Wednesday, July 17, 2013

Failover question

Question:

I’d like to ask a failover question about the WS-C3560V2-24PS-S. Please help me with it.
Thanks in advance.



In my network, everything is working well; hosts can ping 4.2.2.2. In order to test failover,
I shut down interface Gi 1/12 of the Core1 switch. After this:
From the host, I can ping the router 1 outside interface IP, X.X.X.X.
And the router 1 outside interface can ping 4.2.2.2.
But the host is NOT able to ping 4.2.2.2.
I also found that the ASA outside interface can ping 4.2.2.2, but pinging 4.2.2.2 from the ASA inside interface does NOT work.
I have no idea how to troubleshoot this.
So please help me.

Thank you very much.

Router config:

……….
no aaa new-model
ip cef
!
ip domain round-robin
ip domain name aaaaa
ip name-server 4.2.2.2
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback100
 description mgmt interface
 ip address 10.0.100.13 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0
 description ISP circuit order 1-111111111111
 ip address X.X.X.X 255.255.255.248
 ip accounting output-packets
 ip nat outside
 ip nat enable
 no ip virtual-reassembly
 duplex full
 speed 1000
 media-type sfp
 no negotiation auto
!
interface GigabitEthernet0/1
 description uplink to main-1 interface g 1/0/12
 ip address 192.168.2.253 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip nat enable
 no ip virtual-reassembly
 duplex full
 speed 1000
 media-type sfp
 no negotiation auto
 standby 2 ip 192.168.2.254
 standby 2 priority 110
 standby 2 preempt
!
interface GigabitEthernet0/2
 ip address 192.168.3.253 255.255.255.0
 no ip redirects
 duplex full
 speed 1000
 negotiation auto
 standby 3 ip 192.168.3.254
 standby 3 priority 110
 standby 3 preempt
!
interface GigabitEthernet0/3
 no ip address
 duplex full
 speed 1000
 no negotiation auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.1.0.0 255.255.0.0 192.168.2.1
ip route 10.1.20.0 255.255.255.0 192.168.2.13
no ip http server
!
ip dns server view-group aaaaaaa
ip dns server
ip nat pool mypool X.X.X.X X.X.X.X netmask 255.255.255.252
ip nat inside source list 1 pool mypool overload
!
logging alarm informational
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!

………..



Switch config:
..
ip domain-name xxxxxxxxxxxxxxxxxxxxxxxxx
ip name-server 4.2.2.2
interface Loopback100
 ip address 10.0.100.15 255.255.255.255
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/5
 description uplink to asa12 port 0/0
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/6
 description uplink to router02 port g 0/1
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/10
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/11
 description uplink to asa11 port 0/0
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/12
 description uplink to router01 port g 0/1
 switchport access vlan 2
 switchport mode access
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 192.168.2.4 255.255.255.0
!
ip default-gateway 192.168.2.254
!
ip http server
ip http secure-server
!
..
monitor session 1 source interface Gi1/0/12
monitor session 1 destination interface Gi1/0/2
end


ASA config:
.....
interface GigabitEthernet0/3
 description STATE Failover Interface
!
interface Management0/0
 description LAN Failover Interface
 management-only
!
interface GigabitEthernet1/0
 media-type sfp
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/1
 media-type sfp
 nameif inside
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/2
 media-type sfp
 nameif inside-backup
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/3
 media-type sfp
 nameif outside-backup
 security-level 0
 ip address 192.168.3.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type AllowedICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
 icmp-object time-exceeded
access-list EXEMPT extended permit ip 192.168.4.0 255.255.255.0 any
access-list EXEMPT extended permit ip 10.1.0.0 255.255.0.0 any
access-list EXEMPT extended permit ip 192.168.5.0 255.255.255.0 any
access-list no-nat extended permit ip 10.1.0.0 255.255.0.0 host 0.0.0.0
access-list outside_access_in extended permit icmp any any object-group AllowedICMP
access-list outside_access_in extended permit ip host 192.168.2.253 any
access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
failover
failover lan unit secondary
failover lan interface fobasic Management0/0
failover key *****
failover link fostate GigabitEthernet0/3
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside-backup) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_in out interface outside
access-group EXEMPT in interface inside
access-group EXEMPT out interface inside
!
router eigrp 10
 no auto-summary
 network 192.168.2.0 255.255.255.0
 network 192.168.3.0 255.255.255.0
 network 192.168.4.0 255.255.255.0
 network 192.168.5.0 255.255.255.0
 redistribute static
!
route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
……
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 123 reachability
……..
management-access inside
dhcpd dns x.x.x.x
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global

Answer:

You need to add the subnets where the hosts are located to the NAT ACL on the router. I guess they are:

access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255

And any other subnets, if you have them. Then remove on the router's interfaces:

int g0/0
 no ip nat enable

int g0/1
 no ip nat enable

Then test failover again; it should work.

On the left ASA you're doing NAT, so the inside LAN subnet 192.168.4.0/24 gets translated to 192.168.2.1. I believe that's why you didn't need to add that subnet to the ACL. About the ASA on the right side I cannot tell for sure. I think NAT might not have been configured there, so the subnets are not getting translated and are instead just forwarded to the router. I can tell for sure only after I see the config of the ASA and of the switches that the WS-C3560V2-48PS-S is connected to.
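A way to make the two router-side checks in this answer mechanical, as an added Python example written for this page (it is not code from the original post, nor a Cisco tool): it parses the NAT-relevant lines of the router config posted above (embedded below as a constructed excerpt), evaluates the NAT source ACL the way IOS evaluates a standard ACL (first match wins, wildcard bits are don't-care, implicit deny at the end) against candidate source addresses, and lists interfaces that carry both classic NAT (ip nat inside / ip nat outside) and NVI (ip nat enable). The candidate addresses 192.168.4.10 and 10.1.20.5 are assumed inside-host examples, not taken from the post.

```python
"""Router-side NAT sanity checks for the failover case discussed above:
1. which source addresses the NAT source ACL would actually translate, and
2. which interfaces mix classic NAT (ip nat inside/outside) with NVI (ip nat enable).
Added example for this page; not code from the original post or a Cisco tool."""
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the router config posted above.
ROUTER_CONFIG = """\
interface GigabitEthernet0/0
 ip address X.X.X.X 255.255.255.248
 ip nat outside
 ip nat enable
!
interface GigabitEthernet0/1
 ip address 192.168.2.253 255.255.255.0
 ip nat inside
 ip nat enable
!
interface GigabitEthernet0/2
 ip address 192.168.3.253 255.255.255.0
!
ip nat inside source list 1 pool mypool overload
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
"""

# The same excerpt with the answer's fix applied: NVI removed, inside subnets added.
FIXED_CONFIG = ROUTER_CONFIG.replace(" ip nat enable\n", "") + (
    "access-list 1 permit 192.168.4.0 0.0.0.255\n"
    "access-list 1 permit 192.168.5.0 0.0.0.255\n"
)

# Assumed source addresses to test (the last two are hypothetical inside hosts).
CANDIDATE_SOURCES = ["192.168.2.1", "192.168.3.1", "192.168.4.10", "10.1.20.5"]


def parse_interfaces(config):
    """Map each interface name to the set of 'ip nat ...' sub-commands under it."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = set()
        elif line.strip() == "!":
            current = None
        elif current is not None and line.startswith(" ip nat "):
            ifaces[current].add(line.strip())
    return ifaces


def mixed_nat_interfaces(ifaces):
    """Interfaces that carry both classic NAT and NVI configuration."""
    classic = {"ip nat inside", "ip nat outside"}
    return sorted(name for name, cmds in ifaces.items()
                  if "ip nat enable" in cmds and cmds & classic)


ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$")


def nat_acl_entries(config, acl_name):
    """Ordered (action, address, wildcard) entries of a standard numbered ACL."""
    entries = []
    for line in config.splitlines():
        m = ACL_LINE.match(line)
        if not m or m.group(1) != acl_name:
            continue
        action, addr, wildcard = m.group(2), m.group(3), m.group(4)
        if addr == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            addr, wildcard = wildcard, "0.0.0.0"
        entries.append((action, addr, wildcard or "0.0.0.0"))
    return entries


def acl_permits(entries, source_ip):
    """Standard-ACL semantics: first matching entry wins, implicit deny at the end.
    A wildcard bit of 1 means 'don't care', so only the remaining bits are compared."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wildcard in entries:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if (src & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return action == "permit"
    return False


def nat_source_acl(config):
    """Name/number of the ACL referenced by 'ip nat inside source list ...'."""
    m = re.search(r"^ip nat inside source list (\S+)", config, re.MULTILINE)
    return m.group(1) if m else None


def will_be_translated(config, source_ip):
    """True if a packet from source_ip matches the router's NAT source list."""
    acl = nat_source_acl(config)
    return acl is not None and acl_permits(nat_acl_entries(config, acl), source_ip)


def report(config, sources=CANDIDATE_SOURCES):
    """Both checks for one config, as a dict (used by the demo below)."""
    return {
        "translated": {ip: will_be_translated(config, ip) for ip in sources},
        "mixed_nat_interfaces": mixed_nat_interfaces(parse_interfaces(config)),
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", ROUTER_CONFIG), ("with fix", FIXED_CONFIG)):
        print(label, report(cfg))
```

With the config as posted, only sources inside 192.168.2.0/24 and 192.168.3.0/24 are translated and both Gi0/0 and Gi0/1 mix the two NAT styles; with the answer's two ACL lines added and ip nat enable removed, the assumed 192.168.4.10 host is translated and the list of mixed interfaces is empty. The script models the router side only: whether the ASA PATs its inside subnets to 192.168.2.1 or 192.168.3.1 before they reach the router (the nat (inside) 1 plus global (...) 1 interface lines in the ASA config) is not checked here.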

