
Firewalls in Failover with standby address

a.maldonado
Level 1


I have an issue with a pair of Cisco ASA5515.

These two firewalls are in Failover configuration. I had some access problems from one of the VLANs yesterday where we could not access the outside network. This is a TEST environment at the moment.

Today, I found the IP addresses of all sub interfaces on the Active firewall have changed and they have taken the IP addresses that I assigned to the standby or secondary Firewall.

Please see below the subinterfaces configuration and the output of sh int ip brief.

Can someone please tell me what might be wrong?

interface GigabitEthernet0/0
 no shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.7
 vlan 7
 nameif A
 security-level 100
 ip address 10.0.8.1 255.255.255.128 standby 10.0.8.2
 dhcprelay server 10.0.0.246
 dhcprelay server 10.0.0.247
!
interface GigabitEthernet0/0.8
 vlan 8
 nameif B
 security-level 100
 ip address 10.0.8.129 255.255.255.128 standby 10.0.8.130
 dhcprelay server 10.0.0.246
 dhcprelay server 10.0.0.247
!
interface GigabitEthernet0/0.9
 vlan 9
 nameif C
 security-level 100
 ip address 10.0.9.1 255.255.255.0 standby 10.0.9.2
 dhcprelay server 10.0.0.246
 dhcprelay server 10.0.0.247
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif D
 security-level 100
 ip address 10.0.0.5 255.255.255.0 standby 10.0.0.254
!
!
interface GigabitEthernet0/0.13
 vlan 13
 nameif E
 security-level 100
 ip address 10.0.13.1 255.255.255.0 standby 10.0.13.2
 dhcprelay server 10.0.0.246
 dhcprelay server 10.0.0.247
!
interface GigabitEthernet0/0.14
 vlan 14
 nameif F
 security-level 100
 ip address 10.0.14.1 255.255.255.128 standby 10.0.14.2
 dhcprelay server 10.0.0.246
 dhcprelay server 10.0.0.247
 dhcprelay server 10.0.0.90
!
interface GigabitEthernet0/0.15
 vlan 15
 nameif G
 security-level 100
 ip address 10.0.14.129 255.255.255.128 standby 10.0.14.130
 dhcprelay server 10.0.0.246
 dhcprelay server 10.0.0.247
!
interface GigabitEthernet0/0.16
 vlan 16
 nameif H
 security-level 100
 ip address 10.0.15.1 255.255.255.128 standby 10.0.15.2
 dhcprelay server 10.0.0.246
 dhcprelay server 10.0.0.247
!
interface GigabitEthernet0/0.17
 vlan 17
 nameif J
 security-level 100
 ip address 10.0.15.129 255.255.255.128 standby 10.0.15.130
 dhcprelay server 10.0.0.246
 dhcprelay server 10.0.0.247
!
interface GigabitEthernet0/0.18
 vlan 18
 nameif K
 security-level 100
 ip address 10.0.16.1 255.255.255.0 standby 10.0.16.2
 dhcprelay server 10.0.0.246
 dhcprelay server 10.0.0.247
!

ASA# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up
GigabitEthernet0/0.7       10.0.8.2        YES manual up                    up
GigabitEthernet0/0.8       10.0.8.130      YES manual up                    up
GigabitEthernet0/0.9       10.0.9.2        YES manual up                    up
GigabitEthernet0/0.10      10.0.0.254      YES manual up                    up
GigabitEthernet0/0.13      10.0.13.2       YES manual up                    up
GigabitEthernet0/0.14      10.0.14.2       YES manual up                    up
GigabitEthernet0/0.15      10.0.14.130     YES manual up                    up
GigabitEthernet0/0.16      10.0.15.2       YES manual up                    up
GigabitEthernet0/0.17      10.0.15.130     YES manual up                    up
GigabitEthernet0/0.18      10.0.16.2       YES manual up                    up



And the failover configuration is as follows:

On Active ASA:

!
interface G0/5
 description FOLINK
 no shut
!
failover lan unit primary
failover lan interface FOLINK G0/5
failover interface ip FOLINK 192.168.153.253 255.255.255.252 standby 192.168.153.254
failover link stateful G0/5
failover
!
!
On Standby ASA:

interface G0/5
 description FOLINK
 no shut
!
failover lan unit secondary
failover lan interface FOLINK G0/5
failover interface ip FOLINK 192.168.153.253 255.255.255.252 standby 192.168.153.254
failover link stateful G0/5
failover

4 Replies

Rahul Govindan
VIP Alumni

What does the "show failover" output show on both the Active and Standby firewalls?

Hi Rahul,

Unfortunately, I have since rebooted the Active Firewall in order to do what I had to do. But I enclose the output of the sh failover command on both firewalls. I hope you find some indication of what is happening.

Thank you in advance

Any chance you had a failover event during the time you saw the issue? The Primary device will then receive the standby ip address and Secondary will get the active ip address. Did you happen to check the failover state when the issue took place?
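The check described in the reply above can be done offline by comparing each `ip address ... standby ...` pair in the configuration against what `sh int ip brief` reports. This is an added example, not part of the original thread: the function names are hypothetical, and the sample data is a three-interface subset of the output posted above.

```python
import re

# Constructed sample: three subinterfaces copied from the configuration and
# "sh int ip brief" output posted in this thread.
CONFIG = """\
interface GigabitEthernet0/0.7
 ip address 10.0.8.1 255.255.255.128 standby 10.0.8.2
interface GigabitEthernet0/0.8
 ip address 10.0.8.129 255.255.255.128 standby 10.0.8.130
interface GigabitEthernet0/0.10
 ip address 10.0.0.5 255.255.255.0 standby 10.0.0.254
"""
BRIEF = """\
GigabitEthernet0/0.7       10.0.8.2        YES manual up    up
GigabitEthernet0/0.8       10.0.8.130      YES manual up    up
GigabitEthernet0/0.10      10.0.0.254      YES manual up    up
"""

def parse_config(text):
    """Map interface name -> (active_ip, standby_ip) from the running config."""
    pairs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) \S+ standby (\S+)", line)
        if m and current:
            pairs[current] = (m.group(1), m.group(2))
    return pairs

def held_role(config_text, brief_text):
    """Return which address set the unit holds: active, standby, mixed or no-data."""
    pairs = parse_config(config_text)
    roles = set()
    for line in brief_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in pairs:
            continue  # header line, or an interface with no standby address
        active_ip, standby_ip = pairs[fields[0]]
        if fields[1] == active_ip:
            roles.add("active")
        elif fields[1] == standby_ip:
            roles.add("standby")
        else:
            roles.add("unknown")
    if len(roles) == 1:
        return roles.pop()
    return "mixed" if roles else "no-data"
```

Running `held_role` against captures from both units at the same moment shows whether the pair has swapped roles; a "mixed" result means the capture and the configuration do not describe the same state.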

Rahul,

When I saw what happened, I checked the failover state of the active firewall and confirmed that it was the active at the time I copied the information I sent you. I did not pay attention to the rest of the output.

I don't remember seeing any messages of change of failover state.

What exactly were you expecting to see? Do you think the failover configuration is correct? I really thought it was too simple to be true.
