Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1492
Views
0
Helpful
4
Replies

Cisco ASA unit failed.

samarjit.das
Level 1
Level 1

‎09-07-2012 03:24 AM - edited ‎03-11-2019 04:51 PM

Which trigger a cisco ASA unit to be failed. The primary firewall was acting the active role and secondary was acting the standby role. On failure of one interface in the primary firewall, the unit was declared as failed and secondary firewall automatically switchover to the active role. In this scenario failover worked as expected but don't know why the primary unit was declared as failed in one interface failure.

I would like to know whether failure of single link connected to a interface makes the unit fail.If not what is the number of interface should be down to be a unit failed.

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎09-07-2012 04:34 AM

That is all controlled with the failover-commands. With "show failover" you can see the actual settings of your ASA.

The options are described in the config-guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html#wp1074591

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

samarjit.das
Level 1
Level 1
In response to Karsten Iwen

‎09-08-2012 07:30 AM

The unit can fail in condition of  too many monitored interfaces fail but in my case only one monitored interface is fail.But don't know why unit is showing failed.

0 Helpful

Mohammad Alhyari
Cisco Employee
Cisco Employee
In response to samarjit.das

‎09-08-2012 10:44 AM

HI ,

what happened here is that we :

stopped receiving HA helloes on that interface

started interface testing as mentioned below :

https://supportforums.cisco.com/docs/DOC-2469

then the interface marked as failed and failover happened . and notice that the default is to failover if we have one failed interface.

Mohammad.

0 Helpful

gurpsin2
Level 1
Level 1

‎09-08-2012 10:54 AM

Hi samarjit,

An interface check is always done by both the units in failover through hello packets exchange, failover would occur if

1) a monitored interface fails

2) the standby unit gets to know that it's peer has less active interfaces than it currently has n since it has more active interfaces, it becomes active.

I think 2nd option applies to ur case

Thnks

Sent from Cisco Technical Support iPhone App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card