Which cable for ASA failover?

I've configured my two ASA 5510s for failover. But it just won't start to work. I cannot ping the failover interface for the other ASA from either one. I've tried connecting the failover ports with straight-through as well as crossover cables. At no time have I been able to get the slightest sign of any connectivity over the failover ports. I can ping all other IPs from each ASA... each one can ping the inside, outside, and management interface of the other.

Is this another special Cisco-only cable? Special pinout? Some further config that's necessary? The TAC isn't of much use... they say my config is fine and that I need to "ensure physical connectivity", but go mute when I ask them precisely how I should do that ;-)

Reply to
John Oliver

You don't need a special cable .

I think the ASA supports both the straight-through and the crossover, but the crossover for sure.

Can you post your failover config of both units?

And be sure your interfaces are not shutdown.

Reply to
mcaissie

ntasa01# sh conf
: Saved
: Written by enable_15 at 09:08:16.980 PDT Thu May 24 2007
!
ASA Version 7.0(6)
!
hostname ntasa01
enable password **************** encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 168.143.121.4 255.255.255.0 standby 168.143.121.5
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.15.30.1 255.255.255.0 standby 10.15.30.2
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.12.14.253 255.255.255.0
 management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 1:59 1 Sun Nov 3:00
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 10.15.30.0 255.255.255.0
static (inside,outside) 10.15.30.193 168.143.121.193 netmask 255.255.255.255
static (inside,outside) 10.15.30.194 168.143.121.194 netmask 255.255.255.255
route management 192.168.2.0 255.255.255.0 10.12.14.254 1
route outside 0.0.0.0 0.0.0.0 168.143.121.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username ***** password **************** encrypted privilege 15
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.12.14.2 255.255.255.255 management
http 192.168.2.192 255.255.255.255 management
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.2.192 255.255.255.255 management
telnet 10.12.14.2 255.255.255.255 management
telnet timeout 15
ssh timeout 15
console timeout 0
ntp server 192.168.2.2
Cryptochecksum:801337793f18d2af0c0105f054a6e8f0

ntasa02# sh conf
: Saved
: Written by enable_15 at 07:43:15.088 PDT Thu May 24 2007
!
ASA Version 7.0(6)
!
hostname ntasa02
enable password **************** encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 168.143.121.5 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.15.30.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.12.14.252 255.255.255.0
 management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 1:59 1 Sun Nov 3:00
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
route management 192.168.2.0 255.255.255.0 10.12.14.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username ***** password **************** encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.192 255.255.255.255 management
http 10.12.14.2 255.255.255.255 management
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.2.192 255.255.255.255 management
telnet 10.12.14.2 255.255.255.255 management
telnet timeout 15
ssh timeout 15
console timeout 0
ntp server 192.168.2.2
Cryptochecksum:ab8d7fc833b79bd4bcb69bfe67d4fe1b
Reply to
John Oliver

This line must be the same on both units. The first IP is for the primary and the other for the secondary.

So you have to change it on the secondary to

Reply to
mcaissie

OK, I did that. Now, I see:

ntasa01# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.0(6), Mate 7.0(6)
Last Failover at: 07:57:39 PDT May 24 2007
        This host: Primary - Active
                Active time: 255225 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/7.0(6)) status (Up Sys)
                slot 1: empty
                  Interface management (10.12.14.253): Normal (Waiting)
                  Interface outside (168.143.121.4): Normal
                  Interface inside (10.15.30.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 81899 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/7.0(6)) status (Up Sys)
                slot 1: empty
                  Interface management (0.0.0.0): Normal (Waiting)
                  Interface outside (168.143.121.5): Normal
                  Interface inside (10.15.30.2): Normal

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         22         0          16         0
        sys cmd         16         0          16         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         6          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       16
        Xmit Q:         0       2       150

But:

ntasa01# sh failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
        Sync Done
====Communication State===
        Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
        Comm Failure

And I can no longer ping or telnet to the management interface on the secondary unit ntasa02. I can ping e0/0 and e0/1 on it, so it isn't dead.

Thanks for getting me on the right track... you're more useful than Cisco! :-)

Reply to
John Oliver

Well, you don't have a standby IP for your management unit. So when the synchro occurred, the secondary management IP got deleted.

Interface management (0.0.0.0): Normal (Waiting)

Put this instead on your management interface

ip address 10.12.14.253 255.255.255.0 standby 10.12.14.252

Reply to
mcaissie

Ahh, OK. So I can only manage it via the console until/unless it takes over as primary?

What about this?

Is that just a holdover, or something that needs to be cleared?

Thanks so much!

Reply to
John Oliver

Not exactly, but let's clear things up a little bit here.

You have to see your failover kit as a single unit with a single configuration. The only difference in the configuration is the failover lines. The unit with the line "failover lan unit primary" becomes the Primary unit and always stays the Primary unit. Primary is a physical identification of the unit. The same thing applies for "failover lan unit secondary": the unit with this line is the Secondary unit and always stays the Secondary unit. What may jump from one unit to the other is the failover state, Active or Standby. So the Primary may be in the Active state or in the Standby state.

And when you configure an IP address on an interface of a failover kit, the first address is always the Active address and the standby address, well, the Standby address. So the IP addresses are not linked to a physical unit; they will jump from one unit to the other each time a failover occurs. So you can't say that this address is the address of my secondary unit without first verifying what state your secondary unit is in.

Usually the normal way to configure a failover kit is first to configure the primary, then on the secondary you only configure the failover lines and do a no shut on the failover interface. Then you hook up the two units and the secondary will get its configuration from the primary.

In your case, you configured both units before the failover. So when the configuration synchronisation occurred, the secondary configuration was replaced by the primary's (which was the active unit; the active unit config always prevails). So if you look at the IP address of your management interface on the Active unit, you have "ip address 10.12.14.253 255.255.255.0", meaning that there is no standby address.

So when the synchronisation occurred, your secondary unit got rid of its IP address.

That's why your failover is in a Failed state: your management interfaces can't communicate.

And when I say to replace your address by

you must do this on your Active unit, and then do a wr mem to synchronise your changes with the Standby. If you made this change only on the Standby unit it didn't accomplish anything.

After that you will be able to manage both units through the management interface if you want, but normally you wouldn't need that, because if you make a change on the Standby unit it will not be saved, and you will get a message saying your configuration is not synchronised.

Reply to
mcaissie
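The two mistakes found in this thread (a "failover interface ip" line that is not identical on both units, and a named interface on the active unit with no standby address, which leaves the other unit at 0.0.0.0 after the config sync) are both things you can catch by reading the two configs before cabling the pair. The following is an added example, not code from the thread or from Cisco: a small Python pre-check that parses the failover-relevant parts of two ASA 7.x style configs and reports those problems. The function names parse_asa_config and check_failover_pair are my own, the sample configs are constructed and modelled on ntasa01/ntasa02 above, and the parser assumes the ASA's usual one-space indentation of interface sub-commands.

```python
from typing import Dict, List, Optional


def parse_asa_config(text: str) -> Dict:
    # Pull the failover-relevant pieces out of an ASA 7.x style config. Interface
    # sub-commands must be indented by one space; '!' or an unindented line ends a block.
    cfg: Dict = {"unit": None, "failover_ip": None, "failover_ifc": None,
                 "interfaces": {}}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = {"nameif": None, "ip": None,
                                          "standby": None, "shutdown": False}
            continue
        if line.startswith(" ") and current is not None:
            stmt, ifc = line.strip(), cfg["interfaces"][current]
            if stmt.startswith("nameif "):
                ifc["nameif"] = stmt.split()[1]
            elif stmt == "shutdown":
                ifc["shutdown"] = True
            elif stmt.startswith("ip address "):
                parts = stmt.split()
                ifc["ip"] = parts[2]
                if "standby" in parts:
                    ifc["standby"] = parts[parts.index("standby") + 1]
            continue
        current = None
        if line.startswith("failover lan unit "):
            cfg["unit"] = line.split()[3]
        elif line.startswith("failover lan interface "):
            cfg["failover_ifc"] = line.split()[4]
        elif line.startswith("failover interface ip "):
            cfg["failover_ip"] = line
    return cfg


def check_failover_pair(primary_text: str, secondary_text: str) -> List[str]:
    # Return the problems that would keep this pair from forming cleanly.
    p, s = parse_asa_config(primary_text), parse_asa_config(secondary_text)
    findings: List[str] = []
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        findings.append("need exactly one 'failover lan unit primary' and one 'secondary'")
    if p["failover_ip"] != s["failover_ip"]:
        findings.append("'failover interface ip' line differs between units; it must be "
                        "identical on both (active address first, standby second)")
    for name, cfg in (("primary", p), ("secondary", s)):
        ifc = cfg["interfaces"].get(cfg["failover_ifc"])
        if ifc is None or ifc["shutdown"]:
            findings.append(f"{name}: failover interface {cfg['failover_ifc']} missing or shut down")
    # Only the active unit's config survives the sync, so every named interface
    # on it needs a standby address or the other unit ends up with 0.0.0.0.
    for ifname, ifc in p["interfaces"].items():
        if ifc["nameif"] and ifc["ip"] and not ifc["standby"]:
            findings.append(f"primary: interface {ifc['nameif']} ({ifname}) has no standby address")
    return findings


# Constructed sample configs modelled on the two units in the thread (trimmed).
PRIMARY_BEFORE = """\
interface Ethernet0/0
 nameif outside
 ip address 168.143.121.4 255.255.255.0 standby 168.143.121.5
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 ip address 10.12.14.253 255.255.255.0
!
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2
"""
SECONDARY_BEFORE = """\
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif management
 ip address 10.12.14.252 255.255.255.0
!
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1
"""
# The two corrections from the thread: a standby address on management (set on
# the active unit) and an identical failover ip line on both units.
PRIMARY_FIXED = PRIMARY_BEFORE.replace("10.12.14.253 255.255.255.0\n",
                                       "10.12.14.253 255.255.255.0 standby 10.12.14.252\n")
SECONDARY_FIXED = SECONDARY_BEFORE.replace("172.16.2.2 255.255.255.252 standby 172.16.2.1",
                                           "172.16.2.1 255.255.255.252 standby 172.16.2.2")

if __name__ == "__main__":
    print(check_failover_pair(PRIMARY_BEFORE, SECONDARY_BEFORE))
    print(check_failover_pair(PRIMARY_FIXED, SECONDARY_FIXED))
```

Run it against the "before" pair and it reports the mismatched failover ip line and the missing standby address on management; the "after" pair returns no findings. Only the primary's interfaces are checked for standby addresses because, as explained above, the secondary's own interface addresses are discarded at the first sync anyway.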
