Not much, but I remember that the ASAs go through a list of steps to declare
an interface as failed, which include sending traffic to last known
talkers and eventually broadcasting some echo requests. The whole process
takes a while, and the interface may show as unknown, which is a transition state.
The problem with determining which one is failing on an unused segment is
that there's nobody out there to talk to, so the failure would look the
same to both parties. I guess that the DG should answer if there's one,
but if it is an internal segment, the ASA might be it.
This is of course if it is not a link down event, which, being a subif, is
out of the question.
-Carlos
Joe Astorino @ 25/03/2013 01:03 -0300 dixit:
> Also of note, the IPSs are actually not Cisco at all and not managed
> by me. They are IPS units from Sourcefire managed by a 3rd party.
>
> On Sun, Mar 24, 2013 at 11:44 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>> It should indeed, but I agree, I too had this issue March 8, 2013 (yes, I remember the exact date as it was catastrophic).
>>
>> We have 5585-20s in HA A/S, with IPS 4270s inline with fail-close as well.
>>
>> I came unglued when this occurred, and Cisco stated this was a "software" issue but without any attributing bug. We were running 9.0.1 on the ASAs (now 9.1.1-4), and could not reproduce the issue on our 5585-20/4270 lab hardware with the same IOS. The default failover is set for 1 interface, but to your point, if it doesn't mark it down, it won't fail over. In the lab, it worked as expected. In production, it did not, but now does.
>>
>> May I ask what code on the ASAs you're running?
>>
>> BTW, the IPSs locked up due to a bug in the 7.1(6)E4 IPS engine when signature 694 was pushed. Interesting to see if any of these variables were constants in your environment.
>>
>> I'm taking the Security IE lab on Wednesday of this week, and these little nuances made me a bit nervous!
>>
>> Cheers.
>>
>> Regards,
>> Jay McMickle CCIE #35355
>> Sent from my iPhone
>>
>> On Mar 24, 2013, at 10:17 PM, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
>>
>>> I ran into an interesting situation tonight, and am trying to piece
>>> together what happened and what should happen. Pretty simple setup:
>>>
>>> 2 ASAs running in active/standby. These ASAs have a number of
>>> interfaces and sub-interfaces, all of which are monitored in the
>>> failover configuration. There are IPS units physically inline between
>>> these ASAs on most of the interfaces. The failover interface itself
>>> is of course a straight connection between the ASAs.
>>>
>>> So, the IPS on the primary side "locked up" and it is set to
>>> fail-closed. From the inside network, the interfaces on the primary
>>> ASA were completely unreachable. I was unable to ping the interfaces
>>> at all. I was expecting that when this happened, the ASAs would
>>> trigger failover because several of the monitored interfaces were not
>>> reachable, but they didn't. When logging into the standby unit,
>>> everything showed "normal"... all the monitored interfaces were
>>> normal. As soon as I manually failed it over, that changed and the
>>> interfaces that were unreachable on the other side showed up as
>>> "failed".
>>>
>>> So basically, the ASAs were unable to communicate with each other
>>> over several of the monitored data interfaces, but the status still
>>> showed "normal" until a manual failover was done. If the failover link
>>> is fine, but the ASAs cannot communicate via the monitored data
>>> interfaces, shouldn't that trigger a failover event?
>>>
>>> --
>>> Regards,
>>>
>>> Joe Astorino
>>> CCIE #24347
>>> http://astorinonetworks.com
>>>
>>> "He not busy being born is busy dying" - Dylan
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
-- 
Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Mon Mar 25 2013 - 07:31:54 ART
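The interface test sequence Carlos describes, and why a quiet segment ends up looking the same from both units, as an added model in Python. This is not Cisco's code and not from the original thread: the test order (link, network activity, ARP to last-known hosts, broadcast ping) and the rule that tests failing on both units leave the interface Unknown rather than Failed follow Cisco's ASA failover documentation as I understand it, and the segments, host addresses, traffic flags and the "blocked" path standing in for a fail-closed inline IPS are constructed for the example.

```python
# Added illustration (not Cisco code): a small model of how an ASA active/standby
# pair classifies a monitored data interface and decides whether the active unit
# has crossed its "failover interface-policy" threshold. It encodes the documented
# test order (link, network activity, ARP to last-known hosts, broadcast ping) and
# the rule that when the tests fail on BOTH units the interface becomes Unknown
# rather than Failed and does not count toward the policy. The topologies, hosts
# and traffic flags are constructed for the example; timing (the Testing state) is
# ignored.
from dataclasses import dataclass

UNITS = ("primary", "secondary")
NET_TESTS = ("activity", "arp", "broadcast_ping")


@dataclass(frozen=True)
class Segment:
    """A monitored subinterface's segment as seen from each unit.

    hosts:   addresses on the segment that would answer ARP / broadcast ping
    traffic: whether the segment carries any background traffic at all
    blocked: units whose path onto the segment is cut, e.g. by an inline
             fail-closed IPS that has locked up; the link itself stays up
             because a subinterface on a trunk never sees a physical link-down
    """
    name: str
    hosts: frozenset
    traffic: bool
    blocked: frozenset = frozenset()


def run_interface_tests(unit, seg, last_talkers):
    """Per-test results one unit would get on this segment (True = passed)."""
    reachable = unit not in seg.blocked
    return {
        "link": True,                                        # subif: never down
        "activity": reachable and seg.traffic,               # frames received?
        "arp": reachable and any(h in seg.hosts for h in last_talkers),
        "broadcast_ping": reachable and bool(seg.hosts),     # anyone answers?
    }


def interface_state(mine, peers):
    """Normal if any network test passed here; Failed if the link is down or the
    peer still passes traffic on its side; Unknown when both sides fail."""
    if not mine["link"]:
        return "Failed"
    if any(mine[t] for t in NET_TESTS):
        return "Normal"
    if any(peers[t] for t in NET_TESTS):
        return "Failed"
    return "Unknown"


def evaluate_pair(segments, last_talkers, active="primary", policy=1):
    """Return per-unit interface states and whether the active unit must fail
    over (number of Failed monitored interfaces on it >= policy)."""
    states = {u: {} for u in UNITS}
    for seg in segments:
        results = {u: run_interface_tests(u, seg, last_talkers.get(seg.name, ()))
                   for u in UNITS}
        for unit in UNITS:
            peer = UNITS[1 - UNITS.index(unit)]
            states[unit][seg.name] = interface_state(results[unit], results[peer])
    failed_on_active = sum(s == "Failed" for s in states[active].values())
    return states, failed_on_active >= policy


def scenario_busy_segment():
    """Fail-closed IPS on the primary side, segment with live hosts."""
    segs = [Segment("inside", frozenset({"10.0.0.10", "10.0.0.11"}), True,
                    blocked=frozenset({"primary"}))]
    return evaluate_pair(segs, {"inside": ("10.0.0.10",)})


def scenario_quiet_segment():
    """Same fault on a segment with no other devices: both units fail every
    test, so neither can be shown to be worse off and nothing counts."""
    segs = [Segment("dmz-spare", frozenset(), False, blocked=frozenset({"primary"}))]
    return evaluate_pair(segs, {})


def scenario_policy_threshold():
    """One Failed interface is not enough when interface-policy is raised to 2."""
    segs = [Segment("inside", frozenset({"10.0.0.10"}), True, blocked=frozenset({"primary"})),
            Segment("outside", frozenset({"203.0.113.1"}), True)]
    return evaluate_pair(segs, {"inside": ("10.0.0.10",)}, policy=2)


if __name__ == "__main__":
    for name, fn in (("busy", scenario_busy_segment), ("quiet", scenario_quiet_segment),
                     ("policy 2", scenario_policy_threshold)):
        states, failover = fn()
        print(f"{name:9s} {states}  failover={failover}")
```

The model leaves out the time the real unit spends in the Testing state, which is the "takes a while" part of the reply. What it does show is the asymmetry being discussed: on a segment with live hosts the unit behind the dead IPS is the only one that fails its tests, so its interface goes Failed and a default interface-policy of 1 fails the unit over; on a segment with nobody else to answer, both units fail the same tests, the interface is Unknown on both, and it never counts toward the policy, so no failover happens no matter how the threshold is set.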
This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART