Skip to main content

ASA Active/Active Failover - why the interface status is unknown/waiting/failed/not-monitored?


Let’s look on my scenario where ASA1 and ASA2 have two contexts and ‘c1’ is primary on on ASA1 and ‘c2’ is primary on ASA2:


          R1                         R4  
       10.0.0.1                  172.16.1.1
          |                          |
          |                          |
       Fa1/0/9                    Fa1/0/15  
       ------------------------------------
      |               sw1                 | 
       ------------------------------------ 
        Fa1/0/3                    Fa1/0/7
         |   |                      |   | 
         |   |                      |   |
 eth0/1.20  eth0/1.30       eth0/1.20  eth0/1.30
 10.0.0.10  172.16.1.11     10.0.0.11  172.16.1.10 
     -------------    folink    ------------- 
    |    asa1     | <--------->|    asa2     |
    | |---| |---| |            | |---| |---| |
    | |c1 | |c2 | |            | |c1 | |c2 | |
    | |-P-| |-S-| |            | |-S-| |-P-| |
     -------------              -------------
  20.0.0.20  172.16.2.20     20.0.0.22  172.16.2.22
  eth0/0.10  eth0/0.40       eth0/0.10  eth0/0.40
         |   |                      |   |
         |   |                      |   |
        Fa1/0/4                    Fa1/0/8
       ------------------------------------ 
      |               sw1                  | 
       ------------------------------------
       Fa1/0/11                   Fa1/0/13  
           |                          |
           |                          |
        20.0.0.2                  172.16.2.3
           R2                         R3

Traffic from R1 to R2 should go through ‘c1’ on ASA1 and from R4 to R3 through ‘c2’ on ASA2.
Let’s check the current status:
 
 
asa1/act# sh failover 
Failover On 
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3.99 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 110 maximum
Version: Ours 8.4(5)6, Mate 8.4(5)6
Group 1 last failover at: 18:39:52 UTC Oct 9 2014
Group 2 last failover at: 19:50:21 UTC Oct 9 2014

  This host:    Primary
  Group 1       State:          Active
                Active time:    9930 (sec)
  Group 2       State:          Standby Ready
                Active time:    2834 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
                  c1 Interface outside (20.0.0.20): Normal (Not-Monitored)
                  c1 Interface inside (10.0.0.10): Normal (Not-Monitored)
                  c2 Interface outside (172.16.2.22): Normal (Not-Monitored)
                  c2 Interface inside (172.16.1.11): Normal (Not-Monitored)
                slot 1: empty

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    105 (sec)
  Group 2       State:          Active
                Active time:    7323 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
                  c1 Interface outside (20.0.0.22): Failed (Not-Monitored)
                  c1 Interface inside (10.0.0.11): Failed (Not-Monitored)
                  c2 Interface outside (172.16.2.20): Normal (Not-Monitored)
                  c2 Interface inside (172.16.1.10): Failed (Not-Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : folink Ethernet0/3.99 (up)
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         1352       0          1333       0         
        sys cmd         1327       0          1327       0         
        up time         0          0          0          0         
        RPC services    0          0          0          0         
        TCP conn        1          0          1          0         
        UDP conn        0          0          0          0         
        ARP tbl         24         0          2          0         
        Xlate_Timeout   0          0          0          0         
        IPv6 ND tbl     0          0          0          0         
        SIP Session     0          0          0          0         
        Route Session   0          0          0          0         
        User-Identity   0          0          3          0         

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       1333
        Xmit Q:         0       1       1352
asa1/act#

1) not-monitored

When you see the status of your interfaces is ‘Not-Monitored’ you forgot to enable it on a context level. To fix it you need to enter to each context and enable it:

a) context ‘c1’
 
asa1/act# 
asa1/act# changeto context c1
asa1/c1/act# conf t
asa1/c1/act(config)# monitor-interface inside 
asa1/c1/act(config)# monitor-interface outside 
asa1/c1/act(config)# end 
asa1/c1/act# 
asa1/c1/act# sh failover 
Failover On 
Last Failover at: 18:39:52 UTC Oct 9 2014
        This context: Active
                Active time: 10500 (sec)
                  Interface outside (20.0.0.20): Normal (Waiting)
                  Interface inside (10.0.0.10): Normal (Waiting)
        Peer context: Failed
                Active time: 105 (sec)
                  Interface outside (20.0.0.22): Failed (Waiting)
                  Interface inside (10.0.0.11): Failed (Waiting)

