topic Failover interface failed in Network Security

Failover interface failed

suhas_syndrome — Tue, 12 Mar 2019 00:30:46 GMT

Hi,

I have 2 ASA 5520 firewall configured with HA(Failover). but some time my primary firewall goes down standby firewall doesnt come active. i found below log from primary firewall..what is the reason & what is the mining of reason code of 4...

Nov 30 2012 14:07:47: %ASA-1-105002: (ASA) Enabling failover.

Nov 30 2012 14:08:43: %ASA-1-105043: (Primary) Failover interface failed

Nov 30 2012 14:08:56: %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).

After i hard reboot my standby firewall below log had been generated..

Nov 30 2012 15:51:57: %ASA-1-105042: (Primary) Failover interface OK
Nov 30 2012 15:52:02: %ASA-1-709003: (Primary) Beginning configuration replication: Send to mate.
Nov 30 2012 15:52:15: %ASA-1-709004: (Primary) End Configuration Replication (ACT)

Please assist....

Regards

Suhas

Failover interface failed

Jouni Forss — Fri, 30 Nov 2012 16:33:26 GMT

Hi,

The explanation for that can be found in the ASAs syslog messages document.

Here it is

103001

Error Message    %ASA-1-103001: (Primary) No response from other firewall (reason 
code = code).

Explanation This is a failover message, which is displayed if the primary unit is unable to communicate with the secondary unit over the failover cable. (Primary) can also be listed as (Secondary). for the secondary unit. Table 1-2 lists the reason codes and the descriptions to determine why the failover occurred.

Table 1-2 Reason Codes
Reason Code	Description
1	The local unit is not receiving the hello packet on the failover LAN interface when LAN failover occurs or on the serial failover cable when serial failover occurs, and declares that the peer is down.
2	An interface did not pass one of the four failover tests, which are as follows: 1) Link Up, 2) Monitor for Network Traffic, 3) ARP, and 4) Broadcast Ping.
3	No proper ACK for 15+ seconds after a command was sent on the serial cable.
4	The local unit is not receiving the hello packet on the failover LAN and other data interfaces and it is declaring that the peer is down.
5	The failover LAN interface is down, and other data interfaces are not responding to additional interface testing. In addition, the local unit is declaring that the peer is down.

Recommended Action Verify that the failover cable is connected correctly and both units have the same hardware, software, and configuration. If the problem persists, contact the Cisco TAC.

Are you saying that the Primary ASA loses all connectivity to the Secondary ASA (looking at the log messages). Judging by the above Cisco description it would mean the Primary ASA isnt getting Failover Hellos through any of the monitored interfaces which again would make it seem like the Secondary Firewall is expriencing some problems.

- Jouni

Failover interface failed

Jack Leung — Fri, 30 Nov 2012 16:35:53 GMT

How is the HA configured? Straight through cable directly or using a switch in between? Can you also post a sanitized version of your failover configs from both primary and standby?