I am unable to establish failover on my asa 5520


rionel
03-19-2008, 01:32 PM
What could possibly be wrong with my config?

Primary
failover
failover lan unit primary
failover lan interface ASA_Failover GigabitEthernet0/3
failover link ASA_Failover GigabitEthernet0/3
failover interface ip ASA_Failover 192.168.199.2 255.255.255.252 standby 192.168.199.3

FW00# sh fail state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Not Detected   Comm Failure             06:33:57 CST Mar 1 2007

====Configuration State===
====Communication State===

Secondary:
interface GigabitEthernet0/3
description LAN/STATE Failover Interface

failover
failover lan unit secondary
failover lan interface ASA_Failover GigabitEthernet0/3
failover link ASA_Failover GigabitEthernet0/3
failover interface ip ASA_Failover 192.168.199.2 255.255.255.252 standby 192.168.199.3

FW01# sh fail state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Not Detected   None

netleets
08-12-2008, 11:07 PM
This appears to be a physical connectivity issue on the failover interface. Assuming the interface is turned up and has L2 and L3 connectivity, try creating a capture on that interface to see if you can see traffic from the other device.

config t
access-list cap-acl permit ip any any
capture cap-failover interface ASA_Failover access-list cap-acl
sh cap cap-failover

If you do not see traffic from the other firewall, you have a physical connectivity issue. If you do see traffic, please post the results in this forum and we will figure it out.

For more information on captures, check out the post on my forum:
netleetsDOTcom

netleets
09-07-2008, 07:07 PM
Was this able to help you?

brad
09-09-2008, 08:43 PM
With a 5-month delay, I'm guessing no :)

cisco-tips
12-27-2008, 10:34 AM
I think the problem is on the IP addresses you use for the failover link. Since it's a .252 subnet, it's better to use 192.168.199.1 for the Active unit and 192.168.199.2 for the Failover unit. 199.3 is the broadcast address, so this might be the problem.

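
A check for the addressing point raised in the last reply, as an added example that is not part of the original thread: it parses `failover interface ip` lines and flags an active or standby address that is the network or broadcast address of the configured subnet, or lies outside it. The function name `check_failover_ip` is hypothetical; the two sample configs are the line posted in the thread and the addresses suggested in the reply.

```python
import ipaddress
import re

# Command form used in the thread:
#   failover interface ip <name> <active-ip> <mask> standby <standby-ip>
FAILOVER_IP = re.compile(
    r"^\s*failover interface ip (\S+) (\S+) (\S+) standby (\S+)\s*$", re.M)

# Line posted in the thread, and the addressing suggested in the last reply.
POSTED = ("failover lan unit primary\n"
          "failover interface ip ASA_Failover 192.168.199.2 "
          "255.255.255.252 standby 192.168.199.3\n")
SUGGESTED = ("failover lan unit primary\n"
             "failover interface ip ASA_Failover 192.168.199.1 "
             "255.255.255.252 standby 192.168.199.2\n")


def check_failover_ip(config):
    """Return addressing problems found in 'failover interface ip' lines."""
    problems = []
    for name, active, mask, standby in FAILOVER_IP.findall(config):
        try:
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            pair = (("active", ipaddress.ip_address(active)),
                    ("standby", ipaddress.ip_address(standby)))
        except ValueError as exc:
            problems.append(f"{name}: unparsable address or mask ({exc})")
            continue
        for role, addr in pair:
            if addr not in net:
                problems.append(f"{name}: {role} {addr} is outside {net}")
            elif net.prefixlen < 31 and addr == net.network_address:
                problems.append(f"{name}: {role} {addr} is the network address of {net}")
            elif net.prefixlen < 31 and addr == net.broadcast_address:
                problems.append(f"{name}: {role} {addr} is the broadcast address of {net}")
        if pair[0][1] == pair[1][1]:
            problems.append(f"{name}: active and standby are both {pair[0][1]}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, check_failover_ip(cfg) or "no addressing problems found")
```

This only validates addressing; the physical and L2 checks from the capture suggestion earlier in the thread still apply.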