03-10-2011 03:49 AM - edited 03-11-2019 01:04 PM
Hi
Please assist. I have configured failover between 2 FWs and tested the failover. It does work; only one packet drops. My configuration is a bit different from the way it is supposed to be, but I need to know why you need to enter the secondary IP address if this configuration works. When the LAN cable is pulled from the monitored interface, the FW fails over to the standby and show failover produces the opposite of what you see here, where the standby gets all the config. Please advise. I will monitor the other interfaces when needed; for now the inside and outside will do.
Thanks.
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 20:54:07 SA Feb 12 2011
This host: Primary - Active
Active time: 2221693 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside (X.X.X.X): Normal (Waiting)
Interface inside (X.X.X.X): Normal (Waiting)
Interface 3rdParty (X.X.X.X): Normal (Not-Monitored)
Interface Extranet-VPN (X.X.X.X): Normal (Waiting)
Interface Liquid_DMZ (X.X.X.X): Normal (Not-Monitored)
Interface CSWE_PublicDMZ (X.X.X.X): Normal (Not-Monitored)
Interface CSWE_PrivateDMZ (X.X.X.X): Normal (Not-Monitored)
Interface PublicDMZ (X.X.X.X): Normal (Not-Monitored)
Interface PrivateDMZ (X.X.X.X): Normal (Not-Monitored)
Interface Bermuda_DMZ (X.X.X.X): Normal (Not-Monitored)
Interface @Remote (X.X.X.X): Normal (Not-Monitored)
Interface CA_Server (X.X.X.X): Normal (Not-Monitored)
Interface ADSL_VPN (X.X.X.X): Normal (Not-Monitored)
Interface SOCVRF (X.X.X.X): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 1587 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface 3rdParty (0.0.0.0): Normal (Not-Monitored)
Interface Extranet-VPN (0.0.0.0): Normal (Waiting)
Interface Liquid_DMZ (0.0.0.0): Normal (Not-Monitored)
Interface CSWE_PublicDMZ (0.0.0.0): Normal (Not-Monitored)
Interface CSWE_PrivateDMZ (0.0.0.0): Normal (Not-Monitored)
Interface PublicDMZ (0.0.0.0): Normal (Not-Monitored)
Interface PrivateDMZ (0.0.0.0): Normal (Not-Monitored)
Interface Bermuda_DMZ (0.0.0.0): Normal (Not-Monitored)
Interface @Remote (0.0.0.0): Normal (Not-Monitored)
Interface CA_Server (0.0.0.0): Normal (Not-Monitored)
Interface ADSL_VPN (0.0.0.0): Normal (Not-Monitored)
Interface SOCVRF (0.0.0.0): Normal (Not-Monitored)
slot 1: empty
03-10-2011 04:45 AM
Normally you set the standby IP for monitoring. Since you don't have a standby IP, it shows normal (waiting) on the inside and outside. When you don't have monitoring enabled on the other interfaces and something happens to them, then failover might not work by failing to the standby unit.
Sent from Cisco Technical Support iPhone App
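Added example, not part of the original thread and not Cisco tooling: a Python check over `show failover` output that lists, for the standby unit, monitored interfaces reporting 0.0.0.0 (the no-standby-IP condition the reply above ties to "Normal (Waiting)") and interfaces that are not monitored at all. The sample text is constructed from the output posted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the `show failover` output in the question.
SAMPLE = """\
This host: Primary - Active
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside (X.X.X.X): Normal (Waiting)
Interface inside (X.X.X.X): Normal (Waiting)
Interface 3rdParty (X.X.X.X): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface 3rdParty (0.0.0.0): Normal (Not-Monitored)
"""

HOST_RE = re.compile(r"^\s*(?:This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(
    r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)(?:\s+\(([^)]+)\))?\s*$")

def parse_failover(text):
    """Return {unit: {"state": str, "ifaces": {name: (ip, status, note)}}}."""
    units, current = {}, None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = units.setdefault(
                host.group(1), {"state": host.group(2), "ifaces": {}})
            continue
        iface = IFACE_RE.match(line)
        if iface and current is not None:
            name, ip, status, note = iface.groups()
            current["ifaces"][name] = (ip, status, note)
    return units

def audit(text):
    """Flag standby-unit interfaces with no standby IP or no monitoring."""
    findings = {"no_standby_ip": [], "not_monitored": []}
    for info in parse_failover(text).values():
        if not info["state"].startswith("Standby"):
            continue  # only the standby unit's view is audited
        for name, (ip, _status, note) in info["ifaces"].items():
            if note == "Not-Monitored":
                findings["not_monitored"].append(name)
            elif ip == "0.0.0.0":
                findings["no_standby_ip"].append(name)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```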
03-10-2011 04:53 AM
Hi
Yes, I know, but you can see from the output that all the standby interfaces are 0.0.0.0, no IP address configured. I tested the 2 monitored interfaces and it works: when I pull the cable out of the inside interface, the FW failover occurs and the config is copied to the standby, which becomes the active. My question is why do you then need to add a standby IP in the configuration under the interface when the standby interface gets the current config from the active and resumes its role. This is then just wasting a free IP.
03-10-2011 05:28 AM
I agree. Not 100% needed since it will work. I see a need if you want to access it by SSH or Telnet. Without an IP you can only access the secondary unit via console.
Sent from Cisco Technical Support iPhone App
03-10-2011 05:36 AM
OK
So we can confirm then that the secondary IP is only for remote management.
03-10-2011 06:09 AM
I don't know Cisco's official explanation about the standby IP since I was not able to find it in any document, but we can say it is basically for monitoring and management.