topic If you are using the in Network Security

ASA Failover issue with SFR installed.

ScarFace P — Tue, 12 Mar 2019 08:36:48 GMT

Hello Experts,

I have two ASA 5545-X boxes installed and both the boxes has SFR module installed though the license has been expired and we are going to renew it soon. Both the ASA boxes have multiple contexts and are fail-over pair.

The issue i am having is the firewall fails over with the below reason. I think the SFR module is having issue and lead the fail-over. Can i remove this module from fail-over configuration or shut down this module. Here is the configuration we have.

Failover reason:-

Just Active Active Drain Service card in other unit has failed

Sh failover
This host: Primary - Active
slot 0: ASA5545 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
slot 1: SFR5545 hw/sw rev (N/A/5.3.1-152) status (Up/Up)
Other host: Secondary - Standby Ready
slot 0: ASA5545 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
slot 1: SFR5545 hw/sw rev (N/A/5.3.1-155) status (Up/Up)

Sh run failover
failover
failover lan unit primary
failover lan interface failover Gi0/1.1
failover replication http
failover link statelink GigabitEthernet0/1.2
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
failover interface ip statelink 192.168.101.1 255.255.255.0 standby 192.168.101.2

Thanks for the help.

Regards

Pankaj

no monitor-interface service

Karsten Iwen — Fri, 02 Dec 2016 12:48:24 GMT

no monitor-interface service-module

should do the trick. Edit: This feature was introduced in version 9.3(1)

Thank you Iwen for quick

ScarFace P — Fri, 02 Dec 2016 13:02:05 GMT

Thank you Iwen for quick response, we have Version 9.2(2)4 so i am not able to run this command. Anything can be done on the existing version.

Any particular reason that

Karsten Iwen — Fri, 02 Dec 2016 13:53:32 GMT

Any particular reason that you can't or don't want to upgrade your firewall?

There is no particular reason

ScarFace P — Fri, 02 Dec 2016 16:15:31 GMT

There is no particular reason, we have planned the upgrade next year but the module is failing frequently almost twice a week. If we shut this module down and remove all the related configuration i.e. policy. Will it still be monitored and the change will be disruptive change.!

With these problems, I would

Karsten Iwen — Fri, 02 Dec 2016 16:48:41 GMT

With these problems, I would definitely first shutdown and uninstall FP, then upgrade the ASA to a suggested release and last reinstall the module. If that all doesn't help, you likely need to open a TAC-case.

Pankaj ,

Nenad Stojanovic — Fri, 02 Dec 2016 21:09:30 GMT

Pankaj ,

What version are SFR modules running? You should upgrade to the latest version and see if that will solve the issue. You should be able to do it without any service disruption.

Thanks,

Nenad

If you are using the

Marvin Rhoads — Sun, 04 Dec 2016 11:18:51 GMT

If you are using the FirePOWER (sfr) modules, you should definitely upgrade. You are running the very first version of ASA software that supported them and the very first version of FirePOWER software available on the ASA sfr module as well. There have been numerous upgrades and literally hundreds of bug fixes since those versions.

If you are not using them, then simply uninstall the modules. It's a simple non-disruptive (to the parent ASA) command. Do it on the standby unit first and then the active unit and it won't even trigger another failover. Your configurations will be lost unless you are using FirePOWER Management Center (previously known as FireSIGHT Management Center or Defense Center). In that case, all policies can be re-applied to the units once have have upgraded the software to a current stable release.

Hi Ninad,

ScarFace P — Tue, 06 Dec 2016 14:40:28 GMT

Hi Ninad,

We are using Software version: 5.3.1-152.

Thanks

Pankaj

As Marvin said I would

Nenad Stojanovic — Tue, 06 Dec 2016 14:42:42 GMT

As Marvin said I would upgrade firepower modules. I ran into couple bugs with old versions. Thanks

Thanks Marvin, yes i agree we

ScarFace P — Tue, 06 Dec 2016 14:44:01 GMT

Thanks Marvin, yes i agree we should upgrade the code now and we have in out plan for next year. When you say

"Your configurations will be lost unless you are using FirePOWER Management Center (previously known as FireSIGHT Management Center or Defense Center)."

which configuration are you reffering to, only SFR related config i.e. class map and service policy configuration or the firewall configuration...!

Thank you experts, Ninad,

ScarFace P — Tue, 06 Dec 2016 14:47:15 GMT

Thank you experts, Ninad, Marvin, Iwen for your valuable inputs and help. I think i should keep it shutdown till the next upgrade.

Thanks

@pankajm.bisht ,

Marvin Rhoads — Tue, 06 Dec 2016 15:55:13 GMT

[@pankajm.bisht] ,

I was referring only to the FirePOWER policies on the modules themselves. Your base ASA policies would not be affected.

You would, of course, need to go into the ASA and remove any policy map that includes redirection to the module prior to uninstalling it.

Re: no monitor-interface service

Steven Williams — Mon, 19 Nov 2018 17:39:21 GMT

So how do you stop monitoring your service module is versions less than 9.3? I mean Thats a huge feature missing there in all versions when you are dealing with ASA and Service Modules.

Re: no monitor-interface service

Marius Gunnerud — Mon, 19 Nov 2018 21:38:47 GMT

You can shutdown the sfr module.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html#56378