
Connectivity test from this device to the peer device failed.

Hi good morning.

I am trying to configure failover on ASA. I have two ASAs with the same OS and the same model.

I have assigned the IP addresses for each interface.

All tests passed (see screenshot) except for the second, which failed.

How can I debug this error, or how can I solve it?

I ran the command clear configuration failover but the result was the same, the same error.

Can you help me?



balaji.bandi
Hall of Fame

What is the config on the standby unit?

Are you able to ping the standby IP from the active unit?

Post the failover config from both units and how they are connected to each other (any small diagram will help).

For reference:

 

https://www.networkstraining.com/cisco-asa-active-standby-configuration/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

johnlloyd_13
Level 9

Hi,

Is the failover link/cable connected between the two ASAs?

Post the show run failover and failover exec mate show run failover (or SSH/console to the secondary ASA) to make sure failover is configured on both units.

As far as I know, this error appears if the port number is different on the two ASAs,

i.e.

inside must be, for example, gi0/1

outside must be, for example, gi0/2

If you specify different ports on the two ASAs, this error appears.

All interfaces must match but this is replicated from active to standby once failover is configured.  So the important thing is to make sure that the same interface is used for failover and state links.  Remember that you need to manually configure failover on the standby device also.  Once that is in place all configuration going forward is done on the active device.

--
Please remember to select a correct answer and rate helpful posts

Hi good afternoon.

1) I made a ping test for all interfaces and the answer is OK (see screenshot).

2) I ran the command: show run failover: no failover.

3) I have mapped each interface on both ASAs (see screenshots).

4) I attached the diagram. I have mapped each interface; the failover link and stateful link are connected directly between both ASAs, and each interface is connected to the switch without using VLANs.

5) We are using only ASDM; we don't try to configure using the console.

...

post both the device config to look.

BB


Well, that is your problem.  You haven't configured failover for the devices.

primary ASA configuration:

failover
failover lan unit primary
failover lan interface failover Gig0/1 !<-- change Gig0/1 to the correct interface
failover link failover Gig0/1 !<-- best practice is to use separate links for failover and state links but many use the same link still
failover interface ip failover 169.254.0.1 255.255.255.252 standby 169.254.0.2 !<-- change IP addresses to the correct IPs

standby ASA configuration:

failover
failover lan unit secondary
failover lan interface failover Gig0/1 !<-- this interface MUST be the same on both sides
failover link failover Gig0/1
failover interface ip failover 169.254.0.1 255.255.255.252 standby 169.254.0.2


Hi good afternoon.

I applied the configuration mentioned below (see the screenshot); after that I have the following scenario:

1) On the primary ASA the configuration was successful and I saw an icon indicating "active".

2) On the secondary ASA, after I entered the configuration and the command failover, asa2 got stuck and it was then required to restart the device.

Also I saw two errors: syslog ID 106010 Deny inbound protocol 105 and syslog error 105002.

Can you post the show run command from both the units, along with show failover?

105002

Error Message %ASA-1-105002: (Primary) Enabling failover.

Explanation You have used the failover command with no arguments on the console, after having previously disabled failover. Primary can also be listed as Secondary for the secondary unit.

BB


Hi, good morning. This is the show running from FW1 (Active):

FW1(config)# show running FailOver
failover
failover lan unit primary
failover lan interface folink GigabitEthernet1/7
failover link statelink GigabitEthernet1/8
failover interface ip folink 192.168.26.1 255.255.255.0 standby 192.168.26.2
failover interface ip statelink 192.168.27.1 255.255.255.0 standby 192.168.27.2
no failover wait-disable

When I ran the commands on the secondary unit it got stuck and a hard reset was then required. I have tried several times but the configuration doesn't work.

In the screenshot you can see the configuration that I ran in both ASAs.

 

To solve the issue I had to do this:

Adding a third command indicating the management interface:

failover interface ip management 192.168.22.1 255.255.255.0 standby 192.168.22.2


I am glad you managed to solve the issue.

However, adding that command and it starts to work doesn’t make sense unless you did not post all the configuration which is on the ASA. This means that your failover interface name was never folink but  actually management.

 


Hi good morning.

I made a mistake: the third command that I added after the failover link and stateful link was

interface management 192.168.25.1 255.255.255.255 192.168.25.2.

Basically adding a standby IP for the management interface in the command line and not directly in the ASDM.
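
The replies above stress that the failover and state link interfaces must be the same on both units, and question a failover interface ip line whose name matches no failover link. As an added example that is not part of the original thread, this Python sketch parses show running failover text from each unit and lists such mismatches. The secondary unit's output, the deliberate port mismatch and the function names are assumptions made for illustration.

```python
import re

# Constructed sample input modelled on the `show running failover` output
# posted in the thread; the secondary's text is an assumption for illustration.
PRIMARY = """\
failover
failover lan unit primary
failover lan interface folink GigabitEthernet1/7
failover link statelink GigabitEthernet1/8
failover interface ip folink 192.168.26.1 255.255.255.0 standby 192.168.26.2
failover interface ip statelink 192.168.27.1 255.255.255.0 standby 192.168.27.2
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary").replace(
    "GigabitEthernet1/7", "GigabitEthernet1/6")  # deliberate mismatch

def parse(text):
    """Return (unit role, {link name: port}, {link name: ip/mask/standby})."""
    role, links, ips = None, {}, {}
    for line in text.splitlines():
        line = line.split("!")[0].strip()          # drop trailing '!' comments
        if m := re.match(r"failover lan unit (\S+)$", line):
            role = m.group(1)
        elif m := re.match(r"failover (?:lan interface|link) (\S+) (\S+)$", line):
            links[m.group(1)] = m.group(2)
        elif m := re.match(r"failover interface ip (\S+) (.+)$", line):
            ips[m.group(1)] = m.group(2)
    return role, links, ips

def check_pair(primary_text, secondary_text):
    """List mismatches between the two units' failover settings."""
    (r1, l1, i1), (r2, l2, i2) = parse(primary_text), parse(secondary_text)
    problems = []
    if {r1, r2} != {"primary", "secondary"}:
        problems.append(f"unit roles are {r1}/{r2}, need primary/secondary")
    for name in sorted(set(l1) | set(l2)):
        if l1.get(name) != l2.get(name):
            problems.append(f"link {name}: {l1.get(name)} vs {l2.get(name)}")
    for name in sorted(set(i1) | set(i2)):
        if i1.get(name) != i2.get(name):
            problems.append(f"ip {name}: differs between units")
        if name not in l1 or name not in l2:
            problems.append(f"ip {name}: no failover link with that name")
    return problems

if __name__ == "__main__":
    for p in check_pair(PRIMARY, SECONDARY):
        print(p)
```
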
