Use of the word 'failover'

matscosolutions
Level 1

Hello, I am investigating why an ASA that has two circuits didn't failover when the primary line failed.

Looking at the config of the ASA, the interface that connects the ASA to the secondary has been given the name 'failover'. I am able to ping my own interface, but not the other end, and there are no arp entries on this interface.

So does giving the name 'failover' to the interface alter the behavior and render the interface useless for passing regular traffic? I think it does, but....

Thanks

Simon Fitzgerald

3 Replies

Akshay Rastogi
Cisco Employee

Hi Simon,

There are three kinds of interfaces in a Failover configuration: the Failover link and the Stateful link interface. Other interfaces are considered Data Interfaces.

- The Failover Interface is used to pass Configuration and Interface status from the Active Unit to the Standby Unit.

- The Stateful link is used to pass connections, and Data Interfaces pass traffic.

Using the keyword 'failover' with the 'failover lan interface' command does not change any behavior of the interface. You can give any name to it. The admin might have given that name to signify that it is a failover link.

Note: IP addresses assigned to the Failover link do not swap with Failover. The Primary would keep the same IP even if it becomes Standby.

If you are not able to ping the Secondary Failover link IP address, then there is some communication issue. If there is a switch in between, then check that all physical links and the switch are fine.

The ASA does not fail over if the Failover link goes down. It starts the interface check to see if the unit is down. These interface checks are performed on Data interfaces. If it does have an issue with the data interfaces, then it would fail over.

Please use the link below to understand the failover process:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html

Let me know if you have any query on this.

Thanks & Regards,

Akshay Rastogi

matscosolutions
Level 1

Thanks Akshay, this firewall is not actually configured for failover and is standalone.

They have hooked a secondary circuit to it and named that WAN interface 'failover'.

In the link you sent they suggest this operates differently to other interfaces so this is probably the issue.

"You can use any unused interface (physical, redundant, or EtherChannel) as the failover link; however, you cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface can only be used for the failover link (and optionally also for the state link)."

Hi,

Yes, you're right. It is different from other links, as I had mentioned (there are other links as well, like the data link, which passes traffic). The failover link is used to replicate configuration to the standby device. You can use the same failover link as the stateful link as well (usually not recommended if traffic and config are high).

You do not have to give the failover link name under any interface as 'nameif'. When you configure 'failover lan interface <any failover link name> gig0/3', this name would automatically appear as the name next to the interface when you run 'sh ip'.

If you give any name under the interface with the 'nameif' command, then you are making that interface a data interface to pass regular traffic.

Please let me know if you have any query.

Regards,

Akshay Rastogi
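
An added example, not part of the thread and not Cisco's code: a Python check that applies the distinction drawn in the replies above, classifying each interface in a running-config by how it is configured ('nameif' versus 'failover lan interface' / 'failover link') rather than by what it is called. The config excerpts and the link name `folink` are constructed, and interface names are assumed to be spelled out in full as a running-config shows them.

```python
import re

# Constructed running-config excerpt for a standalone ASA (not from the thread).
STANDALONE = """\
interface GigabitEthernet0/0
 nameif outside
!
interface GigabitEthernet0/3
 nameif failover
!
interface GigabitEthernet0/4
 no nameif
!
no failover
"""

# Constructed excerpt for a failover pair; "folink" is a made-up link name.
HA_PAIR = """\
interface GigabitEthernet0/0
 nameif outside
!
interface GigabitEthernet0/3
!
failover
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
"""

def classify_interfaces(config):
    """Map interface -> (role, name); role is data, failover-link, state-link or unused."""
    roles, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            roles[current] = ("unused", None)
        elif (m := re.match(r"\s+nameif (\S+)", line)) and current:
            roles[current] = ("data", m.group(1))  # nameif makes it a data interface
        elif m := re.match(r"failover lan interface (\S+) (\S+)", line):
            roles[m.group(2)] = ("failover-link", m.group(1))
        elif m := re.match(r"failover link (\S+) (\S+)", line):
            # A state link that shares the failover link keeps the failover-link role.
            if roles.get(m.group(2), ("", None))[0] != "failover-link":
                roles[m.group(2)] = ("state-link", m.group(1))
    return roles

def misleading_data_names(config):
    """Data interfaces whose nameif merely contains the word 'failover'."""
    return [(i, n) for i, (r, n) in classify_interfaces(config).items()
            if r == "data" and "failover" in n.lower()]
```

On the standalone excerpt, `misleading_data_names(STANDALONE)` reports GigabitEthernet0/3 as an ordinary data interface that only carries the name 'failover'; on the failover-pair excerpt the same port is classified as the failover link and nothing is reported.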