Stateful Failover Logical Update Statistics
        Status: Configured.
        Stateful Obj    xmit       xerr       rcv        rerr      
        RPC services    0          0          0          0         
        TCP conn        1          0          1          0         
        UDP conn        0          0          0          0         
        ARP tbl         24         0          2          0         
        Xlate_Timeout   0          0          0          0         
        IPv6 ND tbl     0          0          0          0         
        SIP Session     0          0          0          0         
        Route Session   0          0          0          0         
        User-Identity   0          0          1          0         
asa1/c1/act#

b) context ‘c2’
 
asa1/c2/act# conf t
asa1/c2/act(config)# monitor-interface inside 
asa1/c2/act(config)# monitor-interface outside 
asa1/c2/act# sh failover 
Failover On 
Last Failover at: 20:02:39 UTC Oct 9 2014
        This context: Active
                Active time: 2978 (sec)
                  Interface outside (172.16.2.20): Unknown (Waiting)
                  Interface inside (172.16.1.10): Normal (Waiting)
        Peer context: Failed
                Active time: 8044 (sec)
                  Interface outside (172.16.2.22): Unknown (Waiting)
                  Interface inside (172.16.1.11): Failed (Waiting)

Stateful Failover Logical Update Statistics
        Status: Configured.
        Stateful Obj    xmit       xerr       rcv        rerr      
        RPC services    0          0          0          0         
        TCP conn        0          0          0          0         
        UDP conn        0          0          0          0         
        ARP tbl         4          0          0          0         
        Xlate_Timeout   0          0          0          0         
        IPv6 ND tbl     0          0          0          0         
        SIP Session     0          0          0          0         
        Route Session   0          0          0          0         
        User-Identity   0          0          1          0         
asa1/c2/act#

2) Normal (Waiting)/Unknown (Waiting)/Failed (Waiting)

As you see now all interfaces are monitored but their status is unknown. If you checked the configuration and everything is fine, the most probably reason of wrong status is switch misconfiguration. You need to check if the interface is in the correct vlan or if the vlan is allowed on trunk. 
 
asa1/act# sh failover 
Failover On 
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3.99 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 110 maximum
Version: Ours 8.4(5)6, Mate 8.4(5)6
Group 1 last failover at: 18:39:52 UTC Oct 9 2014
Group 2 last failover at: 20:02:39 UTC Oct 9 2014

  This host:    Primary
  Group 1       State:          Active
                Active time:    12853 (sec)
  Group 2       State:          Active
                Active time:    5036 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
                  c1 Interface outside (20.0.0.20): Normal (Waiting)
                  c1 Interface inside (10.0.0.10): Normal (Waiting)
                  c2 Interface outside (172.16.2.20): Unknown (Waiting)
                  c2 Interface inside (172.16.1.10): Normal (Waiting)
                slot 1: empty

  Other host:   Secondary
  Group 1       State:          Failed
                Active time:    105 (sec)
  Group 2       State:          Failed
                Active time:    8044 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
                  c1 Interface outside (20.0.0.22): Failed (Waiting)
                  c1 Interface inside (10.0.0.11): Failed (Waiting)
                  c2 Interface outside (172.16.2.22): Unknown (Waiting)
                  c2 Interface inside (172.16.1.11): Failed (Waiting)
                slot 1: empty

In my case I discovered that two interfaces of ASA2 had a wrong configuration. Once I fixed it the context were able to monitor its peer interfaces:
 
MP-SW(config)#int range fa1/0/7, fa1/0/8          
MP-SW(config-if-range)#switchport trunk encapsulation dot1q 
MP-SW(config-if-range)#switchport mode trunk 
MP-SW(config-if-range)#end
MP-SW#
 
asa1/act# sh failover 
Failover On 
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3.99 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 110 maximum
Version: Ours 8.4(5)6, Mate 8.4(5)6
Group 1 last failover at: 18:39:52 UTC Oct 9 2014
Group 2 last failover at: 20:02:39 UTC Oct 9 2014

