harrydanger

ASA Failover/redundancy issue

Tue Jun 28, 2016 6:18 pm

Greetings All.

I'm having a really curly issue involving a pair of Cisco ASAs in HA active/passive.

Essentially the two devices are located at separate sites connected across a VLAN. They are running EIGRP, configured in the same process as our two CORE switches. They look to be configured OK. No config changes.

The problem
When I unplug the internal interface on the active (secondary) device, the primary does not ever become active and I see no reason why. I also see no EIGRP events on the CORE. I lose connectivity to the devices completely, so I have limited troubleshooting scope.

Everything I see looks OK. I have verified the VLAN is stretched OK, and that the switch port communicates on this VLAN.

Any troubleshooting ideas would be welcome.

SH FAILOVER STATE

ausyd-chf-asa01#    sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         Ifc Failure              06:25:55 EST Jun 17 2016
                              Internal: No Link
Other host -   Primary
               Standby Ready  Comm Failure             15:44:47 EST Jun 17 2016

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set



SH FAILOVER
ausyd-chf-asa01# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 160 maximum
Version: Ours 9.0(2), Mate 9.0(2)
Last Failover at: 06:35:08 EST Jun 17 2016
        This host: Secondary - Active
                Active time: 8844123 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.0(2)) status (Up Sys)
                  Interface Internal (x.x.x.x): Normal (Monitored)
                  Interface FDI_Interconnect (x.x.x.x): Normal (Monitored)
                  Interface iTransact_Server (x.x.x.x): Normal (Monitored)
                  Interface iTransact_Mgmt (x.x.x.x): Normal (Monitored)
                  Interface iTransact_Log (x.x.x.x): Normal (Monitored)
                  Interface iTransact_Dev (x.x.x.x): Normal (Monitored)
                  Interface management (x.x.x.x): No Link (Not-Monitored)
                slot 1: empty
        Other host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.0(2)) status (Up Sys)
                  Interface Internal (x.x.x.x): Normal (Monitored)
                  Interface FDI_Interconnect (x.x.x.x): Normal (Monitored)
                  Interface iTransact_Server (x.x.x.x): Normal (Monitored)
                  Interface iTransact_Mgmt (x.x.x.x): Normal (Monitored)
                  Interface iTransact_Log (x.x.x.x): Normal (Monitored)
                  Interface iTransact_Dev (x.x.x.x): Normal (Monitored)
                  Interface management (x.x.x.x): Normal (Not-Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         218920620  0          1886278481 1369265
        sys cmd         12049973   0          12009360   0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        166856398  0          1368108551 0
        UDP conn        37849048   0          350753688  0
        ARP tbl         2013883    0          154965396  0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          386        0
        Route Session   151314     0          441073     1369265
        User-Identity   4          0          27         0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       85      1927012268
        Xmit Q:         0       28      223148575


hubertzw

Re: ASA Failover/redundancy issue

Thu Dec 22, 2016 8:55 pm

Hi,

Could you show 'sh failover' once you unplug the interface? Can the primary box see the interfaces' status on the active (secondary) one?
Are you sure you unplugged the "Internal" interface (the monitored one)?
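
Added example (not part of either post above): a small Python parser for 'sh failover' output that lists, per unit, the monitored interfaces not in Normal state, which is the comparison the reply asks for, plus any stateful objects with non-zero error counters. The sample text is constructed in the layout of the output posted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the 'sh failover' output posted above;
# the "No Link (Monitored)" line imitates a capture taken after the unplug test.
SAMPLE = """\
        This host: Secondary - Active
                  Interface Internal (x.x.x.x): No Link (Monitored)
                  Interface management (x.x.x.x): No Link (Not-Monitored)
        Other host: Primary - Standby Ready
                  Interface Internal (x.x.x.x): Normal (Monitored)
                  Interface management (x.x.x.x): Normal (Not-Monitored)

        Stateful Obj    xmit       xerr       rcv        rerr
        General         218920620  0          1886278481 1369265
        TCP conn        166856398  0          1368108551 0
        Route Session   151314     0          441073     1369265
"""

HOST = re.compile(r"^\s*(This|Other) host: (\w+) - (.+?)\s*$")
IFC = re.compile(r"^\s*Interface (\S+) \(([^)]*)\): (.+?) \((Monitored|Not-Monitored)\)\s*$")
STAT = re.compile(r"^\s*(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_failover(text):
    """Return (units, stats) parsed from 'sh failover' text."""
    units, stats, current = {}, {}, None
    for line in text.splitlines():
        if m := HOST.match(line):
            current = m.group(1)
            units[current] = {"role": m.group(2), "state": m.group(3), "ifcs": {}}
        elif (m := IFC.match(line)) and current:
            units[current]["ifcs"][m.group(1)] = (m.group(3), m.group(4) == "Monitored")
        elif m := STAT.match(line):
            stats[m.group(1)] = dict(zip(("xmit", "xerr", "rcv", "rerr"), map(int, m.groups()[1:])))
    return units, stats

def findings(units, stats):
    """List monitored interfaces that are not Normal and objects with sync errors."""
    out = []
    for unit, info in units.items():
        for name, (status, monitored) in info["ifcs"].items():
            if monitored and status != "Normal":
                out.append(f"{unit} host ({info['role']}, {info['state']}): {name} is {status}")
    for obj, c in stats.items():
        if c["xerr"] or c["rerr"]:
            out.append(f"stateful object '{obj}': xerr={c['xerr']} rerr={c['rerr']}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(*parse_failover(SAMPLE))))
```

Running it against captures taken from each unit before and after the unplug test shows whether the peer's view of the Internal interface changes at all.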
