ASA 5520 Failover

Posted on 2009-12-17
Last Modified: 2012-05-08
I just had a failover between my pair of 5520s and during the failover I dropped all my IPsec VPN connections. I have stateful failover configured, which is supposed to keep all that up and running during a failover. Below is my failover configuration....

failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover polltime unit 1 holdtime 3
failover link failover GigabitEthernet0/3
failover interface ip failover standby
Question by: dtadmin

    Author Comment

    ciscoasa# sh failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: failover GigabitEthernet0/3 (up)
    Unit Poll frequency 1 seconds, holdtime 3 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 250 maximum
    Version: Ours 8.2(1), Mate 8.2(1)
    Last Failover at: 10:31:48 EDT Oct 14 2009
            This host: Primary - Active
                    Active time: 5536936 (sec)
                    slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                      Interface outside ( Normal
                      Interface inside ( Normal
                      Interface dmz ( Normal
                      Interface management ( No Link (Waiting)
                    slot 1: empty
            Other host: Secondary - Standby Ready
                    Active time: 19 (sec)
                    slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                      Interface outside ( Normal
                      Interface inside ( Normal
                      Interface dmz ( Normal
                      Interface management ( No Link (Waiting)
                    slot 1: empty

    Stateful Failover Logical Update Statistics
            Link : failover GigabitEthernet0/3 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         1956757756 0          683414477  24879
            sys cmd         1360202    0          1360200    0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        351859552  0          142287016  5688
            UDP conn        1603001232 0          539440288  19191
            ARP tbl         343508     0          215151     0
            Xlate_Timeout   0          0          0          0
            VPN IKE upd     31826      0          27979      0
            VPN IPSEC upd   95770      0          79380      0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     65666      0          4463       0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       71      865082627
            Xmit Q:         0       1024    2197440693
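
An added example, not part of the original thread: a small Python parser for the `Stateful Failover Logical Update Statistics` table posted above. It reports whether the state link is up, whether VPN IKE/IPsec updates have been sent to the mate, and which objects show transmit or receive errors. The function names and the choice of required rows are assumptions; the sample input is the posted output, trimmed.

```python
import re

# Constructed sample: the statistics table from the post above, trimmed to a few rows.
SAMPLE = """\
    Stateful Failover Logical Update Statistics
            Link : failover GigabitEthernet0/3 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         1956757756 0          683414477  24879
            TCP conn        351859552  0          142287016  5688
            UDP conn        1603001232 0          539440288  19191
            VPN IKE upd     31826      0          27979      0
            VPN IPSEC upd   95770      0          79380      0

            Logical Update Queue Information
"""
COLS = ("xmit", "xerr", "rcv", "rerr")
ROW = re.compile(r"^\s*(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
LINK = re.compile(r"^\s*Link\s*:\s*(.+?)\s+\((\w+)\)\s*$")

def parse_stateful_stats(text):
    """Return (link_state, {object name: {xmit, xerr, rcv, rerr}})."""
    link_state, stats, in_table = None, {}, False
    for line in text.splitlines():
        m = LINK.match(line)
        if m:
            link_state = m.group(2)
        elif "Stateful Obj" in line:
            in_table = True  # column header: counter rows follow
        elif in_table:
            m = ROW.match(line)
            if not m:
                in_table = False  # blank line or next section ends the table
                continue
            stats[m.group(1)] = dict(zip(COLS, map(int, m.groups()[1:])))
    return link_state, stats

def review(text, required=("VPN IKE upd", "VPN IPSEC upd")):
    """Sanity check only (the required rows are an assumption, not a diagnosis)."""
    link_state, stats = parse_stateful_stats(text)
    findings = []
    if link_state != "up":
        findings.append(f"state link is {link_state}")
    for name in required:
        if stats.get(name, {}).get("xmit", 0) == 0:
            findings.append(f"{name}: no updates transmitted")
    for name, c in stats.items():
        if c["xerr"] or c["rerr"]:
            findings.append(f"{name}: xerr={c['xerr']} rerr={c['rerr']}")
    return findings
```

Run against the posted output, `review()` returns only the receive-error counters on the General, TCP conn and UDP conn rows; the VPN rows show updates sent and no errors.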

    Author Comment

    From what I have posted above, why did my IPsec connections drop during failover?

    Accepted Solution

    They shouldn't?
    If you run a constant ping out through the firewall - then force a failover - how many ping packets do you drop?

    Author Comment

    Not too sure I want to try that during office hours. That would be something that needs to wait until after hours or a weekend.
