ASA Cold Standby after Upgrade

Firepowered
Level 1

I have Cisco ASA 5516-X in Active/Standby failover. I upgraded the firewalls using the following method:

1) set boot image

2) reload standby

3) make standby active (now on latest code)

4) reload standby (former active)

5) no failover active on 'active' unit (secondary)

I upgraded many firewalls, but 2-3 pairs failed.

After reload of the Primary firewall (Step 4 above), it went into 'Cold Standby' or 'Primary - Failed' mode, hence the secondary unit is now 'Active' in the failover pair. I can't access the actual secondary ASA using its IP address, can't ping it, but can ping the failover interface just fine.

Here is the config:

sh run failover:

failover
failover lan unit secondary
failover lan interface Failover GigabitEthernet1/3
failover key *****
failover replication http
failover interface ip Failover 172.16.200.200 255.255.255.0 standby 172.16.200.199

sh failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
10:54:43 CEDT Aug 20 2019
Not Detected               Negotiation                No Error

10:55:20 CEDT Aug 20 2019
Negotiation                Cold Standby               Detected an Active mate

10:55:21 CEDT Aug 20 2019
Cold Standby               Sync Config                Detected an Active mate

10:54:11 CEDT Aug 20 2019
Sync Config                Sync File System           Detected an Active mate

10:54:11 CEDT Aug 20 2019
Sync File System           Bulk Sync                  Detected an Active mate

10:54:12 CEDT Aug 20 2019
Bulk Sync                  Standby Ready              Detected an Active mate

10:59:18 CEDT Aug 20 2019
Standby Ready              Just Active                Other unit wants me Active

10:59:18 CEDT Aug 20 2019
Just Active                Active Drain               Other unit wants me Active

10:59:18 CEDT Aug 20 2019
Active Drain               Active Applying Config     Other unit wants me Active

10:59:18 CEDT Aug 20 2019
Active Applying Config     Active Config Applied      Other unit wants me Active

10:59:18 CEDT Aug 20 2019
Active Config Applied      Active                     Other unit wants me Active

==========================================================================

sh failover state

                 State            Last Failure Reason      Date/Time
This host  -     Secondary
                 Active           None
Other host -     Primary
                 Cold Standby     Comm Failure             08:22:53 CEDT Sep 2 2019

====Configuration State===
        Sync Done - STANDBY
====Communication State===

sh failover:

Failover On
Failover unit Secondary
Failover LAN Interface: Failover GigabitEthernet1/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 160 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.8(4)8, Mate 9.8(4)8
Last Failover at: 10:59:18 CEDT Aug 20 2019
This host: Secondary - Active
Active time: 1373213 (sec)
slot 1: ASA5516 hw/sw rev (3.1/9.8(4)8) status (Up Sys)
Interface I_lan (192.167.0.254): Normal (Not-Monitored)
Interface H_lan (192.16.16.254): Normal (Not-Monitored)
Interface management (10.162.2.200): Normal (Waiting)
Interface inside (10.162.1.130): Normal (Not-Monitored)
Interface guest (10.162.64.190): Normal (Not-Monitored)
Interface outside (164.177.21.89): Normal (Not-Monitored)
Other host: Primary - Failed
Active time: 0 (sec)
slot 1: ASA5516 hw/sw rev (3.1/9.8(4)8) status (Up Sys)
Interface I_lan (0.0.0.0): Unknown (Not-Monitored)
Interface H_lan (0.0.0.0): Unknown (Not-Monitored)
Interface management (10.162.2.199): Unknown (Monitored)
Interface inside (0.0.0.0): Unknown (Not-Monitored)
Interface guest (0.0.0.0): Unknown (Not-Monitored)
Interface outside (0.0.0.0): Unknown (Not-Monitored)
slot 2: SFR5516 hw/sw rev (N/A/6.2.3-83) status (Up/Up)
ASA FirePOWER, 6.2.3-83, Up, (Not-Monitored)
slot 2: SFR5516 hw/sw rev (N/A/6.2.3-83) status (Up/Up)
ASA FirePOWER, 6.2.3-83, Up, (Not-Monitored)

Stateful Failover Logical Update Statistics
Link : Unconfigured.

How to resolve this? Thank you.


GRANT3779
Spotlight

Hi,

Not 100% sure on this, but I'd look at your management interface, which looks like the only one you are monitoring as part of failover? The failed ASA says Unknown, and I suspect this is why you can't fail back to it.

On Active ASA - Interface management (10.162.2.200): Normal (Waiting)

On Failed - Interface management (10.162.2.199): Unknown (Monitored)

Is this by design the only interface you are actually intending to monitor as part of the failover?

Yes, I don't want to monitor those interfaces, so that is good.

Interesting catch about management. The management cable is only connected to the Primary firewall, not to the secondary; this is across the estate, and many firewalls were upgraded.

Since the now-active firewall is the secondary, there is no management cable connected. I disabled monitoring on the management interface too, but that didn't do anything.
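A small health check, added here and not part of the thread or of any Cisco tool, that parses the "sh failover" output posted above and flags what GRANT3779 pointed at: a unit that is not Active or Standby Ready, a monitored interface that is not Normal on either unit, and the unconfigured stateful link. The sample input is the thread's own output trimmed to the relevant lines; the line layout the regexes assume is taken from that sample.

```python
import re

# Constructed sample: the "sh failover" lines from the thread that the check needs.
SAMPLE = """\
This host: Secondary - Active
Interface management (10.162.2.200): Normal (Waiting)
Interface inside (10.162.1.130): Normal (Not-Monitored)
Other host: Primary - Failed
Interface management (10.162.2.199): Unknown (Monitored)
Interface inside (0.0.0.0): Unknown (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\S+) \((\S+)\)$")
HEALTHY = {"Active", "Standby Ready"}   # unit states that need no alert
MONITORED = {"Monitored", "Waiting"}    # interface counts toward failover health

def parse_failover(text):
    """Split 'show failover' output into per-host dicts keyed 'this' / 'other'."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            current = m.group(1).lower()
            hosts[current] = {"unit": m.group(2), "state": m.group(3), "interfaces": []}
            continue
        m = IFACE_RE.match(line.strip())
        if m and current:
            hosts[current]["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2), "status": m.group(3), "monitor": m.group(4)})
    return hosts

def failover_findings(text):
    """Conditions a monitoring check should raise: unit not Active/Standby Ready,
    monitored interface not Normal (the mismatch GRANT3779 noted), no stateful link."""
    findings = []
    for h in parse_failover(text).values():
        if h["state"] not in HEALTHY:
            findings.append(f"{h['unit']} unit is '{h['state']}'")
        for i in h["interfaces"]:
            if i["monitor"] in MONITORED and i["status"] != "Normal":
                findings.append(f"{h['unit']}: monitored interface {i['name']} "
                                f"({i['ip']}) is {i['status']}")
    if "Link : Unconfigured" in text:
        findings.append("stateful failover link is unconfigured")
    return findings
```

On the thread's output this reports the Primary as Failed, its monitored management interface as Unknown, and the missing stateful link, which is the set of things to fix before expecting the unit to reach Standby Ready.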
