
monitor-interface in ASA Context

johnlloyd_13
Level 9

Hi,

I'm configuring a new FPR 3100 with ASA OS.

It's an ASA in multiple context mode and I was doing some failover tests and pinging the internet.

It didn't fail over to the secondary after I shut down the trunk switch port facing the ASA FW LAN and WAN. It only worked after configuring 'monitor-interface' on the LAN and WAN.

My question is: do I need to apply this config on all context sub-interfaces?

Will it cause a failover flapping issue when one or two sub-interfaces in a specific context have a problem?

asa/pri/act/TEST# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Port-channel2.199 172.16.4.5 YES manual up up    <<< LAN/inside: PORT-CHANNEL TO TRUNK SWITCH PORT
Port-channel2.999 178.2.10.1 YES manual up up   <<< WAN/outside: PORT-CHANNEL TO TRUNK SWITCH PORT

asa/pri/act/TEST# sh run | i monitor    <<< INTERNET EDGE FW
no monitor-interface TEST_VRF    <<<< LAN/inside
no monitor-interface INTERNET    <<< WAN/outside

Router#ping vrf TEST_VRF 8.8.8.8 source 172.16.4.1 repeat 1000   <<< PING FROM DOWNSTREAM ROUTER, NO FAILOVER
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.41
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!................................
................

asa/pri/act/TEST(config)# monitor-interface TEST_VRF
asa/pri/act/TEST(config)# monitor-interface INTERNET

Router#ping vrf TEST_VRF 8.8.8.8 source 172.16.4.1 repeat 1000    <<< FAILOVER TO SECONDARY FW WORKED
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.4.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (999/1000), round-trip min/avg/max = 15/15/21 ms

 

2 Replies

My question is: do I need to apply this config on all context sub-interfaces?

This depends on whether you want a failover to occur if there is a protocol failure on any of the sub-interfaces. Otherwise you would only need the command on the interfaces you want to monitor and trigger in a failure situation (your most important interfaces).

Will it cause a failover flapping issue when one or two sub-interfaces in a specific context have a problem?

Not entirely sure what you mean by this, but once a failover occurs, the previously active device will not become active again unless you manually failover or there is another failure situation on the current active device.

Also, if you have not done so already, it is a good practice to configure standby IPs on the interfaces for situations where it is the failover link that has failed.

--
Please remember to select a correct answer and rate helpful posts
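
An added example, not part of the thread and not Cisco tooling: a Python check that reads one context's running-config and reports which nameifs are monitored and which monitored ones have no standby IP, following the two points in the reply above. The sample config is constructed (masks and the standby address are made up), `audit` and `findings` are hypothetical names, and interfaces with no explicit `monitor-interface` line are assumed to follow the ASA default (sub-interfaces unmonitored, physical interfaces monitored).

```python
import re

# Constructed sample of one context's running-config. Masks and the standby
# address are made up; interface names and nameifs follow the post above.
SAMPLE = """\
interface Port-channel2.199
 nameif TEST_VRF
 ip address 172.16.4.5 255.255.255.0 standby 172.16.4.6
!
interface Port-channel2.999
 nameif INTERNET
 ip address 178.2.10.1 255.255.255.0
!
no monitor-interface TEST_VRF
monitor-interface INTERNET
"""

def audit(config):
    """Map each nameif to its port, monitoring state and standby IP."""
    ifaces, explicit, port, cur = {}, {}, None, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            port, cur = m.group(1), None
        elif (m := re.match(r"\s+nameif (\S+)", line)) and port:
            # Assumed default when no monitor-interface line exists:
            # sub-interfaces ("." in the name) off, physical interfaces on.
            cur = ifaces[m.group(1)] = {
                "port": port, "monitored": "." not in port, "standby": None}
        elif (m := re.match(r"\s+ip address \S+ \S+ standby (\S+)", line)) and cur:
            cur["standby"] = m.group(1)
        elif m := re.match(r"(no )?monitor-interface (\S+)", line):
            explicit[m.group(2)] = m.group(1) is None
    # Explicit lines override the default, wherever they appear in the config.
    for name, state in explicit.items():
        if name in ifaces:
            ifaces[name]["monitored"] = state
    return ifaces

def findings(ifaces, critical):
    """List critical nameifs left unmonitored and monitored ones without a standby IP."""
    out = []
    for name, i in sorted(ifaces.items()):
        if name in critical and not i["monitored"]:
            out.append(f"{name} ({i['port']}): critical but not monitored")
        if i["monitored"] and not i["standby"]:
            out.append(f"{name} ({i['port']}): monitored but no standby IP")
    return out

if __name__ == "__main__":
    for line in findings(audit(SAMPLE), {"INTERNET", "TEST_VRF"}):
        print(line)
```

Run it once per context against that context's saved running-config, passing the nameifs whose loss should trigger a failover as `critical`.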

johnlloyd_13
Level 9

Hi,

I'll probably just configure monitor on the "INTERNET" sub-interface/nameif since there are a lot of "inside" subifs.

 
