Cisco ASA standby failed - pls help

secureIT
Level 4

Hi Friends,

In my ASA 8.4(7)30 HA setup, I see the standby as failed when I run show failover on the Primary FW (Active), as given below.

Primary - Active FW

# show failover

This host: Primary - Active
Other host: Secondary - Failed

Secondary - Standby FW

# show failover

This host: Secondary - Standby Ready
Other host: Primary - Active

I have executed the debugs below on the standby FW and got a few logs.

debug fover verify
debug fover fail
debug fover sync

ASA failover HA TRANS: received out of sequence message
fover_ip: HA TRANS: received out of sequence message, seq - ba4514b, expect - ba45144
fover_ip: HA TRANS: send aggressive ACK
fover_ip: HA TRANS: received out of sequence message, seq - ba45147, expect - ba45144
fover_ip: HA TRANS: send aggressive ACK
fover_ip: HA TRANS: received out of sequence message, seq - ba45150, expect - ba45144
fover_ip: HA TRANS: send aggressive ACK


%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_CTL_COMM, my state Standby Ready, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=1,my=Standby Ready,peer=Active.
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is up.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_CTL_COMM, my state Standby Ready, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=411,op=52,my=Standby Ready,peer=Active.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_CLIENT_NEGOTIATED_VERSION, my state Standby Ready, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=0,my=Standby Ready,peer=Active.
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.

These messages flood the show logging output.

Can someone assist me?
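
The debug and syslog output quoted above can be tallied with a short script. This is an added example, not part of the original post or any Cisco tool: it counts the out-of-sequence reports, measures how far each received sequence number ran ahead of the expected one, and counts control channel up/down transitions in the 720024 messages. It assumes the seq/expect values are hexadecimal; the function name `summarize` and the sample block (lines copied from the post) are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the debug and syslog output quoted in the post.
SAMPLE = """\
fover_ip: HA TRANS: received out of sequence message, seq - ba4514b, expect - ba45144
fover_ip: HA TRANS: send aggressive ACK
fover_ip: HA TRANS: received out of sequence message, seq - ba45147, expect - ba45144
fover_ip: HA TRANS: received out of sequence message, seq - ba45150, expect - ba45144
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is up.
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
"""

# Assumption: seq/expect are printed in hexadecimal.
OOS_RE = re.compile(r"out of sequence message, seq - ([0-9a-f]+), expect - ([0-9a-f]+)", re.I)
CTL_RE = re.compile(r"%ASA-6-720024: \(([^)]+)\) HA status callback: Control channel is (up|down)\.")

def summarize(text):
    """Summarise failover transport health from debug/syslog text."""
    gaps = []    # (expected, received - expected) per out-of-sequence report
    states = []  # control channel states in order of appearance
    for line in text.splitlines():
        m = OOS_RE.search(line)
        if m:
            seq, expect = int(m.group(1), 16), int(m.group(2), 16)
            gaps.append((expect, seq - expect))
            continue
        m = CTL_RE.search(line)
        if m:
            states.append(m.group(2))
    # A flap is any change of state between consecutive 720024 messages.
    flaps = sum(1 for a, b in zip(states, states[1:]) if a != b)
    stuck = {}
    for expect, _ in gaps:
        stuck[expect] = stuck.get(expect, 0) + 1
    return {
        "out_of_sequence": len(gaps),
        "max_gap": max((g for _, g in gaps), default=0),
        # Expected values that repeat: the receiver is still waiting on the same message.
        "stuck_expected": {hex(k): v for k, v in stuck.items() if v > 1},
        "control_channel_flaps": flaps,
        "last_control_state": states[-1] if states else None,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it over a longer capture from both units shows whether the expected sequence number ever advances and how often the control channel changes state.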

7 Replies

Hello,

Could you kindly please check the status of the interface that works as the failover link, and attach a show failover and show failover state?

Hi Kornelia Gutierrez, Please find the attached logs from both the firewalls.

Pls find the attached show failover logs from both the firewalls. I think I need to reboot the secondary standby firewall - what do you say?

Please check first whether the units are able to ping each other's Management interface IP. If not, then check cable connectivity between the two. If you still see the issue, you can reboot the standby unit, but make sure you do this in non-production hours because it has a risk of both units becoming Active at the same time.

Hi,

In case of rebooting a standby unit, I disconnect all interface cables and connect only the failover interface cable.

Then wait for failover to negotiate active and passive, then connect all other cables again.

In this case there is no risk that both units become active.

Regards, Marco

OK Marco. Looking at the debug logs and show failover outputs of both FWs, I seriously suspect an issue with the standby FW only, so I will go ahead and remove all the cables except Mgmt0/0, reboot the standby FW, then I will connect the cables one by one.

Yes, you can do so ;-)

Make sure that active / passive negotiation is already done.
