Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1305
Views
0
Helpful
5
Replies

Failover on ASA5510 - reason of interface tests

Sasha Morozov
Level 1
Level 1

‎06-25-2011 08:00 AM - edited ‎03-11-2019 01:50 PM

Do I correctly understand that when two ASA 5510 are in failover pair, the switchover from primary to secondary if one interface of primary goes down shall happen ONLY if failover link is up? So when the failover link is down and one interface on primary got down also,  interface tests between the two ASAs still are being done , but secondary SHALL NEVER try to become active.

In this case why to make  tests on data interfaces ? What is the reason to make them?

If the knowledge of that some interfaces  of primary became down comes through failover link - no need to make additional interface tests - primary will tell about the failure to secondary. If so should run

no monitor-interface  ifname

command to disload devices and network by foolish  tests?

Labels:
0 Helpful
5 Replies 5

Anu M Chacko
Cisco Employee
Cisco Employee

‎06-25-2011 11:33 AM

Hi Sasha,

You're right. A failover will happen only if the failover link is up. FYI, after the fix for the following bug, failover happens even if the failover link is down:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw37519

The interface tests are done to monitor the health of the interfaces. The failover link does relay the information about the data interfaces-whether the interface links are up or down. If interface monitoring is enabled, the results of which interface is healthier is decided through the failover link. Interface tests are done and the results of these tests are compared over the failover link. Failover is triggered when the active unit becomes less healthier than the standby unit. This is why they are enabled on the interfaces.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1097144

Hope this helps.

Regards,

Anu

P.S. Please mark this question as resolved if it has been answered. Do rate helpful posts. Thanks!


0 Helpful

Sasha Morozov
Level 1
Level 1
In response to Anu M Chacko

‎06-25-2011 01:41 PM

Ok, thank you, I got you. How do I get access to the http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw37519

I have the only guest account and the website tells me


Your Cisco Guest Login is not entitled to use Bug Toolkit.

Registered Customers and Partners may register for access here

What should I purchase for that?

0 Helpful

Anu M Chacko
Cisco Employee
Cisco Employee
In response to Sasha Morozov

‎06-25-2011 01:54 PM

Hi Sasha,

This is probably because the contract is not your name. You need to have a valid CCO id to access the details.

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.

0 Helpful

Sasha Morozov
Level 1
Level 1
In response to Anu M Chacko

‎06-26-2011 01:32 PM

Ok. I'd like to mark the question as answered. But please anwser my last question.

Here are 2 situations.

First situation.

Two ASA 5510 are in failover pair. We break the failover link. No reaction from secondary except that it marks the failover link as failed. We break one data link on primary. No reaction from secondary. We break ALL links on primary, that is primary unit is not connected to network at all. No reaction from secondary, that is if the situation will go on it shall never become active. And...

Second situation.

Two ASA 5510 are in failover pair. We just deprive primary unit of power supply, that is we in a hard way switch it off just tearing off the power cable on it. The reaction from secondary is (ah wonder!!!) it becomes active.

Now the question is: what is the difference between the two situations. Both are the same because secondary cannot catch the information that the primary got down: in the first - because failover links failed, in the second one - primary had no chance to tell something to secondary by failover link 'cause was powered off by tearing the power cable off. How the secondary differentiate these cases?

Thank you.

0 Helpful

Anu M Chacko
Cisco Employee
Cisco Employee
In response to Sasha Morozov

‎06-27-2011 04:00 AM

Hi Sasha,

In the first case, you first broke the failover link. No failover will happen since the units can still talk to each other via data interfaces and traffic will not be affected. If anything happens after this, like the data interfaces go down, no failover will happen and traffic will be affected. With CSCsw37519 bug fix, the interface health will be compared only at the time of the failover link failure. For whatever happens after this, no failover will happen, which is why you saw that behavior.

In the next scenario, the ASA was powered down. When this happens, interface tests are quickly done to calculate which ASA has more healthier interfaces and this is decided via the failover link. Since the Primary ASA interfaces are all down, the Secondary ASA is labelled as more healthier and failover happens successfully.

Hope this is clear. Please let me know if you have any queries about this.

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card