ASA Active/Active Failover - why the interface status is unknown/waiting/failed/not-monitored?
Let’s look on my scenario where ASA1 and ASA2 have two contexts and ‘c1’ is primary on on ASA1 and ‘c2’ is primary on ASA2:
R1 R4
10.0.0.1 172.16.1.1
| |
| |
Fa1/0/9 Fa1/0/15
------------------------------------
| sw1 |
------------------------------------
Fa1/0/3 Fa1/0/7
| | | |
| | | |
eth0/1.20 eth0/1.30 eth0/1.20 eth0/1.30
10.0.0.10 172.16.1.11 10.0.0.11 172.16.1.10
------------- folink -------------
| asa1 | <--------->| asa2 |
| |---| |---| | | |---| |---| |
| |c1 | |c2 | | | |c1 | |c2 | |
| |-P-| |-S-| | | |-S-| |-P-| |
------------- -------------
20.0.0.20 172.16.2.20 20.0.0.22 172.16.2.22
eth0/0.10 eth0/0.40 eth0/0.10 eth0/0.40
| | | |
| | | |
Fa1/0/4 Fa1/0/8
------------------------------------
| sw1 |
------------------------------------
Fa1/0/11 Fa1/0/13
| |
| |
20.0.0.2 172.16.2.3
R2 R3
Traffic from R1 to R2 should go through ‘c1’ on ASA1 and from R4 to R3 through ‘c2’ on ASA2.
Let’s check the current status:
asa1/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3.99 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 110 maximum
Version: Ours 8.4(5)6, Mate 8.4(5)6
Group 1 last failover at: 18:39:52 UTC Oct 9 2014
Group 2 last failover at: 19:50:21 UTC Oct 9 2014
This host: Primary
Group 1 State: Active
Active time: 9930 (sec)
Group 2 State: Standby Ready
Active time: 2834 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
c1 Interface outside (20.0.0.20): Normal (Not-Monitored)
c1 Interface inside (10.0.0.10): Normal (Not-Monitored)
c2 Interface outside (172.16.2.22): Normal (Not-Monitored)
c2 Interface inside (172.16.1.11): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary
Group 1 State: Standby Ready
Active time: 105 (sec)
Group 2 State: Active
Active time: 7323 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
c1 Interface outside (20.0.0.22): Failed (Not-Monitored)
c1 Interface inside (10.0.0.11): Failed (Not-Monitored)
c2 Interface outside (172.16.2.20): Normal (Not-Monitored)
c2 Interface inside (172.16.1.10): Failed (Not-Monitored)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : folink Ethernet0/3.99 (up)
Stateful Obj xmit xerr rcv rerr
General 1352 0 1333 0
sys cmd 1327 0 1327 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1 0 1 0
UDP conn 0 0 0 0
ARP tbl 24 0 2 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 3 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 1333
Xmit Q: 0 1 1352
asa1/act#
1) not-monitored
When you see the status of your interfaces is ‘Not-Monitored’ you forgot to enable it on a context level. To fix it you need to enter to each context and enable it:
a) context ‘c1’
asa1/act#
asa1/act# changeto context c1
asa1/c1/act# conf t
asa1/c1/act(config)# monitor-interface inside
asa1/c1/act(config)# monitor-interface outside
asa1/c1/act(config)# end
asa1/c1/act#
asa1/c1/act# sh failover
Failover On
Last Failover at: 18:39:52 UTC Oct 9 2014
This context: Active
Active time: 10500 (sec)
Interface outside (20.0.0.20): Normal (Waiting)
Interface inside (10.0.0.10): Normal (Waiting)
Peer context: Failed
Active time: 105 (sec)
Interface outside (20.0.0.22): Failed (Waiting)
Interface inside (10.0.0.11): Failed (Waiting)
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 1 0 1 0
UDP conn 0 0 0 0
ARP tbl 24 0 2 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 1 0
asa1/c1/act#
b) context ‘c2’
asa1/c2/act# conf t
asa1/c2/act(config)# monitor-interface inside
asa1/c2/act(config)# monitor-interface outside
asa1/c2/act# sh failover
Failover On
Last Failover at: 20:02:39 UTC Oct 9 2014
This context: Active
Active time: 2978 (sec)
Interface outside (172.16.2.20): Unknown (Waiting)
Interface inside (172.16.1.10): Normal (Waiting)
Peer context: Failed
Active time: 8044 (sec)
Interface outside (172.16.2.22): Unknown (Waiting)
Interface inside (172.16.1.11): Failed (Waiting)
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 4 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 1 0
asa1/c2/act#
2) Normal (Waiting)/Unknown (Waiting)/Failed (Waiting)
As you see now all interfaces are monitored but their status is unknown. If you checked the configuration and everything is fine, the most probably reason of wrong status is switch misconfiguration.
