Cisco ASA1120 Active/Standby Failover

MasterChief
Level 1

Hello,

I am currently configuring two Cisco ASA 1120s for Active/Standby failover. So far it is failing. This is what I have done so far. The version that these ASAs are running is Cisco Adaptive Security Appliance Software Version 9.16(4)42. They also have the same encryption license, Encryption-3DES-AES. This is currently what I have configured on both ASAs.

Active ASA:

failover
failover lan unit primary
failover lan interface Failover Ethernet1/8
failover replication http
failover link Failover Ethernet1/8
failover interface ip Failover 192.168.59.1 255.255.255.252 standby 192.168.59.2
no failover wait-disable

Standby ASA: 

failover
failover lan unit secondary
failover lan interface Failover Ethernet1/8
failover link Failover Ethernet1/8
failover interface ip Failover 192.168.59.1 255.255.255.252 standby 192.168.59.2
no failover wait-disable

When I do a show failover on the active ASA this is the output.

ciscoasa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: Failover Ethernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 776 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.16(4)42, Mate 9.16(4)42
Serial Number: Ours JAD2, Mate JAD2
Last Failover at: 17:54:16 UTC Oct 31 2023
This host: Primary - Failed
Active time: 9 (sec)
slot 0: FPR-1120 hw/sw rev (50.46/9.16(4)42) status (Up Sys)
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (0.0.0.0): No Link (Waiting)
Interface asdm (0.0.0.0): No Link (Waiting)
Interface management (0.0.0.0): No Link (Waiting)
Other host: Secondary - Active
Active time: 5630 (sec)
slot 0: FPR-1120 hw/sw rev (50.46/9.16(4)42) status (Up Sys)
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (192.168.1.1): No Link (Waiting)
Interface asdm (0.0.0.0): Normal (Waiting)
Interface management (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics
Link : Failover Ethernet1/8 (up)
Stateful Obj xmit xerr rcv rerr
General 885 0 1060 0
sys cmd 885 0 885 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 174 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 15 4702
Xmit Q: 0 1 887

I erased half of the serial number for security reasons but other than that is the whole output.

Any help is appreciated.

Accepted Solutions

Ben Walters
Level 4

It looks like the failover config is functioning properly, but there is no failover IP configured on your inside interface of the primary unit, causing the firewalls to fail over due to a loss of connectivity. The secondary unit has the IP of 192.168.1.1, so it became the active unit.
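
An added example, not part of the original thread or of any Cisco tooling: a small Python check that parses the per-unit interface lines of `show failover` output and flags interfaces that report 0.0.0.0 on one unit while the other unit has an address, which is the pattern the accepted answer points to on `inside`. The function names are hypothetical and the sample is constructed from the interface lines in the question.

```python
import re

# Constructed sample: the interface lines from the `show failover` output in the question.
SAMPLE = """\
This host: Primary - Failed
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (0.0.0.0): No Link (Waiting)
Interface asdm (0.0.0.0): No Link (Waiting)
Interface management (0.0.0.0): No Link (Waiting)
Other host: Secondary - Active
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (192.168.1.1): No Link (Waiting)
Interface asdm (0.0.0.0): Normal (Waiting)
Interface management (0.0.0.0): Normal (Waiting)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")
UNSET = "0.0.0.0"  # address shown when the unit has none for that interface

def parse_show_failover(text):
    """Return {unit: {"state": str, "interfaces": {name: (ip, status)}}}."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = units.setdefault(m.group(2), {"state": m.group(3), "interfaces": {}})
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current["interfaces"][m.group(1)] = (m.group(2), m.group(3))
    return units

def address_findings(units):
    """Flag monitored interfaces lacking an address on one or both units."""
    findings = []
    names = sorted({n for u in units.values() for n in u["interfaces"]})
    for name in names:
        ips = {unit: u["interfaces"].get(name, (UNSET, ""))[0] for unit, u in units.items()}
        missing = sorted(unit for unit, ip in ips.items() if ip == UNSET)
        if missing and len(missing) < len(ips):
            findings.append((name, "no address on " + ", ".join(missing)))
        elif missing:
            findings.append((name, "no address on either unit"))
    return findings

if __name__ == "__main__":
    for name, issue in address_findings(parse_show_failover(SAMPLE)):
        print(f"{name}: {issue}")
```

The full `show failover` text can be passed in unchanged; lines that are not `This host:`, `Other host:` or per-unit `Interface name (ip): state` lines are ignored.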

Thank you for the insight. My boss and I were actually able to figure this out, but thank you very much.
