failover issue in ASA firewall

jyotirmoy11
Level 1

Hi All,

I have configured two ASA firewalls in failover mode - Active and Standby - and the two ASAs are working in failover mode too, but whenever I fire the command "sh failover" on the active ASA it shows: This host is Active and the other is failed. I have mentioned the sh run and sh failover of the Active ASA below -

ASAPRI#Sh run | include failover
failover
failover lan unit primary
failover lan interface FAILOVER_INT GigabitEthernet0/2
failover interface ip FAILOVER_INT 192.168.50.1 255.255.255.0 standby 192.168.50.2

ASAPRI# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER_INT GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 12:43:43 IST Jul 15 2011
        This host: Primary - Active
                Active time: 6042167 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface Untrust (164.100.122.4): Normal
                  Interface SWAN (10.178.12.13): Normal (Waiting)
                  Interface management (192.168.1.1): Normal (Waiting)
                  Interface NOC/MGMT (10.178.196.1): Normal
                  Interface OSS (10.178.197.129): Normal
                  Interface Application_server_Trust (10.178.197.65): Normal
                  Interface DMZ (10.178.197.1): Normal
                  Interface BACKUP (10.178.193.193): No Link (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface Untrust (164.100.122.5): Normal
                  Interface SWAN (10.178.12.14): No Link (Waiting)
                  Interface management (0.0.0.0): Normal (Waiting)
                  Interface NOC/MGMT (10.178.196.2): Normal
                  Interface OSS (10.178.197.130): Normal
                  Interface Application_server_Trust (10.178.197.66): Normal
                  Interface DMZ (10.178.197.2): Normal
                  Interface BACKUP (0.0.0.0): No Link (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

ASASEC#Sh run | include failover
failover
failover lan unit secondary
failover lan interface FAILOVER_INT GigabitEthernet0/2
failover interface ip FAILOVER_INT 192.168.50.1 255.255.255.0 standby 192.168.50.2

ASASEC# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER_INT GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 12:43:43 IST Jul 15 2011
        This host: Primary - Active
                Active time: 6042167 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface Untrust (164.100.122.4): Normal
                  Interface SWAN (10.178.12.13): Normal (Waiting)
                  Interface management (192.168.1.1): Normal (Waiting)
                  Interface NOC/MGMT (10.178.196.1): Normal
                  Interface OSS (10.178.197.129): Normal
                  Interface Application_server_Trust (10.178.197.65): Normal
                  Interface DMZ (10.178.197.1): Normal
                  Interface BACKUP (10.178.193.193): No Link (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface Untrust (164.100.122.5): Normal
                  Interface SWAN (10.178.12.14): No Link (Waiting)
                  Interface management (0.0.0.0): Normal (Waiting)
                  Interface NOC/MGMT (10.178.196.2): Normal
                  Interface OSS (10.178.197.130): Normal
                  Interface Application_server_Trust (10.178.197.66): Normal
                  Interface DMZ (10.178.197.2): Normal
                  Interface BACKUP (0.0.0.0): No Link (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

Please help in this regard.

Reg

Jyotirmoy


varrao
Level 10

Hi Jyotirmoy,

The failover is not working; there seems to be a loss of communication between the two firewalls on the failover interfaces.

Can you provide the following outputs from both the firewalls:

show run failover
show failover history
show fail state
show failover statistics

Moreover, the interface on the Primary firewall does not seem to be connected:

Interface SWAN (10.178.12.14): No Link (Waiting)

Please check this interface.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

ASA Primary:-

ASAPRI# sh run failover
failover
failover lan unit primary
failover lan interface FAILOVER_INT GigabitEthernet0/2
failover interface ip FAILOVER_INT 192.168.50.1 255.255.255.0 standby 192.168.50.2

ASAPRI# sh fail his
==========================================================================
From State                 To State                   Reason
==========================================================================
12:43:15 IST Jul 15 2011
Not Detected               Negotiation                No Error

12:43:43 IST Jul 15 2011
Negotiation                Just Active                No Active unit found

12:43:43 IST Jul 15 2011
Just Active                Active Drain               No Active unit found

12:43:43 IST Jul 15 2011
Active Drain               Active Applying Config     No Active unit found

12:43:43 IST Jul 15 2011
Active Applying Config     Active Config Applied      No Active unit found

12:43:43 IST Jul 15 2011
Active Config Applied      Active                     No Active unit found
==========================================================================

ASAPRI# sh fail state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Ifc Failure              11:56:25 IST Sep 19 2011
                              SWAN: No Link
                              BACKUP: No Link

====Configuration State===
        Sync Done
====Communication State===
        Mac set

ASAPRI# sh fail statistics
        tx:8786062
        rx:8785084
ASAPRI#

ASA SEC:-

ASAPRI# sh run fail
failover
failover lan unit secondary
failover lan interface FAILOVER_INT GigabitEthernet0/2
failover interface ip FAILOVER_INT 192.168.50.1 255.255.255.0 standby 192.168.50.2

ASAPRI# sh fail his
ASAPRI# sh fail history
==========================================================================
From State                 To State                   Reason
==========================================================================
05:25:14 IST Aug 17 2011
Failed                     Standby Ready              Interface check

05:25:22 IST Aug 17 2011
Standby Ready              Failed                     Interface check

03:34:17 IST Aug 18 2011
Failed                     Standby Ready              Interface check

03:34:22 IST Aug 18 2011
Standby Ready              Failed                     Interface check

03:37:04 IST Aug 18 2011
Failed                     Standby Ready              Interface check

03:37:39 IST Aug 18 2011
Standby Ready              Failed                     Interface check

07:32:37 IST Aug 18 2011
Failed                     Standby Ready              Interface check

07:33:19 IST Aug 18 2011
Standby Ready              Failed                     Interface check

07:36:42 IST Aug 18 2011
Failed                     Standby Ready              Interface check

07:37:19 IST Aug 18 2011
Standby Ready              Failed                     Interface check

07:59:29 IST Aug 18 2011
Failed                     Standby Ready              Interface check

07:59:44 IST Aug 18 2011
Standby Ready              Failed                     Interface check

08:08:22 IST Aug 18 2011
Failed                     Standby Ready              Interface check

08:08:37 IST Aug 18 2011
Standby Ready              Failed                     Interface check

08:12:02 IST Aug 18 2011
Failed                     Standby Ready              Interface check

08:12:59 IST Aug 18 2011
Standby Ready              Failed                     Interface check

08:13:12 IST Aug 18 2011
Failed                     Standby Ready              Interface check

08:13:19 IST Aug 18 2011
Standby Ready              Failed                     Interface check

03:47:22 IST Sep 19 2011
Failed                     Standby Ready              Interface check

03:47:29 IST Sep 19 2011
Standby Ready              Failed                     Interface check
==========================================================================

ASAPRI# sh fail state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Failed         Ifc Failure              03:47:29 IST Sep 19 2011
                              SWAN: No Link
                              BACKUP: No Link
Other host -   Primary
               Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

ASAPRI# sh fail stati
ASAPRI# sh fail statistics
        tx:8787809
        rx:8785373
ASAPRI#

Note: Failover is working, but when I fire the sh failover command the secondary ASA is showing as failed in place of standby...

Thank you for your reply,

As asked by you, I have shared the outputs above; please help me in this regard......

Reg

Jyotirmoy

Hi Jyotirmoy,

When you say it was working fine, what exactly do you mean?? If you do a failover, does the Secondary firewall become active? Have you tested it ever before, or now?

I see this message on the secondary:

03:47:29 IST Sep 19 2011
Standby Ready              Failed                     Interface check

Did you check this interface on the secondary?

Varun

Thanks,
Varun Rao

Hi Varun,

Everything is working fine, but the only problem is that when I fire the "sh failover" command the primary ASA shows active and the secondary ASA shows failed, whereas if I log in to the secondary ASA I can see the synchronized configuration file of the primary ASA.

Now my question is why the secondary ASA is showing failed, since the configuration file is getting synchronized between the two ASAs.

Reg

Jyotirmoy

Hi,

It appears that both ASAs synced previously but are not in sync currently. From your first post, both the PRI and SEC ASAs are showing themselves as primary.

ASAPRI# sh fail
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 12:43:43 IST Jul 15 2011
        This host: Primary - Active
        Other host: Secondary - Failed

ASASEC# sh fail
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 12:43:43 IST Jul 15 2011
        This host: Primary - Active
        Other host: Secondary - Failed

In case you have not tested, try to make a non-production-impacting change (e.g. adding a username, etc., and do a write mem). Then check if it replicates to the other unit. If not, please check the physical connections and network path. Also, you may want to enable the replication method on those ASAs.

hth

MS

I believe the same "sh run fail" output was copied and pasted on both units and then the "failover lan unit" line was changed on one unit to "secondary". That is my guess.

Now, this output that we see is very very strange.

Here is the action plan.

1. On the unit that you think is secondary, issue "write erase" - wipe the config and reload without saving.

2. While this unit comes up, save the config on the other unit and reboot that as well. When it comes up, make sure to issue "sh fail" and make sure it shows this unit primary active, other unit secondary failed.

3. Then, when the write-erased unit comes up clean with no config, issue:

conf t
int g0/2
no shut
failover lan unit secondary
failover lan interface FAILOVER_INT GigabitEthernet0/2
failover interface ip FAILOVER_INT 192.168.50.1 255.255.255.0 standby 192.168.50.2
failover

4. Issue sh fail and watch it detect the existing mate and sync up with the mate.

Good luck.

-KS

Hello All,

Even I'm facing the same issue. Also, I cannot try what poonguzhali said, since this ASA is installed in an entity which runs 24*7 and even a minor outage is highly critical. So is there any option to resolve this?

As said, failover is happening fine. If the primary goes down, the secondary comes on to Active and the primary goes to failed state, and vice versa.

I am able to see that the failover interface is UP and pingable. Debug fover shows the cable and other aspects check OK.

Attached a snapshot for reference. Is it a bug? By the way, both the ASA5510s have Version 5.0(8) and both are in sync. Any suggestions?

Hi,

Can you provide these outputs:-

1) show failover
2) show run all monitor-interface

Thanks and Regards,

Vibhor Amrodia

Hello Vibhor,

Now it is fixed by itself.

mokul1-fw1# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              06:07:08 MYT Aug 13 2015
                              Inncom: Failed

Thanks anyways :) 

martincook1
Level 1

This is probably not useful to the OP as this was 4 years ago. But for others that have stumbled on this page because of similar problems I will point out why the secondary ASA in this case (and possibly yours) will simply not go into a (Standby Ready) status.

Take a look at the OP's "show failover" below these two paragraphs and look at the two colored lines. The Secondary ASA has a link that is in a "No Link" status (meaning it is down); also note that the same interface (SWAN) shows "Waiting" next to the interface, simply meaning it is being monitored for failover. So you have a Secondary ASA with an interface that is down that is being monitored for failover; that is why it will continue to show your ASA as failed. Until you either stop monitoring that specific port, or you bring it up (it's probably unplugged), your ASA will stay in a failed status.

Just because your Secondary ASA is in a failed failover status does not mean it will discontinue receiving configuration updates from the Primary ASA; it simply believes that it cannot fully take over in the event of an actual failover of the Primary ASA, which it can't, because you have an interface down on your backup.

ASAPRI# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER_INT GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 12:43:43 IST Jul 15 2011
        This host: Primary - Active
                Active time: 6042167 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface Untrust (164.100.122.4): Normal
                  Interface SWAN (10.178.12.13): Normal (Waiting)
                  Interface management (192.168.1.1): Normal (Waiting)
                  Interface NOC/MGMT (10.178.196.1): Normal
                  Interface OSS (10.178.197.129): Normal
                  Interface Application_server_Trust (10.178.197.65): Normal
                  Interface DMZ (10.178.197.1): Normal
                  Interface BACKUP (10.178.193.193): No Link (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface Untrust (164.100.122.5): Normal
                  Interface SWAN (10.178.12.14): No Link (Waiting)
                  Interface management (0.0.0.0): Normal (Waiting)
                  Interface NOC/MGMT (10.178.196.2): Normal
                  Interface OSS (10.178.197.130): Normal
                  Interface Application_server_Trust (10.178.197.66): Normal
                  Interface DMZ (10.178.197.2): Normal
                  Interface BACKUP (0.0.0.0): No Link (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Hope this helps.

Also for those wondering..

Looking at the "show failover" above, you will notice that on BOTH ASAs the BACKUP port is also in a No Link status, and it is being monitored.

Interface BACKUP (0.0.0.0): No Link (Waiting)

So yes, the port is down and it is being monitored for failover (Waiting), but it is down on both ASAs, so that would not make the backup ASA think it is in a failed status. It could still take over for the Primary; it's pretty easy to take over for a port with no link... it doesn't have to do anything =]
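The rule in the two posts above (a monitored interface with No Link on the secondary only keeps it Failed; one with No Link on both units does not) can be checked mechanically against "show failover" text. This is an added example, not code from the thread or from Cisco; it assumes the 8.2-style line format shown in the thread, and it assumes an interface excluded from monitoring would carry "Not-Monitored" in its status text.

```python
import re

# Constructed sample, cut down from the shape of the thread's "show failover" output.
SAMPLE = """\
        This host: Primary - Active
                Active time: 6042167 (sec)
                  Interface Untrust (164.100.122.4): Normal
                  Interface SWAN (10.178.12.13): Normal (Waiting)
                  Interface management (192.168.1.1): Normal (Waiting)
                  Interface BACKUP (10.178.193.193): No Link (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                  Interface Untrust (164.100.122.5): Normal
                  Interface SWAN (10.178.12.14): No Link (Waiting)
                  Interface management (0.0.0.0): Normal (Waiting)
                  Interface BACKUP (0.0.0.0): No Link (Waiting)
"""

HOST_RE = re.compile(r"^\s*(This host|Other host):\s*(\S+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")


def parse_show_failover(text):
    """Map 'This host'/'Other host' to role, unit state and per-interface status."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"role": m.group(2), "state": m.group(3), "ifaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            hosts[current]["ifaces"][m.group(1)] = m.group(3)
    return hosts


def classify_mate_links(hosts):
    """For each No Link interface on the mate, say whether it alone explains a Failed mate."""
    mine = hosts.get("This host", {}).get("ifaces", {})
    verdict = {}
    for name, status in hosts.get("Other host", {}).get("ifaces", {}).items():
        if "No Link" not in status or "Not-Monitored" in status:
            continue  # link is fine, or the interface is not monitored: cannot fail the mate
        if "No Link" in mine.get(name, ""):
            verdict[name] = "down_on_both"    # down on both units: no failover penalty
        else:
            verdict[name] = "mate_only_down"  # up here, down on the mate: keeps mate Failed
    return verdict


def report(text):
    """Human-readable summary: mate state plus the per-interface verdicts."""
    hosts = parse_show_failover(text)
    lines = ["Other host state: %s" % hosts["Other host"]["state"]]
    lines += ["  %s: %s" % item for item in classify_mate_links(hosts).items()]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

On the constructed sample this flags SWAN as the interface that keeps the secondary Failed and BACKUP as down on both units, which matches the diagnosis in the thread.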

Excellent, thanks. I ran into a similar issue a couple of weeks ago.

avito2015
Level 1

        This host: Primary - Active
                Active time: 6042167 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface Untrust (164.100.122.4): Normal
                  Interface SWAN (10.178.12.13): Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface Untrust (164.100.122.5): Normal
                  Interface SWAN (10.178.12.14): No Link (Waiting)

Because of this, the status appears as Failed on the secondary, so check the link.
