Hello. I am using a pair of switches (SW1, SW2) for the failover link between the ASA nodes and for several data interfaces (C, D). I am also using other pairs of switches (SW3, SW4 and SW5, SW6) for other data links on the ASA nodes (inside, B). When I rebooted SW1 on 3rd Mar I expected that failover would happen and ASA_5525_2 (STB) would become Active. But something went wrong. It looked like a split brain happened and both ASA nodes became active. I can't understand why the nodes didn't hear hello packets through the inside or B interfaces. (Maybe I interpreted the logs the wrong way.) So the network didn't work correctly until SW1 had loaded completely.

A little more detail: the ASA is monitoring all interfaces (inside, B, C, D). The ASA has OSPF relationships with SW3, SW4 and SW5, SW6.

My configuration and logs:

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover key *****
failover link failover GigabitEthernet0/7
failover interface ip failover 220.127.116.11 255.255.255.0 standby 18.104.22.168

"show failover history" on ASA_5525_1 (From State / To State / Reason):

11:10:35 MSK Mar 3 2019   Active                   Failed                   Interface check
11:10:36 MSK Mar 3 2019   Failed                   Just Active              HELLO not heard from mate
11:10:36 MSK Mar 3 2019   Just Active              Active Drain             HELLO not heard from mate
11:10:36 MSK Mar 3 2019   Active Drain             Active Applying Config   HELLO not heard from mate
11:10:36 MSK Mar 3 2019   Active Applying Config   Active Config Applied    HELLO not heard from mate
11:10:36 MSK Mar 3 2019   Active Config Applied    Active                   HELLO not heard from mate

"show failover history" on ASA_5525_2 (From State / To State / Reason):

11:10:36 MSK Mar 3 2019   Standby Ready            Just Active              Interface check
11:10:36 MSK Mar 3 2019   Just Active              Active Drain             Interface check
11:10:36 MSK Mar 3 2019   Active Drain             Active Applying Config   Interface check
11:10:36 MSK Mar 3 2019   Active Applying Config   Active Config Applied    Interface check
11:10:36 MSK Mar 3 2019   Active Config Applied    Active                   Interface check
11:16:51 MSK Mar 3 2019   Active                   Cold Standby             Failover state check
11:16:53 MSK Mar 3 2019   Cold Standby             Sync Config              Failover state check
11:17:01 MSK Mar 3 2019   Sync Config              Sync File System         Failover state check
11:17:01 MSK Mar 3 2019   Sync File System         Bulk Sync                Failover state check
11:17:14 MSK Mar 3 2019   Bulk Sync                Standby Ready            Failover state check

Syslog:

<185>Mar 03 2019 11:10:30 ASA_5525 : %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface inside
<185>Mar 03 2019 11:10:30 ASA_5525 : %ASA-1-105009: (Secondary) Testing on interface inside Passed
<185>Mar 03 2019 11:10:36 ASA_5525 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
<185>Mar 03 2019 11:10:35 ASA_5525 : %ASA-1-104002: (Primary) Switching to STANDBY - Interface check
<185>Mar 03 2019 11:10:36 ASA_5525 : %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.

Would you mind giving your opinion about my network design and the reasons why this happened? I can use a separate pair of switches for the failover link, but I haven't understood yet whether I have to do it. I've read the Cisco guide https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-failover.pdf, "Scenario 3—Recommended", and it looks like my network topology. I need your help, please.
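The two "show failover history" outputs above can be compared mechanically to find the window in which both units believed they were active. The script below is an added example, not code from the post or from Cisco: it assumes the two-line record layout that "show failover history" prints (a timestamp line, then the From State / To State / Reason columns separated by runs of spaces), rebuilds the two histories from the transitions quoted in the post as constructed sample input, and reports every interval in which the two units' active states overlap. On this input it finds a single window from 11:10:36 to 11:16:51, the period the post describes as not working until SW1 had finished booting.

```python
"""Locate split-brain windows in ASA 'show failover history' output (added example)."""
import re
from datetime import datetime

# Constructed samples built from the transitions quoted in the post, laid out the
# way the command prints them: a timestamp line, then From State / To State /
# Reason separated by runs of spaces.
HISTORY_UNIT1 = """\
11:10:35 MSK Mar 3 2019
Active                     Failed                       Interface check
11:10:36 MSK Mar 3 2019
Failed                     Just Active                  HELLO not heard from mate
11:10:36 MSK Mar 3 2019
Just Active                Active Drain                 HELLO not heard from mate
11:10:36 MSK Mar 3 2019
Active Drain               Active Applying Config       HELLO not heard from mate
11:10:36 MSK Mar 3 2019
Active Applying Config     Active Config Applied        HELLO not heard from mate
11:10:36 MSK Mar 3 2019
Active Config Applied      Active                       HELLO not heard from mate
"""
HISTORY_UNIT2 = """\
11:10:36 MSK Mar 3 2019
Standby Ready              Just Active                  Interface check
11:10:36 MSK Mar 3 2019
Just Active                Active Drain                 Interface check
11:10:36 MSK Mar 3 2019
Active Drain               Active Applying Config       Interface check
11:10:36 MSK Mar 3 2019
Active Applying Config     Active Config Applied        Interface check
11:10:36 MSK Mar 3 2019
Active Config Applied      Active                       Interface check
11:16:51 MSK Mar 3 2019
Active                     Cold Standby                 Failover state check
11:16:53 MSK Mar 3 2019
Cold Standby               Sync Config                  Failover state check
11:17:01 MSK Mar 3 2019
Sync Config                Sync File System             Failover state check
11:17:01 MSK Mar 3 2019
Sync File System           Bulk Sync                    Failover state check
11:17:14 MSK Mar 3 2019
Bulk Sync                  Standby Ready                Failover state check
"""

TS_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\w{3} \d{1,2} \d{4})$")


def parse_history(text):
    """Return (time, from_state, to_state, reason) tuples; header/separator lines are skipped."""
    records, stamp = [], None
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if m:  # strptime cannot parse zone names like MSK, so the zone token is dropped
            stamp = datetime.strptime(f"{m.group(1)} {m.group(3)}", "%H:%M:%S %b %d %Y")
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if stamp is not None and len(cols) >= 3 and cols[0] != "From State":
            records.append((stamp, cols[0], cols[1], cols[2]))
    return records


def is_active(state):
    """States in which the unit considers itself the active unit."""
    return state == "Just Active" or state.startswith("Active")


def active_intervals(records):
    """[start, end) intervals during which the unit was active. datetime.min means
    'already active when the history begins', datetime.max 'still active at its end'."""
    intervals, start = [], datetime.min
    in_active = bool(records) and is_active(records[0][1])  # state before the first transition
    for ts, _frm, to, _reason in records:
        if is_active(to) and not in_active:
            start, in_active = ts, True
        elif not is_active(to) and in_active:
            intervals.append((start, ts))
            in_active = False
    if in_active:
        intervals.append((start, datetime.max))
    return intervals


def split_brain_windows(history_a, history_b):
    """Time ranges in which both units' histories say they were active at once."""
    windows = []
    for a0, a1 in active_intervals(parse_history(history_a)):
        for b0, b1 in active_intervals(parse_history(history_b)):
            lo, hi = max(a0, b0), min(a1, b1)
            if lo < hi:
                windows.append((lo, hi))
    return windows


if __name__ == "__main__":
    for lo, hi in split_brain_windows(HISTORY_UNIT1, HISTORY_UNIT2):
        secs = (hi - lo).total_seconds() if hi != datetime.max else float("inf")
        print(f"both units active {lo:%H:%M:%S} - {hi:%H:%M:%S} ({secs:.0f} s)")
```

Paste the real command output from each unit into the two strings (or read it from files) to run this against your own pair; the From State of the earliest record is used to infer what the unit was doing before the history begins, which is why the primary's pre-11:10:35 Active period is accounted for without overlapping the secondary's Standby Ready time.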
Hi. I have a network topology which you can see in the image. All routers are Cisco 3745 with IOS (C3745-ADVENTERPRISEK9-M), Version 12.4(12). SW1 is an L3 switch, Cisco Catalyst WS-C3560E-24TD with IOS (C3560E-UNIVERSALK9-M 12.2(58)SE2).

Configurations:

R1

interface Loopback0
 ip address 22.214.171.124 255.255.255.0
interface FastEthernet0/0
 ip address 192.168.146.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.146.4
ip sla monitor 1
 type echo protocol ipIcmpEcho 126.96.36.199 source-interface Loopback0
 timeout 100
 frequency 1
ip sla monitor schedule 1 start-time now life forever

R4

interface Loopback0
 ip address 188.8.131.52 255.255.255.0
interface FastEthernet0/0
 ip address 192.168.146.4 255.255.255.0
interface Serial0/1
 ip address 192.168.45.4 255.255.255.0
 clockrate 64000
ip route 0.0.0.0 0.0.0.0 192.168.45.5
ip route 184.108.40.206 255.255.255.255 192.168.146.1
ip route 220.127.116.11 255.255.255.255 192.168.146.6
ip http client source-interface Loopback0

R5

interface Loopback0
 ip address 18.104.22.168 255.255.255.0
interface FastEthernet0/0
 ip address 192.168.57.5 255.255.255.0
interface Serial0/1
 ip address 192.168.45.5 255.255.255.0
 clockrate 64000
ip route 22.214.171.124 255.255.255.255 192.168.57.7
ip route 0.0.0.0 0.0.0.0 126.96.36.199
key chain OER
 key 1
  key-string CISCO
oer master
 keepalive 5
 logging
 learn
  throughput
  delay
  protocol tcp port 80 src
  protocol 1
  protocol udp port range 16384 32767 src
  periodic-interval 5
  monitor-period 3
 border 188.8.131.52 key-chain OER
  interface FastEthernet0/0 internal
  interface Serial0/1 external
oer border
 local Loopback0
 master 184.108.40.206 key-chain OER

R6

interface Loopback0
 ip address 220.127.116.11 255.255.255.0
interface FastEthernet0/0
 ip address 192.168.146.6 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.146.4
ip sla monitor 2
 type jitter dest-ipaddr 18.104.22.168 dest-port 16384 source-ipaddr 22.214.171.124 codec g729a codec-numpackets 10 codec-interval 10
ip sla monitor schedule 2 start-time now life forever

SW1

enable password cisco
ip routing
interface Vlan57
 ip address 192.168.57.7 255.255.255.0
interface Loopback0
 ip address 126.96.36.199 255.255.255.0
interface GigabitEthernet0/23
 switchport access vlan 57
interface GigabitEthernet0/24
 no switchport
 ip address 10.1.42.40 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.57.5
ip http server
ip http path flash:
ip sla responder
line vty 0 15
 password cisco
 login

At the same time, on R4 I enter the command "copy http://cisco:firstname.lastname@example.org/c3560e-universalk9-mz.122-58.SE2.bin null:". After that I have a problem. When a PC with Windows 7 begins to work in the corporate network, it reports an IP address conflict and doesn't work with the network. I've used Wireshark and seen that when the PC sends an ARP request, SW1 always sends an ARP reply (see attached file). I think the problem is with the command "ip sla responder", but I haven't searched for information about it, and I want to understand whether this is a bug or normal functioning. There isn't a problem with Windows XP, because XP sends not an ARP request but a gratuitous ARP request, and SW1 doesn't reply. Thank you in advance.
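The post distinguishes a Windows 7 "ARP request" (answered by SW1) from an XP gratuitous ARP (not answered). The script below is an added example, not code from the post or from Cisco, that makes that distinction explicit on raw frames: it parses Ethernet/ARP, classifies each message as an RFC 5227 ARP probe (sender IP 0.0.0.0, which is what Windows Vista and 7 send for duplicate-address detection), a gratuitous request (sender IP equal to target IP, the XP style), an ordinary request, or a reply, and then flags any reply that claims an address a host had just probed for from a MAC other than that host's. That reply is exactly what the host turns into an "IP address conflict". The capture is constructed: the MAC addresses are invented, 192.168.57.50 is an assumed host address in the post's VLAN 57, and 192.168.57.7 is SW1's Vlan57 address from the configuration. To run it on a real capture, feed it the raw frame bytes from your pcap reader instead of SAMPLE_CAPTURE.

```python
"""Classify ARP frames from a capture and flag replies that would trigger a host's
duplicate-address ("IP address conflict") check (added example)."""
import struct
from ipaddress import IPv4Address

ETH_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"        # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
BROADCAST, ZERO_MAC = b"\xff" * 6, bytes(6)


def mac_str(raw):
    return raw.hex(":")


def build_arp(src_mac, dst_mac, oper, sha, spa, tha, tpa):
    """Build an Ethernet/ARP frame; used here only to construct the sample capture."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETH_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha,
                      IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP over Ethernet."""
    if len(frame) < 42:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"src": mac_str(src), "dst": mac_str(dst), "oper": oper,
            "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


def classify(arp):
    """Distinguish the ARP message kinds a host uses when it joins a network."""
    if arp["oper"] == 1:
        if arp["spa"] == "0.0.0.0":
            return "probe"               # RFC 5227 ARP probe (Windows Vista/7 duplicate-address check)
        if arp["spa"] == arp["tpa"]:
            return "gratuitous-request"  # classic gratuitous ARP (what Windows XP sends)
        return "request"
    if arp["oper"] == 2:
        return "gratuitous-reply" if arp["spa"] == arp["tpa"] else "reply"
    return "other"


def find_conflicts(frames):
    """A probe or gratuitous request for address X from MAC M that is answered by a
    reply claiming X from a different MAC is what the host reports as a conflict."""
    pending, conflicts = {}, []        # ip -> set of MACs that probed for it
    for index, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None:
            continue
        kind = classify(arp)
        if kind in ("probe", "gratuitous-request"):
            pending.setdefault(arp["tpa"], set()).add(arp["sha"])
        elif kind == "reply" and arp["spa"] in pending:
            for prober in pending[arp["spa"]]:
                if prober != arp["sha"]:
                    conflicts.append({"frame": index, "ip": arp["spa"],
                                      "probed_by": prober, "claimed_by": arp["sha"]})
    return conflicts


# Constructed sample capture. MACs are made up; 192.168.57.50 is an assumed host address
# in the post's VLAN 57, and 192.168.57.7 is SW1's Vlan57 address from the post.
PC_MAC, SW_MAC = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000007")
PC_IP, SW_IP = "192.168.57.50", "192.168.57.7"
SAMPLE_CAPTURE = [
    build_arp(PC_MAC, BROADCAST, 1, PC_MAC, "0.0.0.0", ZERO_MAC, PC_IP),  # Win7-style probe for own address
    build_arp(SW_MAC, PC_MAC, 2, SW_MAC, PC_IP, PC_MAC, "0.0.0.0"),       # switch MAC answers claiming it
    build_arp(PC_MAC, BROADCAST, 1, PC_MAC, PC_IP, ZERO_MAC, SW_IP),      # ordinary request for SW1's address
    build_arp(SW_MAC, PC_MAC, 2, SW_MAC, SW_IP, PC_MAC, PC_IP),           # legitimate reply
    build_arp(PC_MAC, BROADCAST, 1, PC_MAC, PC_IP, ZERO_MAC, PC_IP),      # XP-style gratuitous request, unanswered
]

if __name__ == "__main__":
    for i, f in enumerate(SAMPLE_CAPTURE):
        a = parse_arp(f)
        print(i, classify(a), a["sha"], a["spa"], "->", a["tpa"])
    print(find_conflicts(SAMPLE_CAPTURE))
```

The ordinary request for SW1's own address and its reply are not flagged, because only addresses a host probed for itself are tracked; this keeps the check focused on the one pattern that produces the conflict message rather than on every reply the switch sends.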