OT: ASA Failover & Monitored Interfaces

From: Joe Astorino <joeastorino1982_at_gmail.com>
Date: Sun, 24 Mar 2013 23:17:39 -0400

I ran into an interesting situation tonight, and am trying to piece
together what happened and what should happen. Pretty simple setup:

2 ASAs running in active/standby. These ASAs have a number of
interfaces and sub-interfaces, all of which are monitored in the
failover configuration. There are IPS units physically inline between
these ASAs on most of the interfaces. The failover interface itself
is of course a straight connection between the ASAs.

So, the IPS on the primary side "locked up" and it is set to
fail-closed. From the inside network, the interfaces on the primary
ASA were completely unreachable. I was unable to ping the interfaces
at all. I was expecting that when this happened, the ASAs would
trigger failover because several of the monitored interfaces were not
reachable, but they didn't. When logging into the standby unit,
everything showed "normal": all the monitored interfaces were
normal. As soon as I manually failed it over, that changed and the
interfaces that were unreachable on the other side showed up as
"failed".

So basically, the ASAs were unable to communicate with each other
over several of the monitored data interfaces, but the status still
showed "normal" until a manual failover was done. If the failover link
is fine, but the ASAs cannot communicate via the monitored data
interfaces, shouldn't that trigger a failover event?

-- 
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
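An added example, not part of Joe's post and not anything the ASA does itself: a small Python parser that reads the output of `show failover`, lists the monitored interfaces on each unit that are not in the "Normal" state, and checks whether that count meets the configured "Interface Policy" threshold (the number or percentage of failed monitored interfaces needed before the unit is declared failed). The sample output embedded below is constructed, modelled on the usual layout of that command; the exact wording varies across ASA releases, so the line formats the regexes expect are an assumption. Running something like this against both units after an incident shows whether the monitor actually saw the interfaces as failed, which is the first thing to establish when a failover did not happen as expected.

```python
import re

# Constructed sample output modelled on the ASA "show failover" layout.
# The precise wording is an assumption; adjust the regexes for your release.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
        This host: Primary - Active
                Active time: 86400 (sec)
                  Interface outside (203.0.113.1): Normal (Monitored)
                  Interface inside (10.0.0.1): Normal (Monitored)
                  Interface dmz (192.0.2.1): Failed (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface inside (10.0.0.2): Normal (Monitored)
                  Interface dmz (192.0.2.2): Normal (Monitored)
"""

# "Interface Policy 1" is a count; "Interface Policy 50%" is a percentage.
POLICY_RE = re.compile(r"^Interface Policy (\d+)(%?)")
# "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
HOST_RE = re.compile(r"^\s*(This|Other) host: (\S+) - (.+)$")
# "Interface dmz (192.0.2.1): Failed (Monitored)"
IFACE_RE = re.compile(
    r"^\s*Interface (\S+) \(([^)]*)\): (.+?) \((Monitored|Not-Monitored|Waiting)\)\s*$"
)


def parse_show_failover(text):
    """Return (policy, hosts).

    policy is (threshold, is_percent); hosts maps "This"/"Other" to a dict with
    the unit name, its failover state, and {iface: (ip, status, monitored)}.
    """
    policy = None
    hosts = {}
    current = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = (int(m.group(1)), m.group(2) == "%")
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"unit": m.group(2), "state": m.group(3).strip(), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, status, mon = m.groups()
            hosts[current]["interfaces"][name] = (ip, status, mon == "Monitored")
    return policy, hosts


def failed_monitored(hosts, which):
    """Monitored interfaces on the given unit whose status is anything but Normal."""
    ifaces = hosts[which]["interfaces"]
    return sorted(n for n, (_, status, mon) in ifaces.items() if mon and status != "Normal")


def policy_met(policy, hosts, which):
    """True when the failed-interface count/percentage reaches the Interface Policy."""
    threshold, is_percent = policy
    monitored = [n for n, (_, _, mon) in hosts[which]["interfaces"].items() if mon]
    if not monitored:
        return False
    failed = failed_monitored(hosts, which)
    if is_percent:
        return 100.0 * len(failed) / len(monitored) >= threshold
    return len(failed) >= threshold


def assess(text):
    """Per-unit summary: which monitored interfaces are down and whether the policy is met."""
    policy, hosts = parse_show_failover(text)
    return {
        which: {
            "unit": info["unit"],
            "state": info["state"],
            "failed": failed_monitored(hosts, which),
            "policy_met": policy_met(policy, hosts, which),
        }
        for which, info in hosts.items()
    }


if __name__ == "__main__":
    for which, summary in assess(SAMPLE_SHOW_FAILOVER).items():
        print(which, summary)
```

In the constructed sample the primary shows one failed monitored interface against a policy of 1, so the parser reports the policy as met on that unit and not met on the standby. The useful comparison in Joe's scenario is the opposite case: if neither unit's output lists any interface as anything but "Normal (Monitored)" while the data path is demonstrably broken, the hello-based interface monitoring never saw a failure, and the policy check can never fire.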