You need to check if the interface is in the correct vlan or if the vlan is allowed on trunk.
asa1/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3.99 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 110 maximum
Version: Ours 8.4(5)6, Mate 8.4(5)6
Group 1 last failover at: 18:39:52 UTC Oct 9 2014
Group 2 last failover at: 20:02:39 UTC Oct 9 2014
This host: Primary
Group 1 State: Active
Active time: 12853 (sec)
Group 2 State: Active
Active time: 5036 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
c1 Interface outside (20.0.0.20): Normal (Waiting)
c1 Interface inside (10.0.0.10): Normal (Waiting)
c2 Interface outside (172.16.2.20): Unknown (Waiting)
c2 Interface inside (172.16.1.10): Normal (Waiting)
slot 1: empty
Other host: Secondary
Group 1 State: Failed
Active time: 105 (sec)
Group 2 State: Failed
Active time: 8044 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
c1 Interface outside (20.0.0.22): Failed (Waiting)
c1 Interface inside (10.0.0.11): Failed (Waiting)
c2 Interface outside (172.16.2.22): Unknown (Waiting)
c2 Interface inside (172.16.1.11): Failed (Waiting)
slot 1: empty
In my case I discovered that two interfaces of ASA2 had a wrong configuration. Once I fixed it the context were able to monitor its peer interfaces:
MP-SW(config)#int range fa1/0/7, fa1/0/8
MP-SW(config-if-range)#switchport trunk encapsulation dot1q
MP-SW(config-if-range)#switchport mode trunk
MP-SW(config-if-range)#end
MP-SW#
asa1/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3.99 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 110 maximum
Version: Ours 8.4(5)6, Mate 8.4(5)6
Group 1 last failover at: 18:39:52 UTC Oct 9 2014
Group 2 last failover at: 20:02:39 UTC Oct 9 2014
This host: Primary
Group 1 State: Active
Active time: 13029 (sec)
Group 2 State: Active
Active time: 5212 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
c1 Interface outside (20.0.0.20): Normal (Waiting)
c1 Interface inside (10.0.0.10): Normal (Waiting)
c2 Interface outside (172.16.2.20): Unknown (Waiting)
c2 Interface inside (172.16.1.10): Normal (Waiting)
slot 1: empty
Other host: Secondary
Group 1 State: Failed
Active time: 105 (sec)
Group 2 State: Failed
Active time: 8044 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
c1 Interface outside (20.0.0.22): Normal (Waiting)
c1 Interface inside (10.0.0.11): Normal (Waiting)
c2 Interface outside (172.16.2.22): Normal (Waiting)
c2 Interface inside (172.16.1.11): Normal (Waiting)
slot 1: empty
We see the interfaces are still negotiating their status but after few minutes we should see status Normal(Monitored):
asa1/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3.99 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 110 maximum
Version: Ours 8.4(5)6, Mate 8.4(5)6
Group 1 last failover at: 18:39:52 UTC Oct 9 2014
Group 2 last failover at: 20:42:30 UTC Oct 9 2014
This host: Primary
Group 1 State: Active
Active time: 13079 (sec)
Group 2 State: Standby Ready
Active time: 5226 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
c1 Interface outside (20.0.0.20): Normal (Monitored)
c1 Interface inside (10.0.0.10): Normal (Monitored)
c2 Interface outside (172.16.2.22): Normal (Monitored)
c2 Interface inside (172.16.1.11): Normal (Monitored)
slot 1: empty
Other host: Secondary
Group 1 State: Standby Ready
Active time: 105 (sec)
Group 2 State: Active
Active time: 8080 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
c1 Interface outside (20.0.0.22): Normal (Monitored)
c1 Interface inside (10.0.0.11): Normal (Monitored)
c2 Interface outside (172.16.2.20): Normal (Monitored)
c2 Interface inside (172.16.1.10): Normal (Monitored)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : folink Ethernet0/3.99 (up)
Stateful Obj xmit xerr rcv rerr
General 1776 0 1753 0
sys cmd 1747 0 1747 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1 0 1 0
UDP conn 0 0 0 0
ARP tbl 28 0 2 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 3 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 1753
Xmit Q: 0 1 1776
asa1/act#
55
Kudos
55
Kudos