questions about asa 5520 failover

west33637
Level 1

First question: do the two ASAs' failover control interfaces have to be directly connected to each other using a crossover cable? Or can they be logically connected through our layer 2 switching infrastructure? What about through a Metro-E LAN?

Second question: can you set the speed/duplex of the failover control interface? I'm guessing you can set this after defining the failover interface and putting an IP address on it.

Third question: I believe I understand what happens in a situation where an interface fails, and please correct me if I'm wrong. My understanding is that when a link fails on the primary ASA, it'll go through several tests to show that the interface failure is properly detected before initiating a failover. Then, when the failure is confirmed, it initiates a failover to the secondary.

What happens when the failover control interface fails? Does the standby stop receiving keepalives and then become active immediately, or does the standby have to go through all those interface tests before becoming active?

Fourth question: these failover interface tests seem quite lengthy. I read a document that said the ARP test alone reads the ARP table for the last ten acquired entries, then sends an ARP request to those machines one at a time, and then counts packets for up to 5 seconds.

My question is, how long do these failover interface tests typically take? And what's the point of stateful failover if your inside interface goes down and the ASA takes 30 seconds doing failover interface tests before initiating failover? Won't the TCP sessions be terminated by the time the ASA gets around to initiating failover?

Thanks

Accepted Solution

Kureli Sankar
Cisco Employee

1. Avoid using a crossover cable. That is Cisco's recommendation. There has to be layer 2 adjacency.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1051178

Note: When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down.

2. Yes, you can, after configuring failover, as you said.

3. If the failover interface fails: if you have a crossover cable, then it will show as failed on both units. In this case no failover will occur. If this is not a crossover cable and the switchport connecting the active unit goes down, then there will be a failover and you may end up with two active units and a traffic-breaking situation.

These kinds of failover scenarios are hard to predict without watching the logs and knowing exactly what happened. You can read this thread, which went back and forth for a while:

https://supportforums.cisco.com/message/3262111#3262111

Refer to this link for failover triggers: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1091386

4. Here is the link for failover times:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1148472
You can customize these poll times.

You can configure the frequency of the hello messages and the hold time before failover occurs. A faster poll time and shorter hold time speed the detection of unit failures and make failover occur more quickly, but it can also cause "false" failures due to network congestion delaying the keepalive packets. See Configuring Unit Health Monitoring for more information about configuring unit health monitoring.


TEST: you can establish an SSH connection through the active unit, shut the inside interface port down on the switch to trigger a failover, and still be connected to your SSH session as if nothing happened.

-KS

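A worked configuration tying points 2 and 4 of the answer together. This is an added example from the editor, not code from the original post or from Cisco's documentation. It assumes ASA 7.2-era CLI syntax on a 5520 pair with GigabitEthernet0/3 free to serve as the LAN failover and stateful link; the interface names, addresses, key value and timer values are assumptions chosen for illustration, not values from the thread. Fragment A is the minimal Active/Standby setup that leaves every default the questions touch on; Fragment B is the same pair with the failover link keyed, the link's speed/duplex pinned, and the poll/hold timers tightened. Apply one fragment or the other on the primary unit; the peer differs only in `failover lan unit secondary`.

```text
! ---- Fragment A: minimal LAN-based Active/Standby failover (primary unit) ----
! Works, but leaves the defaults the thread's questions are about:
!  - no failover key: hello messages, replicated configuration and (with a
!    stateful link) connection state cross the layer 2 path in the clear
!  - speed/duplex left at auto on the failover interface
!  - unit polltime 1 s / holdtime 15 s, interface polltime 5 s (defaults)
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover link folink GigabitEthernet0/3
failover

! ---- Fragment B: the same pair, keyed and tuned ----
! Key the failover and stateful link first. Question 1 asks about running
! the link through switches or a Metro-E segment; without a key anyone on
! that path can read the replicated configuration, credentials included.
! (Assumption: placeholder key value; use a strong shared secret, identical
! on both units.)
failover key ExampleFailoverKey2014
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Stateful link shares the LAN failover interface here; a dedicated port is
! preferable when one is spare, so state replication never starves hellos.
failover link folink GigabitEthernet0/3
! Point 2: speed/duplex go on the physical interface once "failover lan
! interface" has claimed it. Pin both ends so a duplex mismatch cannot
! masquerade as a failing peer.
interface GigabitEthernet0/3
 description LAN + stateful failover link to peer
 speed 1000
 duplex full
 no shutdown
! Point 4, unit health: hold time must be at least 3x the poll time.
! Tighter values detect a dead peer sooner but false-fail under congestion
! on the failover path (the answer's caveat).
failover polltime unit msec 500 holdtime 3
! Point 4, interface health: hold time must be at least 5x the poll time.
! The interface tests the question describes only start after hellos on a
! monitored interface have been missed, so these timers bound that delay.
failover polltime interface 1 holdtime 5
! Monitor only the interfaces whose loss should cause a switchover; an
! unmonitored interface never triggers one.
monitor-interface inside
monitor-interface outside
no monitor-interface management
failover

! ---- Verification (read-only, run on either unit) ----
! show failover          -> "Failover On", link state, "Last Failover at"
! show failover state    -> per-unit state and the last failure reason
! show failover history  -> state transitions, useful after a suspected
!                           dual-active (split brain) event
```

To reproduce the answer's test with this configuration in place: open an SSH session through the active unit, shut the switchport facing its inside interface, and watch `show failover history` on the new active unit while the session stays up; if the session drops, check that the stateful link (`failover link`) is actually up and keyed identically on both units before touching the timers.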


Thanks for this very insightful response
