Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1018
Views
0
Helpful
2
Replies

HA Active/Standby Issue on Cisco ASAv

dim_ing
Level 1
Level 1

‎02-02-2021 02:42 AM

Hello,

 

I am experiencing issue with HA configuration between 2 ASAv. Please find below the failover configuration for the primary and the secondary:

 

 

act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 461 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.12(3)12, Mate 9.12(3)12
Serial Number: Ours 9AHM36A2SF1, Mate 9AF8LBVTFBW
Last Failover at: 11:19:25 CEST Feb 2 2021
This host: Primary - Active
Active time: 722 (sec)
slot 0: ASAv hw/sw rev (/9.12(3)12) status (Up Sys)
Interface VPN-INSIDE (172.17.19.3): Normal (Monitored)
Interface VPN-OUTSIDE (172.17.18.3): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 924 (sec)
Interface VPN-INSIDE (172.17.19.4): Normal (Monitored)
Interface VPN-OUTSIDE (172.17.18.4): Normal (Monitored)

 

 

stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 461 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.12(3)12, Mate 9.12(3)12
Serial Number: Ours 9AF8LBVTFBW, Mate 9AHM36A2SF1
Last Failover at: 11:19:25 CEST Feb 2 2021
This host: Secondary - Standby Ready
Active time: 924 (sec)
slot 0: ASAv hw/sw rev (/9.12(3)12) status (Up Sys)
Interface VPN-INSIDE (172.17.19.4): Normal (Monitored)
Interface VPN-OUTSIDE (172.17.18.4): Normal (Monitored)
Other host: Primary - Active
Active time: 654 (sec)
Interface VPN-INSIDE (172.17.19.3): Normal (Monitored)
Interface VPN-OUTSIDE (172.17.18.3): Normal (Monitored)

 

When I perform the command "failover active" on Standby it seems it becomes active, but the ping towards the Active IP 172.17.19.3 doesn't return anything and I see the status normal(waiting) as you can see in the attached picture.

 

 

Please also have in mind  that I have also configured standby interfaces:

interface GigabitEthernet0/1
nameif VPN-INSIDE
security-level 100
ip address 172.17.19.3 255.255.255.0 standby 172.17.19.4
!

interface GigabitEthernet0/2
nameif VPN-OUTSIDE
security-level 10
ip address 172.17.18.3 255.255.255.0 standby 172.17.18.4
!

Do you have any idea, what could be the issue and after the failover neither of the IPs are pingable. The only pingable is the failover IP.

Preview file
126 KB
0 Helpful
2 Replies 2

johnlloyd_13
Level 9
Level 9

‎02-02-2021 05:37 AM

hi,

are you forcing failover from active/primary to secondary/standby FW?

try issuing a "no failover active" from the active primary.

0 Helpful

dim_ing
Level 1
Level 1
In response to johnlloyd_13

‎02-02-2021 05:47 AM

Hello,

I forced the failover so as to check if it is working properly, but although secondary becomes active it is unreachable and the only way to restore it is via VM console.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card