Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
945
Views
0
Helpful
4
Replies

Cannot deploy to SFR in HA pair

bvernille67
Level 1
Level 1

‎06-18-2019 09:08 AM - edited ‎02-21-2020 09:13 AM

We have an HA pair of ASA-5525x firewalls. Occasionally when we will deploy changes the SFR that is the standby mode will not update and the only way we have been able to correct this problem is to do a complete rebuild of the SFR module. We have tried the obvious solution of reloading the module and even rebooting the ASA but neither will bring the SFR back to an operational status. When doing a show module sfr the results show that the module is UP. It is getting old having to rebuild an SFR module each time this happens, hopefully someone has experienced this before and can help out...

 

 

Screen Shot 2019-06-18 at 12.01.35 PM.pngScreen Shot 2019-06-18 at 11.55.21 AM.png

 

 

 

Labels:
0 Helpful
4 Replies 4

nspasov
Cisco Employee
Cisco Employee

‎06-18-2019 06:37 PM

A couple of questions and one recommendation:

1. What version of ASA code are you running?

2. Have you considered moving to FTD (Unified image)?

3. I noticed from the screenshots that you are running version 6.3.0-1 and I would highly recommend that you apply the latest patch (3). I just checked the release notes and there are several resolved defects that are related with deploying configuration changes:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/630x/relnotes/firepower-release-notes-630x/resolved-issues.html#id_103027

Thank you for rating helpful posts!

0 Helpful

bvernille67
Level 1
Level 1
In response to nspasov

‎06-19-2019 08:17 AM

We are running version: 9.6(4)17

 

Don't believe that this is an ASA firmware of SFR version issue. We have had this problem since the initial deployment of the firewalls which have been in place for quite some time now and we update them regularly.

 

With the project list we have it's just not possible to migrate to FTD.

 

 

Thanks,

Ben

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to bvernille67

‎06-19-2019 11:06 AM

Hmm. This is strange as I have several customers running similar deployments and they have not had this issue. I would suggest reaching out to TAC to get to the bottom of this.

Also, one more question: What is the ROMMON version of the ASAs?

Thank you for rating helpful posts!

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to bvernille67

‎06-19-2019 09:00 PM

Like @nspasov I have also done numerous HA ASA pairs with Firepower service module and never seen this problem.

 

I could postulate that the standby unit has a misconfiguration with the Firepower module - for instance using the same address for ASA management and sfr module would confuse the downstream device's arp table and cause intermittent connectivity and failure to deploy or upgrade.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card