Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2950
Views
10
Helpful
2
Replies

Failover asa 9 - missing something

Go to solution
manuscript1
Level 1
Level 1

‎04-12-2017 07:13 AM - edited ‎03-12-2019 02:12 AM

Hi

I am having problem getting a failover working between two asas. They are both routed and single context and same licence. . I have a crossover in the eth0/2 interface . ( ive changed Ip addresses to protect the innocent ).

I have tried reloading the backup firewall with no luck .....

Any ideas ?

secondary unit shows:

Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 9.1(7)13, Mate Unknown
Last Failover at: 13:44:58 UTC Apr 12 2017
        This host: Secondary - Active
                Active time: 102 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/9.1(7)13) status (Up Sys)
                  Interface outside (62.30.30.29): No Link (Waiting)
                  Interface inside (10.129.1.14): No Link (Waiting)
                slot 1: empty
        Other host: Primary - Failed
                Active time: 0 (sec)
                  Interface outside (62.30.30.30): Unknown (Waiting)
                  Interface inside (10.129.1.13): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

primary shows:


Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 9.1(7)13, Mate Unknown
Last Failover at: 14:31:05 GMT/BDT Apr 12 2017
        This host: Primary - Active
                Active time: 4788 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/9.1(7)13) status (Up Sys)
                  Interface outside (62.30.30.30): Unknown (Waiting)
                  Interface inside (10.129.1.13): No Link (Waiting)
                slot 1: empty
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
                  Interface outside (62.30.30.29): Unknown (Waiting)
                  Interface inside (10.129.1.14): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : statelink Ethernet0/3 (down)
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         0          0          0          0        
        sys cmd         0          0          0          0        
        up time         0          0          0          0        
        RPC services    0          0          0          0        
        TCP conn        0          0          0          0        
        UDP conn        0          0          0          0        
        ARP tbl         0          0          0          0        
        Xlate_Timeout   0          0          0          0        
        IPv6 ND tbl     0          0          0          0        
        VPN IKEv1 SA    0          0          0          0        
        VPN IKEv1 P2    0          0          0          0        
        VPN IKEv2 SA    0          0          0          0        
        VPN IKEv2 P2    0          0          0          0        
        VPN CTCP upd    0          0          0          0        
        VPN SDI upd     0          0          0          0        
        VPN DHCP upd    0          0          0          0        
        SIP Session     0          0          0          0        
        Route Session   0          0          0          0        
        User-Identity   0          0          0          0        
        CTS SGTNAME     0          0          0          0        
        CTS PAC         0          0          0          0        
        TrustSec-SXP    0          0          0          0        
        IPv6 Route      0          0          0          0        

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0      

relevant config primary :

interface Ethernet0/0
 description outside
 speed 100
 duplex full 
 nameif outside
 security-level 0
 ip address 62.30.30.60 255.255.255.192 standby 62.30.30.59
!
interface Ethernet0/1
 description inside
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.129.1.13 255.255.255.240 standby 10.129.1.14

interface Ethernet0/2
 description LAN Failover Interface

failover
failover lan unit primary
failover lan interface failover Ethernet0/2
failover key *****
failover link statelink Ethernet0/3
failover interface ip failover 10.129.192.161 255.255.255.252 standby 10.129.192.162
failover interface ip statelink 10.129.192.166 255.255.255.252 standby 10.129.192.165

Secondary

interface Ethernet0/0
 description outside
 duplex full
 nameif outside
 security-level 0
 ip address 62.30.30.59 255.255.255.192 standby 62.30.30.60
!
interface Ethernet0/1
 description inside
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.129.1.14 255.255.255.240 standby 10.129.1.13
!
interface Ethernet0/2
 description LAN Failover Interface

failover
failover lan unit secondary
failover lan interface failover Ethernet0/2
failover key *****
failover interface ip failover 10.129.192.162 255.255.255.252 standby 10.129.192.161

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
manuscript1
Level 1
Level 1

‎04-12-2017 08:48 AM

I have fixed this . I had done some manual config on the standby  on the backup . I cleared the config on the standby and added the failover commands and it all came to life

View solution in original post

2 Replies 2

Go to solution
manuscript1
Level 1
Level 1

‎04-12-2017 08:48 AM

I have fixed this . I had done some manual config on the standby  on the backup . I cleared the config on the standby and added the failover commands and it all came to life

Go to solution
tavkaur
Level 1
Level 1

‎04-12-2017 08:53 AM

Hi,

From the snippet i can see that the failover configuration on the two units are different

failover
failover lan unit primary
failover lan interface failover Ethernet0/2
failover key *****
failover link statelink Ethernet0/3
failover interface ip failover 10.129.192.161 255.255.255.252 standby 10.129.192.162
failover interface ip statelink 10.129.192.166 255.255.255.252 standby 10.129.192.165

**

failover

failover lan unit secondary
failover lan interface failover Ethernet0/2
failover key *****
failover interface ip failover 10.129.192.162 255.255.255.252 standby 10.129.192.161

The failover interface IP address assignment has to be same on both the units. Also you have configured state link on the primary unit and not on the secondary unit. Please configure state link on both the units and correct the failover interface ip addresses on the secondary unit. Following should be the configuration on the secondary unit

failover
failover lan unit seconadary
failover lan interface failover Ethernet0/2
failover key *****
failover link statelink Ethernet0/3
failover interface ip failover 10.129.192.161 255.255.255.252 standby 10.129.192.162 -->these IP addresses are incorrectly assigned
failover interface ip statelink 10.129.192.166 255.255.255.252 standby 10.129.192.165

Regards,

Tavleen

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card