06-19-2013 09:23 PM - edited 03-11-2019 07:00 PM
Hello. I have been trying to solve this issue for 6 hours now and cannot figure it out. I have a unit that is active and another unit that I reset the configuration and am trying to get it to replicate. I type in failover on both firewalls and it just doesn't want to work. Originally the failover was working fine but I had to go in and do a password recovery because I got locked out of the ASDM. I followed these instructions and was able to get back in but I noticed the failover config sync was no longer working. I decided to just clear the config of the secondary firewall and just set it as a new failover firewall but I can't get the damn thing to connect/replicate. Below are the outputs of "show failover", "show failover state" and "show failover history" for the primary and secondary firewall. Any help would be greatly appreciated as I am running out of hair to pull out of my head.
Both running asdm 6.4.5
ASA 8.0.5
Show failover
Primary
Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(5), Mate 8.0(5)
Last Failover at: 10:29:58 EDT Jun 19 2013
This host: Primary - Active
Active time: 1504705 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(5)) status (Up Sys)
Interface outside (6.15.35.170): Normal (Waiting)
Interface inside (10.0.0.1): Normal (Waiting)
Interface SAN (10.0.1.254): Link Down (Not-Monitored)
Interface management (192.168.1.1): No Link (Not-Monitored)
slot 1: empty
Other host: Secondary - Cold Standby
Active time: 6 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(5)) status (Up Sys)
Interface outside (6.15.35.178): Unknown
Interface inside (10.0.0.254): Unknown
Interface SAN (0.0.0.0): Link Down (Not-Monitored)
Interface management (0.0.0.0): Unknown (Not-Monitored)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : LANFAIL GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 3862489 0 196815 0
sys cmd 196167 0 196167 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 2268811 0 8 0
UDP conn 359758 0 558 0
ARP tbl 1036541 0 81 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 542 0 1 0
VPN IPSEC upd 430 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 240 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 73 196877
Xmit Q: 0 34 7613909
Secondary
Failover On
Failover unit Secondary
Failover LAN Interface: LANFAIL GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(5), Mate 8.0(5)
Last Failover at: 14:49:27 UTC Jun 19 2013
This host: Secondary - Negotiation
Active time: 12 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(5)) status (Up Sys)
slot 1: empty
Other host: Primary - Active
Active time: 1504982 (sec)
slot 0: empty
slot 1: empty
Stateful Failover Logical Update Statistics
Link : LANFAIL GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
Show failover state
Primary
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Cold Standby Comm Failure 10:31:54 EDT Jun 19 2013
====Configuration State===
====Communication State===
Secondary
State Last Failure Reason Date/Time
This host - Secondary
Disabled None
Other host - Primary
Not Detected None
====Configuration State===
====Communication State===
Show failover history
Primary
=========================================================================
From State To State Reason
==========================================================================
08:06:13 EDT Jun 19 2013
Disabled Negotiation Set by the config command
08:06:58 EDT Jun 19 2013
Negotiation Just Active No Active unit found
08:06:58 EDT Jun 19 2013
Just Active Active Drain No Active unit found
08:06:58 EDT Jun 19 2013
Active Drain Active Applying Config No Active unit found
08:06:58 EDT Jun 19 2013
Active Applying Config Active Config Applied No Active unit found
08:06:58 EDT Jun 19 2013
Active Config Applied Active No Active unit found
08:22:53 EDT Jun 19 2013
Active Disabled Set by the config command
08:31:35 EDT Jun 19 2013
Disabled Negotiation Set by the config command
08:32:20 EDT Jun 19 2013
Negotiation Just Active No Active unit found
08:32:20 EDT Jun 19 2013
Just Active Active Drain No Active unit found
08:32:20 EDT Jun 19 2013
Active Drain Active Applying Config No Active unit found
08:32:20 EDT Jun 19 2013
Active Applying Config Active Config Applied No Active unit found
08:32:20 EDT Jun 19 2013
Active Config Applied Active No Active unit found
10:09:31 EDT Jun 19 2013
Active Disabled LAN Interface become un-configured
10:29:13 EDT Jun 19 2013
Disabled Negotiation Set by the config command
10:29:58 EDT Jun 19 2013
Negotiation Just Active No Active unit found
10:29:58 EDT Jun 19 2013
Just Active Active Drain No Active unit found
10:29:58 EDT Jun 19 2013
Active Drain Active Applying Config No Active unit found
10:29:58 EDT Jun 19 2013
Active Applying Config Active Config Applied No Active unit found
10:29:58 EDT Jun 19 2013
Active Config Applied Active No Active unit found
==========================================================================
Secondary
==========================================================================
From State To State Reason
==========================================================================
14:31:46 UTC Jun 19 2013
Active Applying Config Active Config Applied No Active unit found
14:31:46 UTC Jun 19 2013
Active Config Applied Active No Active unit found
14:31:51 UTC Jun 19 2013
Active Cold Standby Failover state check
14:32:06 UTC Jun 19 2013
Cold Standby Disabled HA state progression failed
14:48:32 UTC Jun 19 2013
Disabled Negotiation Set by the config command
14:49:27 UTC Jun 19 2013
Negotiation Just Active No Active unit found
14:49:27 UTC Jun 19 2013
Just Active Active Drain No Active unit found
14:49:27 UTC Jun 19 2013
Active Drain Active Applying Config No Active unit found
14:49:27 UTC Jun 19 2013
Active Applying Config Active Config Applied No Active unit found
14:49:27 UTC Jun 19 2013
Active Config Applied Active No Active unit found
14:49:32 UTC Jun 19 2013
Active Cold Standby Failover state check
14:49:47 UTC Jun 19 2013
Cold Standby Disabled HA state progression failed
14:49:55 UTC Jun 19 2013
Disabled Negotiation Set by the config command
14:50:51 UTC Jun 19 2013
Negotiation Just Active No Active unit found
14:50:51 UTC Jun 19 2013
Just Active Active Drain No Active unit found
14:50:51 UTC Jun 19 2013
Active Drain Active Applying Config No Active unit found
14:50:51 UTC Jun 19 2013
Active Applying Config Active Config Applied No Active unit found
14:50:51 UTC Jun 19 2013
Active Config Applied Active No Active unit found
14:50:56 UTC Jun 19 2013
Active Cold Standby Failover state check
14:51:11 UTC Jun 19 2013
Cold Standby Disabled HA state progression failed
==========================================================================
06-20-2013 02:29 AM
Hi Jack,
As it was running before, I'm guessing the active box has a correct configuration, but it looks as though there is a problem with either the communication or the config going on to the standby box. Are they directly connected or is it through a switch? I'd check the active and standby addresses are correct for both.
