labdunn
asked on
Failover ASA
I am trying to set up a pair of ASA5510's in an active/passive failover. When I issue the failover command from the secondary 5510 I see these messages:
Detected an Active mate
Beginning configuration replication from mate.
Warning: no actions specified. All actions disabled.
Warning: no actions specified. All actions disabled.
End configuration replication from mate.
When I use "show failover | include host" I see this
This host: Secondary - Failed
Other host: Primary - Active
The secondary node seems to have all the configuration from the primary. At the time the primary had a few VPN connections active. Those too seemed to be reflected on the secondary. I think the status of the secondary node needs to be "Standby Ready". Both are running ios V 9.1(5(21). Can anyone tell me where I went wrong or how to troubleshoot this?
e0/0 is the outside interface
e0/1 is the inside interface
e0/2 and e0/3 are the common ports
Below are the commands I used to set up failover on the two nodes. Outside IP addresses are fictional.
On Primary node

interface Ethernet0/0
 mac-address 0003.000b.0001 standby 0003.000b.0002
 nameif outside
 security-level 0
 ip address 18.174.151.249 255.255.255.0 standby 18.174.151.152
!
interface Ethernet0/1
 mac-address 0003.000a.0001 standby 0003.000a.0002
 nameif inside
 security-level 100
 ip address 172.16.190.249 255.255.255.0 standby 172.16.190.149
interface Redundant1
 description LAN/STATE Failover Interface
 member-interface Ethernet0/2
 member-interface Ethernet0/3
failover
failover lan unit primary
failover lan interface FailoverLink Redundant1
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover link FailoverLink Redundant1
failover interface ip FailoverLink 192.168.168.173 255.255.255.252 standby 192.168.168.174

On Secondary Node

Interface e0/2
 No shut
Interface e0/3
 No shut
Interface Redundant 1
 Member-interface et 0/2
 Member-interface et 0/3
Failover lan unit secondary
Failover lan interface FailoverLink Redundant1
failover interface ip FailoverLink 192.168.168.173 255.255.255.252 standby 192.168.168.174
failover
are the interfaces e0/2, e0/3 and redundant1 up?
^^ agreed, post the full output of 'show failover' from the standby firewall. Either an interface is down, or there's a failure that's putting it in a failed state.
ASKER
e0/2 and e0/3 are both connected to each other by a 1' jumper cable. Here are the results of show failover state.
show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Ifc Failure              13:46:10 MST Jun 12 2015
                              outside: No Link
                              inside: No Link

====Configuration State===
        Sync Done
====Communication State===
        Mac set
I'm not certain what I'm reading but it seems like it could be telling me the outside and inside interfaces of the secondary ASA are not connected? Both ASA were put in the rack and cabled by another person. I'm not certain they are properly connected. I'm sure the link lights for the inside and outside interfaces were lit but I'm not certain they are in their proper vlans. I won't be onsite for several days and won't be able to get any information from the secondary probably until next week.
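The `show failover state` output in the post above can be read mechanically. The following is an added example, not part of the original thread: it parses that output and lists the interfaces that put a unit in the Failed state. The column spacing of the sample is reconstructed, and the function names are hypothetical.

```python
import re

# Output taken from the post above; column spacing is reconstructed (assumption).
SAMPLE = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Ifc Failure              13:46:10 MST Jun 12 2015
                              outside: No Link
                              inside: No Link
====Configuration State===
        Sync Done
"""

HOST_RE = re.compile(r"^(This|Other) host\s*-\s*(\S+)")
IFC_RE = re.compile(r"^\s+(\S+):\s+(.+?)\s*$")


def parse_failover_state(text):
    """Return {'This'|'Other': {role, state, reason, when, interfaces}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        if line.startswith("===="):        # config/communication sections follow
            break
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {
                "role": m.group(2), "state": None, "reason": None,
                "when": None, "interfaces": {}})
            continue
        if current is None or not line.strip():
            continue                       # header row or blank line
        m = IFC_RE.match(line)
        if m and current["state"]:         # detail row, e.g. "outside: No Link"
            current["interfaces"][m.group(1)] = m.group(2)
        elif current["state"] is None:     # "Failed   Ifc Failure   <time>"
            cols = re.split(r"\s{2,}", line.strip())
            current["state"] = cols[0]
            current["reason"] = cols[1] if len(cols) > 1 else None
            current["when"] = cols[2] if len(cols) > 2 else None
    return hosts


def failed_interfaces(text):
    """List (host, interface, reason) for every unit in the Failed state."""
    return [(h, ifc, why) for h, info in parse_failover_state(text).items()
            if info["state"] == "Failed"
            for ifc, why in info["interfaces"].items()]
```

For the output in this thread, `failed_interfaces(SAMPLE)` reports the secondary's `outside` and `inside` interfaces, both with `No Link`.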
Right, but I'd like to see the interface state. Are all three interfaces up? Two of them?
do you have remote access?
ASKER
I took one of the interfaces out of the failover group and the problem was corrected. Thank you for your help.