I have never touched so many ASAs within a month in all my life! It's great, don't get me wrong; they are a huge weakness of mine, and any experience I get with them helps me in my career. I was struggling with failover the past few days, not really the configuration of it, but some things I forgot about after all was said and done.

I deployed two devices and configured them separately at first; this was to get the code up to date with the newest 9.2 version. I configured the basics: inside/outside interfaces, ASDM, SSH, etc. After getting the code up to date, I decided I was going to configure failover. Now there is an order of operations that you have to keep in mind when you do this, or you could essentially overwrite a good config with a bad one. So I read carefully and looked at many examples. When I was finished, everything appeared to be good! Here was the show failover output:

ASA5515-01# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 03:55:44 CDT Oct 21 2014
This host: Primary – Active
Active time: 507514 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface outside (1.1.1.1): Normal (Waiting)
Interface inside (172.20.16.30): Normal (Waiting)
Interface Mgmt (172.20.17.10): Normal (Waiting)
slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
IPS, 7.1(4)E4, Up
Other host: Secondary – Standby Ready
Active time: 0 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface Mgmt (0.0.0.0): Normal (Waiting)
slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
IPS, 7.1(4)E4, Up

Stateful Failover Logical Update Statistics
Link : Unconfigured


It looks OK at first glance! This host is primary, the secondary is standby ready, interfaces are reading "Normal"... Looks good. But wait, what is this Normal (Waiting) thing going on? It appears that maybe it's not OK. So after some reading I looked up this symptom, and a common cause is that the units cannot reach each other over the failover link. OK, so now I do this:

ASA5515-01# show run | inc failover
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/5
failover interface ip FAILOVER 10.10.1.1 255.255.255.252 standby 10.10.1.2
ASA5515-01# ping 10.10.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA5515-01#

Well, the ping to the other unit is a success! So what is the issue here? It was a case of "I should have configured failover first, before I configured any interfaces". Let's take a look at something that wasn't apparent to me at first:

Other host: Secondary – Standby Ready
Active time: 0 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface Mgmt (0.0.0.0): Normal (Waiting)
slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
IPS, 7.1(4)E4, Up

The interfaces on the secondary unit do not have any standby IP addresses assigned! This is shown by the (0.0.0.0) value next to each interface. So after running a show run command, it is apparent that the interface IP addresses do not define a standby IP:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.20.16.30 255.255.255.0

This is because I never went back and reconfigured these after I put the units in failover mode. Reconfiguring these interfaces with the correct syntax led to the issue being resolved. Here is the running configuration after the reconfiguration of the interfaces:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.240 standby 1.1.1.2
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.20.16.30 255.255.255.0 standby 172.20.16.31

And now a show failover output:

ASA5515-01/act#     show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/5 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 08:53:50 CDT Oct 27 2014
This host: Primary – Active
Active time: 23216 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface outside (1.1.1.1): Normal (Monitored)
Interface inside (172.20.16.30): Normal (Monitored)
Interface Mgmt (172.20.17.10): Normal (Monitored)
slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
IPS, 7.1(4)E4, Up
Other host: Secondary – Standby Ready
Active time: 180 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface outside (1.1.1.2): Normal (Monitored)
Interface inside (172.20.16.31): Normal (Monitored)
Interface Mgmt (172.20.17.11): Normal (Monitored)
slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
IPS, 7.1(4)E4, Up

The secondary unit now has standby IPs defined on its interfaces, with a Normal (Monitored) state. NOW everything is good. To sum this up, if interfaces are already configured prior to configuring failover, you need to go back to each interface and define a standby IP.
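Because the broken pair above still reported "Failover On" and "Standby Ready", the only signs of trouble were the (0.0.0.0) addresses and the (Waiting) sub-state on the interface lines, which are easy to skim past. The following script is an added example (not from the post, and not a Cisco tool) that parses "show failover" text and turns those two symptoms, plus an ours/mate software version mismatch, into explicit findings, so the check can run against output pulled by a monitoring job rather than by eye. The two embedded samples are constructed from the before and after outputs shown in this post, trimmed to the lines the check reads; the "Version:" mismatch check goes slightly beyond the post's case, which only shows matching 9.2(2)4 on both units.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample input: the two "show failover" outputs from the post,
# trimmed to the lines this check reads. Real output indents the per-host
# lines; the parser strips leading whitespace so either form parses.
BEFORE_FIX = """\
Failover On
Failover unit Primary
Version: Ours 9.2(2)4, Mate 9.2(2)4
This host: Primary - Active
  Active time: 507514 (sec)
  Interface outside (1.1.1.1): Normal (Waiting)
  Interface inside (172.20.16.30): Normal (Waiting)
  Interface Mgmt (172.20.17.10): Normal (Waiting)
Other host: Secondary - Standby Ready
  Active time: 0 (sec)
  Interface outside (0.0.0.0): Normal (Waiting)
  Interface inside (0.0.0.0): Normal (Waiting)
  Interface Mgmt (0.0.0.0): Normal (Waiting)
"""

AFTER_FIX = """\
Failover On
Failover unit Primary
Version: Ours 9.2(2)4, Mate 9.2(2)4
This host: Primary - Active
  Active time: 23216 (sec)
  Interface outside (1.1.1.1): Normal (Monitored)
  Interface inside (172.20.16.30): Normal (Monitored)
  Interface Mgmt (172.20.17.10): Normal (Monitored)
Other host: Secondary - Standby Ready
  Active time: 180 (sec)
  Interface outside (1.1.1.2): Normal (Monitored)
  Interface inside (172.20.16.31): Normal (Monitored)
  Interface Mgmt (172.20.17.11): Normal (Monitored)
"""


class Iface(NamedTuple):
    host: str    # "Primary" or "Secondary"
    name: str    # nameif, e.g. "outside"
    ip: str      # address this unit holds on the interface
    state: str   # e.g. "Normal", "Failed", "Unknown"
    detail: str  # e.g. "Waiting", "Monitored", "Not-Monitored", or ""


# Host lines: "This host: Primary - Active" (a copy-pasted en dash is tolerated).
HOST_RE = re.compile(r"^(?:This|Other) host: (\S+) [-\u2013] (.+)$")
# Interface lines: "Interface outside (1.1.1.1): Normal (Waiting)".
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\S+)(?: \(([^)]+)\))?$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")


def parse_show_failover(text: str) -> Tuple[List[Iface], Optional[Tuple[str, str]]]:
    """Return the per-interface records and the (ours, mate) version pair."""
    ifaces: List[Iface] = []
    versions: Optional[Tuple[str, str]] = None
    host: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VERSION_RE.match(line)
        if m:
            versions = (m.group(1), m.group(2))
            continue
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)  # interface lines that follow belong to this unit
            continue
        m = IFACE_RE.match(line)
        if m and host is not None:
            ifaces.append(Iface(host, m.group(1), m.group(2), m.group(3), m.group(4) or ""))
    return ifaces, versions


def failover_findings(text: str) -> List[str]:
    """Human-readable findings; an empty list means the pair looks healthy."""
    ifaces, versions = parse_show_failover(text)
    findings: List[str] = []
    if versions and versions[0] != versions[1]:
        findings.append(f"software mismatch: ours {versions[0]}, mate {versions[1]}")
    if len({i.host for i in ifaces}) < 2:
        findings.append("interface status present for only one unit: mate not reporting")
    for i in ifaces:
        if i.ip == "0.0.0.0":
            findings.append(f"{i.host}/{i.name}: no standby IP on this interface (shows 0.0.0.0)")
        if i.detail == "Waiting":
            findings.append(f"{i.host}/{i.name}: interface monitoring not established (Waiting)")
        if i.state != "Normal":
            findings.append(f"{i.host}/{i.name}: interface state is {i.state}")
    return findings


if __name__ == "__main__":
    for label, sample in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(f"== {label} ==")
        for line in failover_findings(sample) or ["OK: all interfaces Normal (Monitored)"]:
            print("  " + line)
```

Run against the "before" sample it reports nine findings (three Waiting interfaces on the primary, and both a missing standby IP and Waiting for each of the three interfaces on the secondary); the "after" sample produces none. Feeding it the live output of "show failover" from a scheduled job gives an alert on exactly the condition this post describes, instead of relying on someone noticing the 0.0.0.0 addresses.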
