• Status: Solved

ASA 5520 Failover

I just had a failover between my pair of 5520s, and during the failover I dropped all my IPsec VPN connections. I have stateful failover configured, which is supposed to keep all that up and running during a failover. Below is my failover configuration:

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover polltime unit 1 holdtime 3
failover link failover GigabitEthernet0/3
failover interface ip failover 172.17.1.1 255.255.255.0 standby 172.17.1.7
0
Asked by: dtadmin
1 Solution
 
dtadmin (Author) commented:
ciscoasa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 10:31:48 EDT Oct 14 2009
        This host: Primary - Active
                Active time: 5536936 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside (207.136.182.5): Normal
                  Interface inside (10.0.0.254): Normal
                  Interface dmz (10.3.0.254): Normal
                  Interface management (0.0.0.0): No Link (Waiting)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 19 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside (207.136.182.6): Normal
                  Interface inside (10.0.0.253): Normal
                  Interface dmz (10.3.0.253): Normal
                  Interface management (0.0.0.0): No Link (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1956757756 0          683414477  24879
        sys cmd         1360202    0          1360200    0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        351859552  0          142287016  5688
        UDP conn        1603001232 0          539440288  19191
        ARP tbl         343508     0          215151     0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     31826      0          27979      0
        VPN IPSEC upd   95770      0          79380      0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     65666      0          4463       0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       71      865082627
        Xmit Q:         0       1024    2197440693
0
 
dtadmin (Author) commented:
From what I have posted above, why did my IPsec connections drop during failover?
0
 
Pete Long (Consultant) commented:
They shouldn't?
If you run a constant ping out through the firewall, then force a failover, how many ping packets do you drop?
0
 
dtadmin (Author) commented:
Not too sure I want to try that during office hours. That would be something that needs to wait until after hours or a weekend.
0
