
ASA Active/Standby (failover)

anishkmr0071
Level 1

Hello everyone,

I have 2 ASA5520, configured Active/Standby.

On the primary unit, it has 3 interfaces configured and connected (outside, inside--g0/1.200 and one more LAN interface).

So whenever we connect the secondary ASA, the inside port shuts down by itself (both on the LAN switch port and the ASA inside port). All other interfaces on the secondary function well, and the primary unit detects the mate and starts replicating. After replication ends, the inside port of the secondary unit will shut down by itself (ASA inside port g0/1.200).

Can anyone help with this issue?

8 Replies

Hi @anishkmr0071 

What is the configuration of the switch interfaces?

Does the interface on the switch err-disable?

Any logs associated with this event on the switch?

The interface is a trunk and does not have any port-security configured. But still, I used the shutdown and no shutdown commands. Still, it's the same.

This event happened long back, so there is no recorded event for this issue on the switch.

balaji.bandi
Hall of Fame

Can you post logs so we can look at what the issue is? This is not expected behavior.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

anishkmr0071
Level 1

Attached is the config, on switches and ASA.

I will try to find the logs. Are there any specific commands you want me to try?

balaji.bandi
Hall of Fame

Can you post show failover on the standby unit? How is your Gi0/3 ASA connected: back to back, or connected to a switch?

What do you see on the switch? show logging - post all logs.

Do you have any rough diagram of how these devices are connected, and to what port?

BB


Hi,

Gi0/3 on both ASAs are connected directly.

The inside interface on the ASA is gi0/1.200.

Please see the attached diagram and failover of the secondary.

The issue seems to be at the inside interface, as it is showing as waiting.

Could you please confirm if you can ping either from the Active ASA to 10.253.0.2 or from the Standby ASA to 10.253.0.1?

Also, could you confirm if you can see the MAC address of the inside interface on your switch(es)?

Does VLAN 200 itself exist on every single switch?

Also, could you run the command show monitor-interface

By default, sub-interfaces are not in monitoring mode; you have to configure them to be monitored.

Post the configuration of the switches and:
show spanning-tree vlan 200
!
show span detail | i ieee|changes|occ|from|.exec

Please do not forget to rate.

Hi Salim,

1) I am not able to ping 10.253.0.2 from 10.253.0.1.

2) I can see the MAC address of the primary ASA, but I cannot see the MAC address of the secondary ASA.

3) Yes, VLAN 200 exists on all the switches.

4) Attached show monitor-interface output.

5) Output of show spanning-tree vlan 200.

Is there a command to reset the failover on the secondary?