03-19-2013 09:39 AM - edited 03-11-2019 06:16 PM
hello everyone,
I've got an ASA 5550 firewall interface failover issue.
Please take a look at the attached file.
When I shut down the inside interface Gi 1/1 of the left firewall (the active firewall),
it failed to fail over.
But when I shut down Gi 1/12 of the Core 1 switch,
the firewall failed over very well.
I followed this guide but I was not able to fail over.
https://supportforums.cisco.com/thread/228489
How can I configure it so that when the Gi 1/1 or Gi 1/0 interface goes down,
it fails over?
I appreciate any help,
Thanks,
ASA config:
.....
interface GigabitEthernet0/3
description STATE Failover Interface
!
interface Management0/0
description LAN Failover Interface
management-only
!
interface GigabitEthernet1/0
media-type sfp
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/1
media-type sfp
nameif inside
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/2
media-type sfp
nameif inside-backup
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/3
media-type sfp
nameif outside-backup
security-level 0
ip address 192.168.3.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type AllowedICMP
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
icmp-object time-exceeded
access-list EXEMPT extended permit ip 192.168.4.0 255.255.255.0 any
access-list EXEMPT extended permit ip 10.1.0.0 255.255.0.0 any
access-list EXEMPT extended permit ip 192.168.5.0 255.255.255.0 any
access-list no-nat extended permit ip 10.1.0.0 255.255.0.0 host 0.0.0.0
access-list outside_access_in extended permit icmp any any object-group AllowedICMP
access-list outside_access_in extended permit ip host 192.168.2.253 any
access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
…
failover
failover lan unit secondary
failover lan interface fobasic Management0/0
failover key *****
failover link fostate GigabitEthernet0/3
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside-backup) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_in out interface outside
access-group EXEMPT in interface inside
access-group EXEMPT out interface inside
!
router eigrp 10
no auto-summary
network 192.168.2.0 255.255.255.0
network 192.168.3.0 255.255.255.0
network 192.168.4.0 255.255.255.0
network 192.168.5.0 255.255.255.0
redistribute static
!
route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
……
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 123 reachability
……..
management-access inside
dhcpd dns x.x.x.x
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
…..
03-19-2013 09:47 AM
It's normal behavior))). When you do a shutdown of gi1/1 on the active ASA, you automatically shut down the same interface on the standby appliance. So the normal command synchronization is happening and no failover occurs.
But when you shut down the interface of a switch, the interface of the active ASA gets marked as failed, and failover happens.
03-19-2013 10:20 AM
Hi Andrew,
Thank you so much for your instant reply.
It does help me a lot.
Actually, my goal is to test the firewall failover situation.
Since I hope that when the left ASA (either the device itself or any interface) goes down,
the right ASA can take over very well.
In this case, on top of 1) unplugging the cable between the Core 1 switch and the left ASA
and 2) unplugging the left ASA power,
is there any way that I can test Gi 1/1 failover on the left ASA?
Thanks again,
03-20-2013 12:53 AM
If you unplug the cable between core 1 and the left ASA the failover will occur, as long as monitoring of gi1/1 is enabled on the ASA (which it is by default). And by unplugging that cable you're testing gi1/1, as you asked in the last sentence. If you unplug the left ASA power, failover will also happen.
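The point above rests on interface monitoring being active on the data interfaces. As an added example (not from the thread), this Python snippet parses the output of the ASA's "show failover" command and lists the interfaces on the active unit whose state is anything other than "Normal (Monitored)", so the operator can confirm before a cable-pull test which links will actually trigger a failover. The sample output is constructed from the nameifs in the posted config; real output will differ in detail.

```python
import re

# Constructed sample of "show failover" output (not captured from the poster's ASA);
# interface names follow the posted config, states are illustrative.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: fobasic Management0/0 (up)
Interface Poll frequency 5 seconds, holdtime 25 seconds
This host: Primary - Active
        Active time: 86400 (sec)
          Interface outside (192.168.2.1): Normal (Monitored)
          Interface inside (192.168.4.1): Normal (Monitored)
          Interface inside-backup (192.168.5.1): Normal (Waiting)
          Interface outside-backup (192.168.3.1): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
          Interface outside (192.168.2.2): Normal (Monitored)
          Interface inside (192.168.4.2): Normal (Monitored)
          Interface inside-backup (192.168.5.2): Normal (Waiting)
          Interface outside-backup (192.168.3.2): Normal (Not-Monitored)
"""

# One data-interface line: "Interface <nameif> (<ip>): <state> (<detail>)"
IFACE_RE = re.compile(
    r"^\s*Interface (?P<name>\S+) \((?P<ip>[\d.]+)\): (?P<state>\S+) \((?P<detail>[^)]+)\)"
)


def parse_failover(text):
    """Return {host: {nameif: (state, detail)}} for 'This host' and 'Other host'."""
    hosts, current = {}, None
    for line in text.splitlines():
        if line.startswith(("This host:", "Other host:")):
            current = line.split(":")[0]
            hosts[current] = {}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            hosts[current][m["name"]] = (m["state"], m["detail"])
    return hosts


def not_fully_monitored(hosts, required):
    """Interfaces in `required` on the active unit whose detail is not 'Monitored'.

    'Waiting' (hello exchange not yet completed) and 'Not-Monitored' (monitoring
    disabled) both mean a hello-based interface failure would not be detected."""
    active = hosts.get("This host", {})
    return sorted(n for n in required if active.get(n, ("", ""))[1] != "Monitored")
```

Run it against the real "show failover" text; an empty result for the interfaces you intend to test means all of them are being monitored.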
03-21-2013 05:55 PM
hi Andrew,
Thank you again for your reply.
May I have one more question ?
I am configuring the failover for the two interfaces between the router and the left switch.
What I want is that when the left switch's outside interface (connecting to the router) is shut down,
the inbound traffic should go this way: router -> right switch -> left ASA,
and outbound as well.
After I shut down the switch's interface (connecting to the router), the connectivity situation is:
the host can ping the router's backup interface (192.168.3.253) and 192.168.3.253 can ping 4.2.2.2,
while the host can NOT ping 4.2.2.2.
Also, 192.168.3.253 can ping the left firewall's 1/3 interface (192.168.3.1).
I think there is something wrong with my firewall configuration or router static route configuration,
so please help me when you are available.
This is my first time configuring IP SLA for a backup static route.
Correct me if I am wrong.
Thanks in advance.
Router config :
…………..
interface GigabitEthernet0/0
description ISP circuit order 1-111111111111
ip address X.X.X.X 255.255.255.248
ip accounting output-packets
ip nat outside
ip nat enable
no ip virtual-reassembly
duplex full
speed 1000
media-type sfp
no negotiation auto
!
interface GigabitEthernet0/1
description uplink to main-1 interface g 1/0/12
ip address 192.168.2.253 255.255.255.0
ip accounting output-packets
ip nat inside
ip nat enable
no ip virtual-reassembly
duplex full
speed 1000
media-type sfp
no negotiation auto
standby 2 ip 192.168.2.254
standby 2 priority 110
standby 2 preempt
!
interface GigabitEthernet0/2
ip address 192.168.3.253 255.255.255.0
no ip redirects
duplex full
speed 1000
negotiation auto
standby 3 ip 192.168.3.254
standby 3 priority 110
standby 3 preempt
!
router eigrp 10
redistribute static
passive-interface GigabitEthernet0/0
network 192.168.2.0
network 192.168.3.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.1.0.0 255.255.0.0 192.168.2.1
ip route 10.1.20.0 255.255.255.0 192.168.2.13
no ip http server
!
ip dns server view-group aaaaaaa
ip dns server
ip nat pool mypool X.X.X.X X.X.X.X netmask 255.255.255.252
ip nat inside source list 1 pool mypool overload
!
logging alarm informational
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 10.1.33.0 0.0.0.255
!
control-plane
!
gatekeeper
shutdown
!
ASA config :
.....
interface GigabitEthernet0/3
description STATE Failover Interface
!
interface Management0/0
description LAN Failover Interface
management-only
!
interface GigabitEthernet1/0
media-type sfp
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/1
media-type sfp
nameif inside
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/2
media-type sfp
nameif inside-backup
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/3
media-type sfp
nameif outside-backup
security-level 0
ip address 192.168.3.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type AllowedICMP
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
icmp-object time-exceeded
access-list EXEMPT extended permit ip 192.168.4.0 255.255.255.0 any
access-list EXEMPT extended permit ip 10.1.0.0 255.255.0.0 any
access-list EXEMPT extended permit ip 192.168.5.0 255.255.255.0 any
access-list no-nat extended permit ip 10.1.0.0 255.255.0.0 host 0.0.0.0
access-list outside_access_in extended permit icmp any any object-group AllowedICMP
access-list outside_access_in extended permit ip host 192.168.2.253 any
access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list outside_access_in extended permit ip host 192.168.3.253 any
access-list outside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
…
failover
failover lan unit secondary
failover lan interface fobasic Management0/0
failover key *****
failover link fostate GigabitEthernet0/3
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo-reply outside-backup
icmp permit any unreachable outside-backup
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside-backup) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_in out interface outside
access-group outside_access_in in interface outside-backup
access-group outside_access_in out interface outside-backup
access-group EXEMPT in interface inside
access-group EXEMPT out interface inside
!
router eigrp 10
no auto-summary
network 192.168.2.0 255.255.255.0
network 192.168.3.0 255.255.255.0
network 192.168.4.0 255.255.255.0
network 192.168.5.0 255.255.255.0
redistribute static
!
route outside 0.0.0.0 0.0.0.0 192.168.2.253 1 track 20
route outside 0.0.0.0 0.0.0.0 192.168.3.253 22
……
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 123 reachability
……..
sla monitor 2
type echo protocol ipIcmpEcho 192.168.2.253 interface outside
sla monitor schedule 2 life forever start-time now
track 20 rtr 2 reachability
management-access inside
dhcpd dns x.x.x.x
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
…..
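The posted ASA config pairs a tracked primary default route with a higher-metric backup. As an added example (not from the thread), this Python checker reads the relevant lines of such a config and verifies two things for each static route: that the gateway lies in the subnet of the interface the route names, and that any "track" it references is actually defined. It assumes the ASA rule that a static route's gateway must be on the egress interface's directly connected subnet. The embedded config is a constructed excerpt modelled on the posted one; on that excerpt the backup route via 192.168.3.253 is flagged because 192.168.3.0/24 belongs to outside-backup, not outside.

```python
import ipaddress

# Constructed excerpt modelled on the poster's second ASA config (assumed, not the
# full running-config); only the lines the checker needs are included.
ASA_CONFIG = """\
interface GigabitEthernet1/0
 nameif outside
 ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet1/3
 nameif outside-backup
 ip address 192.168.3.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.253 1 track 20
route outside 0.0.0.0 0.0.0.0 192.168.3.253 22
sla monitor 2
 type echo protocol ipIcmpEcho 192.168.2.253 interface outside
track 20 rtr 2 reachability
"""


def parse(cfg):
    """Collect nameif -> subnet, static routes, and defined track ids."""
    nets, routes, tracks, nameif = {}, [], set(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new interface stanza
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()
            nets[nameif] = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        elif line.startswith("route "):
            f = line.split()                   # route <if> <dst> <mask> <gw> <metric> [track N]
            track = int(f[f.index("track") + 1]) if "track" in f else None
            routes.append((f[1], f[2], f[3], f[4], int(f[5]), track))
        elif line.startswith("track "):
            tracks.add(int(line.split()[1]))
    return nets, routes, tracks


def check_routes(cfg):
    """Return a list of problems: gateway off the egress subnet, or undefined track."""
    nets, routes, tracks = parse(cfg)
    problems = []
    for ifname, _dst, _mask, gw, _metric, track in routes:
        net = nets.get(ifname)
        if net is None or ipaddress.IPv4Address(gw) not in net:
            problems.append(f"route via {gw} on '{ifname}': gateway not in {net}")
        if track is not None and track not in tracks:
            problems.append(f"route via {gw}: track {track} is not defined")
    return problems
```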
03-22-2013 12:07 AM
I don't understand why you're trying to use HSRP between your router and switches. If you have L3 reachability (i.e. routing enabled between your ASA/switches/router) just let EIGRP take care of redundancy. I just don't see why you should use HSRP here, or maybe I'm missing something)). Maybe someone else can comment on this.
03-22-2013 05:44 AM
Okay, I see.
I think at this moment I do NOT need the HSRP configuration.
Do you have any idea about the ASA routing configuration?
Since now the backup interface of the router is not able to ping the inside host.
Thanks for your time,