in a HA setup , they lost synchronisation last week, and now are both in ACTIVE mode.

 

I have a PRIMARY/ACTIVE and a SECONDARY/ACTIVE.

 

Is there any procedure to get back to PRIMARY/ACTIVE and SECONDARY/STANDBY available, is it just rebooting the PRIMARY, and the PRECEDENCE command on it starts the process.

 

Checked Layer 2 / 3 CONNECTION between both devices on the FAILOVER cable, and it is working.

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎10-30-2014 04:09 AM

Hi,

If the both the ASA devices in Active/Standby HA pair are showing Active , it would be because of the communication issues on the fail-over lan link.

Are the Fail-over interface connected directly between the devices or is there a switch in between ?

Try to check the communication which would be tricky as the IP's would be active IP on both the devices.

You can try to reload the Secondary Unit and it should detect the Primary Active and will become Standby given that the fail-over lan interface communication is working fine.

Also , would you be able to give the outputs for these form both the units:-

show failover history

show fail state

Thanks and Regards,

Vibhor Amrodia

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎10-30-2014 04:09 AM

Hi,

If the both the ASA devices in Active/Standby HA pair are showing Active , it would be because of the communication issues on the fail-over lan link.

Are the Fail-over interface connected directly between the devices or is there a switch in between ?

Try to check the communication which would be tricky as the IP's would be active IP on both the devices.

You can try to reload the Secondary Unit and it should detect the Primary Active and will become Standby given that the fail-over lan interface communication is working fine.

Also , would you be able to give the outputs for these form both the units:-

show failover history

show fail state

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Vibhor Amrodia

‎10-30-2014 04:36 AM

I don't think the issue is because the failover link is down.  If the failover link is down a stateful failover would not be possible but since the ASA sends hello messages out active (monitored) interfaces, if there is communication between the ASA data interfaces a failover would not occur and the ASAs would remain in Active/Standby mode. The failover link would be marked as failed.

If both ASAs are in Active Active state I would think that suggests a bigger communication failure between the ASAs.

Are the ASAs located within the same datasenter / communications room or are they seperated?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to Marius Gunnerud

‎10-30-2014 05:39 AM

Hi Marius,

I am not sure if i understand your reply correctly.

I pointed out that :- If the both the ASA devices in Active/Standby HA pair are showing Active , it would be because of the communication issues on the fail-over lan link.

By this , I was pointing to the failover lan connection between the TWO devices.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Vibhor Amrodia

‎10-30-2014 05:44 AM

Yes, I know.  But when the failover link is down, the ASA sends hello packets out the monitored interfaces (ie. interfaces that are used to send data).  If the primary ASA is reachable through the data interfaces the secondary ASA will remain in standby but the failover link will be marked as failed.

If the primary ASA is not reachable over the failover link or the data links then a failover occurs and the standby assumes the active state.  However, if neither the primary or secondary are able to contact eachother but there is no real failover situation on the primary, you run into a split-brain situation where both become active.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Ed OLeary
Level 1
Level 1
In response to Marius Gunnerud

‎10-30-2014 03:36 PM

Thanks for the reply Lads,

 

 

      Each FW is connected to individual switches, that are connected to each other by fibre link. Checked the Layer2 connections, and you can see the MACs on both devices from  both switches ..

 

       The failed Firewall I put into NO FAILOVER, and can ping either side of the FAILOVER / HEARTBEAT link from the other firewall.

 

      Rebooted the FW with all Interfaces in SHUTDOWN, to check errors on bootup, any issues with failed Firewall, seem to come up correctly

   

      So at the moment, I have a SECONDARY firewall in ACTIVE , and PRIMARY in NO FAILOVER, with interfaces in SHUTDOWN.

 

        Need to bring PRIMARY live again, and system back to PRI / ACTIVE and SECONDARY / STANDBY

 

 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Ed OLeary

‎10-31-2014 01:45 AM

Have you checked the logs for any abnormalities during the time of the failure?

Since both are in Active, there must have been some type of communication failure between the two ASAs.  Either over the network (perhaps there were som major delays) or one of the ASAs experienced an issue that caused hello packets to not be sent or recieved.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Ed OLeary
Level 1
Level 1
In response to Marius Gunnerud

‎11-01-2014 05:05 PM

Marius

 

 

     Nothing in the logs of the SECONDARY / ACTIVE , and by the time I had physical access to the PRIMARY/ACTIVE (1 week), nothing in its logs either ..

Looking to bring the system live again next week, have some downtime scheduled ... anyone got a general schedule for systems in ACTIVE-ACTIVE, to PRI/ACT and SEC/STBY?

0 Helpful

Go to solution
Ed OLeary
Level 1
Level 1
In response to Ed OLeary

‎11-03-2014 05:13 AM

Don,t know who said this question was "answered" ... its not

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card