9 replies to this topic

[wtcajk]

Hi Guys,

Please let me know why I cant see outside intreface NORMAL without something in a braket for both groups.VLAN assignements are correct, failover is running fine except this one.Please guide asap.


ASA-1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Group 1 last failover at: 23:25:27 UTC Apr 8 2012
Group 2 last failover at: 23:25:25 UTC Apr 8 2012

  This host: Primary
  Group 1    State:   Active
Active time: 134 (sec)
  Group 2    State:   Standby Ready
Active time: 0 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
  admin Interface outside (47.47.5.253): Normal (Waiting)  .........should be normal without ()
  admin Interface DMZ4 (47.47.4.253): Normal (Not-Monitored)
  admin Interface inside (47.47.2.253): Normal (Not-Monitored)
  R1 Interface outside (47.47.5.250): Normal  -------------------------------This is correct
  R1 Interface DMZ3 (47.47.3.254): Normal (Not-Monitored)
  R1 Interface inside (47.47.2.252): Normal (Not-Monitored)
slot 1: empty
  
  
----------------------------------------------------------------------------------

ASA-2(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Group 1 last failover at: 23:25:29 UTC Apr 8 2012
Group 2 last failover at: 23:25:24 UTC Apr 8 2012

  This host: Secondary
  Group 1    State:   Standby Ready
Active time: 0 (sec)
  Group 2    State:   Active
Active time: 199 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
admin Interface outside (47.47.5.254): Normal -------------------------------This is correct
  admin Interface DMZ4 (47.47.4.254): Normal (Not-Monitored)
  admin Interface inside (47.47.2.254): Normal (Not-Monitored)
R1 Interface outside (47.47.5.251): Normal (Waiting) ................should be normal without ()
  R1 Interface DMZ3 (47.47.3.253): Normal (Not-Monitored)
  R1 Interface inside (47.47.2.251): Normal (Not-Monitored)
slot 1: empty

Edited by wtcajk, 08 April 2012 - 03:50 PM.

[cooolbreeze]

Vlans are probably not matching on the switch ports.

[wtcajk]

vlans are correctly configured.orelse failover wont work...dont know where exactly the issue leying

[cooolbreeze]

how about the trunk between the switches, does it have the correct vlans allowed?

[wtcajk]

Trunks ports are configured like this,So no worries about it,dont know whats the exact issue

interface FastEthernet0/x
no shut
switchport trunk encapsulation dot1q
switchport mode trunk

[cooolbreeze]

i have tested this multiple times, this is mostly VLAN issue. Check your vlan data base, I can tell you from experience that if VLAN is not created it would show WAITING forever, because the firewall can sense that the interface is UP, however its not passing traffic due to layer 2 config.

[gYuMaHgYu]

Hi, wtcajk

It could be bug CSCtq35045. Check cisco bug toolkit.
Also give us some output from log and debug.

CSCtq35045 Bug Details
HA: Monitored interfaces fail to move out of waiting state Symptom:

Standby ASA in failover may show interface status as waiting. You will not be able to ping the active interface IP from the standby firewall.

Conditions:

This is seen in multi context mode with the same interface shared across multiple contexts. The shared interface will be in a waiting state after a failover event and will never recover.

You may see spoof syslogs related to the failover IP addresses on this interface. Bug causes the standby ASA to think that it owns the active macs. So it treats packets that it generates destined to the active mac as spoof packets.

Workaround:

Upgrade to fixed code

I have this problem on some ASA Software versions.

[wtcajk]

Thnak you gYuMaHgYu  , i will check on this.

[ernestogon]

Look for the following command in the configuration:

Rack1SW1(config)#vlan dot1q tag native

If it is there then you need to remove it.

That might be the issue.

[aztec13]

wtcajk, on 08 April 2012 - 03:48 PM, said:

Hi Guys,

Please let me know why I cant see outside intreface NORMAL without something in a braket for both groups.VLAN assignements are correct, failover is running fine except this one.Please guide asap.


ASA-1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Group 1 last failover at: 23:25:27 UTC Apr 8 2012
Group 2 last failover at: 23:25:25 UTC Apr 8 2012

  This host: Primary
  Group 1    State:   Active
Active time: 134 (sec)
  Group 2    State:   Standby Ready
Active time: 0 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
  admin Interface outside (47.47.5.253): Normal (Waiting)  .........should be normal without ()
  admin Interface DMZ4 (47.47.4.253): Normal (Not-Monitored)
  admin Interface inside (47.47.2.253): Normal (Not-Monitored)
  R1 Interface outside (47.47.5.250): Normal  -------------------------------This is correct
  R1 Interface DMZ3 (47.47.3.254): Normal (Not-Monitored)
  R1 Interface inside (47.47.2.252): Normal (Not-Monitored)
slot 1: empty
  
  
----------------------------------------------------------------------------------

ASA-2(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Group 1 last failover at: 23:25:29 UTC Apr 8 2012
Group 2 last failover at: 23:25:24 UTC Apr 8 2012

  This host: Secondary
  Group 1    State:   Standby Ready
Active time: 0 (sec)
  Group 2    State:   Active
Active time: 199 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
admin Interface outside (47.47.5.254): Normal -------------------------------This is correct
  admin Interface DMZ4 (47.47.4.254): Normal (Not-Monitored)
  admin Interface inside (47.47.2.254): Normal (Not-Monitored)
R1 Interface outside (47.47.5.251): Normal (Waiting) ................should be normal without ()
  R1 Interface DMZ3 (47.47.3.253): Normal (Not-Monitored)
  R1 Interface inside (47.47.2.251): Normal (Not-Monitored)
slot 1: empty

wtcajk, on 08 April 2012 - 03:48 PM, said:

Hi Guys,

Please let me know why I cant see outside intreface NORMAL without something in a braket for both groups.VLAN assignements are correct, failover is running fine except this one.Please guide asap.


ASA-1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Group 1 last failover at: 23:25:27 UTC Apr 8 2012
Group 2 last failover at: 23:25:25 UTC Apr 8 2012

  This host: Primary
  Group 1    State:   Active
Active time: 134 (sec)
  Group 2    State:   Standby Ready
Active time: 0 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
  admin Interface outside (47.47.5.253): Normal (Waiting)  .........should be normal without ()
  admin Interface DMZ4 (47.47.4.253): Normal (Not-Monitored)
  admin Interface inside (47.47.2.253): Normal (Not-Monitored)
  R1 Interface outside (47.47.5.250): Normal  -------------------------------This is correct
  R1 Interface DMZ3 (47.47.3.254): Normal (Not-Monitored)
  R1 Interface inside (47.47.2.252): Normal (Not-Monitored)
slot 1: empty
  
  
----------------------------------------------------------------------------------

ASA-2(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Group 1 last failover at: 23:25:29 UTC Apr 8 2012
Group 2 last failover at: 23:25:24 UTC Apr 8 2012

  This host: Secondary
  Group 1    State:   Standby Ready
Active time: 0 (sec)
  Group 2    State:   Active
Active time: 199 (sec)

slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
admin Interface outside (47.47.5.254): Normal -------------------------------This is correct
  admin Interface DMZ4 (47.47.4.254): Normal (Not-Monitored)
  admin Interface inside (47.47.2.254): Normal (Not-Monitored)
R1 Interface outside (47.47.5.251): Normal (Waiting) ................should be normal without ()
  R1 Interface DMZ3 (47.47.3.253): Normal (Not-Monitored)
  R1 Interface inside (47.47.2.251): Normal (Not-Monitored)
slot 1: empty

do you have "mac-address auto" configured ?