topic Please check first if you are in Network Security

Cisco ASA standby failed - pls help

secureIT — Tue, 12 Mar 2019 08:15:10 GMT

Hi Friends,

In my ASA 8.4(7)30 HA setup, i do see standby failed when i run show failover in Primary FW (Active) as given below.

Primary - Active FW

# show failover

This host: Primary - Active
Other host: Secondary - Failed

Secondary - Standby FW

# show failover

This host: Secondary - Standby Ready
Other host: Primary - Active

I have executed below debugs in the standby FW, and got few logs.

debug fover verify
debug fover fail
debug fover sync

ASA failover HA TRANS: received out of sequence message
fover_ip: HA TRANS: received out of sequence message, seq - ba4514b, expect - ba45144
fover_ip: HA TRANS: send aggressive ACK
fover_ip: HA TRANS: received out of sequence message, seq - ba45147, expect - ba45144
fover_ip: HA TRANS: send aggressive ACK
fover_ip: HA TRANS: received out of sequence message, seq - ba45150, expect - ba45144
fover_ip: HA TRANS: send aggressive ACK

%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_CTL_COMM, my state Standby Ready, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=1,my=Standby Ready,peer=Active.
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is up.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_CTL_COMM, my state Standby Ready, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=411,op=52,my=Standby Ready,peer=Active.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_CLIENT_NEGOTIATED_VERSION, my state Standby Ready, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=0,my=Standby Ready,peer=Active.
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.

These messages floods in the show logging..

Can someone assist me..

Hello,

Kornelia Gutierrez — Thu, 08 Sep 2016 20:09:05 GMT

Hello,

Could you kindly please, check the status of the interface that works as the failover link, and attach a show failover and show failover state.

Hi Kornelia Gutierrez,

secureIT — Fri, 09 Sep 2016 11:02:03 GMT

Hi Kornelia Gutierrez, Please find the attached logs from both the firewalls.

pls find the attached show

secureIT — Mon, 12 Sep 2016 11:44:35 GMT

pls find the attached show failover logs from both the firewall, i think i need to reboot the secondary standby firewall - what do you say ?

Please check first if you are

Pawan Raut — Mon, 12 Sep 2016 11:59:07 GMT

Please check first if you are able to ping Management interface IP of each other. If no then check cable connectivity between this two. If still see the issue you can reboot the standby unit but make sure yous should do this in non production hours because it has risk of both unit become Active at a time.

Hi,

Marco Soeder-Schuettler — Mon, 12 Sep 2016 13:09:21 GMT

Hi,

in case of reboot a standby Unit i disconnect all interface cables and connect only failover interface cable.

Then wait for negotiate failover active and passive then connect all other cables again

In this case there is no risk that both units become active

Regards Marco

Ok Marco, By seeing the debug

secureIT — Mon, 12 Sep 2016 13:15:47 GMT

Ok Marco, By seeing the debug logs and show failover outputs of both Fws, I seriously suspect issue with standby fw only, so I will go ahead remove all the cables except Mgmt0/0, reboot the Standby fw, then i will connect cables one by one.

Yes, so you can do ;-)

Marco Soeder-Schuettler — Mon, 12 Sep 2016 13:34:03 GMT

Yes, so you can do 😉

Make sure that active / passive negotiation is already done.