
Firewall Failover Monitoring Issue in HA Mode

sanjeevmahadani
Level 1

Hi,

I have configured two FWs for HA mode, and when I check "sh failover" I am unable to understand why it's showing only two interfaces in monitoring. It should show all 4 interfaces in monitoring. I have highlighted this in the configuration below.

I am very new to FWs. Below is my complete FW configuration; I'd appreciate your help if I am missing anything in my configuration, i.e. routing / VLAN ........

TechMFWPRIM# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: HA-SYNC Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
----------------------------------------------------------
Monitored Interfaces 2 of 110 maximum
----------------------------------------------------------
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 04:10:31 UTC Jun 7 2012
        This host: Primary - Active
                Active time: 21300 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(2)) status (Up Sys)
                  Interface Outside_Data (172.16.1.2): Normal (Waiting)
-------------------------------------------------------------------------------------------------------------
                  Interface INSIDE (10.28.63.17): Normal (Not-Monitored)
                  Interface CDMZ (10.28.63.33): Normal (Not-Monitored)
-------------------------------------------------------------------------------------------------------------
                  Interface Outside_Voice (172.16.2.2): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 80510 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(2)) status (Up Sys)
                  Interface Outside_Data (0.0.0.0): Normal (Waiting)
------------------------------------------------------------------------------------------------------------
                  Interface INSIDE (10.28.63.18): Normal (Not-Monitored)
                  Interface CDMZ (10.28.63.34): Normal (Not-Monitored)
------------------------------------------------------------------------------------------------------------
                  Interface Outside_Voice (0.0.0.0): Normal (Waiting)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
TechMFWPRIM#

TechMFWPRIM(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname TechMFWPRIM
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Outside Airtel_Data
 nameif Outside_Data
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
interface Ethernet0/1
 description Inside Airtel LAN Interface
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.102
 description Inside Airtel LAN Interface
 vlan 102
 nameif INSIDE
 security-level 100
 ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.100
 description CDMZ
 vlan 100
 nameif CDMZ
 security-level 50
 ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34
!
interface Ethernet0/3
 description Outside_Voice
 nameif Outside_Voice
 security-level 0
 ip address 172.16.2.2 255.255.255.252
!
interface Management0/0
 description LAN Failover Interface
!
ftp mode passive
pager lines 24
logging asdm informational
mtu Outside_Data 1500
mtu INSIDE 1500
mtu CDMZ 1500
mtu Outside_Voice 1500
failover
failover lan unit primary
failover lan interface HA-SYNC Management0/0
failover replication http
failover interface ip HA-SYNC 192.168.3.1 255.255.255.0 standby 192.168.3.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside_Data 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.28.0.0 255.255.255.240 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 0.0.0.0 0.0.0.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username TIMFW password c.6Nu5hdpSeNFjvS encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:39242421493f5e1e7e9039247fa4ac00
: end

Regards

Sanjeev

3 Replies

Sergey Tregubov
Level 1

By default, a Cisco ASA in failover monitors only physical interfaces with a configured nameif and IP address.

Monitoring of subinterfaces is disabled by default.

To enable monitoring of subinterfaces, use these commands (in your case):

monitor-interface INSIDE

monitor-interface CDMZ

Hi Sergey,

Thanks, let me try... I will update you shortly on the progress.

Just one more help, please check the above FW configuration and suggest if I am missing anything.

Regards

Sanjeev

In your config you have the command failover replication http; without stateful failover this command is useless.

You can enable stateful failover (in your case) with the command:

failover link HA-SYNC

Now your active ASA replicates state information to the standby one. By default HTTP sessions are not replicated, so we have to use the failover replication http command to enable that.
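Both points raised in the replies (subinterfaces are not monitored until monitor-interface is added, and failover replication http does nothing without a failover link) can be checked mechanically against a saved running config. The script below is an added example, not part of the thread or any Cisco tool; it audits a constructed excerpt of the config posted above and assumes the ASA 8.4 command syntax shown in this thread.

```python
import re

# Constructed excerpt of the running config posted in the thread (not live device output).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside_Data
 ip address 172.16.1.2 255.255.255.252
!
interface Ethernet0/1.102
 vlan 102
 nameif INSIDE
 ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18
!
interface Ethernet0/2.100
 vlan 100
 nameif CDMZ
 ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34
!
failover
failover lan interface HA-SYNC Management0/0
failover replication http
"""

def named_interfaces(config):
    """Map each nameif to whether its interface is a VLAN subinterface (name contains a dot)."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.strip().startswith("nameif ") and current:
            result[line.split()[1]] = "." in current
    return result

def audit_failover(config):
    """Apply the two checks from the thread and return findings as strings."""
    findings = []
    monitored = set(re.findall(r"^monitor-interface (\S+)", config, re.M))
    for nameif, is_sub in named_interfaces(config).items():
        # Physical interfaces with a nameif are monitored by default; subinterfaces are not.
        if is_sub and nameif not in monitored:
            findings.append(f"{nameif}: subinterface not monitored, add 'monitor-interface {nameif}'")
    has_http = re.search(r"^failover replication http$", config, re.M)
    has_link = re.search(r"^failover link ", config, re.M)
    if has_http and not has_link:
        findings.append("'failover replication http' has no effect without 'failover link'")
    return findings

if __name__ == "__main__":
    for finding in audit_failover(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it reports INSIDE and CDMZ as unmonitored and flags the orphaned replication command; adding the two monitor-interface lines and failover link HA-SYNC clears all findings.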
