Issue with active/passive failover with ASA 5520

jhanington
Level 1

Hello. I have been trying to solve this issue for 6 hours now and cannot figure it out. I have a unit that is active and another unit that I reset the configuration and am trying to get it to replicate. I type in failover on both firewalls and it just doesn't want to work. Originally the failover was working fine but I had to go in and do a password recovery because I got locked out of the ASDM. I followed these instructions and was able to get back in but I noticed the failover config sync was no longer working. I decided to just clear the config of the secondary firewall and just set it as a new failover firewall but I can't get the damn thing to connect/replicate. Below are the outputs of "show failover", "show failover state" and "show failover history" for the primary and secondary firewall. Any help would be greatly appreciated as I am running out of hair to pull out of my head.

Both running ASDM 6.4.5

ASA 8.0.5

Show failover

Primary

Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(5), Mate 8.0(5)
Last Failover at: 10:29:58 EDT Jun 19 2013
        This host: Primary - Active
                Active time: 1504705 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(5)) status (Up Sys)
                  Interface outside (6.15.35.170): Normal (Waiting)
                  Interface inside (10.0.0.1): Normal (Waiting)
                  Interface SAN (10.0.1.254): Link Down (Not-Monitored)
                  Interface management (192.168.1.1): No Link (Not-Monitored)
                slot 1: empty
        Other host: Secondary - Cold Standby
                Active time: 6 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(5)) status (Up Sys)
                  Interface outside (6.15.35.178): Unknown
                  Interface inside (10.0.0.254): Unknown
                  Interface SAN (0.0.0.0): Link Down (Not-Monitored)
                  Interface management (0.0.0.0): Unknown (Not-Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LANFAIL GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         3862489    0          196815     0
        sys cmd         196167     0          196167     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        2268811    0          8          0
        UDP conn        359758     0          558        0
        ARP tbl         1036541    0          81         0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     542        0          1          0
        VPN IPSEC upd   430        0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     240        0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       73      196877
        Xmit Q:         0       34      7613909

Secondary

Failover On
Failover unit Secondary
Failover LAN Interface: LANFAIL GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(5), Mate 8.0(5)
Last Failover at: 14:49:27 UTC Jun 19 2013
        This host: Secondary - Negotiation
                Active time: 12 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(5)) status (Up Sys)
                slot 1: empty
        Other host: Primary - Active
                Active time: 1504982 (sec)
                slot 0: empty
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LANFAIL GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0


Show failover state

Primary

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Cold Standby   Comm Failure             10:31:54 EDT Jun 19 2013

====Configuration State===
====Communication State===

Secondary

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Disabled       None
Other host -   Primary
               Not Detected   None

====Configuration State===
====Communication State===

Show failover history

Primary

==========================================================================
From State                 To State                   Reason
==========================================================================
08:06:13 EDT Jun 19 2013
Disabled                   Negotiation                Set by the config command

08:06:58 EDT Jun 19 2013
Negotiation                Just Active                No Active unit found

08:06:58 EDT Jun 19 2013
Just Active                Active Drain               No Active unit found

08:06:58 EDT Jun 19 2013
Active Drain               Active Applying Config     No Active unit found

08:06:58 EDT Jun 19 2013
Active Applying Config     Active Config Applied      No Active unit found

08:06:58 EDT Jun 19 2013
Active Config Applied      Active                     No Active unit found

08:22:53 EDT Jun 19 2013
Active                     Disabled                   Set by the config command

08:31:35 EDT Jun 19 2013
Disabled                   Negotiation                Set by the config command

08:32:20 EDT Jun 19 2013
Negotiation                Just Active                No Active unit found

08:32:20 EDT Jun 19 2013
Just Active                Active Drain               No Active unit found

08:32:20 EDT Jun 19 2013
Active Drain               Active Applying Config     No Active unit found

08:32:20 EDT Jun 19 2013
Active Applying Config     Active Config Applied      No Active unit found

08:32:20 EDT Jun 19 2013
Active Config Applied      Active                     No Active unit found

10:09:31 EDT Jun 19 2013
Active                     Disabled                   LAN Interface become un-configured

10:29:13 EDT Jun 19 2013
Disabled                   Negotiation                Set by the config command

10:29:58 EDT Jun 19 2013
Negotiation                Just Active                No Active unit found

10:29:58 EDT Jun 19 2013
Just Active                Active Drain               No Active unit found

10:29:58 EDT Jun 19 2013
Active Drain               Active Applying Config     No Active unit found

10:29:58 EDT Jun 19 2013
Active Applying Config     Active Config Applied      No Active unit found

10:29:58 EDT Jun 19 2013
Active Config Applied      Active                     No Active unit found

==========================================================================

Secondary

==========================================================================
From State                 To State                   Reason
==========================================================================
14:31:46 UTC Jun 19 2013
Active Applying Config     Active Config Applied      No Active unit found

14:31:46 UTC Jun 19 2013
Active Config Applied      Active                     No Active unit found

14:31:51 UTC Jun 19 2013
Active                     Cold Standby               Failover state check

14:32:06 UTC Jun 19 2013
Cold Standby               Disabled                   HA state progression failed

14:48:32 UTC Jun 19 2013
Disabled                   Negotiation                Set by the config command

14:49:27 UTC Jun 19 2013
Negotiation                Just Active                No Active unit found

14:49:27 UTC Jun 19 2013
Just Active                Active Drain               No Active unit found

14:49:27 UTC Jun 19 2013
Active Drain               Active Applying Config     No Active unit found

14:49:27 UTC Jun 19 2013
Active Applying Config     Active Config Applied      No Active unit found

14:49:27 UTC Jun 19 2013
Active Config Applied      Active                     No Active unit found

14:49:32 UTC Jun 19 2013
Active                     Cold Standby               Failover state check

14:49:47 UTC Jun 19 2013
Cold Standby               Disabled                   HA state progression failed

14:49:55 UTC Jun 19 2013
Disabled                   Negotiation                Set by the config command

14:50:51 UTC Jun 19 2013
Negotiation                Just Active                No Active unit found

14:50:51 UTC Jun 19 2013
Just Active                Active Drain               No Active unit found

14:50:51 UTC Jun 19 2013
Active Drain               Active Applying Config     No Active unit found

14:50:51 UTC Jun 19 2013
Active Applying Config     Active Config Applied      No Active unit found

14:50:51 UTC Jun 19 2013
Active Config Applied      Active                     No Active unit found

14:50:56 UTC Jun 19 2013
Active                     Cold Standby               Failover state check

14:51:11 UTC Jun 19 2013
Cold Standby               Disabled                   HA state progression failed

==========================================================================

4 Replies

andyjames
Level 1

Hi Jack,

As it was running before I'm guessing the active box has a correct configuration but it looks as though there is a problem with either the communication or the config going on to the standby box. Are they directly connected or is it through a switch? I'd check the active and standby addresses are correct for both.

Andy.

Hey thanks for responding! They are both hooked up to each other directly through a CAT5 cable. Here is the failover link config... I know the secondary has "no failover" set. The box switches back to "no failover" after me issuing the "failover" command.

Primary

failover

failover lan unit primary

failover lan interface LANFAIL GigabitEthernet0/3

failover key *****

failover link LANFAIL GigabitEthernet0/3

failover interface ip LANFAIL 172.16.1.1 255.255.255.0 standby 172.16.1.2

Secondary

no failover

failover lan unit secondary

failover lan interface LANFAIL GigabitEthernet0/3

failover key *****

failover link LANFAIL GigabitEthernet0/3

failover interface ip LANFAIL 172.16.1.1 255.255.255.0 standby 172.16.1.2

Here is a log dump of what is happening on the secondary when I try the failover command.

, my state Negotiation, peer state Not Detected.

%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=411,op=22,my=Negotiation,peer=Not Detected.

%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_CLIENT_NEGOTIATED_VERSION, my state Negotiation, peer state Not Detected.

%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=53,op=1,my=Negotiation,peer=Not Detected.

%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_NEGOTIATION, my state Negotiation, peer state Not Detected.

%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Negotiation,peer=Active.

%ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Active.

%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Negotiation, peer state Active.

%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=200,op=16,my=Just Active,peer=Active.

%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_FAST, my state Just Active, peer state Active.

%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=201,op=16,my=Active Drain,peer=Active.

%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_DRAIN, my state Active Drain, peer state Active.

%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=202,op=16,my=Active Applying Config,peer=Active.

%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_PRECONFIG, my state Active Applying Config, peer state Active.

%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=203,op=16,my=Active Config Applied,peer=Active.

%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_POSTCONFIG, my state Active Config Applied, peer state Active.

%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=204,op=16,my=Active,peer=Active.

%ASA-6-720039: (VPN-Secondary) VPN failover client is transitioning to active state

%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE, my state Active, peer state Active.

%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=130,my=Active,peer=Active.

%ASA-6-720027: (VPN-Secondary) HA status callback: My state Active.

%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Active, peer state Active.

%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=10,my=Cold Standby,peer=Disabled.

%ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Disabled.

%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Cold Standby, peer state Disabled.

%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=0,my=Disabled,peer=Disabled.

%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.

%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_CTL_COMM, my state Disabled, peer state Disabled.

%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=402,op=0,my=Disabled,peer=Disabled.

%ASA-6-720025: (VPN-Secondary) HA status callback: Data channel is down.

%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_DATA_COMM, my state Disabled, peer state Disabled.

%ASA-1-105001: (Secondary) Disabling failover.

%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=51,op=29,my=Disabled,peer=Disabled.

%ASA-6-720010: (VPN-Secondary) VPN failover client is being disabled

%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_DISABLED, my state Disabled, peer state Disabled.

%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=10,my=Disabled,peer=Disabled.

%ASA-6-720027: (VPN-Secondary) HA status callback: My state Disabled.

%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Disabled, peer state Disabled.

The same issue with me. Check the config... Failover not working.

ASA-2# show running-config
: Saved

:
: Serial Number: FLM2013FVLR
: Hardware: FPR4K-SM-12, 58269 MB RAM, CPU Xeon E5 series 2194 MHz, 1 CPU (24 cores)
:
ASA Version 9.6(1)
!
hostname ASA-2
enable password YdxZuMgZnGXj4fkF encrypted
names
zone DMZ
zone inside
zone outside

!
interface Ethernet1/1
shutdown
nameif inside
security-level 100
ip address 10.10.10.3 255.255.255.0
!
interface Ethernet1/2
shutdown
nameif outside
security-level 0
ip address 192.168.20.10 255.255.255.0
!
interface Ethernet1/3
management-only
shutdown
nameif management
security-level 0
no ip address
!
interface Ethernet1/4
description LAN/STATE Failover Interface
!
ftp mode passive
object-group network source
network-object 0.0.0.0 0.0.0.0
object-group network destination
network-object 0.0.0.0 0.0.0.0
object-group network source-address
network-object 0.0.0.0 0.0.0.0
object-group network destination-address
network-object 0.0.0.0 0.0.0.0
object-group network lan
network-object 0.0.0.0 0.0.0.0
object-group network WAN
network-object 0.0.0.0 0.0.0.0
object-group network 192.168.20.1
network-object 192.168.20.1 255.255.255.255
access-list 110 extended permit ip object-group lan object-group WAN
access-list 111 extended permit ip object-group lan object-group WAN
access-list 120 extended permit ip any any
access-list 121 extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
failover lan unit secondary
failover lan interface folink Ethernet1/4
failover link folink Ethernet1/4
failover interface ip folink 30.30.30.1 255.255.255.0 standby 30.30.30.2

ASA-2# show failover history
==========================================================================
From State To State Reason
==========================================================================
11:41:41 UTC Dec 12 2017
Not Detected Disabled No Error

11:46:57 UTC Dec 12 2017
Disabled Negotiation Set by the config command

11:46:59 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate

11:47:00 UTC Dec 12 2017
Cold Standby Disabled HA state progression failed

12:01:02 UTC Dec 12 2017
Disabled Negotiation Set by the config command

12:01:04 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate

12:01:05 UTC Dec 12 2017
Cold Standby Disabled HA state progression failed

12:01:49 UTC Dec 12 2017
Disabled Negotiation Set by the config command

12:01:51 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate

12:01:52 UTC Dec 12 2017
Cold Standby Disabled HA state progression failed

12:03:58 UTC Dec 12 2017
Disabled Negotiation Set by the config command

12:04:00 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate

12:04:01 UTC Dec 12 2017
Cold Standby Disabled HA state progression failed

12:04:29 UTC Dec 12 2017
Disabled Negotiation Set by the config command

12:04:30 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate

12:04:31 UTC Dec 12 2017
Cold Standby Disabled HA state progression failed

12:37:07 UTC Dec 12 2017
Disabled Negotiation Set by the config command

12:37:10 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate

12:37:11 UTC Dec 12 2017
Cold Standby Disabled HA state progression failed
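Both posts above show the same pattern: the secondary's bootstrap stanza sits at "no failover" and its history loops through Cold Standby into "HA state progression failed". The following Python check is an added example, not code from the thread or from Cisco: it parses the failover stanzas of both units, flags a unit left disabled, a bad pair of unit roles, or any difference in LAN link, state link, key or failover interface IPs (everything except "failover lan unit" must be identical on the two units), and counts the failed-progression entries in "show failover history". The sample stanzas and history lines are copied from jhanington's post; the function names are my own.

```python
import re

# Constructed samples copied from the thread: the failover stanzas jhanington
# posted for both units, and three entries of the secondary's failover history.
PRIMARY_CFG = """failover
failover lan unit primary
failover lan interface LANFAIL GigabitEthernet0/3
failover key *****
failover link LANFAIL GigabitEthernet0/3
failover interface ip LANFAIL 172.16.1.1 255.255.255.0 standby 172.16.1.2"""

SECONDARY_CFG = """no failover
failover lan unit secondary
failover lan interface LANFAIL GigabitEthernet0/3
failover key *****
failover link LANFAIL GigabitEthernet0/3
failover interface ip LANFAIL 172.16.1.1 255.255.255.0 standby 172.16.1.2"""

SECONDARY_HISTORY = """14:49:27 UTC Jun 19 2013
Negotiation                Just Active                No Active unit found
14:49:47 UTC Jun 19 2013
Cold Standby               Disabled                   HA state progression failed
14:51:11 UTC Jun 19 2013
Cold Standby               Disabled                   HA state progression failed"""

def parse_failover(cfg):
    """Collect the failover bootstrap settings found in one unit's config."""
    f = {"enabled": False}
    for line in (l.strip() for l in cfg.splitlines()):
        w = line.split()
        if line == "failover":                      # "no failover" leaves it False
            f["enabled"] = True
        elif line.startswith("failover lan unit "):
            f["unit"] = w[3]
        elif line.startswith("failover lan interface "):
            f["lan_if"] = tuple(w[3:5])             # (nameif, physical port)
        elif line.startswith("failover link "):
            f["link"] = tuple(w[2:4])               # state link (same port here)
        elif line.startswith("failover interface ip "):
            f["ip"] = (w[3], w[4], w[5], w[7])      # nameif, active, mask, standby
        elif line.startswith("failover key "):
            f["key"] = line[len("failover key "):]
    return f

def check_pair(primary_cfg, secondary_cfg):
    """List bootstrap problems between the two units; empty means consistent."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    issues = [f"{name}: failover is disabled"
              for name, u in (("primary", p), ("secondary", s)) if not u["enabled"]]
    if {p.get("unit"), s.get("unit")} != {"primary", "secondary"}:
        issues.append("unit roles must be one primary and one secondary")
    # Apart from the unit role, the failover stanza must be identical on both.
    issues += [f"{k} differs between units"
               for k in ("lan_if", "link", "ip", "key") if p.get(k) != s.get(k)]
    return issues

def failed_progressions(history):
    """Count 'HA state progression failed' entries in show failover history."""
    rows = [re.split(r"\s{2,}", l.strip()) for l in history.splitlines() if "  " in l]
    return sum(1 for r in rows if len(r) == 3 and r[2].startswith("HA state progression"))
```

Run against the posted stanzas the only finding is the disabled secondary, which matches what jhanington sees: the addresses and link settings agree, so the remaining question is why the unit backs out during state progression rather than a bootstrap mismatch.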
