
Cisco ASA 5505 Failover issue..

ManuMadhavan1
Level 1

Hi,

I have two firewalls (Cisco ASA 5505) which are configured in active/standby mode. It was running smoothly for more than a year, but last week the secondary firewall failed and it took my whole network down. Then I just removed the connectivity of the secondary firewall and ran only the primary one. When I logged in by console I found out that the failover had been disabled. So again I connected it to the network and enabled the firewall. After a couple of days the same issue happened. This time I took down the secondary firewall and erased the flash. Reloaded the IOS image. Configured the failover and connected to the primary for the replication of configs. It found the active mate, replicated the configs and got synced... But after sync the same thing happened: the whole network went down. I just did the same thing, removed the secondary firewall. Network came up. I feel there is something with the failover, but couldn't find out :( . And the firewalls are in Router Mode.

1 Accepted Solution


Hi,

As you stated, the ASA unit got rebooted? If yes, check for "show crash" on both the ASA units and see if it coincides with the time when the issue happened.

Also, I see a communication problem between the failover interfaces. So please verify the same.

Thanks and Regards,

Vibhor Amrodia

5 Replies

Vibhor Amrodia
Cisco Employee

Hi,

As per your description of this issue, the Standby ASA unit fails, so that should ideally not cause any outage in the network, as all the traffic would still pass through the Active unit.

An outage might happen if both ASAs go to the Active state and traffic would be split and dropped on the network. (Possibly)

I think I would request you to share the output of show failover, show failover history and show failover state when the issue happens, from both units, before reloading/taking out the standby unit.

Thanks and Regards,

Vibhor Amrodia

 

Please find the logs...
 
Secondary firewall while syncing:
 
 
cisco-asa(config)# sh failover 
Failover On 
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 06:01:10 GMT Apr 29 2015
This host: Secondary - Sync Config 
Active time: 55 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
 Interface outside (27.251.167.246): No Link (Waiting)
 Interface inside (10.11.0.20): No Link (Waiting)
 Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Active 
Active time: 177303 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
 Interface outside (27.251.167.247): Unknown (Waiting)
 Interface inside (10.11.0.21): Unknown (Waiting)
 Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
 
=======================================================================================
 
Secondary firewall just after sync, Active (primary firewall got rebooted)
 
cisco-asa# sh failover 
Failover On 
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:06:12 GMT Apr 29 2015
This host: Secondary - Active 
Active time: 44 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
 Interface outside (27.251.167.246): Normal (Waiting)
 Interface inside (10.11.0.20): No Link (Waiting)
 Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Not Detected 
Active time: 0 (sec)
slot 0: empty
 Interface outside (27.251.167.247): Unknown (Waiting)
 Interface inside (10.11.0.21): Unknown (Waiting)
 Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
==========================================================================================
 
After the Active firewall got rebooted, failover off, whole network went down.
 
 
cisco-asa# sh failover 
Failover Off 
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
 
===========================================================================================
 
Primary firewall after rebooting
 
cisco-asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:17:29 GMT Apr 29 2015
        This host: Primary - Active
                Active time: 24707 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
                  Interface outside (27.251.167.246): Normal (Waiting)
                  Interface inside (10.11.0.20): Normal (Waiting)
                  Interface mgmt (10.11.200.21): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Failed
                Active time: 0 (sec)

 

                slot 0: empty
                  Interface outside (27.251.167.247): Unknown (Waiting)
                  Interface inside (10.11.0.21): Unknown (Waiting)
                  Interface mgmt (10.11.200.22): Unknown (Waiting)
                slot 1: empty
 
 
cisco-asa# sh failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
06:16:43 GMT Apr 29 2015
Not Detected               Negotiation                No Error
 
06:17:29 GMT Apr 29 2015
Negotiation                Just Active                No Active unit found
 
06:17:29 GMT Apr 29 2015
Just Active                Active Drain               No Active unit found
 
06:17:29 GMT Apr 29 2015
Active Drain               Active Applying Config     No Active unit found
 
06:17:29 GMT Apr 29 2015
Active Applying Config     Active Config Applied      No Active unit found
 
06:17:29 GMT Apr 29 2015
Active Config Applied      Active                     No Active unit found
 
==========================================================================
cisco-asa#
 
 
cisco-asa# sh failover state
 
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Comm Failure             06:17:43 GMT Apr 29 2015
 
====Configuration State===
====Communication State===
 
==================================================================================
 
Secondary Firewall
 
cisc-asa# sh failover h
==========================================================================
From State                 To State                   Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected               Negotiation                No Error
 
06:17:05 GMT Apr 29 2015
Negotiation                Disabled                   Set by the config command
 
==========================================================================
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (down)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
ecs-pune-fw-01# sh failover h
==========================================================================
From State                 To State                   Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected               Negotiation                No Error
 
06:17:05 GMT Apr 29 2015
Negotiation                Disabled                   Set by the config command
 
==========================================================================
cisco-asa# sh failover state
 
 
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Disabled       None
Other host -   Primary
               Not Detected   None
 
====Configuration State===
====Communication State===
 
Thanks...

Hi Manu,

 

Would you share the show run failover output from both units?

 

Best Regards!

Hi Vibhor,

 

It's working now; there was a communication problem with the failover interface.

I reconfigured the failover interfaces, and now it's working.

 

Thanks for the help.
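
An added example, not part of the thread and not Cisco code: a small Python check that parses `show failover` output in the format pasted above from both units and reports the conditions this thread turned on (failover switched off, a failover LAN link that is not `up`, a peer seen as Failed or Not Detected, and both units reporting Active). The sample text is constructed as a trimmed subset of the posted output, and the function names are hypothetical.

```python
import re

# Constructed samples: trimmed lines in the `show failover` format posted in this thread.
PRIMARY = """\
Failover On
Failover unit Primary
Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
        This host: Primary - Active
        Other host: Secondary - Failed
"""
SECONDARY = """\
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (down)
"""

def parse_show_failover(text):
    """Pull out the fields needed to judge the failover pair (hypothetical helper)."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    return {
        "enabled": grab(r"^Failover (On|Off)\s*$") == "On",
        "unit": grab(r"^Failover unit (\S+)"),
        # Status is the text in the last parentheses, e.g. "up" or "down".
        "link": grab(r"^Failover LAN Interface: .*\(([^)]*)\)\s*$"),
        # The host lines are absent when failover is off, so these may be None.
        "this_state": grab(r"This host: \S+ - (.+?)\s*$"),
        "other_state": grab(r"Other host: \S+ - (.+?)\s*$"),
    }

def diagnose(a, b):
    """Return findings for two parsed units, in the order a then b."""
    findings = []
    for u in (a, b):
        if not u["enabled"]:
            findings.append(f"{u['unit']}: failover is off")
        if u["link"] != "up":
            findings.append(f"{u['unit']}: failover link is '{u['link']}'")
        if u["other_state"] in ("Failed", "Not Detected"):
            findings.append(f"{u['unit']}: peer seen as {u['other_state']}")
    # Both units Active at once is the outage case raised in the first reply.
    if a["this_state"] == "Active" and b["this_state"] == "Active":
        findings.append("both units report Active (split brain)")
    return findings

if __name__ == "__main__":
    for line in diagnose(parse_show_failover(PRIMARY), parse_show_failover(SECONDARY)):
        print(line)
```

Feeding it the output captured from each unit at the same moment makes a failed failover link visible before the standby is relied on.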
