Beginner

Cannot deploy to SFR in HA pair

We have an HA pair of ASA-5525x firewalls. Occasionally when we deploy changes, the SFR that is in standby mode will not update, and the only way we have been able to correct this problem is to do a complete rebuild of the SFR module. We have tried the obvious solution of reloading the module and even rebooting the ASA, but neither will bring the SFR back to an operational status. When doing a show module sfr, the results show that the module is UP. It is getting old having to rebuild an SFR module each time this happens; hopefully someone has experienced this before and can help out...

[Attached screenshots: Screen Shot 2019-06-18 at 12.01.35 PM.png, Screen Shot 2019-06-18 at 11.55.21 AM.png]

Cisco Employee

Re: Cannot deploy to SFR in HA pair

A couple of questions and one recommendation:

1. What version of ASA code are you running?

2. Have you considered moving to FTD (Unified image)?

3. I noticed from the screenshots that you are running version 6.3.0-1 and I would highly recommend that you apply the latest patch (3). I just checked the release notes and there are several resolved defects that are related to deploying configuration changes:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/630x/relnotes/firepower-release-notes-630x/resolved-issues.html#id_103027

Thank you for rating helpful posts!

Beginner

Re: Cannot deploy to SFR in HA pair

We are running version: 9.6(4)17

Don't believe that this is an ASA firmware or SFR version issue. We have had this problem since the initial deployment of the firewalls, which have been in place for quite some time now, and we update them regularly.

With the project list we have it's just not possible to migrate to FTD.


Thanks,

Ben

Cisco Employee

Re: Cannot deploy to SFR in HA pair

Hmm. This is strange as I have several customers running similar deployments and they have not had this issue. I would suggest reaching out to TAC to get to the bottom of this.

Also, one more question: What is the ROMMON version of the ASAs?

Thank you for rating helpful posts!

Hall of Fame Master

Re: Cannot deploy to SFR in HA pair

Like @nspasov, I have also done numerous HA ASA pairs with Firepower service module and never seen this problem.

I could postulate that the standby unit has a misconfiguration with the Firepower module - for instance, using the same address for ASA management and sfr module would confuse the downstream device's ARP table and cause intermittent connectivity and failure to deploy or upgrade.
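
An added example, not part of the thread or of any Cisco tooling: a small Python check for the address overlap postulated in the last reply, comparing the ASA management interface's active and standby addresses with each SFR module's management address. The sample text is constructed; it assumes the `ip address ... standby ...` line from the ASA interface configuration and the `Mgmt IP addr:` line from `show module sfr details`.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (not from the thread). The HA pair shares one
# interface config; each SFR module keeps its own management address.
ASA_MGMT_CFG = """\
interface Management0/0
 management-only
 nameif management
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
"""
SFR_DETAILS = {
    "primary": "Mgmt IP addr: 192.0.2.20\nMgmt Network mask: 255.255.255.0\n",
    "secondary": "Mgmt IP addr: 192.0.2.11\nMgmt Network mask: 255.255.255.0\n",
}

ASA_IP_RE = re.compile(r"^\s*ip address (\S+) \S+(?: standby (\S+))?", re.M)
SFR_IP_RE = re.compile(r"^\s*Mgmt IP addr:\s*(\S+)", re.M)


def asa_mgmt_addresses(interface_cfg):
    """Return {label: address} for the active and standby management IPs."""
    m = ASA_IP_RE.search(interface_cfg)
    if not m:
        return {}
    found = {"ASA management (active)": ipaddress.ip_address(m.group(1))}
    if m.group(2):
        found["ASA management (standby)"] = ipaddress.ip_address(m.group(2))
    return found


def find_conflicts(interface_cfg, sfr_details_by_unit):
    """Map each address claimed by more than one owner to its owners."""
    owners = defaultdict(list)
    for label, ip in asa_mgmt_addresses(interface_cfg).items():
        owners[ip].append(label)
    for unit, details in sfr_details_by_unit.items():
        m = SFR_IP_RE.search(details)
        if m:
            owners[ipaddress.ip_address(m.group(1))].append(f"SFR module ({unit})")
    return {str(ip): who for ip, who in owners.items() if len(who) > 1}


if __name__ == "__main__":
    for ip, who in find_conflicts(ASA_MGMT_CFG, SFR_DETAILS).items():
        print(f"{ip} is claimed by: {', '.join(who)}")
```

With the constructed data, the secondary module's address collides with the ASA standby management address; an empty result means no two owners share an address.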