
ASA failover reason

Hello, 

 

I have an active/active pair of ASAs with contexts enabled. 

Suddenly, the failover switched to the secondary and then back to the primary. 

From show failover state, I see that the reason was "comm failure" on the primary. 

 

The failover cable is directly connected to each FW. 

How could I determine why the failover occurred?

Could it be a SW or HW issue?

 

Thanks and regards, 

Konstantinos

Engager

Re: ASA failover reason

Hi,

Can you post a show failover state and show failover history output from the primary/active FW?

Re: ASA failover reason

FW/pri/act# sh failover history
==========================================================================
Group     From State                 To State                   Reason
==========================================================================
16:17:43 EEST Aug 5 2019
    1     Sync File System           Bulk Sync                  Detected an Active mate
16:17:57 EEST Aug 5 2019
    2     Bulk Sync                  Standby Ready              Detected an Active mate
16:17:57 EEST Aug 5 2019
    1     Bulk Sync                  Standby Ready              Detected an Active mate
16:20:20 EEST Aug 5 2019
    0     Sync Config                Sync File System           Recovered from communication failure
16:20:20 EEST Aug 5 2019
    0     Sync File System           Bulk Sync                  Recovered from communication failure
16:20:21 EEST Aug 5 2019
    1     Standby Ready              Bulk Sync                  No Error
16:20:21 EEST Aug 5 2019
    2     Standby Ready              Bulk Sync                  No Error
16:20:21 EEST Aug 5 2019
    0     Bulk Sync                  Standby Ready              Recovered from communication failure
16:20:27 EEST Aug 5 2019
    2     Bulk Sync                  Standby Ready              No Error
16:20:37 EEST Aug 5 2019
    1     Bulk Sync                  Standby Ready              No Error
16:20:58 EEST Aug 5 2019
    1     Standby Ready              Just Active                Failover state check
16:20:59 EEST Aug 5 2019
    1     Just Active                Active Drain               Failover state check
16:20:59 EEST Aug 5 2019
    1     Active Drain               Active Applying Config     Failover state check
16:20:59 EEST Aug 5 2019
    1     Active Applying Config     Active Config Applied      Failover state check
16:20:59 EEST Aug 5 2019
    1     Active Config Applied      Active                     Failover state check
16:21:00 EEST Aug 5 2019
    0     Standby Ready              Just Active                Failover state check
16:21:00 EEST Aug 5 2019
    0     Just Active                Active Drain               Failover state check
16:21:00 EEST Aug 5 2019
    0     Active Drain               Active Applying Config     Failover state check
16:21:00 EEST Aug 5 2019
    0     Active Applying Config     Active Config Applied      Failover state check
16:21:00 EEST Aug 5 2019
    0     Active Config Applied      Active                     Failover state check
===================================================

sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Active         Comm Failure             16:16:24 EEST Aug 5 2019
    Group 2    Standby Ready  Comm Failure             16:16:24 EEST Aug 5 2019
Other host -   Secondary
    Group 1    Standby Ready  None
    Group 2    Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set
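
The two outputs above can be correlated mechanically: the "Last Failure Reason" timestamp in show failover state marks when the unit noticed the loss of the failover link, and the first "Recovered from communication failure" row in show failover history marks when the link came back, so the gap between them is the duration of the flap, and the "Just Active" rows show which groups this unit took over and when. The following Python script is an added example (it is not Cisco tooling and was not posted in this thread); it parses the output that Konstantinos posted, embedded here as sample text (the history is abridged to the rows that matter), and the field names and function names are this example's own choices.

```python
"""Reconstruct an ASA failover timeline from 'show failover history' and
'show failover state' text. Added example, not Cisco tooling; the sample text
is copied from the thread above (history abridged)."""
import re
from datetime import datetime

# Sample 'show failover history' output from the thread, abridged to 7 rows.
HISTORY_SAMPLE = """\
==========================================================================
Group     From State                 To State                   Reason
==========================================================================
16:17:43 EEST Aug 5 2019
    1     Sync File System           Bulk Sync                  Detected an Active mate
16:20:20 EEST Aug 5 2019
    0     Sync Config                Sync File System           Recovered from communication failure
16:20:21 EEST Aug 5 2019
    0     Bulk Sync                  Standby Ready              Recovered from communication failure
16:20:58 EEST Aug 5 2019
    1     Standby Ready              Just Active                Failover state check
16:20:59 EEST Aug 5 2019
    1     Active Config Applied      Active                     Failover state check
16:21:00 EEST Aug 5 2019
    0     Standby Ready              Just Active                Failover state check
16:21:00 EEST Aug 5 2019
    0     Active Config Applied      Active                     Failover state check
===================================================
"""

# Sample 'show failover state' output from the thread.
STATE_SAMPLE = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Active         Comm Failure             16:16:24 EEST Aug 5 2019
    Group 2    Standby Ready  Comm Failure             16:16:24 EEST Aug 5 2019
Other host -   Secondary
    Group 1    Standby Ready  None
    Group 2    Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set
"""

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\w+) (\w{3} \d{1,2} \d{4})$")


def parse_timestamp(line):
    """'16:17:43 EEST Aug 5 2019' -> naive datetime. The zone abbreviation is
    dropped because strptime cannot parse arbitrary zone names."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(3)}", "%H:%M:%S %b %d %Y")


def parse_failover_history(text):
    """Return one dict per transition row, tagged with the preceding timestamp."""
    events, current_ts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line.startswith("Group"):
            continue  # separators and the column header
        ts = parse_timestamp(line)
        if ts:
            current_ts = ts  # a timestamp line applies to the row below it
            continue
        cols = re.split(r"\s{2,}", line)  # columns are separated by 2+ spaces
        if len(cols) != 4 or current_ts is None:
            continue
        events.append({"time": current_ts, "group": int(cols[0]),
                       "from": cols[1], "to": cols[2], "reason": cols[3]})
    return events


def parse_failover_state(text):
    """Return {host: {"role": ..., "groups": {gid: {state, last_failure, failure_time}}}}."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(This host|Other host)\s+-\s+(\w+)$", line)
        if m:
            current = m.group(1)
            hosts[current] = {"role": m.group(2), "groups": {}}
            continue
        cols = re.split(r"\s{2,}", line)
        if current and cols[0].startswith("Group "):
            gid = int(cols[0].split()[1])
            hosts[current]["groups"][gid] = {
                "state": cols[1], "last_failure": cols[2],
                "failure_time": parse_timestamp(cols[3]) if len(cols) > 3 else None}
    return hosts


def diagnose(events, hosts):
    """Correlate the two outputs into a short timeline of the flap."""
    failures = [(h, g, e["failure_time"]) for h, info in hosts.items()
                for g, e in info["groups"].items() if e["last_failure"] != "None"]
    detected = min((t for _, _, t in failures if t), default=None)
    recovered = next((e["time"] for e in events
                      if "Recovered from communication failure" in e["reason"]), None)
    # 'Just Active' marks the moment this unit took a group over.
    takeovers = [(e["group"], e["time"]) for e in events if e["to"] == "Just Active"]
    outage = int((recovered - detected).total_seconds()) if detected and recovered else None
    # Note: the unit listed here is the one that *reported* losing the link; with a
    # back-to-back failover cable that alone does not say which unit was at fault.
    return {"units_reporting_failure": sorted({h for h, _, _ in failures}),
            "detected_at": detected, "recovered_at": recovered,
            "outage_seconds": outage, "takeovers": takeovers}


if __name__ == "__main__":
    result = diagnose(parse_failover_history(HISTORY_SAMPLE),
                      parse_failover_state(STATE_SAMPLE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the posted output it reports that only "This host" (the primary) recorded a Comm Failure at 16:16:24, that the link recovered at 16:20:20 (a 236-second gap), and that this unit took group 1 back at 16:20:58 and group 0 at 16:21:00. Running the same script on the secondary's output and comparing the two "detected_at" values is the comparison the later replies ask for.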

 

VIP Advisor

Re: ASA failover reason

Having the cable directly connected between ASAs is a bad design because this won't allow you to find which ASA triggered the failover. Move this to connect ASAs failover link through L2 switch. This way you can find which ASA had comm failure.

Comm Failed means that failover flapped. With L2 link between the ASAs you can tell which unit had the actual failure. With current design, if either ASA fails, it will show comms failure at both sides.

***** remember to rate useful posts

Re: ASA failover reason

Hello Mohammed, 

 

I will have this point in mind for future deployments. 

So right now I cannot tell which ASA failed. The management connection is L2. 

 

In failover state, only the active ASA shows comm failure. The secondary shows none. 

 

All in all, there is not a command in the ASA with which I could determine where the actual failure occurred (hardware fault, software fault). 

 

Regards, 

Konstantinos

Engager

Re: ASA failover reason

Hi,

Can you check for errors on the failover cable with a show interface g0/x?

Most of our active-standby FW deployments have a direct failover cable between them.

This will save switch ports and avoid design complexity and troubleshooting.

We have very few deployments via L2 switch or patch panels, if the two FWs are in different racks.

Re: ASA failover reason

Hello, 

 

This is the output of the command: 

 

Interface Ethernet1/16 "", is up, line protocol is up
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
        MAC address zzzz.zzzz.zzzz, MTU not set
        IP address unassigned
Interface Ethernet1/16.4001 "FAILOVER", is up, line protocol is up
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 4001
        Description: LAN Failover Interface
        MAC address zzzz.zzzz.zzzz, MTU 1500
        IP address xxx.xxx.xxx.xxx, subnet mask xxx.xxx.xxx.xxx
Interface Ethernet1/16.4002 "FOLINK", is up, line protocol is up
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 4002
        Description: STATE Failover Interface
        MAC address zzzz.zzzz.zzzz, MTU 1500
        IP address xxx.xxx.xxx.xxx, subnet mask xxx.xxx.xxx.xxx

 

 

Is that of any help?

 

Regards, 

Konstantinos

Beginner

Re: ASA failover reason

Not really. I think we would like to see the output of each member of the cluster on their HA interface.

 

https://www.tunnelsup.com/understanding-cisco-asa-interface-counters-and-statistics/

Re: ASA failover reason

Hello, 

 

We have enabled collection of logs and if anything appears we will examine it. 

 

Thank you all for your help.

 

Regards, 

Konstantinos