Re: no failover active command is not working as expected

AhmadKhader · ‎09-28-2024

I have ASA with Active/Standby configuration. I can see the primary is active and the secondary is standby ready. also, the configuration is replicated.

When I try the command "no failover active" to make the active work as standby, in order to go with the upgrade steps. It does not work as expected. I can see the SSH session terminated. But when I connect to the session again I can see there is no changes from the active/standby wise. The active ASA remains active and the standby stays standby.

MHM Cisco World · ‎09-28-2024

There is issue with failover link

Do you connect failover link back to back or via SW?

MHM

AhmadKhader · ‎09-28-2024

Directly connected.

MHM Cisco World · ‎09-28-2024

Share

Show failover

Show failover state

Before run command abd after for both unit

MHM

AhmadKhader · ‎09-28-2024

Sorry, it is connected over the network.

Should I collect the same outputs?

MHM Cisco World · ‎09-29-2024

So it not direct?

İf yes

Share output of above and also share

Show interface IP brief

MHM

AhmadKhader · ‎09-29-2024

- Before the command:

show failover

Failover On

Failover unit Primary

Failover LAN Interface: Failover GigabitEthernet1/8 (up)

Reconnect timeout 0:00:00

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 3 seconds, holdtime 15 seconds

Interface Policy 1

Monitored Interfaces 1 of 160 maximum

MAC Address Move Notification Interval not set

Version: Ours 9.8(2)20, Mate 9.8(2)20

Serial Number: Ours JAD1948072L, Mate JAD2003056A

Last Failover at: 10:30:00 AST Sep 29 2024

This host: Primary - Active

Active time: 1722 (sec)

slot 1: ASA5516 hw/sw rev (3.1/9.8(2)20) status (Up Sys)

Interface outside (213.186.170.183): Normal (Not-Monitored)

Interface inside (10.100.10.4): Normal (Monitored)

Interface management (0.0.0.0): No Link (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

Other host: Secondary - Standby Ready

Active time: 0 (sec)

slot 1: ASA5516 hw/sw rev (3.1/9.8(2)20) status (Up Sys)

<--- More --->

Interface outside (0.0.0.0): Normal (Not-Monitored)

Interface inside (10.100.10.5): Normal (Monitored)

Interface management (0.0.0.0): Normal (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

Stateful Failover Logical Update Statistics

Link : Failover GigabitEthernet1/8 (up)

Stateful Obj xmit xerr rcv rerr

General 66810 0 2704713 33092

sys cmd 32477 0 32476 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 18808 0 962690 18510

UDP conn 14032 0 1540737 14582

ARP tbl 916 0 147504 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 7 0 13562 0

VPN IKEv2 P2 8 0 176 0

<--- More --->

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

SIP Tx 0 0 0 0

SIP Pinhole 0 0 0 0

Route Session 27 0 1 0

Router ID 0 0 0 0

User-Identity 535 0 7567 0

CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0

TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

STS Table 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 37 4592432

Xmit Q: 0 731 82267

show failover state

State Last Failure Reason Date/Time

This host - Primary

Active None

Other host - Secondary

Standby Ready Comm Failure 10:52:00 AST Sep 29 2024

====Configuration State===

Sync Done

Sync Done - STANDBY

====Communication State===

Mac set

-After applying the command:

sh failover

Failover On

Failover unit Secondary

Failover LAN Interface: Failover GigabitEthernet1/8 (up)

Reconnect timeout 0:00:00

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 3 seconds, holdtime 15 seconds

Interface Policy 1

Monitored Interfaces 1 of 160 maximum

MAC Address Move Notification Interval not set

Version: Ours 9.8(2)20, Mate 9.8(2)20

Serial Number: Ours JAD2003056A, Mate JAD1948072L

Last Failover at: 10:59:23 AST Sep 29 2024

This host: Secondary - Active

Active time: 37 (sec)

slot 1: ASA5516 hw/sw rev (3.1/9.8(2)20) status (Up Sys)

Interface outside (213.186.170.183): Normal (Not-Monitored)

Interface inside (10.100.10.4): Normal (Monitored)

Interface management (0.0.0.0): No Link (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

Other host: Primary - Standby Ready

Active time: 1763 (sec)

slot 1: ASA5516 hw/sw rev (3.1/9.8(2)20) status (Up Sys)

<--- More --->

Interface outside (0.0.0.0): Normal (Not-Monitored)

Interface inside (10.100.10.5): Normal (Monitored)

Interface management (0.0.0.0): Normal (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

Stateful Failover Logical Update Statistics

Link : Failover GigabitEthernet1/8 (up)

Stateful Obj xmit xerr rcv rerr

General 1098 0 5826 1088

sys cmd 37 0 37 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 531 0 3165 971

UDP conn 370 0 2096 117

ARP tbl 24 0 150 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 4 0 1 0

VPN IKEv2 P2 0 0 0 0

<--- More --->

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

SIP Tx 0 0 0 0

SIP Pinhole 0 0 0 0

Route Session 22 0 0 0

Router ID 0 0 0 0

User-Identity 110 0 377 0

CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0

TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

STS Table 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 17 9224

Xmit Q: 0 5 1495

sh failover state

State Last Failure Reason Date/Time

This host - Secondary

Active None

Other host - Primary

Standby Ready None

====Configuration State===

Sync Done - STANDBY

====Communication State===

Mac set

AhmadKhader · ‎09-29-2024

Before the command:

show failover

Failover On

Failover unit Primary

Failover LAN Interface: Failover GigabitEthernet1/8 (up)

