fonzeppelin
Registered: 10 Mar 2022, 15:01 Posts: 5
Greetings. Colleagues, please help me figure this out; I'm new to this topic. There is an ASA cluster consisting of two ASA 5525-x units. Yesterday one ASA rebooted and everything switched over to the other one, but some users had no Internet access. An autonomous system is also configured on the cluster (all publications, NAT, etc.). I could not find out why it rebooted: logging was not configured, so I cannot see what happened yesterday. I would be grateful if someone could tell me where to look. The settings on both ASAs are identical. Maybe something is wrong with failover? I am sending the part of the config with the failover settings and the output of the show failover command:
ASA-1
#sh run
interface GigabitEthernet0/5
 description LAN/STATE Failover Interface
failover
failover lan unit secondary
failover lan interface Failover GigabitEthernet0/5
failover key 12345
failover link Failover GigabitEthernet0/5
failover interface ip Failover 10.11.11.1 255.255.255.0 standby 10.11.11.10
no failover wait-disable
interface Port-channel1.900
 vlan 900
 nameif inside
 security-level 100
 ip address 10.1.1.245 255.255.255.0 standby 10.1.1.246
#sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: Failover GigabitEthernet0/5 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.6(2), Mate 9.6(2)
Serial Number: Ours FCH21027VDL, Mate FCH21027VR7
Last Failover at: 10:46:15 MSK May 16 2022
        This host: Secondary - Active
                Active time: 43820 (sec)
                slot 0: ASA5525 hw/sw rev (3.0/9.6(2)) status (Up Sys)
                  Interface managment (192.168.1.1): Normal (Monitored)
                  Interface as (x.x.x.x): Normal (Not-Monitored)
                  Interface DMZ (x.x.x.x): Normal (Not-Monitored)
                  Interface inside (10.1.1.245): Normal (Not-Monitored)
                slot 1: SFR5525 hw/sw rev (N/A/6.5.0-115) status (Up/Up)
                  ASA FirePOWER, 6.5.0-115, Up, (Monitored)
        Other host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (3.0/9.6(2)) status (Up Sys)
                  Interface managment (192.168.1.2): Normal (Monitored)
                  Interface as (x.x.x.x): Normal (Not-Monitored)
                  Interface DMZ (0.0.0.0): Normal (Not-Monitored)
                  Interface inside (10.1.1.246): Normal (Not-Monitored)
                slot 1: SFR5525 hw/sw rev (N/A/6.5.0-115) status (Up/Up)
                  ASA FirePOWER, 6.5.0-115, Up, (Monitored)

Stateful Failover Logical Update Statistics
        Link : Failover GigabitEthernet0/5 (up)
        Stateful Obj    xmit        xerr  rcv       rerr
        General         14814910214 0     754335    18721
        sys cmd         625296      0     625293    0
        up time         0           0     0         0
        RPC services    0           0     0         0
        TCP conn        14674452806 0     44718     3839
        UDP conn        123042517   0     83311     14882
        ARP tbl         15279983    0     918       0
        Xlate_Timeout   0           0     0         0
        IPv6 ND tbl     0           0     0         0
        VPN IKEv1 SA    1503053     0     71        0
        VPN IKEv1 P2    6555        0     23        0
        VPN IKEv2 SA    0           0     0         0
        VPN IKEv2 P2    0           0     0         0
        VPN CTCP upd    0           0     0         0
        VPN SDI upd     0           0     0         0
        VPN DHCP upd    0           0     0         0
        Route Session   0           0     0         0
        Router ID       0           0     0         0
        User-Identity   4           0     1         0
        CTS SGTNAME     0           0     0         0
        CTS PAC         0           0     0         0
        TrustSec-SXP    0           0     0         0
        IPv6 Route      0           0     0         0
        STS Table       0           0     0         0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       25      755632
        Xmit Q:         0       148     14835810166
---------------------------------------------------------------------------------------------
ASA-2#
sh run
interface GigabitEthernet0/5
 description LAN/STATE Failover Interface
failover
failover lan unit secondary
failover lan interface Failover GigabitEthernet0/5
failover key *****
failover link Failover GigabitEthernet0/5
failover interface ip Failover 10.11.11.1 255.255.255.0 standby 10.11.11.10
no failover wait-disable
interface Port-channel1.900
 vlan 900
 nameif inside
 security-level 100
 ip address 10.1.1.245 255.255.255.0 standby 10.1.1.246
#sh failover
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/5 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.6(2), Mate 9.6(2)
Serial Number: Ours FCH21027VR7, Mate FCH21027VDL
Last Failover at: 10:49:26 MSK May 16 2022
        This host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (3.0/9.6(2)) status (Up Sys)
                  Interface managment (192.168.1.2): Normal (Monitored)
                  Interface as (x.x.x.x): Normal (Not-Monitored)
                  Interface DMZ (0.0.0.0): Normal (Not-Monitored)
                  Interface inside (10.1.1.246): Normal (Not-Monitored)
                slot 1: SFR5525 hw/sw rev (N/A/6.5.0-115) status (Up/Up)
                  ASA FirePOWER, 6.5.0-115, Up, (Monitored)
        Other host: Secondary - Active
                Active time: 44282 (sec)
                slot 0: ASA5525 hw/sw rev (3.0/9.6(2)) status (Up Sys)
                  Interface managment (192.168.1.1): Normal (Monitored)
                  Interface as (x.x.x.x): Normal (Not-Monitored)
                  Interface DMZ (x.x.x.x): Normal (Not-Monitored)
                  Interface inside (10.1.1.245): Normal (Not-Monitored)
                slot 1: SFR5525 hw/sw rev (N/A/6.5.0-115) status (Up/Up)
                  ASA FirePOWER, 6.5.0-115, Up, (Monitored)

Stateful Failover Logical Update Statistics
        Link : Failover GigabitEthernet0/5 (up)
        Stateful Obj    xmit        xerr  rcv       rerr
        General         5877        0     7657269   3259
        sys cmd         5877        0     5877      0
        up time         0           0     0         0
        RPC services    0           0     0         0
        TCP conn        0           0     5733656   1627
        UDP conn        0           0     1801927   1632
        ARP tbl         0           0     97941     0
        Xlate_Timeout   0           0     0         0
        IPv6 ND tbl     0           0     0         0
        VPN IKEv1 SA    0           0     17819     0
        VPN IKEv1 P2    0           0     48        0
        VPN IKEv2 SA    0           0     0         0
        VPN IKEv2 P2    0           0     0         0
        VPN CTCP upd    0           0     0         0
        VPN SDI upd     0           0     0         0
        VPN DHCP upd    0           0     0         0
        Route Session   0           0     0         0
        Router ID       0           0     0         0
        User-Identity   0           0     1         0
        CTS SGTNAME     0           0     0         0
        CTS PAC         0           0     0         0
        TrustSec-SXP    0           0     0         0
        IPv6 Route      0           0     0         0
        STS Table       0           0     0         0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       18      7866657
        Xmit Q:         0       1       5878