Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1587
Views
0
Helpful
2
Replies

Tracking Route from a Standby unit in a Active/Standby ASA array

obadillaa
Level 1
Level 1

‎04-03-2019 10:44 AM - edited ‎02-21-2020 09:00 AM

 

We have configured in an Active/standby array of ASAs a route tracking service to some destinations, each destination has a main and a secondary link.

Tracking service is not the issue, we found in our syslog server events from our active unit saying it is denying inbound icmp packets going to our standby unit. These icmp packets are coming from the destinations configured in our tracking service.

So, as we see it, our Active unit (as excepted) as well as our Standby unit (weird) are executing the route tracking service, and Active unit is rejecting replies sent to Standby.

 

Following log is from Active unit (values were changed for privacy):

Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP1} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP2} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP3} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP4} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP5} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP6} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)
Apr 03 2019 11:18:36: %ASA-3-106014: Deny inbound icmp src {Interface-Name}:{TrackingDestination-IP7} dst {Interface-Name}:{StandbyUnit-IP} (type 0, code 0)

 

Standby unit should not be tracking routes (unless it become Active). Is there a way to stop this tracking process in the standby unit?

 

0 Helpful
2 Replies 2

Julio E. Moisa
VIP
VIP

‎04-03-2019 10:46 AM

Hi

Could you please share the failover configuration and the show failover output?

 

Thank you 




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

obadillaa
Level 1
Level 1
In response to Julio E. Moisa

‎04-03-2019 11:07 AM

{hostname}/pri/act# sho failover
Failover On
Failover unit Primary
Failover LAN Interface: fo_st_link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 9 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours x.x(x)xx, Mate x.x(x)xx
Last Failover at: 18:37:44 CST Mar 29 2019
This host: Primary - Active
Active time: 407617 (sec)
slot 0: ASA5525 hw/sw rev (1.0/x.x(x)xx) status (Up Sys)
Interface OUTSIDE (a.a.a.251): Normal (Monitored)
Interface INSIDE (b.b.b.34): Normal (Monitored)
Interface {Interface-Name} (c.c.c.49): Normal (Monitored) <----Interface used for tracking service
Interface management (0.0.0.0): No Link (Waiting)
Other host: Secondary - Standby Ready
Active time: 6421 (sec)
slot 0: ASA5525 hw/sw rev (1.0/x.x(x)xx) status (Up Sys)
Interface OUTSIDE (a.a.a.252): Normal (Monitored)
Interface INSIDE (b.b.b.35): Normal (Monitored)
Interface {Interface-Name} (c.c.c.50): Normal (Monitored) <----Interface used for tracking service
Interface management (0.0.0.0): No Link (Waiting)

Stateful Failover Logical Update Statistics
Link : fo_st_link Port-channel1 (up)
Stateful Obj xmit xerr rcv rerr
General 39867278 0 432424 822
sys cmd 215458 0 215455 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 5044678 0 26521 28
UDP conn 34514537 0 189973 771
ARP tbl 86698 0 401 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 619 0 10 0
VPN IKEv1 P2 2146 0 31 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Route Session 913 0 0 23
Router ID 0 0 0 0
User-Identity 2229 0 33 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 30 453276
Xmit Q: 0 158 44626509

 

--- Failover Cfg ---

failover
failover lan unit primary
failover lan interface fo_st_link Port-channel1
failover link fo_st_link Port-channel1
failover interface ip fo_st_link d.d.d.253 255.255.255.252 standby d.d.d.254
failover ipsec pre-shared-key *****

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card