10-25-2022 05:32 AM
Hi all,
I have a network diagram as below. I configured the firewall as active/standby in transparent mode (attached is the firewall configuration file).
But when I use the command "sh failover" the result shows as below:
------------------------------------
Failover On
Failover unit Primary
Failover LAN Interface: f-over Ethernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1288 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.14(1), Mate 9.14(1)
Serial Number: Ours JAD260807CX, Mate JAD260808PV
Last Failover at: 09:21:48 UTC Oct 25 2022
This host: Primary - Active
Active time: 528 (sec)
slot 0: FPR-1140 hw/sw rev (48.46/9.14(1)) status (Up Sys)
Interface mgmt1 (192.168.1.1): Normal (Not-Monitored)
Interface inside (10.10.30.111): No Link (Waiting)
Interface outside (10.10.30.111): No Link (Waiting)
Other host: Secondary - Sync Config
Active time: 0 (sec)
slot 0: FPR-1140 hw/sw rev (48.46/9.14(1)) status (Up Sys)
Interface mgmt1 (0.0.0.0): Unknown (Not-Monitored)
Interface inside (0.0.0.0): Unknown (Waiting)
Interface outside (0.0.0.0): Unknown (Waiting)
-------------------------------------------
and the failover doesn't work if I disconnect one cable on the active firewall.
Does anybody know about this case and how to resolve it?
Thank you so much!!!
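To make the "Waiting" symptom in the output above easy to spot when checking many units, here is a small parser for that "show failover" format, added as an example and not part of the original post; it assumes "Normal (Monitored)" and "Standby Ready" are the healthy values and flags anything else on a monitored interface.

```python
import re

# Constructed sample input: the "show failover" output from the original post,
# trimmed to the lines this parser reads.
SHOW_FAILOVER = """\
This host: Primary - Active
Interface mgmt1 (192.168.1.1): Normal (Not-Monitored)
Interface inside (10.10.30.111): No Link (Waiting)
Interface outside (10.10.30.111): No Link (Waiting)
Other host: Secondary - Sync Config
Interface mgmt1 (0.0.0.0): Unknown (Not-Monitored)
Interface inside (0.0.0.0): Unknown (Waiting)
Interface outside (0.0.0.0): Unknown (Waiting)
"""

HOST_RE = re.compile(r"^(This host|Other host):\s*(\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+?) \((.+)\)$")

def parse_failover(text):
    """Map each unit ('This host'/'Other host') to its role, failover state and
    per-interface (status, monitoring) pairs as printed by 'show failover'."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            hosts[current]["interfaces"][m.group(1)] = (m.group(3), m.group(4))
    return hosts

def failover_problems(hosts):
    """Flag monitored interfaces not in 'Normal (Monitored)' and a peer not in
    'Standby Ready' (assumed healthy values). 'Waiting' means the unit has not
    received the peer's hello on that interface, so link loss cannot trigger failover."""
    problems = []
    for host, info in hosts.items():
        for name, (status, monitor) in info["interfaces"].items():
            if monitor == "Not-Monitored":
                continue  # mgmt1 here: excluded from failover health decisions
            if (status, monitor) != ("Normal", "Monitored"):
                problems.append(f"{host} {name}: {status} ({monitor})")
    peer_state = hosts.get("Other host", {}).get("state")
    if peer_state != "Standby Ready":
        problems.append(f"peer state: {peer_state}")
    return problems
```

Run it against your own output and an empty list means both units see each other on every monitored interface.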
10-25-2022 07:48 AM
Is that output after the link is removed? Is this Firepower imaged with ASA?
Check some guided config:
10-25-2022 08:12 AM
No, it is the result when normal. I am concerned about the "normal (waiting)" status. As I checked in some documents, I see as below.
It is transparent mode and I can only set an IP address for the BVI.
10-25-2022 08:14 AM
As I checked, this firewall uses "ASA Version 9.14(1)".
10-25-2022 08:17 AM
When the active unit fails over to the standby unit, the connected switch port running Spanning Tree Protocol (STP) can go into a blocking state for 30 to 50 seconds when it senses the topology change. To avoid traffic loss while the port is in a blocking state, you can configure one of the following workarounds depending on the switch port mode:
• Access mode: enable the STP PortFast feature on the switch:
    interface interface_id
    spanning-tree portfast
  The PortFast feature immediately transitions the port into STP forwarding mode upon linkup. The port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions into STP blocking mode.
• Trunk mode: block BPDUs on the security appliance on both the inside and outside interfaces:
    access-list id ethertype deny bpdu
    access-group id in interface inside_name
    access-group id in interface outside_name
  Blocking BPDUs disables STP on the switch. Be sure not to have any loops involving the security appliance in your network layout.
If neither of the above options is possible, then you can use one of the following less desirable workarounds that impact failover functionality or STP stability:
• Disable failover interface monitoring.
• Increase the failover interface holdtime to a high value that will allow STP to converge before the security appliances fail over.
• Decrease STP timers to allow STP to converge faster than the failover interface holdtime.
10-25-2022 07:42 PM
Hi @MHM Cisco World,
I tried to follow your advice but it seems not to work. Do you have any other solution?
10-27-2022 02:15 AM
Can anybody help me with this case? Is there anything to watch out for on the router side? For now, I configure a port channel with the LACP protocol. Any idea to fix this case?
11-04-2022 09:42 PM
Hi all,
I already found out the solution.
1. We need to create separate port channels for the 4 cables as in the link below:
2. We need to use a VLAN or install an L2 switch between the firewall and the router. We need a broadcast domain between them for the failover function to work properly. Check the link below for more detail. In my case I use a VLAN.
11-05-2022 03:23 AM
Can you share the latest topology? I don't see a SW in your original post.
11-06-2022 06:30 PM
The latest topology is in the picture below.
The router can be configured as a switch with the "switchport access vlan 200" command. I just set an IP address for VLAN 200 and route it in the static routing table.