topic Re: ASA 5520 firewall keeps testing on one interface in Network Security

ASA 5520 firewall keeps testing on one interface

Ge Qu — Fri, 21 Feb 2020 14:52:01 GMT

Hi,

I have a ASA 5520 firewall as a boarder of our network to one of our client.

Recently, the outside interface of the secondary unit keep testing and keeps pass. I got the email from the firewall a few times a day. there is no obvious network drop as no one complaint and also as it's a secondary unit as well.

Below are the emails I got from the firewall every day:

%ASA-1-105008: (Secondary) Testing Interface outside
%ASA-1-105005: (Secondary) Lost Failover communications with mate on interface outside
%ASA-1-105009: (Secondary) Testing on interface outside Passed

I would like to trouble shoot and see why it's happening but I don't know where to start.

I checked the cabling and failover status and all is good.

Thank you.

Re: ASA 5520 firewall keeps testing on one interface

Karsten Iwen — Wed, 29 Nov 2017 22:21:35 GMT

Are the interface counters clean? Are the duplex settings set correctly? Are there any log-messages on the outside-switch?

Re: ASA 5520 firewall keeps testing on one interface

johnlloyd_13 — Sat, 02 Dec 2017 03:10:47 GMT

hi,

can you post a show run failover and show failover output?

try removing HTTP replication if it's being used.

no failover replication http

Re: ASA 5520 firewall keeps testing on one interface

Ge Qu — Wed, 06 Dec 2017 15:26:36 GMT

The following are the sho run failover and show failover results, why need to disable the http replication?

sh run failover
failover
failover lan unit primary
failover lan interface fo-link GigabitEthernet0/3
failover replication http
failover link fo-link GigabitEthernet0/3
failover interface ip fo-link x.x.x.x 255.255.255.252 standby x.x.x.y

sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fo-link GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 160 maximum
failover replication http
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 17:25:07 EDT Mar 30 2017
This host: Primary - Active
Active time: 21625335 (sec)
slot 0: ASA5520 hw/sw rev (1.1/8.2(5)) status (Up Sys)
Interface xxx (x.x.x.x): Normal
Interface yyy (x.x.x.x): Normal
Interface zzz (x.x.x.x): Normal
Interface aaa (x.x.x.x): Normal (Not-Monitored)
Interface bbb (x.x.x.x): Normal
Interface ccc (x.x.x.x): Normal
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 6118 (sec)
slot 0: ASA5520 hw/sw rev (1.1/8.2(5)) status (Up Sys)
Interface xxx (x.x.x.x): Normal
Interface yyy (x.x.x.x): Normal
Interface zzz (x.x.x.x2): Normal
Interface aaa (x.x.x.x): Normal (Not-Monitored)
Interface bbb (x.x.x.x): Normal
Interface ccc (x.x.x.x): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : fo-link GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 1887991115 0 2882776 0
sys cmd 2882796 0 2882776 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1446887935 0 0 0
UDP conn 387137788 0 0 0
ARP tbl 51082596 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 4 2882776
Xmit Q: 0 27 1909611057

Re: ASA 5520 firewall keeps testing on one interface

Ge Qu — Wed, 06 Dec 2017 15:32:37 GMT

Hi,

The interface counters are clean and no any log messages saying there is an issue and duplex setting is all full

Re: ASA 5520 firewall keeps testing on one interface

layer1981 — Mon, 29 Jan 2018 14:35:00 GMT

Guys,

I have a similar problem on my 5510s (ASA Version 9.1(7)16 )

The difference is that mine ASAs are in transparent mode and have 3BVIs.

On the Primary ASA two of the BVIs interfaces are Normal(Monitored) but of them is constantly being tested and Passed.

On the Standby all interfaces looks ok - Normal (Monitored).

These error messages (%ASA-1-105008; %ASA-1-105009) are only appearing when I'm running on the Primary Active. Once I fail them over to Secondary all interfaces are being shown Normal (Monitored). I'm NOT getting the %ASA-1-105005 but ASAs logging this error as Critical (file attached).

Can anyone advise please ?

Re: ASA 5520 firewall keeps testing on one interface

Ge Qu — Fri, 23 Feb 2018 19:27:39 GMT

Hi,

Why we need to remove failover replication http ?

Re: ASA 5520 firewall keeps testing on one interface

layer — Wed, 30 May 2018 11:21:08 GMT

Hi everyone,

It looks like we have got stuck with this.

Can someone please advise how to fix this weird issue ?

I did have to disable sent alert emails because our email box was getting hundreds of emails a day.

Ge Qu - unless you really have to , do not remove this http replication. Cisco says that "not replicating HTTP sessions increases system performance without causing serious data or connection loss" I'm keeping this still enabled , just in case. Cisco says that replication "could have a negative impact upon system performance" but our performance seems to be ok.