09-01-2010 05:02 PM - edited 03-11-2019 11:33 AM
Hello Everyone,
I have redundant firewalls in a multicontext active/standby setup. There are only 3 interfaces (inside, dmz, outside), configured using subinterfaces for all contexts. I am getting a waiting state on the interfaces when I do "sh failover". Unfortunately, at this moment I cannot provide the output of "sh failover" since I am having access problems due to the changeover to TACACS. I will do so in a very short while.
I need to know if it is possible to do a forceful failover when the interfaces are in the active state. Currently the active firewall is "ACTIVE" and the secondary firewall is "STANDBY READY".
You can see my last post on the same issue - https://supportforums.cisco.com/message/3171035#3171035.
Thanks
09-01-2010 05:12 PM
Do you have standby IP addresses assigned to your interfaces? This could be a possible reason why your interfaces are in waiting state:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s3.html#wp1425186
Also, since you are using subinterfaces, did you specify those subinterfaces to be monitored by failover? By default physical interfaces are monitored, while subinterfaces are not:
"By default, monitoring of physical interfaces is enabled and the monitoring of subinterfaces is disabled. You can enable monitoring for subinterfaces with the command monitor-interface."
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1073911
09-01-2010 05:21 PM
Hi Allen,
In every context I am monitoring the interfaces. The interfaces are being monitored like this:
admin context
===========
interface outsideshared
nameif outside
security-level 55
ip address 15.10.12.1 255.255.255.0 standby 15.10.12.2
!
interface dmzadmincontext
nameif dmz
security-level 60
ip address 16.10.12.1 255.255.255.0 standby 16.10.12.2
!
interface insideadmincontext
nameif inside
security-level 100
ip address 17.10.12.1 255.255.255.0 standby 17.10.12.2
!
monitor-interface outside
monitor-interface dmz
monitor-interface inside
customer A context
===============
interface outside
nameif outside
security-level 0
ip address 192.168.11.2 255.255.255.0 standby 192.168.11.3
!
interface inside
nameif inside
security-level 98
ip address 192.168.12.2 255.255.255.0 standby 192.168.12.3
!
monitor-interface outside
monitor-interface inside
All these interfaces are subinterfaces defined as VLANs in the system context. These are the configs which I have on my machine (addresses changed).
Thanks
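Allen's two checks (a standby address on every interface, and a monitor-interface line for each subinterface) applied to context configs like the ones posted above, plus a parser for the per-interface lines of "show failover", as an added example that is not part of this thread or of any Cisco tool. The context text and the "show failover" excerpt are constructed: "admin" is trimmed from the posted admin context, "customerB" is invented so that one interface carries both defects, and the output layout is assumed from the ASA 8.x multicontext "show failover" format.

```python
import re

# Constructed sample: "admin" mirrors the admin context posted above (trimmed to
# two interfaces); "customerB" is invented so its inside interface has neither a
# standby address nor a monitor-interface line.
CONTEXTS = {
    "admin": """
interface outsideshared
 nameif outside
 security-level 55
 ip address 15.10.12.1 255.255.255.0 standby 15.10.12.2
!
interface insideadmincontext
 nameif inside
 security-level 100
 ip address 17.10.12.1 255.255.255.0 standby 17.10.12.2
!
monitor-interface outside
monitor-interface inside
""",
    "customerB": """
interface outsidecustb
 nameif outside
 security-level 0
 ip address 10.20.30.2 255.255.255.0 standby 10.20.30.3
!
interface insidecustb
 nameif inside
 security-level 100
 ip address 10.20.32.2 255.255.255.0
!
monitor-interface outside
""",
}

# Constructed "show failover" excerpt; assumed multicontext layout is
# "<context> Interface <nameif> (<ip>): <link state> (<monitor state>)".
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
This host: Primary - Active
        admin Interface outside (15.10.12.1): Normal (Waiting)
        admin Interface inside (17.10.12.1): Normal (Monitored)
        customerB Interface outside (10.20.30.2): Normal (Monitored)
        customerB Interface inside (10.20.32.2): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
        admin Interface outside (15.10.12.2): Normal (Waiting)
        admin Interface inside (17.10.12.2): Normal (Monitored)
"""

IP_RE = re.compile(r"^ip address \S+ \S+(?: standby (\S+))?$")
FO_RE = re.compile(r"^\s*(?:(\S+) )?Interface (\S+) \(([^)]+)\): ([^(]+?) \((\S+)\)\s*$")


def parse_interfaces(config):
    """Map each nameif in one context to its standby address and monitoring flag."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None                      # new block; nameif comes next
        elif line.startswith("nameif "):
            current = line.split()[1]
            ifaces[current] = {"standby": None, "monitored": False}
        elif current and line.startswith("ip address "):
            m = IP_RE.match(line)
            ifaces[current]["standby"] = m.group(1) if m else None
        elif line.startswith("monitor-interface "):
            name = line.split()[1]
            ifaces.setdefault(name, {"standby": None, "monitored": False})["monitored"] = True
    return ifaces


def audit_context(name, config):
    """One finding per interface that failover cannot bring out of Waiting."""
    findings = []
    for ifname, info in parse_interfaces(config).items():
        if info["standby"] is None:
            findings.append(f"{name}/{ifname}: no standby address, so the peer cannot be polled on this subnet")
        if not info["monitored"]:
            findings.append(f"{name}/{ifname}: not monitored (subinterfaces need 'monitor-interface {ifname}')")
    return findings


def waiting_interfaces(text):
    """List (host, context, nameif) for every interface 'show failover' reports as Waiting."""
    host, waiting = None, []
    for line in text.splitlines():
        if line.startswith(("This host:", "Other host:")):
            host = line.split(":")[0]
        m = FO_RE.match(line)
        if m and m.group(5) == "Waiting":
            waiting.append((host, m.group(1), m.group(2)))
    return waiting


if __name__ == "__main__":
    for ctx, cfg in CONTEXTS.items():
        for finding in audit_context(ctx, cfg):
            print(finding)
    for host, ctx, ifname in waiting_interfaces(SHOW_FAILOVER):
        print(f"{host}: {ctx}/{ifname} is Waiting")
```

Run it against each context's "show running-config" and the system context's "show failover"; an interface that has a standby address and is monitored but still sits in Waiting points at the connectivity problem AD mentions below (the units cannot reach each other's standby address on that VLAN) rather than at the configuration.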
09-01-2010 05:13 PM
As long as your failover is working fine in active/standby you can do the failover. For the interfaces in the waiting state you need to check connectivity, as it cannot check the standby IP.
- AD