ASA Multiple context failover normal (waiting)

erickflamenco — Fri, 21 Feb 2020 16:18:46 GMT

Hi Pros,

I have 2 ASA firewall in multiple context but the first context keep stuck in normal (waiting)

00INFASA05/pri/act# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 516 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(2)38, Mate 9.8(2)38
Serial Number: Ours FCH1234J3CX, Mate FCH56787BCX
Group 1 last failover at: 10:37:30 UTC Oct 2 2018
Group 2 last failover at: 11:10:47 UTC Oct 1 2018

This host: Primary
Group 1 State: Active
Active time: 323 (sec)
Group 2 State: Active
Active time: 84725 (sec)

slot 0: ASA5555 hw/sw rev (3.1/9.8(2)38) status (Up Sys)
admin Interface management (172.27.0.235): Normal (Monitored)
DATACENTER Interface inside (172.16.254.1): Normal (Waiting)
DATACENTER Interface outside (172.16.254.17): Normal (Waiting)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)

Other host: Secondary
Group 1 State: Standby Ready
Active time: 66 (sec)
Group 2 State: Standby Ready
Active time: 5544 (sec)

slot 0: ASA5555 hw/sw rev (1.0/9.8(2)38) status (Up Sys)
admin Interface management (172.27.0.236): Normal (Monitored)
DATACENTER Interface inside (172.16.254.2): Normal (Waiting)
DATACENTER Interface outside (172.16.254.18): Normal (Waiting)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)

Stateful Failover Logical Update Statistics
Link : statelink GigabitEthernet1/5 (up)

ping works fine

00INFASA05/DATACENTER# ping 172.16.254.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.254.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
00INFASA05/DATACENTER# ping 172.16.254.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.254.18, timeout is 2 seconds:
!!!!!

The inside and outside interface are port-channel interfaces connected to N9K (ASA1-N9K1 and ASA2-N9K2)

Po10 inside and Po20 outside

00INFASA05/pri/act# sh port-channel summ
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 2
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+------------------------------------
10 Po10(U) LACP No Gi0/0(P) Gi0/1(P) Gi0/2(P) Gi 0/3(P)
20 Po20(U) LACP No Gi0/4(P) Gi0/5(P) Gi0/6(P) Gi 0/7(P)

Port-channel from N9K-2

00INFSWC04(config-if)# sh port-channel summ
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
b - BFD Session Wait
S - Switched R - Routed
U - Up (port-channel)
p - Up in delay-lacp mode (member)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
1 Po1(SU) Eth LACP Eth1/49(P) Eth1/50(P) Eth1/51(P)
Eth1/52(P)
2 Po2(SD) Eth LACP Eth1/53(D) Eth1/54(D)
10 Po10(SU) Eth LACP Eth1/2(P) Eth1/3(P) Eth1/4(P)
Eth1/5(P)
11 Po11(SD) Eth LACP Eth1/10(D)
20 Po20(SU) Eth LACP Eth1/6(P) Eth1/7(P) Eth1/8(P)
Eth1/9(P)

The problem is FHELLO packets from ASA-1 never reach the secondary ASA-2

fover_parse: send_msg_ifc(): 172.16.254.1->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.3->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.4->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.5->172.16.254.2 ifc 131074 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.17->172.16.254.18 ifc 131075 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.19->172.16.254.18 ifc 131075 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.20->172.16.254.18 ifc 131075 cmd FHELLO
fover_parse: send_msg_ifc(): 172.16.254.21->172.16.254.18 ifc 131075 cmd FHELLO

The weird thing: I don´t know why there are 4 ip addresses sending FHello Messages

with capture command

10: 10:48:30.282684 172.16.254.17 > 172.16.254.18: ip-proto-105, length 44
11: 10:48:30.282684 172.16.254.19 > 172.16.254.18: ip-proto-105, length 44
12: 10:48:30.282700 172.16.254.20 > 172.16.254.18: ip-proto-105, length 44
13: 10:48:30.282700 172.16.254.21 > 172.16.254.18: ip-proto-105, length

Never a response from peer.

The configured IP are:

interface Port-channel10
description Interface Inside Contexto DATACENTER
nameif inside
security-level 100
ip address 172.16.254.1 255.255.255.240 standby 172.16.254.2
!
interface Port-channel20
description Interface Outside Contexto DATACENTER
nameif outside
security-level 0
ip address 172.16.254.17 255.255.255.240 standby 172.16.254.18

What I have done

I have shutdown 3 of 4 links int Po10 and Po20

I have configured in N9K

Int Po10

switchport port type edge

int Po20

switchport port type edge

I have removed VLAN 890 and 891 from the peer-link beetwen N9K

I have removed a link from the port-channel peer-link and use this link as a trunk port beetwen N9K1-N9K2 with

switchport trunk allowed vlan 890,891

and N9K-1

spanning-tree vlan 890,891 priority root primary

and N9K-2

spanning-tree vlan 890,891 priority root secondary

No luck!!! failover still normal (waiting)

Management interface in admin context connected to IOS switch, looks fine:

admin Interface management (172.27.0.235): Normal (Monitored)

admin Interface management (172.27.0.236): Normal (Monitored)

Some advise will be appreciated...

Re: ASA Multiple context failover normal (waiting)

balaji.bandi — Tue, 02 Oct 2018 21:18:12 GMT

You need consider vPC best practice design with ASA cluster, i have attached presentation which has some good example to understand.

Hope that help you.

Re: ASA Multiple context failover normal (waiting)

erickflamenco — Wed, 03 Oct 2018 21:48:25 GMT

Hi Community,

Problem was solved reloading both ASAs.
Now looks fine!!!
Group 1 last failover at: 08:34:44 UTC Oct 3 2018
Group 2 last failover at: 08:36:21 UTC Oct 3 2018

This host: Primary
Group 1 State: Active
Active time: 1418 (sec)
Group 2 State: Standby Ready
Active time: 96 (sec)

slot 0: ASA5555 hw/sw rev (3.1/9.8(2)38) status (Up Sys)
admin Interface management (172.27.0.235): Normal (Monitored)
DATACENTER Interface inside (172.16.254.1): Normal (Monitored)
DATACENTER Interface outside (172.16.254.17): Normal (Monitored)
slot 1: SFR5555 hw/sw rev (N/A/6.2.2-81) status (Up/Up)

Best Regards

Re: ASA Multiple context failover normal (waiting)

balaji.bandi — Thu, 04 Oct 2018 07:09:49 GMT

Glad it was resolved by it self.

topic Re: ASA Multiple context failover normal (waiting) in Network Security

ASA Multiple context failover normal (waiting)

Re: ASA Multiple context failover normal (waiting)

Re: ASA Multiple context failover normal (waiting)

Re: ASA Multiple context failover normal (waiting)