topic Re: ASA 5540 Stateful Failover routing errors in Network Security

ASA 5540 Stateful Failover routing errors

Eric Hansen — Fri, 21 Feb 2020 11:46:08 GMT

Have two 5540's setup in a failover scenario. Doing both LAN Failover and State Failover. **see attached**

The LAN Failover is using 192.168.2.1 as the active and 192.168.2.2 as the standby, with subnet mask of /30. On both devices LAN Failover is using G0/2 and there is a crossover cable connecting them.

The State Failover is using 192.168.3.1 as the active and 192.168.3.2 as the standby, with subnet mask of /30. With â€œenable HTTP replicationâ€ checked in ASDM. On both devices State Failover is using G0/3 and there is a crossover cable connecting them.

The ASDM syslog is logging errors every 10 seconds or so that say:

SOURCE IP: 192.168.3.1

DESTINATION IP: 192.168.3.2

Description:

â€œRouting failed to locate next hop for igrp from NP identity 192.168.3.1/0 to statefull:192.168.3.2/0â€

The ASA's are using static routes to talk back to the network, of those routes there are two and both are in the 10.x.x.x network. No routing protocol is in use.

I am not sure why these errors are spamming my syslog and would love to get rid of them.

Re: ASA 5540 Stateful Failover routing errors

Collin Clark — Fri, 30 Oct 2009 17:17:45 GMT

Can you post the results of show run failover? From the active ASA can you ping 192.168.3.1 & .2?

Re: ASA 5540 Stateful Failover routing errors

Eric Hansen — Fri, 30 Oct 2009 18:30:56 GMT

sure.

act/sec/ASAUFirewall# show fail

Failover On

Failover unit Secondary

Failover LAN Interface: fail GigabitEthernet0/2 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 1 of 250 maximum

failover replication http

Version: Ours 8.2(1), Mate 8.2(1)

Last Failover at: 16:35:59 UTC Oct 30 2009

This host: Secondary - Active

Active time: 6585 (sec)

slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)

Interface inside (10.0.0.2): Normal

Interface outside (0.0.0.0): No Link (Not-Monitored)

Interface management (management): No Link (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)

IPS, 7.0(1)E3, Up

Other host: Primary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)

Interface inside (10.0.0.3): Normal

Interface outside (0.0.0.0): Normal (Not-Monitored)

Interface management (0.0.0.0): Normal (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)

IPS, 7.0(1)E3, Up

Stateful Failover Logical Update Statistics

Link : statefull GigabitEthernet0/3 (Failed)

Stateful Obj xmit xerr rcv rerr

General 0 0 0 0

sys cmd 0 0 0 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 0 0 0 0

UDP conn 0 0 0 0

ARP tbl 0 0 0 0

Xlate_Timeout 0 0 0 0

VPN IKE upd 0 0 0 0

VPN IPSEC upd 0 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 0 0

Xmit Q: 0 0 0

Re: ASA 5540 Stateful Failover routing errors

Eric Hansen — Fri, 30 Oct 2009 18:32:14 GMT

...and yes the secondary is currently active, only cause I booted the primary when I was trying to troubleshoot the issue.

Re: ASA 5540 Stateful Failover routing errors

Collin Clark — Fri, 30 Oct 2009 18:46:17 GMT

Link : statefull GigabitEthernet0/3 (Failed) Can you ping the failover IP's from the ASA? Do both show the above failed? Can you run a LAN-based failover?

Re: ASA 5540 Stateful Failover routing errors

Eric Hansen — Fri, 30 Oct 2009 19:01:04 GMT

Crap, you asked for that and I completely didnt do it. Sorry, here it is.

act/sec/ASAUFirewall# ping 192.168.3.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:

No route to host 192.168.3.2

Success rate is 0 percent (0/1)

and the lan based fail, the primary ip is being monitored on the inside interface, so I shut the switchport the ASA is plugged into. And as you can imagine while that port is in shut state I see this...

act/pri/ASAUFirewall# show fail

Failover On

Failover unit Primary

Failover LAN Interface: fail GigabitEthernet0/2 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 1 of 250 maximum

failover replication http

Version: Ours 8.2(1), Mate 8.2(1)

Last Failover at: 18:51:54 UTC Oct 30 2009

This host: Primary - Active

Active time: 102 (sec)

slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)

Interface inside (10.0.0.2): Normal (Waiting)

Interface outside (0.0.0.0): No Link (Not-Monitored)

Interface management (management): No Link (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)

IPS, 7.0(1)E3, Up

Other host: Secondary - Failed

Active time: 8154 (sec)

slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)

Interface inside (10.0.0.3): No Link (Waiting)

Interface outside (0.0.0.0): Normal (Not-Monitored)

Interface management (0.0.0.0): Normal (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)

IPS, 7.0(1)E3, Up

and then I no shut the interface, now connecting the standby shows ready...

act/pri/ASAUFirewall# show fail

Failover On

Failover unit Primary

Failover LAN Interface: fail GigabitEthernet0/2 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 1 of 250 maximum

failover replication http

Version: Ours 8.2(1), Mate 8.2(1)

Last Failover at: 18:51:54 UTC Oct 30 2009

This host: Primary - Active

Active time: 259 (sec)

slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)

Interface inside (10.0.0.2): Normal (Waiting)

Interface outside (0.0.0.0): No Link (Not-Monitored)

Interface management (management): No Link (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)

IPS, 7.0(1)E3, Up

Other host: Secondary - Standby Ready

Active time: 8154 (sec)

slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)

Interface inside (10.0.0.3): Normal (Waiting)

Interface outside (0.0.0.0): Normal (Not-Monitored)

Interface management (0.0.0.0): Normal (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)

IPS, 7.0(1)E3, Up

thanks

**also checked the show asp table routing and both 192.168.2.1 and 192.168.3.1 are in there as "identity" but no specific routes for either.

Maybe a bad cable? aww wouldnt that be a kicker.

Re: ASA 5540 Stateful Failover routing errors

Collin Clark — Fri, 30 Oct 2009 19:08:04 GMT

I was thinking it could be a bad cable! Does the physical failover interface show down? Can you swap the cable?

Re: ASA 5540 Stateful Failover routing errors

Eric Hansen — Fri, 30 Oct 2009 19:19:12 GMT

I should have remember the rule "always check layer 1 first". It was the cable.

The odd thing is the interfaces on g0/3 showed link, showed activity, and showed up. I just swapped the cable and bounced both devices and now the routing errors are gone.

act/pri/ASAUFirewall# ping 192.168.3.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

thanks for working through it with me, sorry to waste your time on a "physical" problem.

Re: ASA 5540 Stateful Failover routing errors

Collin Clark — Fri, 30 Oct 2009 19:25:48 GMT

Glad to hear it's working, that's the most important thing. I'm not trying to preach, but Cisco recommends not using cross-over cables for fail over. The devices can't always tell who the master should be and usually causes more issues than just a link down.