ASDM 5.2 User Guide
Monitoring Failover



Single Context Mode

Failover

You can monitor the status of the active and standby devices in a failover pair, along with failover-related statistics. See the following screens for more information:

Status—Displays the failover status of the device.

Graphs—Displays graphs of various failover communication statistics.

For More Information

For more information about failover in general, see Understanding Failover.

Status

The Status pane displays the failover state of the system. In single context mode, you can also control the failover state of the system by:

Toggling the active/standby state of the device.

Resetting a failed device.

Reloading the standby unit.

Fields

Failover state of the system—Display only. Displays the failover state of the security appliance. The information in this field is the same output you would receive from the show failover command. The following information is included in the display:


Note: Only a subset of the fields below appear when viewing the failover status within a security context. Those fields are indicated by an asterisk (*) before the field name.


*Failover—Displays "On" when failover is enabled, "Off" when failover is not enabled.

Cable Status—(PIX security appliance platform only) Displays the status of the serial failover cable. The following shows possible cable states:

Normal—The cable is connected to both units, and they both have power.

My side not connected—The serial cable is not connected to this unit. It is unknown if the cable is connected to the other unit.

Other side is not connected—The serial cable is connected to this unit, but not to the other unit.

Other side powered off—The other unit is turned off.

N/A—LAN-based failover is enabled.

Failover unit—Displays the role of the system in the failover pair, either "Primary" or "Secondary".

Failover LAN Interface—Displays the logical and physical name of the LAN failover interface. If you are using the dedicated failover cable on the PIX platform, this field displays "N/A - Serial-based failover enabled". If you have not yet configured the failover interface, this field displays "Not configured".

Unit Poll frequency/holdtime—Displays how often hello messages are sent on the failover link and how long to wait before testing the peer for failure if no hello messages are received.

Interface Poll frequency—Displays the interval, in seconds, between hello messages on monitored interfaces.

Interface Policy—Displays the number of interfaces that must fail before triggering failover.

Monitored Interfaces—Displays the number of interfaces whose health you are monitoring for failover.

failover replication http—Displayed if HTTP replication is enabled.

*Last Failover—Displays the time and date the last failover occurred.

*This Host(Context)/Other Host(Context)—For each host (or for the selected context in multiple context mode) in the failover pair, the following information is shown:

Primary or Secondary—Displays whether the unit is the primary or secondary unit. Also displays the following status:

*Active—The unit is the active unit.

*Standby—The unit is the standby unit.

*Disabled—The unit has failover disabled or the failover link is not configured.

*Listen—The unit is attempting to discover an active unit by listening for polling messages.

*Learn—The unit detected an active unit, and is not synchronizing the configuration before going to standby mode.

*Failed—The unit is failed.

*Active Time—The amount of time, in seconds, that the unit has been in the active state.

*[context_name] Interface name (n.n.n.n)—For each interface, the display shows the IP address currently being used on each unit, as well as one of the following conditions. In multiple context mode, the context name appears before each interface.

Failed—The interface has failed.

Link Down—The interface line protocol is down.

Normal—The interface is working correctly.

No Link—The interface has been administratively shut down.

Unknown—The security appliance cannot determine the status of the interface.

(Waiting)—The interface has not yet received any polling messages from the other unit.

Testing—The interface is being tested.

*Stateful Failover Logical Updates Statistics—The following fields relate to the Stateful Failover feature. If the Link field shows an interface name, then the Stateful Failover statistics are shown.


Note: Stateful Failover is not supported on the ASA 5505 series adaptive security appliance. These statistics do not appear in ASDM running on an ASA 5505 security appliance.


Link—Displays one of the following:

interface_name—The interface used for the Stateful Failover link.

Unconfigured—You are not using Stateful Failover.

Stateful Obj—For each field type, the following statistics are displayed:

xmit—Number of transmitted packets to the other unit

xerr—Number of errors that occurred while transmitting packets to the other unit

rcv—Number of received packets

rerr—Number of errors that occurred while receiving packets from the other unit

The following are the stateful object field types:

General—Sum of all stateful objects.

sys cmd—Logical update system commands; for example, LOGIN and Stay Alive.

up time—Up time, which the active unit passes to the standby unit.

RPC services—Remote Procedure Call connection information.

TCP conn—TCP connection information.

UDP conn—Dynamic UDP connection information.

ARP tbl—Dynamic ARP table information.

L2BRIDGE tbl—Layer 2 bridge table information (transparent firewall mode only).

Xlate_Timeout—Indicates connection translation timeout information.

VPN IKE upd—IKE connection information.

VPN IPSEC upd—IPSec connection information.

VPN CTCP upd—cTCP tunnel connection information.

VPN SDI upd—SDI AAA connection information.

VPN DHCP upd—Tunneled DHCP connection information.

*Logical Update Queue Information—Displays the following statistics:

Recv Q—The status of the receive queue.

Xmit Q—The status of the transmit queue.

The following information is displayed for each queue:

Cur—The current number of packets in the queue.

Max—The maximum number of packets.

Total—The total number of packets.

*Lan-based Failover is active—This field appears only when LAN-based failover is enabled.

interface name (n.n.n.n) and peer (n.n.n.n)—The name and IP address of the failover link currently being used on each unit.
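An added example, not part of the Cisco guide: because the Status pane shows the same information as the show failover command, saved command output can be checked against the field list above. The sample text is constructed and its layout is an assumption; parse_show_failover and findings are hypothetical helper names.

```python
import re

# Constructed sample, not captured from a device; the text layout is an
# assumption modelled on the show failover fields this page lists.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet2 (up)
        This host: Primary - Active
                Active time: 13434 (sec)
                Interface inside (192.0.2.1): Normal
                Interface outside (198.51.100.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface inside (192.0.2.2): Normal
                Interface outside (198.51.100.2): Failed

Stateful Failover Logical Update Statistics
        Link : folink Ethernet2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1739       3          1733       0
        sys cmd         1733       0          1733       0
        TCP conn        6          3          0          0
"""

ENABLED_RE = re.compile(r"^\s*Failover (On|Off)\s*$")
HOST_RE = re.compile(r"^\s*(This host|Other host):\s*(Primary|Secondary)\s*-\s*(.+?)\s*$")
# Optional leading token is the context name shown in multiple context mode.
IFACE_RE = re.compile(r"^\s*(?:(\S+)\s+)?Interface (\S+) \(([\d.]+)\):\s*(.+?)\s*$")
STAT_RE = re.compile(r"^\s*(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
STEADY_STATES = {"Active", "Standby", "Standby Ready"}

def parse_show_failover(text):
    # Returns the failover flag, per-host state and interfaces, and counters.
    result = {"enabled": None, "hosts": {}, "stateful": {}}
    host, in_stats = None, False
    for line in text.splitlines():
        if (m := ENABLED_RE.match(line)):
            result["enabled"] = m[1] == "On"
        elif (m := HOST_RE.match(line)):
            host = {"role": m[2], "state": m[3], "interfaces": {}}
            result["hosts"][m[1]] = host
        elif host is not None and (m := IFACE_RE.match(line)):
            key = f"{m[1]}/{m[2]}" if m[1] else m[2]
            host["interfaces"][key] = {"ip": m[3], "status": m[4]}
        elif line.strip().startswith("Stateful Obj"):
            in_stats = True  # counter rows only follow this header
        elif in_stats and (m := STAT_RE.match(line)):
            counts = map(int, m.groups()[1:])
            result["stateful"][m[1]] = dict(zip(("xmit", "xerr", "rcv", "rerr"), counts))
    return result

def findings(parsed):
    # Lists every condition that differs from a healthy, steady failover pair.
    out = []
    if not parsed["enabled"]:
        out.append("failover is not enabled")
    for label, h in parsed["hosts"].items():
        if h["state"] not in STEADY_STATES:
            out.append(f"{label} ({h['role']}) is in state {h['state']}")
        for key, i in h["interfaces"].items():
            if i["status"] != "Normal":
                out.append(f"{label} interface {key} ({i['ip']}) is {i['status']}")
    for obj, c in parsed["stateful"].items():
        if c["xerr"] or c["rerr"]:
            out.append(f"stateful object {obj}: xerr={c['xerr']} rerr={c['rerr']}")
    return out
```

Calling findings(parse_show_failover(SAMPLE)) reports the failed outside interface on the other host and the two stateful object rows with transmit errors.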

The following actions are available on the Status pane:

Make Active—(Only available in Single mode) Click this button to make the security appliance the active unit in an active/standby configuration.

Make Standby—(Only available in Single mode) Click this button to make the security appliance the standby unit in an active/standby pair.

Reset Failover—(Only available in Single mode) Click this button to reset a system from the failed state to the standby state. You cannot reset a system to the active state. Clicking this button on the active unit resets the standby unit.

Reload Standby—(Only available in Single mode) Click this button to force the standby unit to reload.

Refresh—Click this button to refresh the status information in the Failover state of the system field.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

For more information about failover in general, see Understanding Failover.

Graphs

The Graphs pane lets you view failover statistics in graph and table form. In multiple context mode, the Graphs pane is only available in the admin context.

The information in the graphs relates to Stateful Failover only.

Fields

Available Graphs for—Lists the types of statistical information available for monitoring. You can choose up to four statistic types to display in one graph window. Double-clicking a statistic type in this field moves it to the Selected Graphs field. Single-clicking a statistic type in this field selects the entry. You can select multiple entries.

The following types of statistics are available in graph or table format in the graph window. They show the number of packets sent to and received from the other unit in the failover pair.

RPC services information—Displays the security appliance RPC service information.

TCP Connection Information—Displays the security appliance TCP connection information.

UDP Connection Information—Displays the security appliance UDP connection information.

ARP Table Information—Displays the security appliance ARP table information.

L2Bridge Table Information—(Transparent Firewall Mode Only) Displays the layer 2 bridge table packet counts.

Xmit Queue—(Single Mode Only) Displays the current, maximum, and total number of packets transmitted.

Receive Queue—(Single Mode Only) Displays the current, maximum, and total number of packets received.

Graph Window—Shows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, select the open graph window name. The statistics already included in the graph window are shown in the Selected Graphs field, to which you can add additional types (up to a maximum of four types per window).

Add—Click this button to move the selected entries in the Available Graphs for field to the Selected Graphs field.

Remove—Removes the selected statistic type from the Selected Graphs field.

Selected Graphs—Shows the statistic types you want to show in the selected graph window. You can include up to four types. Double-clicking a statistic type in this field removes the selected statistic type from the field. Single-clicking a statistic type in this field selects the statistic type. You can select multiple statistic types.

Show Graphs—Click this button to display a new or updated graph window with the selected statistics.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

For more information about failover in general, see Understanding Failover.

Multiple Context Mode

You can monitor the failover status of the system and of the individual failover groups in the system context. See the following topics for monitoring failover status from the system context:

System

Failover Group 1 and Failover Group 2

For More Information

For more information about failover in general, see Understanding Failover.

System

The System pane displays the failover state of the system. You can also control the failover state of the system by:

Toggling the active/standby state of the device.

Resetting a failed device.

Reloading the standby unit.

Fields

Failover state of the system—Display only. Displays the failover state of the security appliance. The information shown is the same output you would receive from the show failover command. The following information is included in the display:

Failover—Displays "On" when failover is enabled, "Off" when failover is not enabled.

Cable Status—(PIX security appliance platform only) Displays the status of the serial failover cable. The following shows possible cable states:

Normal—The cable is connected to both units, and they both have power.

My side not connected—The serial cable is not connected to this unit. It is unknown if the cable is connected to the other unit.

Other side is not connected—The serial cable is connected to this unit, but not to the other unit.

Other side powered off—The other unit is turned off.

N/A—LAN-based failover is enabled.

Failover unit—Displays the role of the system in the failover pair, either "Primary" or "Secondary".

Failover LAN Interface—Displays the logical and physical name of the LAN failover interface. If you are using the dedicated failover cable on the PIX platform, this field displays "N/A - Serial-based failover enabled". If you have not yet configured the failover interface, this field displays "Not configured".

Unit Poll frequency/holdtime—Displays how often hello messages are sent on the failover link and how long to wait before testing the peer for failure if no hello messages are received.

Interface Poll frequency—Displays the interval, in seconds, between hello messages on monitored interfaces.

Interface Policy—Displays the number of interfaces that must fail before triggering failover.

Monitored Interfaces—Displays the number of interfaces whose health you are monitoring for failover.

failover replication http—Specifies that HTTP replication is enabled.

Group x Last Failover—Displays the time and date the last failover occurred for each failover group.

This Host/Other Host—For each host in the failover pair, the following information is shown:

Primary or Secondary—Displays whether the unit is the primary or secondary unit.

Group x—For each failover group, the following information is shown:

State—Active or Standby Ready.

Active Time—The amount of time, in seconds, that the failover group has been in the active state.

context_name Interface name (n.n.n.n)—For each interface, the display shows the IP address currently being used on each unit, as well as one of the following conditions.

Failed—The interface has failed.

Link Down—The interface line protocol is down.

Normal—The interface is working correctly.

No Link—The interface has been administratively shut down.

Unknown—The security appliance cannot determine the status of the interface.

(Waiting)—The interface has not yet received any polling messages from the other unit.

Testing—The interface is being tested.

Stateful Failover Logical Updates Statistics—The following fields relate to the Stateful Failover feature. If the Link field shows an interface name, then the Stateful Failover statistics are shown.


Note: Stateful Failover is not supported on the ASA 5505 series adaptive security appliance. These statistics do not appear in ASDM running on an ASA 5505 security appliance.


Link—Displays one of the following:

interface_name—The interface used for the Stateful Failover link.

Unconfigured—You are not using Stateful Failover.

Stateful Obj—For each field type, the following statistics are displayed:

xmit—Number of transmitted packets to the other unit

xerr—Number of errors that occurred while transmitting packets to the other unit

rcv—Number of received packets

rerr—Number of errors that occurred while receiving packets from the other unit

The following are the stateful object field types:

General—Sum of all stateful objects.

sys cmd—Logical update system commands; for example, LOGIN and Stay Alive.

up time—Up time, which the active unit passes to the standby unit.

RPC services—Remote Procedure Call connection information.

TCP conn—TCP connection information.

UDP conn—Dynamic UDP connection information.

ARP tbl—Dynamic ARP table information.

L2BRIDGE tbl—Layer 2 bridge table information (transparent firewall mode only).

Xlate_Timeout—Indicates connection translation timeout information.

VPN IKE upd—IKE connection information.

VPN IPSEC upd—IPSec connection information.

VPN CTCP upd—cTCP tunnel connection information.

VPN SDI upd—SDI AAA connection information.

VPN DHCP upd—Tunneled DHCP connection information.

Logical Update Queue Information—Displays the following statistics:

Recv Q—The status of the receive queue.

Xmit Q—The status of the transmit queue.

The following information is displayed for each queue:

Cur—The current number of packets in the queue.

Max—The maximum number of packets.

Total—The total number of packets.

Lan-based Failover is active—This field appears only when LAN-based failover is enabled.

interface name (n.n.n.n) and peer (n.n.n.n)—The name and IP address of the failover link currently being used on each unit.

The following actions are available on the System pane:

Make Active—Click this button to make the security appliance the active unit in an active/standby configuration. In an active/active configuration, clicking this button causes both failover groups to become active on the security appliance.

Make Standby—Click this button to make the security appliance the standby unit in an active/standby pair. In an active/active configuration, clicking this button causes both failover groups to go to the standby state on the security appliance.

Reset Failover—Click this button to reset a system from the failed state to the standby state. You cannot reset a system to the active state. Clicking this button on the active unit resets the standby unit.

Reload Standby—Click this button to force the standby unit to reload.

Refresh—Click this button to refresh the status information in the Failover state of the system field.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

For more information about failover in general, see Understanding Failover.

Failover Group 1 and Failover Group 2

The Failover Group 1 and Failover Group 2 panes display the failover state of the selected group. You can also control the failover state of the group by toggling the active/standby state of the group or by resetting a failed group.

Fields

Failover state of Group[x]—Display only. Displays the failover state of the selected failover group. The information shown is the same as the output you would receive from the show failover group command and contains the following information:

Last Failover—The time and date of the last failover.

This Host/Other Host—For each host in the failover pair, the following information is shown:

Primary or Secondary—Displays whether the unit is the primary or secondary unit. The following information is also shown for the failover group:

Active—The failover group is active on the specified unit.

Standby—The failover group is in the standby state on the specified unit.

Disabled—The unit has failover disabled or the failover link is not configured.

Listen—The unit is attempting to discover an active unit by listening for polling messages.

Learn—The unit detected an active unit, and is not synchronizing the configuration before going to standby mode.

Failed—The failover group is in the failed state on the specified unit.

Active Time—The amount of time, in seconds, that the failover group has been in the active state on the specified unit.

context_name Interface name (n.n.n.n)—For each interface in the selected failover group, the display shows the context to which it belongs and the IP address currently being used on each unit, as well as one of the following conditions.

Failed—The interface has failed.

Link Down—The interface line protocol is down.

Normal—The interface is working correctly.

No Link—The interface has been administratively shut down.

Unknown—The security appliance cannot determine the status of the interface.

(Waiting)—The interface has not yet received any polling messages from the other unit.

Testing—The interface is being tested.

Stateful Failover Logical Updates Statistics—The following fields relate to the Stateful Failover feature. If the Link field shows an interface name, then the Stateful Failover statistics are shown.

Link—Displays one of the following:

interface_name—The interface used for the Stateful Failover link.

Unconfigured—You are not using Stateful Failover.

Stateful Obj—For each field type, the following statistics are displayed:

xmit—Number of transmitted packets to the other unit

xerr—Number of errors that occurred while transmitting packets to the other unit

rcv—Number of received packets

rerr—Number of errors that occurred while receiving packets from the other unit

The following are the stateful object field types:

General—Sum of all stateful objects.

sys cmd—Logical update system commands; for example, LOGIN and Stay Alive.

up time—Up time, which the active unit passes to the standby unit.

RPC services—Remote Procedure Call connection information.

TCP conn—TCP connection information.

UDP conn—Dynamic UDP connection information.

ARP tbl—Dynamic ARP table information.

L2BRIDGE tbl—Layer 2 bridge table information (transparent firewall mode only).

Xlate_Timeout—Indicates connection translation timeout information.

IKE upd—IKE connection information.

VPN IPSEC upd—IPSec connection information.

VPN CTCP upd—cTCP tunnel connection information.

VPN SDI upd—SDI AAA connection information.

VPN DHCP upd—Tunneled DHCP connection information.

Logical Update Queue Information—Displays the following statistics:

Recv Q—The status of the receive queue.

Xmit Q—The status of the transmit queue.

The following information is displayed for each queue:

Cur—The current number of packets in the queue.

Max—The maximum number of packets.

Total—The total number of packets.

You can perform the following actions from this pane:

Make Active—Click this button to make the failover group active on the security appliance.

Make Standby—Click this button to force the failover group into the standby state on the security appliance.

Reset Failover—Click this button to reset a system from the failed state to the standby state. You cannot reset a system to the active state. Clicking this button on the active unit resets the standby unit.

Refresh—Click this button to refresh the status information in the Failover state of the system field.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

For more information about failover in general, see Understanding Failover.