Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2769
Views
0
Helpful
3
Replies

Proper failover test of ASA 5515

Ve Con
Level 1
Level 1

‎02-12-2016 08:11 AM - edited ‎02-21-2020 05:43 AM

Any suggestion for proper failover test on the ASA?   I am writing a failover test plan, i wonder if i just issuing the failover command or pull out the power cable on the primary (or standby) ASA, which method is more efficient or I should do both method?

After plugging back the power cable (assume I use this method) to the ASA, what command (or what should I check) should I issue to verify the ASA configuration is back to normal/optimal? I assume if pull the power of the primary, the standby will become the primary, and when I plug the power cable back to the offline ASA, when it is back online, it will become the primary again (not sure if my assumption is true).

Any help and inputs are much appreciated

0 Helpful
3 Replies 3

Karsten Iwen
VIP
VIP

‎02-13-2016 09:28 AM

Issuing the failover command is kind of "marketing failover" as the the ASA does a grecefull failover to the other unit.

A better test plan could be:

  1. Make sure both ASAs are fully functioning and the network is fully converged.
  2. Switch off the active ASA, wait for the network to converge, test everything that is needed.
  3. Switch the ASA on again and wait for failover to establish again.
  4. Unplug a cable in the traffic path of the active ASA. If available, use a cable that is not directly attached to the ASA for having a remote failure. Wait for the other ASA to take over and test again.
  5. Replug the cable, wait for both ASAs to get to normal state again
  6. Make the primary ASA active again, done!

0 Helpful

Ve Con
Level 1
Level 1
In response to Karsten Iwen

‎03-02-2016 12:07 PM

Thanks, Karsten for the great inputs.

One thing i would like to know at step 3, what is the command that I should issue to check to see if the fail-back happened successfully (if not just observing the port status on the ASDM)?  Should the primary ASA take its ownership as primary again automatically when it's switched back on?

I think after step 3, i should perform the same test that I did on step 2.

Step 4 should be repeating of step 2 on the standby (other) ASA.  Not sure if this test case make sense to perform at all as it's only the standby (or shown as standby).

0 Helpful

Karsten Iwen
VIP
VIP
In response to Ve Con

‎03-02-2016 01:38 PM

"show failover" is the command to check if both units have build a proper FO-system.

There is no preemption, after 3) the active role should not change automatically.

4) tests a different scenario which can show different failures compared to 2) based on your setup/topology. But regardless of a unit-, an interface- or a path-failure, you should always be back in operation after the network converged to the new active ASA.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card