ASA Active/Standby (failover)

Hello everyone,

i have 2 ASA5520,

configured Active/Standby.

on the primary unit, it has 3 interfaces configured and connected(outside, inside--g0/1.200 and one more Lan interface)

so whenever we connect the secondary ASA, the Inside port shuts down by itself (both on the LAN switch port and asa inside port). all other interfaces on secondary function well and the primary unit detect the mate and start replicating. after replication ends. the inside port of the secondary unit will shut down by itself ( ASA inside port-g0/1.200) 

can anyone help with this issue?

Rob Ingram
Hi @anishkmr0071 

What is the configuration of the switch interfaces?

Does the interface on the switch err-disable?

Any logs associated with this event on the switch?


the interface is a trunk and not configured any port-security. but still, used shutdown and no shutdown commands. still, it's the same. 

this event happened long back. so, no recorded event for this issue on the switch.

Can you post logs to look at what is the issue - this is not expected behavior.



Attached is the config, on switches and ASA.


i will try to find the logs. is there any specific commands you want me to try?

Can you post-show failover on the standby unit.  - how is your Gi0/3 ASA connected back to back or connected to switch ?


what you see on the switch - show logging post all logs


Do you have any rough diagram of how these devices connected to what port?



Gi0/3 on both ASA are connected directly, 

the inside interface on ASA is gi0/1.200.

pls, see the attached diagram and failover of secondary.


The issue seems to be at the inside interface as it showing as waiting.


could you please confirm if you can ping either from Active ASA to ping or from Standby ASA to ping

also could you confirm if you can see the mac address of inside interface on your switche/s?

does vlan 200 intself exisits on each single switche/s?


also could you run the command show monitor-interface


by default sub-interface are not in monitoring mode you have to configure it to monitor it.

post the configuration of swiches show span tree vlan 200
show span detail|i ieee|changes|occ|from|.exec

hi Salim,

1) cannot able to ping the from

2) i can see the mac address of the primary ASA. but I cannot see the mac address of secondary ASA.

3) yes vlan 200 exist on all the switches. 

4) Attached show monitor-interface output

5) Output of show spanning-tree clan 200 

is there a command to reset the failover on secondary??