10-31-2023 12:36 PM
Hello,
I am currently configuring two Cisco ASA 1120s for Active/Standby failover. So far it is failing. This is what I have done so far. The version that these ASAs are running is Cisco Adaptive Security Appliance Software Version 9.16(4)42. They also have the same encryption license, Encryption-3DES-AES. This is currently what I have configured on both ASAs.
Active ASA:
failover
failover lan unit primary
failover lan interface Failover Ethernet1/8
failover replication http
failover link Failover Ethernet1/8
failover interface ip Failover 192.168.59.1 255.255.255.252 standby 192.168.59.2
no failover wait-disable
Standby ASA:
failover
failover lan unit secondary
failover lan interface Failover Ethernet1/8
failover link Failover Ethernet1/8
failover interface ip Failover 192.168.59.1 255.255.255.252 standby 192.168.59.2
no failover wait-disable
When I do a show failover on the active ASA this is the output.
ciscoasa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: Failover Ethernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 776 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.16(4)42, Mate 9.16(4)42
Serial Number: Ours JAD2, Mate JAD2
Last Failover at: 17:54:16 UTC Oct 31 2023
This host: Primary - Failed
Active time: 9 (sec)
slot 0: FPR-1120 hw/sw rev (50.46/9.16(4)42) status (Up Sys)
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (0.0.0.0): No Link (Waiting)
Interface asdm (0.0.0.0): No Link (Waiting)
Interface management (0.0.0.0): No Link (Waiting)
Other host: Secondary - Active
Active time: 5630 (sec)
slot 0: FPR-1120 hw/sw rev (50.46/9.16(4)42) status (Up Sys)
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (192.168.1.1): No Link (Waiting)
Interface asdm (0.0.0.0): Normal (Waiting)
Interface management (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : Failover Ethernet1/8 (up)
Stateful Obj xmit xerr rcv rerr
General 885 0 1060 0
sys cmd 885 0 885 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 174 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 15 4702
Xmit Q: 0 1 887
I erased half of the serial number for security reasons, but other than that this is the whole output.
Any help is appreciated.
11-01-2023 12:58 PM
It looks like the failover config is functioning properly, but there is no failover IP configured on your inside interface of the primary unit, causing the firewalls to fail over due to a loss of connectivity. The secondary unit has the IP of 192.168.1.1, so it became the active unit.
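The check described in this answer can be run over saved `show failover` output. The script below is an added example, not part of the original thread or any Cisco tooling; the function names `parse_failover` and `findings` are hypothetical, and the sample text is constructed from the host and interface lines in the question.

```python
import re

# Constructed sample: host and interface lines trimmed from the output posted above.
SAMPLE = """\
This host: Primary - Failed
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (0.0.0.0): No Link (Waiting)
Interface asdm (0.0.0.0): No Link (Waiting)
Interface management (0.0.0.0): No Link (Waiting)
Other host: Secondary - Active
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (192.168.1.1): No Link (Waiting)
Interface asdm (0.0.0.0): Normal (Waiting)
Interface management (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*(?:\([^)]*\))?\s*$")

def parse_failover(text):
    """Return {'this'|'other': {'role', 'state', 'interfaces': [...]}}."""
    units, current = {}, None
    for line in text.splitlines():
        host, iface = HOST_RE.match(line), IFACE_RE.match(line)
        if host:
            current = {"role": host[2], "state": host[3], "interfaces": []}
            units[host[1].lower()] = current
        elif iface and current is not None:
            name, ip, status = iface.groups()
            current["interfaces"].append({"name": name, "ip": ip, "status": status})
    return units

def findings(units):
    """List what a reviewer would check first: failed units, missing IPs, bad links."""
    out = []
    for unit in units.values():
        if unit["state"].lower().startswith("failed"):
            out.append(f"{unit['role']}: unit state is {unit['state']}")
        for i in unit["interfaces"]:
            if i["ip"] == "0.0.0.0":
                out.append(f"{unit['role']}/{i['name']}: no IP address shown")
            if i["status"] != "Normal":
                out.append(f"{unit['role']}/{i['name']}: link status {i['status']}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_failover(SAMPLE))))
```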
11-01-2023 01:27 PM
Thank you for the insight. My boss and I were actually able to figure this out, but thank you very much.