We have a pair of 5585x's configured as an active/active failover pair. They are in multi-context mode with two groups.
Following issues recently we are seeing contexts with similar logging as this:
%PIX-1-105005: (Primary) Lost Failover communications with mate on interface inside
%PIX-1-105008: (Primary) Testing Interface inside
%PIX-1-105009: (Primary) Testing on interface inside Passed
We can ping across the failover and stateful failover connections on the System context without dropout. We have no errors on the interfaces but we still see this failover communications error occurring.
When debugging the failover on a context we can see the failover health traffic generated for all monitored interfaces (using "debug fover txip") but on the failover mate context we do not see the traffic (using "debug fover rxip"). If we check the system context we see all the health traffic received for the failover mate.
The interfaces are directly connected with the "sh route" command giving expected result and a trace using icmp reaches the mate IP in a straight swap. Looking at the failover on System and Firewall context using "sh fail" gives the expected result with interfaces monitored and normal. We do not have routes on the system context.
There is no issue with failover - this is working fine but the monitored interface logging we are seeing is problematic as it indicates if an interface fails it will not fail over (only if whole unit fails).
Thanks for the response. All context VLANs concerned are port-channelled down to a Layer 2 Nexus 5K pair. The failover and stateful connections take a different route to a Layer 2 switch stack and these show no errors. Logs do not show flapping on the Nexus and stack.
I'll monitor the ASA to see what capturing ASA drops produces and post results. Same with ip protocol 105.