Cisco ASA – Redundant Failover and Stateful Link Issues

Tags: cisco, cisco-asa, failover, redundancy

We have an ASA 5585-X and I created two back-to-back 1G cable connections (without an intermediate switch/hub) between the two ASAs to create a failover + stateful link using the g0/6 and g0/7 interfaces.

Interface config

!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
!
interface Redundant1
 description LAN/STATE Failover Interface
 member-interface GigabitEthernet0/6
 member-interface GigabitEthernet0/7
!

Failover config

failover
failover lan unit primary
failover lan interface FailoverLink Redundant1
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover link FailoverLink Redundant1
failover interface ip FailoverLink 192.168.100.1 255.255.255.0 standby 192.168.100.2

Everything is working well, but when I remove the g0/6 cable to test redundancy, I see the error "Secondary Failed" in the output of the failover state command:

asa-1/act/pri# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Ifc Failure              12:34:14 UTC Sep 1 2017
                              outside: No Link
                              inside: No Link

====Configuration State===
        Sync Done
====Communication State===
        Mac set 

When I try to fail over, I get this error:

asa-1/act/pri# no failover active
WARNING: NO Standby detected in the network, or standby is in FAILED state.
Switching this unit to Standby can bring down the Network without any Active
So Abording Switchover.

Here is the status of the redundant link:

asa-1/act/pri# sh int redundant1
Interface Redundant1 "FailoverLink", is up, line protocol is up
  Hardware is bcm56801 rev 01, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: LAN/STATE Failover Interface
        MAC address 4055.3980.0458, MTU 1500
        IP address 192.168.100.1, subnet mask 255.255.255.0
        8427 packets input, 756122 bytes, 0 no buffer
        Received 4 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause/resume input
        0 L2 decode drops
        0 switch ingress policy drops
        8604 packets output, 910986 bytes, 0 underruns
        0 pause/resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops
  Traffic Statistics for "FailoverLink":
        8436 packets input, 604402 bytes
        8615 packets output, 756668 bytes
        0 packets dropped
      1 minute input rate 9 pkts/sec,  659 bytes/sec
      1 minute output rate 9 pkts/sec,  830 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 9 pkts/sec,  659 bytes/sec
      5 minute output rate 9 pkts/sec,  821 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Redundancy Information:
        Member GigabitEthernet0/7(Active), GigabitEthernet0/6
        Last switchover at 12:33:37 UTC Sep 1 2017

Best Answer

"Everything working good but when i remove g0/6 cable..." --> Does this mean failover is working for you when the g0/6 cable is plugged in? Please plug the cable back in and run the commands show failover and show failover state.

I noticed that the outside and inside interfaces on the standby ASA have No Link; this means the physical links for these interfaces on the standby ASA are down, causing the issue. Please check this.
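
The check described in the answer can be automated. The following is an added example, not part of the original question or answer: a small Python parser for the `sh failover state` output pasted in the question that reports which unit is Failed and which monitored interfaces it lists as down. It assumes the column layout shown above; the function names are hypothetical, and `FailoverLink` is the interface name from the question's config.

```python
import re

# Output of "sh failover state", copied from the question above.
SAMPLE = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Ifc Failure              12:34:14 UTC Sep 1 2017
                              outside: No Link
                              inside: No Link

====Configuration State===
        Sync Done
====Communication State===
        Mac set
"""

HOST = re.compile(r"^(This|Other) host\s+-\s+(\S+)")

def parse_failover_state(text):
    """Return {'this': {...}, 'other': {...}} with role, state, reason, time, interfaces."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if line.startswith("===="):          # config/communication sections follow
            break
        m = HOST.match(line)
        if m:
            cur = hosts.setdefault(m.group(1).lower(), {
                "role": m.group(2), "state": None, "reason": None,
                "when": None, "ifc": {}})
            continue
        parts = re.split(r"\s{2,}", line.strip())   # columns are padded with 2+ spaces
        if cur is None or parts == [""]:            # header row or blank line
            continue
        if len(parts) == 1 and ": " in parts[0]:    # e.g. "outside: No Link"
            name, status = parts[0].split(": ", 1)
            cur["ifc"][name] = status
        elif len(parts) >= 2 and cur["state"] is None:
            cur["state"], cur["reason"] = parts[0], parts[1]
            cur["when"] = parts[2] if len(parts) > 2 else None
    return hosts

def failed_data_interfaces(hosts, failover_ifc="FailoverLink"):
    """Per Failed unit, the interfaces reported down other than the failover link."""
    return {who: [n for n in h["ifc"] if n != failover_ifc]
            for who, h in hosts.items() if h["state"] == "Failed"}

if __name__ == "__main__":
    print(failed_data_interfaces(parse_failover_state(SAMPLE)))
```

On the sample it reports `outside` and `inside` for the other (Secondary) unit, which are data interfaces rather than the Redundant1 failover link.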