Diagram
          ISP
          / \
         |   |      (outside)
        R1 --- R2------[admin]
         |   |      (inside)
         -------
           SW
CLI
show failover
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet1/5 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 40 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(2)38, Mate 9.8(2)38
Serial Number: Ours ????, Mate ????
Last Failover at: 11:46:36 HKST Oct 5 2018
        This host: Primary - Active
                Active time: 14310 (sec)
                slot 1: ASA5506 hw/sw rev (2.1/9.8(2)38) status (Up Sys)
                  Interface outside_1 (192.168.3.254): Normal (Monitored)
                  Interface outside_2 (192.168.3.254): No Link (Waiting)
                  Interface inside_1 (192.168.2.254): Normal (Monitored)
                  Interface inside_2 (192.168.2.254): No Link (Waiting)
                  Interface outside (192.168.3.254): Normal (Not-Monitored)
                  Interface management (192.168.8.13): Normal (Not-Monitored)
                  Interface inside (192.168.2.254): Normal (Not-Monitored)
                slot 2: SFR5506 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)
                slot 2: SFR5506 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 1: ASA5506 hw/sw rev (2.1/9.8(2)38) status (Up Sys)
                  Interface outside_1 (192.168.3.253): Normal (Monitored)
                  Interface outside_2 (192.168.3.253): No Link (Waiting)
                  Interface inside_1 (192.168.2.253): Normal (Monitored)
                  Interface inside_2 (192.168.2.253): No Link (Waiting)
                  Interface outside (192.168.3.253): Normal (Not-Monitored)
                  Interface management (192.168.8.14): Normal (Not-Monitored)
                  Interface inside (192.168.2.253): Normal (Not-Monitored)
                slot 2: SFR5506 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)
                slot 2: SFR5506 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
show monitor-interface
        This host: Primary - Active
                Interface outside_1 (192.168.3.254): Normal (Monitored)
                Interface outside_2 (192.168.3.254): No Link (Waiting)
                Interface inside_1 (192.168.2.254): Normal (Monitored)
                Interface inside_2 (192.168.2.254): No Link (Waiting)
        Other host: Secondary - Standby Ready
                Interface outside_1 (192.168.3.253): Normal (Monitored)
                Interface outside_2 (192.168.3.253): No Link (Waiting)
                Interface inside_1 (192.168.2.253): Normal (Monitored)
                Interface inside_2 (192.168.2.253): No Link (Waiting)
show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              15:11:45 HKST Oct 5 2018
                              outside_2: No Link
                              inside_2: No Link

====Configuration State===
        Sync Done
====Communication State===
        Mac set
Configuring Master / Slave
Notes
[1]
DHCP Client cannot be enabled on interface, Gi1/1(outside)
failover is not compatible with above configurations,
user must manually remove or fix them as instructed before failover can be enabled.
[2]
...
When failover occurs
- Active unit failed (power or hardware)
- No hello messages are received on any monitored interface or the failover link.
- Interface failure on active unit above threshold
[Master Unit]
# Designates the unit as the primary unit
failover lan unit primary
# Specifies the interface to be used as the failover interface.
# if_name argument assigns a name to the interface specified by the interface_id argument
# On the ASA 5505 or ASASM, the interface_id specifies a VLAN.
# failover lan interface if_name interface_id
failover lan interface folink Gi1/5
# optional
# All information sent over the failover and state links is sent in clear text
# unless you secure the communication with an IPsec tunnel or a failover key.
failover key *****
# The "active IP address" for the failover link always stays with the primary unit,
# while the standby IP address stays with the secondary unit.
failover interface ip folink 10.0.0.11 255.255.255.0 standby 10.0.0.12
# Enables failover
# the unit will be unresponsive for tens of seconds
failover
[Secondary Unit]
# exactly as you entered it on the primary
# failover lan interface if_name interface_id
failover lan interface folink Gi1/5
# exactly as you entered it on the primary
# failover interface ip if_name ip_address mask standby ip_address
failover interface ip folink 10.0.0.11 255.255.255.0 standby 10.0.0.12
failover lan unit secondary
failover
Disabling and Enabling Interface Monitoring
This feature enables you to exclude interfaces attached to less critical networks from affecting your failover policy.
By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled.
Hello messages are exchanged during every interface poll frequency time period between the ASA failover pair.
# bridge interfaces
no monitor-interface outside
no monitor-interface inside
no monitor-interface management
The failover interface poll time is 3 to 15 seconds.
For example,
if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds).
Monitored failover interfaces can have the following status:
Unknown — Initial status. This status can also mean the status cannot be determined.
Normal — The interface is receiving traffic.
Testing — Hello messages are not heard on the interface for five poll times.
Link Down — The interface or VLAN is administratively down.
No Link — The physical link for the interface is down.
Failed — No traffic is received on the interface, yet traffic is heard on the peer interface.
If the ASA does not receive a hello packet from the corresponding interface on the peer unit for over half of the hold time, then the additional interface testing begins. If a hello packet or a successful test result is not received within the specified hold time, the interface is marked as failed. Failover occurs if the number of failed interfaces meets the failover criteria.
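As an added example (not part of the original notes), a small Python check that parses the `show monitor-interface` output format shown above and reports a unit whose count of Failed, monitored interfaces reaches the Interface Policy threshold (1 on this pair), or a peer that is not Standby Ready. The sample text is constructed from the page's output with the secondary's outside_2 altered to Failed; `No Link (Waiting)` entries are deliberately not counted, since Waiting means no failure has been declared.

```python
import re
# Constructed sample in the page's `show monitor-interface` format; the
# secondary's outside_2 is altered to Failed so the check has something to flag.
SAMPLE = """\
This host: Primary - Active
  Interface outside_1 (192.168.3.254): Normal (Monitored)
  Interface outside_2 (192.168.3.254): No Link (Waiting)
  Interface inside_1 (192.168.2.254): Normal (Monitored)
  Interface inside_2 (192.168.2.254): No Link (Waiting)
Other host: Secondary - Standby Ready
  Interface outside_1 (192.168.3.253): Normal (Monitored)
  Interface outside_2 (192.168.3.253): Failed (Monitored)
  Interface inside_1 (192.168.2.253): Normal (Monitored)
  Interface inside_2 (192.168.2.253): No Link (Waiting)
"""
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \((\S+)\): "
                      r"(Unknown|Normal|Testing|Link Down|No Link|Failed) \(([\w-]+)\)$")

def parse_monitor_interface(text):
    """Map 'This'/'Other' to unit role, failover state and interface list."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"unit": m.group(2), "state": m.group(3).strip(), "interfaces": []}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            hosts[current]["interfaces"].append({"name": m.group(1), "ip": m.group(2),
                                                 "status": m.group(3), "monitoring": m.group(4)})
    return hosts

def failed_interfaces(host):
    # Only Monitored interfaces count; "No Link (Waiting)" means the peer
    # interface is down too, so the ASA declares no failure for it.
    return [i["name"] for i in host["interfaces"]
            if i["monitoring"] == "Monitored" and i["status"] == "Failed"]

def evaluate(text, interface_policy=1):
    findings = []
    for label, host in parse_monitor_interface(text).items():
        failed = failed_interfaces(host)
        if len(failed) >= interface_policy:
            findings.append(f"{label} host ({host['unit']}) meets failover criteria: {failed}")
        if label == "Other" and host["state"] != "Standby Ready":
            findings.append(f"peer not Standby Ready: {host['state']}")
    return findings
```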
Forcing Failover
# Forces a failover when entered on the active unit in a failover pair.
# The active unit becomes the standby unit.
no failover active
# Forces a failover when entered on the standby unit in a failover pair.
# The standby unit becomes the active unit.
failover active