Enabling interface monitoring for ASA Failover

stuartkendrick
Level 1

I have a pair of Firepower 1010s (running the ASA OS image) in Active/Standby.

Failover and failback work fine when triggered with the 'no active failover' and 'failover active' commands.

But failover is not triggered when the link goes down on either the inside or the outside interface: the Active unit stays Active, even though it isn't functional anymore.

 

How might I troubleshoot this? Is there another 'show' command I'm missing which would give me further insight? Or a 'debug' command which might shed light on the algorithm the ASA code is using?

 

ferry-x-test-vpn# sh run all monitor-interface
monitor-interface inside
monitor-interface outside
monitor-interface management
monitor-interface service-module
ferry-x-test-vpn#

ferry-x-test-vpn# show run all failover
failover
failover lan unit primary
failover lan interface Failover-Link Port-channel1
failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25
failover interface-policy 1
no failover standby config-lock
failover replication rate 7000
failover link Failover-Link Port-channel1
failover interface ip Failover-Link 172.16.0.1 255.255.255.0 standby 172.16.0.2
no failover wait-disable
ferry-x-test-vpn#


ferry-x-test-vpn# show fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.14(2), Mate 9.14(2)
Serial Number: Ours xxx, Mate yyy
Last Failover at: 08:29:06 PST Jan 16 2021
This host: Primary - Active
Active time: 962 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.14(2)) status (Up Sys)
Interface inside (10.11.12.63): Normal (Monitored)
Interface outside (128.253.12.63): Normal (Waiting)
Interface management (10.11.12.51): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 54 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.14(2)) status (Up Sys)
Interface inside (10.11.12.64): Normal (Monitored)
Interface outside (128.253.12.64): Normal (Waiting)
Interface management (10.11.12.53): Normal (Monitored)
[...]

 

--sk

 

 


balaji.bandi
Hall of Fame
Interface outside (128.253.12.64): Normal (Waiting)

This is Waiting: until it gets into Monitored it will not meet the failover condition. Check the Layer 2/3 connectivity.

BB


Monitoring is divided into two parts:
A- physical interface link down
B- not receiving the hello message from the other peer

In your case the ASA does detect the link going down because, as I suspect, it connects to the other peer through a switch, so the ASA doesn't receive the hello message but the physical link is not down, so
Normal (Waiting) appears.
How can I solve this?
Simply reduce the hold time for receiving the message. This makes the ASA reduce the time it takes to detect the second failure phase.


OK, so I've been experimenting with this. I have four questions, numbered below.

BTW: I have upgraded the OS to 9.15.1.1.

I start here:

ferry-x-test-vpn# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours xxx, Mate yyy
Last Failover at: 05:28:17 PST Jan 18 2021
This host: Primary - Active
Active time: 18 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Monitored)
Interface inside (10.11.3.63): Normal (Monitored)
Interface management (10.11.12.51): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 102 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Monitored)
Interface inside (10.11.3.64): Normal (Monitored)
Interface management (10.11.12.53): Normal (Monitored)

ferry-x-test-vpn#

ferry-x-test-vpn# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours yyy, Mate xxx
Last Failover at: 05:28:14 PST Jan 18 2021
This host: Secondary - Standby Ready
Active time: 102 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Monitored)
Interface inside (10.11.3.64): Normal (Monitored)
Interface management (10.11.12.53): Normal (Monitored)
Other host: Primary - Active
Active time: 23 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Monitored)
Interface inside (10.11.3.63): Normal (Monitored)
Interface management (10.11.12.51): Normal (Monitored)

ferry-x-test-vpn#

 

 

 

Now I disable the switch port feeding the 'inside' interface of the Primary/Active member:

ferry-x-test-vpn# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours yyy, Mate xxx
Last Failover at: 05:32:10 PST Jan 18 2021
This host: Secondary - Active
Active time: 14 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Waiting)
Interface inside (10.11.3.63): Normal (Waiting)
Interface management (10.11.12.51): Normal (Monitored)
Other host: Primary - Failed
Active time: 229 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Waiting)
Interface inside (10.11.3.64): Failed (Waiting)
Interface management (10.11.12.53): Normal (Monitored)

ferry-x-test-vpn#

ferry-x-test-vpn# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours xxx, Mate yyy
Last Failover at: 05:32:06 PST Jan 18 2021
This host: Primary - Failed
Active time: 229 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Waiting)
Interface inside (10.11.3.64): Failed (Waiting)
Interface management (10.11.12.53): Normal (Monitored)
Other host: Secondary - Active
Active time: 17 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Waiting)
Interface inside (10.11.3.63): Normal (Waiting)
Interface management (10.11.12.51): Normal (Monitored)

ferry-x-test-vpn#

 

#1 Why do the ASAs now flag the 'outside' interface as 'Waiting'?
I would have predicted that the 'outside' interface would remain 'Monitored'.

 

 

 


Now I re-enable the switch port servicing the 'inside' interface of the Primary/Standby unit:
ferry-x-test-vpn# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours yyy, Mate xxx
Last Failover at: 05:32:10 PST Jan 18 2021
This host: Secondary - Active
Active time: 183 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Waiting)
Interface inside (10.11.3.63): Normal (Waiting)
Interface management (10.11.12.51): Normal (Monitored)
Other host: Primary - Standby Ready
Active time: 229 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Waiting)
Interface inside (10.11.3.64): Normal (Waiting)
Interface management (10.11.12.53): Normal (Monitored)

ferry-x-test-vpn#
ferry-x-test-vpn# show fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours xxx, Mate yyy
Last Failover at: 05:32:06 PST Jan 18 2021
This host: Primary - Standby Ready
Active time: 229 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Waiting)
Interface inside (10.11.3.64): Normal (Waiting)
Interface management (10.11.12.53): Normal (Monitored)
Other host: Secondary - Active
Active time: 204 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Testing (Waiting)
Interface inside (10.11.3.63): Normal (Waiting)
Interface management (10.11.12.51): Normal (Monitored)

ferry-x-test-vpn#

 

#2 Why has the 'outside' interface on Secondary/Active changed to Testing? (This was taken ~30-60 s *after* enabling the switch port.)
I would have predicted no change in state for the 'outside' interface.

 

 

 


After a few minutes, the state of the 'outside' interface changes to 'Waiting':
ferry-x-test-vpn# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours yyy, Mate xxx
Last Failover at: 05:32:10 PST Jan 18 2021
This host: Secondary - Active
Active time: 323 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Waiting)
Interface inside (10.11.3.63): Normal (Waiting)
Interface management (10.11.12.51): Normal (Monitored)
Other host: Primary - Standby Ready
Active time: 229 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Waiting)
Interface inside (10.11.3.64): Normal (Waiting)
Interface management (10.11.12.53): Normal (Monitored)

ferry-x-test-vpn#

ferry-x-test-vpn# show fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours xxx, Mate yyy
Last Failover at: 05:32:06 PST Jan 18 2021
This host: Primary - Standby Ready
Active time: 229 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Waiting)
Interface inside (10.11.3.64): Normal (Waiting)
Interface management (10.11.12.53): Normal (Monitored)
Other host: Secondary - Active
Active time: 327 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Waiting)
Interface inside (10.11.3.63): Normal (Waiting)
Interface management (10.11.12.51): Normal (Monitored)

ferry-x-test-vpn#

 

#3 Why are the 'outside' and 'inside' interfaces still in 'Waiting'?
I would have predicted that they would be 'Monitored'.

 

 

 

 

Now I want to force a failback. If I type 'failover active' on the Primary/Standby unit, nothing happens:
ferry-x-test-vpn# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours yyy, Mate xxx
Last Failover at: 05:32:10 PST Jan 18 2021
This host: Secondary - Active
Active time: 323 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Waiting)
Interface inside (10.11.3.63): Normal (Waiting)
Interface management (10.11.12.51): Normal (Monitored)
Other host: Primary - Standby Ready
Active time: 229 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Waiting)
Interface inside (10.11.3.64): Normal (Waiting)
Interface management (10.11.12.53): Normal (Monitored)

ferry-x-test-vpn# failover active
ferry-x-test-vpn#

 

Whereas, if I type 'failover active' on the Secondary/Active unit, then the failback occurs:
ferry-x-test-vpn# show fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours xxx, Mate yyy
Last Failover at: 05:32:06 PST Jan 18 2021
This host: Primary - Standby Ready
Active time: 229 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Waiting)
Interface inside (10.11.3.64): Normal (Waiting)
Interface management (10.11.12.53): Normal (Monitored)
Other host: Secondary - Active
Active time: 327 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Waiting)
Interface inside (10.11.3.63): Normal (Waiting)
Interface management (10.11.12.51): Normal (Monitored)

ferry-x-test-vpn#
ferry-x-test-vpn# failover ?

active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force a unit or failover group to an unfailed state
ferry-x-test-vpn#
ferry-x-test-vpn#
ferry-x-test-vpn# failover active
Connection to ferry-b-test-vpn-mgmt closed by remote host.
Connection to ferry-b-test-vpn-mgmt closed.
skendric@guru:~$

 

Now the ASAs are back to their 'as-built' state:
ferry-x-test-vpn# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours xxx, Mate yyy
Last Failover at: 05:39:25 PST Jan 18 2021
This host: Primary - Active
Active time: 39 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Monitored)
Interface inside (10.11.3.63): Normal (Monitored)
Interface management (10.11.12.51): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 434 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Monitored)
Interface inside (10.11.3.64): Normal (Monitored)
Interface management (10.11.12.53): Normal (Monitored)

ferry-x-test-vpn#

ferry-x-test-vpn# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.15(1)1, Mate 9.15(1)1
Serial Number: Ours yyy, Mate xxx
Last Failover at: 05:39:24 PST Jan 18 2021
This host: Secondary - Standby Ready
Active time: 434 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Monitored)
Interface inside (10.11.3.64): Normal (Monitored)
Interface management (10.11.12.53): Normal (Monitored)
Other host: Primary - Active
Active time: 74 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Monitored)
Interface inside (10.11.3.63): Normal (Monitored)
Interface management (10.11.12.51): Normal (Monitored)

ferry-x-test-vpn#

 

#4 The behavior of the 'failover active' commands seems to contradict the CLI help output:
ferry-x-test-vpn# failover ?

active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force a unit or failover group to an unfailed state
ferry-x-test-vpn# failover

 

i.e. in order to fail back, I must execute the 'failover active' command on the member which I do *not* want to hold the Active role.

I find this puzzling. How do you think about this command, in a way which reconciles its behavior with the CLI help output?

 

--sk

The interface is divided into Inside and Outside sub-interfaces, each with its own VLAN,
so if you turn down the interface you will affect both inside and outside.

I don't believe I have any subinterfaces configured:

 

ferry-x-test-vpn# sh run int eth1/1
!
interface Ethernet1/1
description To edge-x-switch
no switchport
nameif outside
security-level 0
ip address 128.253.12.63 255.255.255.0 standby 128.253.12.64
ferry-x-test-vpn# sh run int eth1/2
!
interface Ethernet1/2
description To internal-x-switch
no switchport
nameif inside
security-level 100
ip address 10.11.3.63 255.255.255.0 standby 10.11.3.64
ferry-x-test-vpn#

ferry-x-test-vpn# show vlan
ferry-x-test-vpn#

 

--sk

OK,
let's explain this together.
First, call the active ASA X and the standby ASA Y (as the names of the ASAs).
[attached diagram: gfjhgfh.png]
NOTE: share all the show output here.
NOTE: don't use 'failover active'; it is not used for this test.

1- do show failed on both
2- down the interface in the active ASA only, not in both active & standby
3- do show failed on both

Hi MHM,

 

I don't understand what you are suggesting here.

 

Diagram

- I mostly agree that your diagram reflects my situation.

* Quibble: only two Ethernet links comprise the 'Failover' communication path between the two ASAs.

* Quibble: there are two internal switches (tied together with a port-channel) and two external switches (tied together with a port-channel).

* Question: I don't understand the difference between the Blue and Yellow clouds: do these represent Blue and Yellow VLANs?

FWIW: in this configuration, there is no VLAN tagging: a single VLAN on the outside, a single VLAN on the inside.

 

Test Methodology:

- It seems to me that I have performed the test protocol you suggested, as documented in my previous post.

 

==> Would you offer more words around what you are suggesting or explaining?

 

ferry-x-test-vpn# sh int | include Interface|Description
Interface Vlan1 "", is down, line protocol is down
Interface Ethernet1/1 "outside", is up, line protocol is up
    Description: To edge-x-esx
Interface Ethernet1/2 "inside", is up, line protocol is up
    Description: To wst-x-rtr
Interface Ethernet1/3 "", is admin down, line protocol is down
Interface Ethernet1/4 "", is admin down, line protocol is down
Interface Ethernet1/5 "", is up, line protocol is up
    Description: To ferry-b-test
Interface Ethernet1/6 "", is up, line protocol is up
    Description: To ferry-b-test
Interface Ethernet1/7 "", is admin down, line protocol is down
Interface Ethernet1/8 "", is admin down, line protocol is down
Interface Management1/1 "management", is up, line protocol is up
Interface BVI1 is up, line protocol is up
Interface Port-channel1 "Failover-Link", is up, line protocol is up
Description: LAN/STATE Failover Interface
ferry-x-test-vpn#

 

--sk

As Cisco mentions in the CCNP book,
if the data-path link is down:

- Since the two ASAs connect via a switch, the switch-to-active-ASA link will be down and the switch-to-standby link will be up
- the active will go to failover status immediately
- the standby will not receive the hello any more and will run tests (the additional link tests include the up/down test, ARP test and broadcast test)

So here the inside will be Failed;
the outside, because of the failover process, will go to Waiting.

Finally it must be:
if we down the inside OR outside link we will get,
after a period:
active
active -> standby
inside normal(monitored) -> failed (waiting)
outside normal(monitored) -> normal (waiting) -> normal (monitored) "see this last status after the ASA becomes standby, not before that"
standby
standby -> active

 

Please confirm that the final status after link down is as above.

inside normal(monitored) -> normal(waiting)

I used the yellow and blue clouds as an indication of different VLANs in the topology.
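The 'show failover' output pasted throughout this thread is read by eye. As an added example, not from the thread, from Cisco or from any of the posters, the following Python script parses that output, records each unit's per-interface status (Normal/Testing/Failed) and monitoring state (Monitored/Waiting), counts interfaces in Failed status against the 'Interface Policy' line, and lists interfaces still in Waiting, which is the condition balaji.bandi points out does not yet meet the failover condition and which the OP's question #3 asks about. The sample text is constructed from the outputs posted above (the Primary unit just after the inside switch port was disabled), trimmed to the fields parsed; the handling of a percent interface policy is an assumption about how the ASA compares the share of failed interfaces, not something the thread states.

```python
"""Parse Cisco ASA 'show failover' output and evaluate the interface policy.

Added example for this thread; the sample below is constructed from the
outputs posted in it, trimmed to the lines this parser reads.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: 'show failover' on the Primary unit right after the
# switch port feeding its inside interface was disabled.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: Failover-Link Port-channel1 (up)
Unit Poll frequency 1 seconds, holdtime 5 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 320 maximum
This host: Primary - Failed
Active time: 229 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.64): Normal (Waiting)
Interface inside (10.11.3.64): Failed (Waiting)
Interface management (10.11.12.53): Normal (Monitored)
Other host: Secondary - Active
Active time: 17 (sec)
slot 0: FPR-1010 hw/sw rev (48.46/9.15(1)1) status (Up Sys)
Interface outside (128.253.12.63): Normal (Waiting)
Interface inside (10.11.3.63): Normal (Waiting)
Interface management (10.11.12.51): Normal (Monitored)
"""

# "Interface <name> (<ip>): <status> (<monitor-state>)"
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\w+) \((\w+)\)")
# "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
HOST_RE = re.compile(r"^(This|Other) host: (Primary|Secondary) - (.+)$")
# "Interface Policy 1" or "Interface Policy 50%"
POLICY_RE = re.compile(r"^Interface Policy (\d+)(%?)")


@dataclass
class Iface:
    name: str
    ip: str
    status: str    # Normal, Testing, Failed, ...
    monitor: str   # Monitored, Waiting, ...


@dataclass
class Unit:
    role: str      # Primary / Secondary
    state: str     # Active / Standby Ready / Failed ...
    ifaces: list = field(default_factory=list)


def parse_show_failover(text):
    """Return (policy, units): policy is (count, is_percent), units maps
    'this'/'other' to a Unit with the interface lines that followed its header."""
    policy = None
    units = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policy = (int(m.group(1)), m.group(2) == "%")
            continue
        m = HOST_RE.match(line)
        if m:
            current = Unit(role=m.group(2), state=m.group(3).strip())
            units[m.group(1).lower()] = current
            continue
        m = IFACE_RE.match(raw)
        if m and current is not None:
            current.ifaces.append(Iface(*m.groups()))
    return policy, units


def evaluate(policy, unit):
    """Count Failed interfaces against the policy and list interfaces whose
    monitoring has not reached Monitored (Waiting, i.e. no peer hello yet)."""
    count, is_percent = policy
    failed = [i.name for i in unit.ifaces if i.status == "Failed"]
    not_monitored = [i.name for i in unit.ifaces if i.monitor != "Monitored"]
    if is_percent:
        # Assumption: a percent policy compares the failed share of all
        # interfaces listed for the unit; the thread does not state this.
        met = bool(unit.ifaces) and 100 * len(failed) / len(unit.ifaces) >= count
    else:
        met = len(failed) >= count
    return {"failed": failed, "not_monitored": not_monitored, "policy_met": met}


def report(text):
    """One-line findings per unit, suitable for a scripted health check."""
    policy, units = parse_show_failover(text)
    suffix = "%" if policy[1] else ""
    findings = []
    for which, unit in units.items():
        r = evaluate(policy, unit)
        label = f"{which} host ({unit.role}, {unit.state})"
        if r["policy_met"]:
            findings.append(f"{label}: interface policy {policy[0]}{suffix} met, "
                            f"failed: {', '.join(r['failed'])}")
        if r["not_monitored"]:
            findings.append(f"{label}: not yet Monitored: {', '.join(r['not_monitored'])}")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Feed it the output of 'show failover' captured from either unit; a non-empty "not yet Monitored" finding that persists past the interface hold time is the state the thread is discussing, and a "policy met" finding on a unit still reported as Active is the condition the OP originally observed.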
