ASA Failover Failure

Nathaniel Wood — Tue, 12 Mar 2019 05:54:09 GMT

Hello CSC World!

I just came across an issue where our pair of ASA5525 devices are syncing but showing a "failed" state when issuing the show fail command. Here is the output of the show fail command:

Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 216 maximum
failover replication http
Version: Ours 9.0(4), Mate 9.0(4)
Last Failover at: 00:55:14 EDT Mar 25 2015
This host: Secondary - Active
Active time: 3742577 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
Interface outside (66.159.100.4): Normal (Waiting)
Interface inside (10.5.55.4): Normal (Waiting)
Interface dmz (10.5.10.1): Normal (Waiting)
Interface dmz2 (10.5.13.1): Normal (Waiting)
Interface testwifi (10.5.51.1): Normal (Not-Monitored)
Interface guestwifi (10.5.247.1): Normal (Waiting)
Interface mgmt (0.0.0.0): Unknown (Waiting)
slot 1: IPS5525 hw/sw rev (N/A/7.1(7)E4) status (Up/Up)
IPS, 7.1(7)E4, Up
Other host: Primary - Failed
Active time: 8387132 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
Interface outside (66.159.100.5): No Link (Waiting)
Interface inside (10.5.55.5): No Link (Waiting)
Interface dmz (10.5.10.2): No Link (Waiting)
Interface dmz2 (10.5.13.2): No Link (Waiting)
Interface testwifi (10.5.51.2): Normal (Not-Monitored)
Interface guestwifi (10.5.247.2): No Link (Waiting)
Interface mgmt (0.0.0.0): No Link (Waiting)
slot 1: IPS5525 hw/sw rev (N/A/7.1(7)E4) status (Up/Down)
IPS, 7.1(7)E4, Up

I checked to make sure changes are replicating by inputting a remark in the current active firewall and it was replicated without issue to the other. I then looked at the links back to the switches and they are all up and I can ping all the IP addresses associated with the interfaces from the firewalls and switches themselves. In addition, spanning tree is not blocking anything on the uplinks.

The topology is as follows (I can be more detailed, but this should give you a decent idea):

ASA5525-01 ==> Nexus 7K-01 == Nexus 7K-02 <== ASA5525-02

The last failover occurred during a maintenance window when I had to bring down our primary switch, and it seems that it has never failed back.

Any suggestions/input would be appreciated.

Thanks everyone!

The output indicates the IPS

Marvin Rhoads — Thu, 07 May 2015 13:02:55 GMT

The output indicates the IPS module on your Primary unit is up but its data plane connection is down. It needs to be Up/Up for the unit to be marked as ready.

Try reloading the IPS module on that unit only:

sw-module module ips reload

Hi Marvin, Thanks for the

Nathaniel Wood — Thu, 07 May 2015 13:25:09 GMT

Hi Marvin,

Thanks for the quick response, that has done the trick!

I overlooked the IPS as the issue as all the other interfaces were showing No Link (Waiting) and thought the issue was somewhere on the actual uplinks.

Makes sense that if the data plane is down, it won't do anything 🙂

Thanks again!

topic ASA Failover Failure in Network Security

ASA Failover Failure

The output indicates the IPS

Hi Marvin, Thanks for the