01-17-2013 07:54 AM
We did a faulty ACE30 module swap in an HA pair. Both the ACEs have stopped syncing since then. Below is the error message I see:
FT Group ID: 1 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_CONFIG
Context Name: Admin Context Id: 0
Running Cfg Sync Status:Failed to convert/transform configuration to peer version
Both ACE modules are running 5.2 with the same license.
sh ft peer status from both active and standby show the same results.
Peer Id : 1
State : FSM_PEER_STATE_COMPATIBLE
Maintenance mode : MAINT_MODE_OFF
SRG Compatibility : COMPATIBLE
License Compatibility : COMPATIBLE
FT Groups : 15
Am I missing something here?
01-18-2013 06:18 AM
Check if there were certificates on the box. Ideally, if SSL certificates are not copied, then it is not going to sync the config. Compare the SSL files on both boxes. Copy all the SSL certs to the new box. Then it should sync fine.
01-18-2013 07:40 AM
My understanding is that if it's an SSL issue, it will go into COLD state and also display the error message that there is a missing crypto file. In this case, I see a different error.
Running Cfg Sync Status:Failed to convert/transform configuration to peer version
01-18-2013 07:52 AM
Not all versions of code may display the reason for the config sync failure. I would first verify that all certs and keys are the same on both modules. This is the most common reason for this issue. If they are the same, the next step I would take is to compare the two running configs to see if there are any differences. You can use a tool such as WinMerge to compare. If you find any differences, manually configure them to be the same and try the sync again.
Regards
Jim
02-07-2013 08:42 AM
The problem was with the primary ACE module. It was missing the startup file that it sends to the peer during the sync process. I reloaded it and toggled the sync. Secondary started syncing just fine.
02-13-2013 03:47 PM
Hey Mini,
It sounds good that it works now.
For future reference, you may use #show crypto files to compare the SSL files which you have on the boxes.
Additionally, please be aware that sometimes, if there's a crash in one device and it generates a core dump file, they might detect that as a difference.
In general, you may follow these instructions:
1) Check with #show crypto files
2) Compare both configurations.
3) Check #show version to see if there was a crash which you did not notice.
Hope this helps!
Jorge
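The cert and key comparison suggested in the replies above can be scripted offline. This is an added example, not code from the thread or from Cisco: it lists every key/cert file that the `ssl-proxy service` and `crypto chaingroup` blocks of a saved running-config reference and reports which ones are absent from either module. The config fragment and the per-module file-name sets are constructed samples; supplying the file names as plain sets is an assumption, since the thread does not show `show crypto files` output.

```python
import re

# Constructed sample: fragment of the active module's running-config.
ACTIVE_CFG = """\
crypto chaingroup CHAIN1
  cert INTERMEDIATE.PEM
ssl-proxy service WEB_SSL
  key WEB.KEY
  cert WEB.PEM
  chaingroup CHAIN1
ssl-proxy service API_SSL
  key API.KEY
  cert API.PEM
"""

# Constructed samples: crypto file names present on each module.
ACTIVE_FILES = {"WEB.KEY", "WEB.PEM", "API.KEY", "API.PEM", "INTERMEDIATE.PEM"}
STANDBY_FILES = {"WEB.KEY", "WEB.PEM", "INTERMEDIATE.PEM"}

def referenced_crypto_files(cfg):
    """Map each key/cert file named in the config to the blocks that use it."""
    refs, block = {}, None
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A top-level line opens a new block; track only the crypto ones.
            m = re.match(r"(ssl-proxy service|crypto chaingroup)\s+(\S+)", line)
            block = f"{m.group(1)} {m.group(2)}" if m else None
            continue
        m = re.match(r"\s+(key|cert)\s+(\S+)", line)
        if block and m:
            refs.setdefault(m.group(2), []).append(block)
    return refs

def sync_blockers(cfg, active_files, standby_files):
    """Report files the config references that a module does not hold."""
    report = {"missing_on_standby": {}, "missing_on_active": {}}
    for name, blocks in referenced_crypto_files(cfg).items():
        if name not in standby_files:
            report["missing_on_standby"][name] = blocks
        if name not in active_files:
            report["missing_on_active"][name] = blocks
    return report

if __name__ == "__main__":
    result = sync_blockers(ACTIVE_CFG, ACTIVE_FILES, STANDBY_FILES)
    for side, items in result.items():
        for name, blocks in sorted(items.items()):
            print(f"{side}: {name} (used by {', '.join(blocks)})")
```

An empty report only rules out missing files; the configs themselves still need a line-by-line comparison as described in the replies.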