Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5889
Views
0
Helpful
2
Replies

Failover interface failed

suhas_syndrome
Level 1
Level 1

‎11-30-2012 07:51 AM - edited ‎03-11-2019 05:30 PM

Hi,

   I have 2 ASA 5520 firewall configured with HA(Failover). but some time my primary firewall goes down standby firewall doesnt come active. i found below log from primary firewall..what is the reason & what is the mining of reason code of 4...

Nov 30 2012 14:07:47: %ASA-1-105002: (ASA) Enabling failover.

Nov 30 2012 14:08:43: %ASA-1-105043: (Primary) Failover interface failed

Nov 30 2012 14:08:56: %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).

After i hard reboot my standby firewall below log had been generated..

Nov 30 2012 15:51:57: %ASA-1-105042: (Primary) Failover interface OK
Nov 30 2012 15:52:02: %ASA-1-709003: (Primary) Beginning configuration replication: Send to mate.
Nov 30 2012 15:52:15: %ASA-1-709004: (Primary) End Configuration Replication (ACT)

Please assist....

Regards

Suhas

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎11-30-2012 08:33 AM

Hi,

The explanation for that can be found in the ASAs syslog messages document.

Here it is

 103001 
Error Message    %ASA-1-103001: (Primary) No response from other firewall (reason 
code = code).





 


Explanation    This is a failover message, which is displayed if the primary unit is unable to  communicate with the secondary unit over the failover cable. (Primary) can also be listed as  (Secondary). for the secondary unit. Table 1-2 lists the reason codes and the descriptions to  determine why the failover occurred. 


 











 Table 1-2     Reason Codes 

 





 Reason Code 

 

 Description 

 






 1 




 The local unit is not receiving the hello packet on the failover LAN  interface when LAN failover occurs or on the serial failover cable when  serial failover occurs, and declares that the peer is down. 








 2 




 An interface did not pass one of the four failover tests, which are as  follows: 1) Link Up, 2) Monitor for Network Traffic, 3) ARP, and 4)  Broadcast Ping. 








 3 




 No proper ACK for 15+ seconds after a command was sent on the serial cable. 








 4 




 The local unit is not receiving the hello packet on the failover LAN and  other data interfaces and it is declaring that the peer is down. 








 5 




 The failover LAN interface is down, and other data interfaces are not  responding to additional interface testing. In addition, the local unit  is declaring that the peer is down. 


















 


Recommended Action    Verify that the failover cable is connected correctly and both units have the  same hardware, software, and configuration. If the problem persists, contact the Cisco TAC.

Are you saying that the Primary ASA loses all connectivity to the Secondary ASA (looking at the log messages). Judging by the above Cisco description it would mean the Primary ASA isnt getting Failover Hellos through any of the monitored interfaces which again would make it seem like the Secondary Firewall is expriencing some problems.

- Jouni

0 Helpful

Jack Leung
Level 1
Level 1

‎11-30-2012 08:35 AM

How is the HA configured? Straight through cable directly or using a switch in between? Can you also post a sanitized version of your failover configs from both primary and standby?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card