01-18-2021 07:55 AM
Hi good morning.
I am trying to configure failover in ASA. I have two ASAs with the same OS and the same model.
I have assigned the IP addresses for each interface.
All tests are passed (see screenshot) except for the second, which failed.
How can I debug this error, or how can I solve it?
I run the command clear configuration failover but the result was the same, the same error.
Can you help me?
01-18-2021 07:59 AM - edited 01-18-2021 08:01 AM
What is the config on the standby unit?
Are you able to ping the standby IP from the active unit?
Post the failover config from both units and how they are connected to each other (any small diagram will help).
for reference :
https://www.networkstraining.com/cisco-asa-active-standby-configuration/
01-19-2021 04:47 AM
hi,
is the failover link/cable connected between the two ASA?
Post the show run failover and failover exec mate show run failover (or SSH/console to the secondary ASA) to make sure failover is configured on both units.
01-19-2021 10:34 AM
As far as I know, this error appears if the port number is different on the two ASAs,
i.e.
inside must be, for example, gi0/1
outside must be, for example, gi0/2
If you specify different ports on the two ASAs, this error appears.
01-19-2021 12:13 PM
All interfaces must match but this is replicated from active to standby once failover is configured. So the important thing is to make sure that the same interface is used for failover and state links. Remember that you need to manually configure failover on the standby device also. Once that is in place all configuration going forward is done on the active device.
01-19-2021 02:06 PM
Hi good afternoon.
1) I made a ping test for all interfaces and the answer is OK (see screenshot).
2) I ran the command: show run failover : no failover.
3) I have mapped each interface on both ASAs (see screenshots).
4) I attached the diagram. I have mapped each interface; the failover link and stateful link are connected directly between both ASAs, and each interface is connected to the switch without using VLANs.
5) We are using only ASDM; we don't try to configure using the console.
01-19-2021 02:43 PM - edited 01-28-2021 09:00 PM
...
01-19-2021 03:03 PM
post both the device config to look.
01-20-2021 04:57 AM
Well, that is your problem. You haven't configured failover for the devices.
primary ASA configuration:
failover
failover lan unit primary
failover lan interface failover Gig0/1 !<-- change Gig0/1 to the correct interface
failover link failover Gig0/1 !<-- best practice is to use separate links for failover and state links but many use the same link still
failover interface ip failover 169.254.0.1 255.255.255.252 standby 169.254.0.2 !<-- change IP addresses to the correct IPs
standby ASA configuration:
failover
failover lan unit secondary
failover lan interface failover Gig0/1 !<-- this interface MUST be the same on both sides
failover link failover Gig0/1
failover interface ip failover 169.254.0.1 255.255.255.252 standby 169.254.0.2
01-26-2021 07:11 PM
Hi good afternoon.
I applied the configuration mentioned below (see the screenshot). After that I have the following scenario:
1) On the primary ASA the configuration was successful and I saw an icon indicating "active".
2) On the secondary ASA, after I entered the configuration and the command failover, the ASA2 got stuck and a restart of the device was required.
Also I saw two errors: syslog ID 106010 Deny inbound protocol 105 and syslog error 105002.
01-26-2021 07:30 PM
Error Message %ASA-1-105002: (Primary) Enabling failover.
Explanation You have used the failover command with no arguments on the console, after having previously disabled failover. Primary can also be listed as Secondary for the secondary unit.
01-28-2021 08:26 PM
Hi good morning this is the show running from FW1(Active)
FW1(config)# show running FailOver
failover
failover lan unit primary
failover lan interface folink GigabitEthernet1/7
failover link statelink GigabitEthernet1/8
failover interface ip folink 192.168.26.1 255.255.255.0 standby 192.168.26.2
failover interface ip statelink 192.168.27.1 255.255.255.0 standby 192.168.27.2
no failover wait-disable
When I run the commands on the secondary unit it gets stuck and a hard reset is required. I have tried several times but the configuration doesn't work.
In the screenshot you can see the configuration that I ran in both ASAs.
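An added example (not part of any post in this thread): a small Python check that compares the `show run failover` output of two units and reports the mismatches discussed above, such as differing failover/state link interfaces or a link name without a matching `failover interface ip` line. `FW1` is the output posted above; `FW2` and the function names are constructed for illustration.

```python
import re

def parse_failover(text):
    """Parse 'show run failover' output into the settings both units must agree on."""
    cfg = {"enabled": False, "unit": None, "links": {}, "ips": {}}
    for raw in text.splitlines():
        line = raw.split("!")[0].strip()  # drop '!' annotations
        if line == "failover":
            cfg["enabled"] = True
        elif m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            cfg["unit"] = m.group(1)
        elif m := re.fullmatch(r"failover (lan interface|link) (\S+)(?: (\S+))?", line):
            cfg["links"][m.group(1)] = (m.group(2), m.group(3))  # (name, port)
        elif m := re.fullmatch(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
            cfg["ips"][m.group(1)] = m.groups()[1:]  # (active ip, mask, standby ip)
    return cfg

def check_pair(unit_a, unit_b):
    """Return a list of human-readable problems; empty means the pair is consistent."""
    a, b = parse_failover(unit_a), parse_failover(unit_b)
    problems = []
    if not (a["enabled"] and b["enabled"]):
        problems.append("failover is not enabled on both units")
    if {a["unit"], b["unit"]} != {"primary", "secondary"}:
        problems.append("need exactly one primary and one secondary unit")
    # Link definitions and link IPs must be identical on both units.
    for key in ("links", "ips"):
        for name in sorted(set(a[key]) | set(b[key])):
            if a[key].get(name) != b[key].get(name):
                problems.append(f"{key} '{name}' differs: {a[key].get(name)} vs {b[key].get(name)}")
    # Every named link needs a 'failover interface ip' line under the same name.
    for label, cfg in (("unit A", a), ("unit B", b)):
        for kind, (name, _port) in cfg["links"].items():
            if name not in cfg["ips"]:
                problems.append(f"{label}: no 'failover interface ip' for {kind} name '{name}'")
    return problems

# FW1 is the output posted in the thread; FW2 is constructed for this example.
FW1 = """failover
failover lan unit primary
failover lan interface folink GigabitEthernet1/7
failover link statelink GigabitEthernet1/8
failover interface ip folink 192.168.26.1 255.255.255.0 standby 192.168.26.2
failover interface ip statelink 192.168.27.1 255.255.255.0 standby 192.168.27.2
no failover wait-disable"""
FW2 = FW1.replace("unit primary", "unit secondary").replace("GigabitEthernet1/7", "GigabitEthernet1/6")

if __name__ == "__main__":
    for p in check_pair(FW1, FW2):
        print(p)
```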
02-01-2021 11:08 AM
To solve the issue I had to do this:
Adding a third command indicating the management interface:
failover interface ip management 192.168.22.1 255.255.255.0 standby 192.168.22.2
02-01-2021 11:24 AM
I am glad you managed to solve the issue.
However, adding that command and it starts to work doesn’t make sense unless you did not post all the configuration which is on the ASA. This means that your failover interface name was never folink but actually management.
02-04-2021 08:23 AM
Hi good morning.
I made a mistake: the third command that I added after the failover link and stateful link was
interface management 192.168.25.1 255.255.255.255 192.168.25.2.
Basically adding a standby IP for the management interface in the command line and not directly in the ASDM.