https://community.cisco.com/t5/network-security/failover-secondary-active-problem/m-p/4798568#M1098845 <P>you mention active/standby in your post&nbsp; and then you mention cluster,<BR />which case is Active/Standby or Cluster ??&nbsp;</P> Tue, 21 Mar 2023 13:34:55 GMT MHM Cisco World 2023-03-21T13:34:55Z https://community.cisco.com/t5/network-security/failover-secondary-active-problem/m-p/4798332#M1098828 <P>FPR 2110 with ASA 9.14.3.18</P><P>Hello, everyone,<BR />we have an architecture of two ASAs with the above versions that failover between them and are clustered.<BR />Last week we noticed that when doing failover communication with the hello message , some vpn clients would drop. For this reason we decided to isolate the secondary, going to turn off all the communication ports with internal and external and the port that was supposed to do the failover, keeping management on so that it would remain reachable. Now, on Saturday, we don't understand the reasons, what was supposed to be secondary has requested failover and has become the active one, we believe, with the managment interface because it has also taken the managment ip of the primary. We have no persistent logs, a high log buffer and not even a log server. We only see this from the show failover history command where we can clearly see that both devices are active. Do you have any explanation? G</P><P>reetings</P> Tue, 21 Mar 2023 09:44:26 GMT https://community.cisco.com/t5/network-security/failover-secondary-active-problem/m-p/4798332#M1098828 Leopardi 2023-03-21T09:44:26Z https://community.cisco.com/t5/network-security/failover-secondary-active-problem/m-p/4798397#M1098830 <P>I believe this shouldn't normally happen, unless secondary was rebooted or there was a temporary communication failure between primary and secondary over management interface. In both such cases secondary would become active, because failover link is down, and split-brain would not be resolved, even though both units have working management interface which could potentially be used to send failover messages. This is design defect CSCvz08085 ENH: Avoid split brain when failover link comm is not possible during boot/election process</P> Tue, 21 Mar 2023 10:33:41 GMT https://community.cisco.com/t5/network-security/failover-secondary-active-problem/m-p/4798397#M1098830 tvotna 2023-03-21T10:33:41Z https://community.cisco.com/t5/network-security/failover-secondary-active-problem/m-p/4798568#M1098845 <P>you mention active/standby in your post&nbsp; and then you mention cluster,<BR />which case is Active/Standby or Cluster ??&nbsp;</P> Tue, 21 Mar 2023 13:34:55 GMT https://community.cisco.com/t5/network-security/failover-secondary-active-problem/m-p/4798568#M1098845 MHM Cisco World 2023-03-21T13:34:55Z https://community.cisco.com/t5/network-security/failover-secondary-active-problem/m-p/4800024#M1098948 <P>Sorry for the inconsistency, it is an Active/standby system. The last, we have resolved&nbsp;switching off the managment interface from the secondary switch and making it completely isolated</P> Thu, 23 Mar 2023 14:15:23 GMT https://community.cisco.com/t5/network-security/failover-secondary-active-problem/m-p/4800024#M1098948 Leopardi 2023-03-23T14:15:23Z