  This host:    Primary
  Group 1       State:          Active
                Active time:    13029 (sec)
  Group 2       State:          Active
                Active time:    5212 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
                  c1 Interface outside (20.0.0.20): Normal (Waiting)
                  c1 Interface inside (10.0.0.10): Normal (Waiting)
                  c2 Interface outside (172.16.2.20): Unknown (Waiting)
                  c2 Interface inside (172.16.1.10): Normal (Waiting)
                slot 1: empty

  Other host:   Secondary
  Group 1       State:          Failed
                Active time:    105 (sec)
  Group 2       State:          Failed
                Active time:    8044 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
                  c1 Interface outside (20.0.0.22): Normal (Waiting)
                  c1 Interface inside (10.0.0.11): Normal (Waiting)
                  c2 Interface outside (172.16.2.22): Normal (Waiting)
                  c2 Interface inside (172.16.1.11): Normal (Waiting)
                slot 1: empty

We see the interfaces are still negotiating their status but after few minutes we should see status Normal(Monitored):
 
asa1/act# sh failover 
Failover On 
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3.99 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 110 maximum
Version: Ours 8.4(5)6, Mate 8.4(5)6
Group 1 last failover at: 18:39:52 UTC Oct 9 2014
Group 2 last failover at: 20:42:30 UTC Oct 9 2014

  This host:    Primary
  Group 1       State:          Active
                Active time:    13079 (sec)
  Group 2       State:          Standby Ready
                Active time:    5226 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
                  c1 Interface outside (20.0.0.20): Normal (Monitored)
                  c1 Interface inside (10.0.0.10): Normal (Monitored)
                  c2 Interface outside (172.16.2.22): Normal (Monitored)
                  c2 Interface inside (172.16.1.11): Normal (Monitored)
                slot 1: empty

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    105 (sec)
  Group 2       State:          Active
                Active time:    8080 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)6) status (Up Sys)
                  c1 Interface outside (20.0.0.22): Normal (Monitored)
                  c1 Interface inside (10.0.0.11): Normal (Monitored)
                  c2 Interface outside (172.16.2.20): Normal (Monitored)
                  c2 Interface inside (172.16.1.10): Normal (Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : folink Ethernet0/3.99 (up)
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         1776       0          1753       0         
        sys cmd         1747       0          1747       0         
        up time         0          0          0          0         
        RPC services    0          0          0          0         
        TCP conn        1          0          1          0         
        UDP conn        0          0          0          0         
        ARP tbl         28         0          2          0         
        Xlate_Timeout   0          0          0          0         
        IPv6 ND tbl     0          0          0          0         
        SIP Session     0          0          0          0         
        Route Session   0          0          0          0         
        User-Identity   0          0          3          0         

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       1753
        Xmit Q:         0       1       1776
asa1/act#
Labels:

Comments

Post a Comment

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an
8 comments
Read more

MAC Authentication Bypass

One of the method to control your network is using MAB feature. It is helpful in case you have devices without dot1x functionality. Today I will try to implement basic configuration and analyze log messages. There is only one switch SW1 and one device attached to port Fa1/0/2.   ! aaa new - model aaa authentication dot1x default group radius ! ! int Fas1 / 0 / 2 authentication host - mode single - host authentication port - control auto mab ! I haven’t configured ACS yet but let’s see what error message I receive:   SW1 ( config - if ) # mab - ev ( Fa1 / 0 / 2 ): Received MAB context create from AuthMgr mab - ev ( Fa1 / 0 / 2 ): Created MAB client context 0x1100000F mab : initial state mab_initialize has enter mab - ev ( Fa1 / 0 / 2 ): Sending create new context event to EAP from MAB for 0x1100000F ( 0000.0000 . 0000 ) mab - sm ( Fa1 / 0 / 2 ): Received event 'MAB_START' on handle 0x1100000F mab : during state mab_initia
Post a Comment
Read more

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze the packet flo
1 comment
Read more