Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1584
Views
5
Helpful
6
Replies

Newbie Cisco ASA 5515,IPS Failover Test.

Go to solution
LC O
Level 1
Level 1

‎12-14-2016 11:12 AM - edited ‎03-10-2019 06:44 AM

I was wondering if someone can help me with the configuration of the cisco ips for failover we have 2 cisco asa 5515 IPS. I want to test the failover. When i look at this configuration. It appears that it is lan based failover. Correct me if i'm wrong my understanding for this failover operation is if gi0/2 went down the standby gi0/3 interface will be active. Now if i run show failover command it just shows primary standby ready which it doesnt have any ip address and secondary is active with external ip address and internal ip address. If anyone can help with this. I attached a screenshot of the show failover result command. Thank you in advance.

int gi0/2 is 10.0.1.10

int gi0/3 is 10.0.2.10

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover replication http
failover link statefulfailover GigabitEthernet0/3
failover interface ip failover 10.0.1.10 255.255.255.0 standby 10.0.1.11
failover interface ip statefulfailover 10.0.2.10 255.255.255.0 standby 10.0.2.11

Labels:
Preview file
138 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to LC O

‎12-16-2016 09:09 PM

From your first posting, the Secondary is Active and the Primary is Standby Ready state. Simply log into the Secondary-Active in enable mode and type "no failover active".

You will be disconnected from the unit and when you log back in you should be connected to Primary-Active. 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎12-14-2016 12:10 PM

A couple of questions:

1. Do you have standby IPs configured on those interfaces?

2. Have you read this ASA Configuration Guide for Failover:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/ha-failover.html

Thank you for rating helpful posts!

0 Helpful

Go to solution
LC O
Level 1
Level 1
In response to nspasov

‎12-15-2016 01:45 PM

Thank you for quick response. Im going to read the failover link document. Apparently I inherit this task. I was told it's working and i need to do a failover. Here's the full configuration

Primary Cisco IPS 5515x


int gi0/2 is 10.0.1.10

int gi0/3 is 10.0.2.10

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover replication http
failover link statefulfailover GigabitEthernet0/3
failover interface ip failover 10.0.1.10 255.255.255.0 standby 10.0.1.11
failover interface ip statefulfailover 10.0.2.10 255.255.255.0 standby 10.0.2.1

Secondary Cisco IPS 5515x

int gi0/2 is 10.0.1.11
int gi0/3 is 10.0.2.11

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover replication http
failover link statefulfailover GigabitEthernet0/3
failover interface ip failover 10.0.1.10 255.255.255.0 standby 10.0.1.11
failover interface ip statefulfailover 10.0.2.10 255.255.255.0 standby 10.0.2.11

Preview file
85 KB
Preview file
124 KB

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to LC O

‎12-16-2016 09:09 PM

From your first posting, the Secondary is Active and the Primary is Standby Ready state. Simply log into the Secondary-Active in enable mode and type "no failover active".

You will be disconnected from the unit and when you log back in you should be connected to Primary-Active. 

0 Helpful

Go to solution
LC O
Level 1
Level 1
In response to Marvin Rhoads

‎01-11-2017 10:21 AM

Thank you, for all your response. I'm going to try the failover next week and will let you know if it 's successful or not. cross finger.

0 Helpful

Go to solution
ssingh3
Level 1
Level 1
In response to LC O

‎01-10-2017 09:18 PM

you can use the following command to configure standby IPs to the device

int Gi0/x

ip address <active ip> <subnet> standby <standby ip>

"standby" is the keyword and the IP mentioned after this keyword would be assigned to standby device(doesn't matter which is standby, primary or secondary)

HTH

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-15-2016 12:30 AM

In addition to what Neno correctly pointed out, I would add that standby IP addresses for the production traffic interfaces are optional.  It appears they are not setup on your pair, thus the report of "0.0.0.0" addresses on the Standby unit.

We often see this in situations where there are a very limited number of public IP addresses where the customer is unable or unwilling to dedicate an IP address for the sole purpose of monitoring the IP reachability of that particular interface on the standby unit. Fir private subnets I always use a standby IP address.

It works perfectly fine, it just gives the failover cluster one fewer data point in assessing the health of the mate.

Gi0/2 and Gi0/3 in your setup are used strictly for failover cluster monitoring and state replication respectively. They do not backup each other per se but rather handle different aspects of the failover cluster operations. Using a dedicated interface (like your Gi0/3) for stateful failover support is optional. If you do not have stateful failover setup, tcp session state will not be preserved across a failover event and any open sessions must be re-established.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card