Failover link

Hello,
On an ASA 5520 active/standby pair, what happens if the failover link or interface goes down or fails? Will both devices become active?
If yes, how do we prevent this? We want it such that if such a situation happens, there is only one Active unit and the other one stays standby.
Thanks in advance!

If the ASA units are connected with a crossover cable, then no failover will take place.
If using LAN-based failover, then you will end up with Active-Active and traffic will fail.
Thanks
Ajay

Similar Messages

  • Active/Standby And failover link configuration mode

    Hi everyone,
    When configuring the failover link of an ASA in Active/Standby mode, say we configure failover interface gi0/1:
    config t
    int gi0/1
    failover lan int gi0/1
    Need to confirm: do we do this from interface config mode only, or can we do this from global config also?
    When we assign an IP to this interface, do we do that from global config mode?
    Regards
    Mahesh

    Hi,
    Actually the ASA lets you enter a lot of commands whatever mode you are under.
    In the output you posted there is a very important thing to notice:
    configure mode commands/options:
      WORD  Specify the interface name
    As you can see, the output lists only one option, and before that it mentions that this is a "configure mode" command.
    So even if you entered the command under interface configuration mode, it would still be entered as a global/configure mode command.
    Take the following for example.
    I want to check what configuration options I have with the command "failover",
    so I enter the following on my ASA:
    ASA(config)# failover ?
    configure mode commands/options:
      interface         Configure the IP address to be used for failover and/or
                        stateful update information
      interface-policy  Set the policy for failover due to interface failures
      key               Configure the failover shared secret or key
      lan               Specify the unit as primary or secondary or configure the
                        interface and vlan to be used for failover communication
      mac               Specify the virtual mac address for a dynamic interface
      polltime          Configure failover poll interval
      timeout           Specify the failover reconnect timeout value for
                        asymmetrically routed sessions
    exec mode commands/options:
      active          Make this system to be the active unit of the failover pair
      exec            Execute command on the designated unit
      reload-standby  Force standby unit to reboot
      reset           Force a unit or failover group to an unfailed state
    As you can see, the ASA tells us that there are different additional command parameters after the "failover" command that can be used. Some of them can be used either in Exec or Configuration mode.
    - Jouni

  • Failover link in a C65K VSS with ASA-SM

    Hi
    Just experienced a combined TCP flood/UDP flood attack, which caused both ASAs to go active :-(
    Active:
    01:56:05 ASA-SM1 : %ASA-1-105043: (Primary) Failover interface failed
    01:56:09 ASA-SM1 : %ASA-1-105042: (Primary) Failover interface OK
    01:56:32 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 3).
    01:56:47 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
    The standby ASA said 'Failover Off', but a reload of the standby fixed the dual-active problem:
    Standby:
    ASA-SM1# sh failo
    Failover Off
    Failover unit Secondary
    Failover LAN Interface: folink Vlan998 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    ASA-SM1# sh failo state
                        State          Last Failure Reason      Date/Time
    This host  -   Secondary
                         Disabled       None
    Other host -   Primary
                        Not Detected   Comm Failure      01:55:59
    'service-policy in' on the uplink interface (was 512/10 before):
    embryonic-conn-max 256 per-client-embryonic-max 5
    Questions:
    1. Possible causes for the comm failure (memory exhaustion?). Any good commands for checking?
    2. The failover link:
    In an ASA appliance setup it is recommended to establish a dedicated physical failover link between the ASAs. What about an ASA-SM in a VSS setup: does it make sense to establish e.g. a physical 1G link for failover, and if yes, won't there be a loop issue with this and the failover VLAN on the VSL link?
    3. What is "Interface Policy 1" in the 'sh failo' command output?
    Thanks
    Jesper

    Hello Adrian,
    Don't know if this is the cause of your issue, but I was thinking about a scenario in which, after your ISP interface goes DOWN and UP, your IP address is being changed.
    IOS itself is not deleting the ISAKMP SA because the interface on which you have the crypto map attached is down, so the SA will still be up on IOS. On the ASA itself, since you have the default configuration, you have DPD (dead peer detection) turned on; probably after 10 seconds the crypto SA will go down since no DPD reply is received.
    IOS will continue to send encrypted traffic towards the ASA, but for the ASA the tunnel is dead and it will ignore these packets (there should be something in the logs), but the router will never know it since it has DPDs turned off.
    It could also happen if you are getting the same IP address from your ISP, but the Internet outages are longer than 30 seconds.
    The solution would be to turn on DPDs on IOS:
    crypto isakmp keepalives TIME_IN_SECONDS periodic
    Details about DPDs:
    https://supportforums.cisco.com/docs/DOC-8554
    Regards,

  • PO for LAN failover and stateful failover link?

    Hi. We have 2 x ASA 5520s running version 9.0. We plan to aggregate the 2 interfaces used for LAN failover and stateful failover into an LACP port-channel. So both ASAs are connected to each other directly using these 2 interfaces, and then we logically make it one port-channel. We then assign the port-channel interface an IP. Is this supported?

    You can use any unused interface (physical, redundant, or EtherChannel) as the failover link. (Source)
    That said, it would be an uncommon implementation. I almost always see them on separate physical interfaces.

  • Failover link inteface redundant

    Hello, I am trying to configure an ASA active/standby pair, but at the same time trying to make the failover link interface a redundant interface. According to the documentation it is possible, but when I configure it, it tells me that a shared interface is not feasible. I cannot find the correct configuration. They are two ASA5525X, version
    Cisco Adaptive Security Appliance Software Version 8.6(1)2
    Device Manager Version 7.0(2)

    Hello Julio,
    Sure, no problem. This is the current configuration of my interfaces and redundant interfaces. I want to use interfaces G0/5 and G0/6 as my failover interface; I am not sure whether it will work.
    interface GigabitEthernet0/5
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/6
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/7
    description LAN/STATE Failover Interface
    interface Redundant1
    member-interface GigabitEthernet0/2
    member-interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 172.18.100.X 255.255.255.0 standby 172.18.100.X
    interface Redundant2
    member-interface GigabitEthernet0/0
    member-interface GigabitEthernet0/3
    nameif vpn-outside
    security-level 0
    ip address 10.245.245.x 255.255.255.0 standby 10.245.245.x
    interface Redundant3
    description Failover
    member-interface GigabitEthernet0/5
    member-interface GigabitEthernet0/6
    no nameif
    no security-level
    no ip address
    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet0/7
    failover polltime unit msec 500 holdtime 3
    failover key *****
    failover replication http
    failover link failover GigabitEthernet0/7
    failover interface ip failover 172.32.254.1 255.255.255.252 standby 172.32.254.2
    When configuring, this is the error sequence:
    VPN5525X-VLP(config)# no failover lan interface failover GigabitEthernet0/7
    VPN5525X-VLP(config)# no failover link failover GigabitEthernet0/7
    VPN5525X-VLP(config)#  failover lan interface failover redunda
    VPN5525X-VLP(config)#  failover lan interface failover redundant3
    INFO: Non-failover interface config is cleared on Redundant3 and its sub-interfaces
    VPN5525X-VLP(config)# failover link failover Redunan
    VPN5525X-VLP(config)# failover link failover Redundant3
    VPN5525X-VLP(config)#
    VPN5525X-VLP(config)#
    VPN5525X-VLP(config)# exit
    VPN5525X-VLP# sh run fa
    It is now configured, but I am not sure whether it will work. Julio, it is configured like this:
    VPN5525X-VLP# sh run failover
    failover
    failover lan unit primary
    failover lan interface failover Redundant3
    failover polltime unit msec 500 holdtime 3
    failover key *****
    failover replication http
    failover link failover Redundant3
    VPN5525X-VLP#

  • Redundant Failover link on ASA5500 Series?

    Cisco recommends connecting the failover link over an L2 switch in their documentation.
    But if the L2 switch fails, both ASAs' failover interfaces will go down.
    I wonder if there is any way to get redundancy for the failover link, like EtherChannel.
    Or should I prepare two L2 switches to avoid both ASAs' interfaces going down?
    Any hints appreciated.

    Even if both of the failover interfaces go down it won't affect the traffic flow. Also, if the switch is being monitored, this will get detected and can be solved easily. If you still want redundant failover links, using separate switches will be a good idea.

  • ASA failover link over the etherchannel connected switches

    Hello,
    We have two ASA firewalls located in different locations.
    The firewalls are in Active/Standby mode.
    The failover links of the firewalls are connected to two different switches.
    These switches are connected to each other with two dark fibers aggregated into an EtherChannel (source-MAC-address mode).
    When one of the fiber links fails and is then immediately connected again, the secondary ASA goes to the Active state and then back to the Standby state.
    Please see the output below.
    The holddown timer is set to 15 seconds.
    What could be the cause of this state change?
    ciscoasa# sh failover history 
    ==========================================================================
    From State                 To State                   Reason
    ==========================================================================
    22:54:20 GET Apr 4 2014
    Standby Ready              Just Active                HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Just Active                Active Drain               HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Active Drain               Active Applying Config     HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Active Applying Config     Active Config Applied      HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Active Config Applied      Active                     HELLO not heard from mate
    22:54:42 GET Apr 4 2014
    Active                     Cold Standby               Failover state check
    22:54:43 GET Apr 4 2014
    Cold Standby               Sync Config                Failover state check
    22:55:36 GET Apr 4 2014
    Sync Config                Sync File System           Failover state check
    22:55:36 GET Apr 4 2014
    Sync File System           Bulk Sync                  Failover state check
    22:55:51 GET Apr 4 2014
    Bulk Sync                  Standby Ready              Failover state check

    Maybe spanning tree recalculation. I know you said there was an EtherChannel, but I would make sure it is built properly. Also run "show spanning-tree detail" on the switches after you unplug/replug and check when the last topology change was.
     

  • ASA redundant failover links

    Hi,
    We are setting up a new ASA which is in multiple context mode. I was wondering whether it is possible to set up redundant failover and state links? I know that it is possible to run failover on one link and state on another, or both over the same link, but is it possible to have both failover and state running on 2 links? For example, failover and state on ten1/0 as well as failover and state on ten1/1.
    Hope I have explained my question well enough.  If not I will try to explain better.
    thanks

    I would suggest making a redundant logical link and attaching two physical links to it. Then, during failover link configuration, specify your redundant link as the failover link. Not sure if it works, but I don't see any obstacles that would make this solution fail.

  • Want to configure BACKUP VPN in asa 5505 for failover link

    Hi,
    Currently I have 2 ISPs, one Tata and the other Reliance. I want to configure the backup VPN for the Reliance IP to the same peer IP for which the Tata VPN has been configured.
    Is it mandatory to configure the same SA, encryption, IPsec policy, key, lifetime, etc. for the failover VPN also?

    Hi Michael,
    First of all, thanks for the reply.
    Can we do it by public certificate or DNS entry, e.g. both ISP public IP addresses will be entered in DNS and the user will hit a particular DNS name? You are right that once the link is down the user will disconnect, but when he retries he will connect via the other link.
    Is it possible?
    Ashish

  • ASA 5580 with EtherChannel 20Gbs, Does the Failover link must match the same Speed?

    Hello,
    I have an ASA 5580. I am planning on setting up two EtherChannels (inside and outside); each channel will include two TenGigabit interfaces.
    My question is whether the links that I am going to use for the failover and state link should also be 20 Gbps each, or whether it is OK to use 10 Gbps for each link.
    According to the Configuration guide 8.4
    Use the following failover interface speed guidelines for the ASAs:
    • Cisco ASA 5510
    – Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due
    to the CPU speed limitation.
    • Cisco ASA 5520/5540/5550
    – Stateful link speed should match the fastest data link.
    • Cisco ASA 5580/5585
    – Use only non-management 1 Gigabit ports for the stateful link because management ports have
    lower performance and cannot meet the performance requirement for Stateful Failover.
    Thanks in advance

    Hi,
    I have 2x ASA5580-20 with 8x1GE interfaces and additional 2x 10GE interfaces each. Software version running is v8.4.4.1.
    I am planning to use them in multiple context (active/active) transparent mode. Taking into account the firewall performance of 5 Gbps real-world traffic per ASA5580-20, which of the following interface configurations would make the most sense?
    Option 1:
    2x10GE = 20GE Etherchannel for Data
    1x1GE LAN Failover
    1x1GE STATE Failover
    Option 2:
    1x 10GE Data
    1x 10GE LAN & STATE Failover
    Option 3:
    2x10GE = 20GE Etherchannel for Data
    4x1GE = 4GE Etherchannel for LAN/STATE Failover (possibly up to 8x1GE)
    (an EtherChannel for LAN/STATE failover actually does not make much sense, since only one interface will be used anyway)
    Option 4:
    1x10GE LAN & STATE Failover
    8x1GE = 8 GE Etherchannel for Data
    I have read several guides (e.g. link1, link2, link3). Some state that 1GE Failover interfaces would suffice for the ASA5580, others recommend a link as fast as the data link. Almost none of them account for higher bandwidth etherchannels.
    What is recommended in this case? Both Firewalls will be connected to one VSS Switch Pair, so it would make sense to cross-connect with at least 2 links on each VSS member.
    The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html)
    Thanks in advance for your feedback!

  • Active/Standby Failover with pair of 5510s and redundant L2 links

    Hi
    I just got two ASA5510-SEC-BUN-K9 and I'm wondering whether it is possible to implement an Active/Standby failover configuration (routed mode) with two ASA5510s and a redundant pair of switches on both the inside and outside interfaces. In other words, I would like to have two L2 links from each ASA (in the pair of ASAs) to each L2 switch (in the pair of redundant L2 switches). The configuration I would like to achieve is just like the one in the Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with the only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
    Thanks in advance
    Zoran Milenkovic

    Hello Zoran,
    Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX, however, connectivity would still be same with ASAs-
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
    The difference is that on the ASA you can only have LAN-based failover, hence you'll need to use one additional interface on both ASAs for the failover link. You can connect these two failover-link interfaces directly using a crossover cable.
    Apart from this, please refer to following link on how to go with configuration of Lan-based Active/Standby failover-
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
    Also make sure that both ASAs have required hardware/software/license based on following link-
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
    Hope this helps.
    Regards,
    Vibhor.

  • Need to "move" failover to different interface/port

    Sorry if this is the wrong area; we have so seldom had questions that were not otherwise handled that I don't frequent this area.
    How difficult is it to change the interface used for active/standby failover? It's a working, already configured pair with standby, but I need to move the crossover cable and tell them to use a different interface.
    ASA 5510 pair, already set up and working with failover that was originally configured on Ethernet port 0/3 by the senior network admin. It appears from his use of interfaces or ports that he used things straight out of examples on the web, including the interfaces used.
    The senior network admin retired last spring and left me "in charge", gee, thanks.
    I need to make some changes and need an Ethernet port for a new important project.
    The Management 0/0 interface is unused and shutdown. We manage via inside interface from a specific subnet inside so don't need the dedicated management interface.
    I want to move failover FROM Ethernet 0/3  TO Management 0/0
    *This is the current setup:
    Result of the command: "sh run failover"
    failover
    failover lan unit primary
    failover lan interface failover Ethernet0/3
    failover link failover Ethernet0/3
    failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2
    *And this is the current interface configuration for 0/3 and Management:
    interface Ethernet0/3
     description LAN/STATE Failover Interface
    interface Management0/0
     speed 100
     duplex full
     shutdown
     nameif management
     security-level 0
     no ip address
     ospf cost 10
    I know it can run on the Management 0/0 interface because I see a lot of "how to configure" as if the ASA is brand new and several examples out there indeed show it being setup on Management.
    I'm looking for how to take an ASA pair that is currently configured and has a working functional failover configuration and simply "move failover" to a different hole or change the interfaces used for the "heartbeat" as it were.
    I assume it's not hard, but I also assume there's a specific sequence of events that must take place to prevent the pair from going into failover and switching lead roles.
    For example, would I shut off or turn off failover, and if so how, and on which ASA? (Frankly, I'm not sure how to access the secondary or standby if this must be done from or on the standby unit, as I've never done that "deep" a config before.)
    CLI is fine; I'd be just as comfortable in either ASDM or CLI.
    I sure hope this makes sense; I'm more of a troubleshooter and fixer than a designer or network engineer.
    And many many thanks - getting this moved will free up the interface I need and can really make a big dent in my project list while the supervisor is on vacation this week! I'd love to have this done and working before his return. 
    Oh, in case it does matter as I've been told, this is the Currently running license and versions shown here:
    Cisco Adaptive Security Appliance Software Version 8.4(4)1 
    Device Manager Version 6.4(7)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    VRDSMFW1 up 141 days 4 hours
    failover cluster up 141 days 4 hours
    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xfff00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00 
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
     0: Ext: Ethernet0/0         : address is 0024.972b.e020, irq 9
     1: Ext: Ethernet0/1         : address is 0024.972b.e021, irq 9
     2: Ext: Ethernet0/2         : address is 0024.972b.e022, irq 9
     3: Ext: Ethernet0/3         : address is 0024.972b.e023, irq 9
     4: Ext: Management0/0       : address is 0024.972b.e01f, irq 11
     5: Int: Not used            : irq 11
     6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : 250            perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5510 Security Plus license.
    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 4              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 4              perpetual
    AnyConnect Essentials             : 250            perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 4              perpetual
    Total UC Proxy Sessions           : 4              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5510 Security Plus license.
    Serial Number: ABC12345678
    Running Permanent Activation Key: eieioandapartridgeinapeartree 
    Configuration register is 0x1
    Configuration last modified by me at 15:03:07.132 CDT Mon Sep 15 2014

    If there was a "smack-self-on-forehead" icon here I'd use it now.
    Of course, totally logical - if you disconnect a monitored connection on the standby it's not about to take over as primary because it's had a failure and can't do the job, forcing the primary or active to remain that way. There's the key that would allow all other changes.
    Since the settings or config lines are in place already, then if I'm correct it's a matter of then just modifying what's there, and of course removing the name of the Management interface (no nameif) and making sure it's not shut down (no shutdown), etc.
    You are a handy person to have around. Thanks.
    By the way, *thanks to prior answers received here* and reading responses to others who had questions I can say I've set a record for this agency and done what no one else had been able to do - I've taken a troublesome LAN-to-LAN connection and made it trouble-free with a solid connection that is just 7.5 hours away from being up 90 days with no interruption, no collapse of any SA and improved performance.  I have 2 others out of our 34 that aren't too far behind that. The boss has recognized this after seeing his monthly up-time reports.
    Once I get this failover change made I will be setting up a "DMZ" of sorts and trying my hand at telling the 5510s to forward specific traffic aimed at a specific public IP address to a specific server. (But that's another topic.)

  • Need to add a new segment on a live ASA5520 with a failover setup running

    Hi ,
    How do I add a new segment on my ASA5520 that is currently in a LAN-based active/standby failover?
    Will it trigger failover if I add another interface, and will it be just as simple as unshutting a normal interface and adding an IP with the same configuration as the other interfaces for failover?
    All of my existing segments have a redundant switch, and the new segment that I will be creating is just straightforward with only 1 switch on the segment.
    fw-inside-1# show run int
    interface GigabitEthernet0/0
    description OUTSIDE Interface_1
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1
    description APPS Interface_1
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/2
    description DB Interface_1
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    description LAN/STATE Failover Interface
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    interface GigabitEthernet1/0
    description OUTSIDE Interface_2
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/1
    description APPS Interface_2
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/2
    description DB Interface_2
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/3           <<<<<<<<<<<<<<<<<< I will use this interface for the new segment.
    shutdown
    no nameif
    no security-level
    no ip address
    interface Redundant1
    member-interface GigabitEthernet0/0
    member-interface GigabitEthernet1/0
    nameif outside
    security-level 0
    ip address 10.50.5.10 255.255.255.0 standby 10.50.5.11
    interface Redundant2
    member-interface GigabitEthernet0/1
    member-interface GigabitEthernet1/1
    nameif apps
    security-level 80
    ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
    interface Redundant3
    member-interface GigabitEthernet0/2
    member-interface GigabitEthernet1/2
    nameif db
    security-level 90
    ip address 172.16.4.1 255.255.255.0 standby 172.16.4.2
    fw-inside-1#
    fw-inside-1# show run fail
    failover
    failover lan unit primary
    failover lan interface Failover GigabitEthernet0/3
    failover polltime unit 5 holdtime 15
    failover link Failover GigabitEthernet0/3
    failover interface ip Failover 10.0.0.1 255.255.255.252
    fw-inside-1#
    Since I will not be having a redundant switch on the new segment I will use the below config
    interface GigabitEthernet1/3    
      no shut
      nameif
      security-level 75
      ip address 172.16.3.1 255.255.255.0 standby 172.16.3.2
    Then I will connect cables..
    Please let me know if you have any suggestions or links.
    Regards

    You should first configure your interface, then cable both units, and after that no shut it on the ASA. Additionally, you can remove your new interface from failover monitoring as a precaution in case something goes wrong.

  • NAC High Availability: Users getting disconnected during failover

    Hi,
    We have a pair of CASes in in-band virtual-gateway mode, in high availability mode.
    We are still running some tests, but we have noticed that the clients are losing connectivity during the failover.
    * The service IP is always active (never stops responding to pings).
    * The standby CAS becomes active immediately after we shut down the primary; we see it on the CAM.
    * The client, however, loses connectivity with the internal network for almost two minutes.
    I'm guessing this isn't normal, but would like to know what is the expected behaviour on this.
    Thanks and regards,

    We configured another pair today and we are noticing the same behaviour; however, it seems random... sometimes the user barely loses connection, other times it takes from 2-5 minutes for it to come back.
    We are only using eth2 for the failover link since we only have one serial port.
    When we test we make sure both servers are up and then we reboot the primary. The secondary becomes active immediately. When both are up again we repeat the process.
    any other ideas? something we should check?
    Thanks!

  • ASA 5512 8.6(1) failover via Management0/0

    I am configuring a brand new pair of ASA 5512s running 8.6(1). Traditionally we have been using the Management port as the dedicated failover link, but that seems not to be possible on the 5512s.
    ASA (config-if)# no management-only
    ERROR: It is not allowed to make changes to this option for management interface on this platform.
    I have not been able to find anything in the official documentation mentioning this restriction. 
    Does anybody know if this is indeed the case or if I am just missing something?
    Thanks
    Joerg Grau

    Hi,
    I think this is what you are looking for
    Management Port Configuration Changes
    The ASA 5500-X Series introduced a shared management port for firewall and IPS services. There are certain caveats to follow during migration from the ASA 5500 Series.
    • The shared management port cannot be used as a data port. All through-the-box traffic arriving at the management port will be dropped implicitly. This cannot be disabled.
    • The shared management port cannot be used as a part of a high availability configuration.
    If the ASA management port (M0/0) on the ASA 5500 Series appliance was being used as a data port, the configuration associated with that port should be moved to one of the gigabit data ports numbered above G0/3.
    Source:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps6120/guide_c07-727453.html
    Though I guess you have to take into consideration, when comparing the old ASA 5500 Series and the new ASA 5500-X, that the new series actually has 2 more physical interfaces than all previous corresponding models had.
    Though it still might feel like a waste of a Gigabit interface in a sense.
    Hope this helps
    - Jouni
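    Three of the threads above end up editing the failover link by hand: moving it from Ethernet0/3 to Management0/0 on a 5510 pair, adding a segment to a pair whose `show run failover` carries no `failover key`, and discovering that the 5500-X management port cannot be part of an HA configuration at all. The Python linter below is an added example, not the posters' code and not Cisco's; it parses the `show run failover` and `show run interface` output format quoted in the posts (indented as the ASA prints it, or pasted flat as in this thread), and the check names, severities and the two sample configurations are this script's own. The `no_failover_key` check rests on the documented ASA behaviour that without a failover key the configuration (including passwords and VPN pre-shared keys) and the state replication cross the failover link unauthenticated and in clear text.

```python
"""Lint an ASA running-config for failover-link mistakes seen in the threads above.

Added example, not from the thread or from Cisco. The first sample is
constructed from the "move failover" post; the second is hypothetical.
Check names and severities are this script's own.
"""

# Interface sub-commands, so a flat paste (as in the posts) still parses.
IF_SUBCMDS = {"description", "nameif", "security-level", "ip", "no", "shutdown",
              "speed", "duplex", "management-only", "member-interface", "ospf"}

# Constructed from the 5510 post: failover on Ethernet0/3, no failover key.
SAMPLE_AS_POSTED = """\
interface Ethernet0/3
 description LAN/STATE Failover Interface
interface Management0/0
 speed 100
 duplex full
 shutdown
 nameif management
 security-level 0
 no ip address
 ospf cost 10
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2
"""

# Hypothetical: link moved to Management0/0, key added, interface left named and shut.
SAMPLE_MOVED_UNCLEAN = """\
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover key *****
"""


def parse_config(text):
    """Return ({interface_name: [sub-commands]}, [top-level failover lines])."""
    interfaces, failover, cur = {}, [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "interface" and len(words) == 2:
            cur = interfaces.setdefault(words[1], [])
            continue
        top_level_no = words[0] == "no" and words[1:2] == ["failover"]
        if cur is not None and (raw.startswith(" ") or (words[0] in IF_SUBCMDS and not top_level_no)):
            cur.append(" ".join(words))
            continue
        cur = None                                    # back at the top level
        if words[0] == "failover":
            failover.append(" ".join(words))
    return interfaces, failover


def lint_failover(text):
    """Return a list of {code, severity, msg} findings for one unit's config."""
    interfaces, failover = parse_config(text)
    findings = []

    def flag(code, severity, msg):
        findings.append({"code": code, "severity": severity, "msg": msg})

    if "failover" not in failover:                    # failover disabled: nothing replicated
        return findings
    if not any(l.startswith("failover key ") for l in failover):
        # Without a key, config sync (passwords, PSKs) and state updates are clear text.
        flag("no_failover_key", "high", "set the same 'failover key' on both units")
    lan = next((l.split() for l in failover if l.startswith("failover lan interface ")), None)
    if lan is None:
        flag("no_failover_lan_interface", "high", "no 'failover lan interface' defined")
        return findings
    name, phys = lan[3], lan[4]
    subs = interfaces.get(phys, [])
    if any(s.startswith("nameif ") for s in subs):
        flag("failover_link_has_nameif", "high", f"{phys} still has nameif; the failover link cannot be a data interface")
    if "shutdown" in subs:
        flag("failover_link_shutdown", "high", f"{phys} is shut down; the failover link is dead")
    if "management-only" in subs:
        flag("failover_link_management_only", "high", f"{phys} is management-only and cannot carry failover")
    if not any(l.startswith(f"failover interface ip {name} ") for l in failover):
        flag("no_failover_interface_ip", "high", f"no 'failover interface ip {name}' configured")
    link = next((l.split() for l in failover if l.startswith("failover link ")), None)
    if link and link[3] == phys:
        flag("state_on_failover_link", "info", f"stateful link shares {phys}; one cable or switch port takes both down")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_AS_POSTED), ("moved, unclean", SAMPLE_MOVED_UNCLEAN)):
        print(label, [f["code"] for f in lint_failover(cfg)])
```

    Run it against `show run failover` plus `show run interface` from each unit; both units must carry the same key. The `INFO: Non-failover interface config is cleared on Redundant3` line quoted earlier on this page shows the ASA clears nameif, security-level and IP for you when you bind an interface with `failover lan interface`, so the `failover_link_has_nameif` finding mainly catches configs pasted from backups or prepared offline; `shutdown` on the chosen interface is still yours to remove with `no shutdown`, and on the 5500-X the management port stays `management-only` and has to be passed over entirely.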