Reconnect timeout 0:00:00

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 3 seconds, holdtime 15 seconds

Interface Policy 1

Monitored Interfaces 1 of 160 maximum

MAC Address Move Notification Interval not set

Version: Ours 9.8(2)20, Mate 9.8(2)20

Serial Number: Ours JAD1948072L, Mate JAD2003056A

Last Failover at: 10:30:00 AST Sep 29 2024

This host: Primary - Active

Active time: 1722 (sec)

slot 1: ASA5516 hw/sw rev (3.1/9.8(2)20) status (Up Sys)

Interface outside (213.186.170.183): Normal (Not-Monitored)

Interface inside (10.100.10.4): Normal (Monitored)

Interface management (0.0.0.0): No Link (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

Other host: Secondary - Standby Ready

Active time: 0 (sec)

slot 1: ASA5516 hw/sw rev (3.1/9.8(2)20) status (Up Sys)

<--- More --->

Interface outside (0.0.0.0): Normal (Not-Monitored)

Interface inside (10.100.10.5): Normal (Monitored)

Interface management (0.0.0.0): Normal (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

Stateful Failover Logical Update Statistics

Link : Failover GigabitEthernet1/8 (up)

Stateful Obj xmit xerr rcv rerr

General 66810 0 2704713 33092

sys cmd 32477 0 32476 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 18808 0 962690 18510

UDP conn 14032 0 1540737 14582

ARP tbl 916 0 147504 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 7 0 13562 0

VPN IKEv2 P2 8 0 176 0

<--- More --->

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

SIP Tx 0 0 0 0

SIP Pinhole 0 0 0 0

Route Session 27 0 1 0

Router ID 0 0 0 0

User-Identity 535 0 7567 0

CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0

TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

STS Table 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 37 4592432

Xmit Q: 0 731 82267

show failover state

State Last Failure Reason Date/Time

This host - Primary

Active None

Other host - Secondary

Standby Ready Comm Failure 10:52:00 AST Sep 29 2024

====Configuration State===

Sync Done

Sync Done - STANDBY

====Communication State===

Mac set

After the command:

sh failover

Failover On

Failover unit Secondary

Failover LAN Interface: Failover GigabitEthernet1/8 (up)

Reconnect timeout 0:00:00

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 3 seconds, holdtime 15 seconds

Interface Policy 1

Monitored Interfaces 1 of 160 maximum

MAC Address Move Notification Interval not set

Version: Ours 9.8(2)20, Mate 9.8(2)20

Serial Number: Ours JAD2003056A, Mate JAD1948072L

Last Failover at: 10:59:23 AST Sep 29 2024

This host: Secondary - Active

Active time: 37 (sec)

slot 1: ASA5516 hw/sw rev (3.1/9.8(2)20) status (Up Sys)

Interface outside (213.186.170.183): Normal (Not-Monitored)

Interface inside (10.100.10.4): Normal (Monitored)

Interface management (0.0.0.0): No Link (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

Other host: Primary - Standby Ready

Active time: 1763 (sec)

slot 1: ASA5516 hw/sw rev (3.1/9.8(2)20) status (Up Sys)

<--- More --->

Interface outside (0.0.0.0): Normal (Not-Monitored)

Interface inside (10.100.10.5): Normal (Monitored)

Interface management (0.0.0.0): Normal (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)

ASA FirePOWER, 5.4.1-211, Up, (Not-Monitored)

Stateful Failover Logical Update Statistics

Link : Failover GigabitEthernet1/8 (up)

Stateful Obj xmit xerr rcv rerr

General 1098 0 5826 1088

sys cmd 37 0 37 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 531 0 3165 971

UDP conn 370 0 2096 117

ARP tbl 24 0 150 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 4 0 1 0

VPN IKEv2 P2 0 0 0 0

<--- More --->

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

SIP Tx 0 0 0 0

SIP Pinhole 0 0 0 0

Route Session 22 0 0 0

Router ID 0 0 0 0

User-Identity 110 0 377 0

CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0

TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

STS Table 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 17 9224

Xmit Q: 0 5 1495

sh failover state

State Last Failure Reason Date/Time

This host - Secondary

Active None

Other host - Primary

Standby Ready None

====Configuration State===

Sync Done - STANDBY

====Communication State===

Mac set

balaji.bandi · ‎09-29-2024

May be worth post what ASA code running, some failover outputs.

check my blog some testing's - if all ok.

https://www.balajibandi.com/?p=244

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Aref Alsouqi · ‎10-02-2024

Based on the output you shared it seems to work as expected?

- Before the command:

show failover
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 1 of 160 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(2)20, Mate 9.8(2)20
Serial Number: Ours JAD1948072L, Mate JAD2003056A
Last Failover at: 10:30:00 AST Sep 29 2024
This host: Primary - Active

-After applying the command:

sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: Failover GigabitEthernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 1 of 160 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(2)20, Mate 9.8(2)20
Serial Number: Ours JAD2003056A, Mate JAD1948072L
Last Failover at: 10:59:23 AST Sep 29 2024
This host: Secondary - Active

After you applied the "no failover active" command, the output shows that the local active firewall is actually the secondary firewall which has also a different serial number.

One command can be handy with ASA failover is "prompt hostname priority state". If you apply this command, you can then see the hostname and the failover state on CLI.