Andy.
06-20-2013 09:14 AM
Hey, thanks for responding! They are both hooked up to each other directly through a CAT5 cable. Here is the failover link config... I know the secondary has "no failover" set. The box switches back to no failover after me issuing the "failover" command.
Primary
failover
failover lan unit primary
failover lan interface LANFAIL GigabitEthernet0/3
failover key *****
failover link LANFAIL GigabitEthernet0/3
failover interface ip LANFAIL 172.16.1.1 255.255.255.0 standby 172.16.1.2
Secondary
no failover
failover lan unit secondary
failover lan interface LANFAIL GigabitEthernet0/3
failover key *****
failover link LANFAIL GigabitEthernet0/3
failover interface ip LANFAIL 172.16.1.1 255.255.255.0 standby 172.16.1.2
06-26-2013 05:50 PM
Here is a log dump of what is happening on the secondary when I try the failover command.
, my state Negotiation, peer state Not Detected.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=411,op=22,my=Negotiation,peer=Not Detected.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_CLIENT_NEGOTIATED_VERSION, my state Negotiation, peer state Not Detected.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=53,op=1,my=Negotiation,peer=Not Detected.
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_NEGOTIATION, my state Negotiation, peer state Not Detected.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Negotiation,peer=Active.
%ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Active.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Negotiation, peer state Active.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=200,op=16,my=Just Active,peer=Active.
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_FAST, my state Just Active, peer state Active.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=201,op=16,my=Active Drain,peer=Active.
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_DRAIN, my state Active Drain, peer state Active.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=202,op=16,my=Active Applying Config,peer=Active.
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_PRECONFIG, my state Active Applying Config, peer state Active.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=203,op=16,my=Active Config Applied,peer=Active.
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_POSTCONFIG, my state Active Config Applied, peer state Active.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=204,op=16,my=Active,peer=Active.
%ASA-6-720039: (VPN-Secondary) VPN failover client is transitioning to active state
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE, my state Active, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=130,my=Active,peer=Active.
%ASA-6-720027: (VPN-Secondary) HA status callback: My state Active.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Active, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=10,my=Cold Standby,peer=Disabled.
%ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Disabled.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Cold Standby, peer state Disabled.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=0,my=Disabled,peer=Disabled.
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_CTL_COMM, my state Disabled, peer state Disabled.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=402,op=0,my=Disabled,peer=Disabled.
%ASA-6-720025: (VPN-Secondary) HA status callback: Data channel is down.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_DATA_COMM, my state Disabled, peer state Disabled.
%ASA-1-105001: (Secondary) Disabling failover.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=51,op=29,my=Disabled,peer=Disabled.
%ASA-6-720010: (VPN-Secondary) VPN failover client is being disabled
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_DISABLED, my state Disabled, peer state Disabled.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=10,my=Disabled,peer=Disabled.
%ASA-6-720027: (VPN-Secondary) HA status callback: My state Disabled.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Disabled, peer state Disabled.
12-12-2017 04:47 AM
The same issue with me. Check the config. Failover not working.
ASA-2# show running-config
: Saved
:
: Serial Number: FLM2013FVLR
: Hardware: FPR4K-SM-12, 58269 MB RAM, CPU Xeon E5 series 2194 MHz, 1 CPU (24 cores)
:
ASA Version 9.6(1)
!
hostname ASA-2
enable password YdxZuMgZnGXj4fkF encrypted
names
zone DMZ
zone inside
zone outside
!
interface Ethernet1/1
shutdown
nameif inside
security-level 100
ip address 10.10.10.3 255.255.255.0
!
interface Ethernet1/2
shutdown
nameif outside
security-level 0
ip address 192.168.20.10 255.255.255.0
!
interface Ethernet1/3
management-only
shutdown
nameif management
security-level 0
no ip address
!
interface Ethernet1/4
description LAN/STATE Failover Interface
!
ftp mode passive
object-group network source
network-object 0.0.0.0 0.0.0.0
object-group network destination
network-object 0.0.0.0 0.0.0.0
object-group network source-address
network-object 0.0.0.0 0.0.0.0
object-group network destination-address
network-object 0.0.0.0 0.0.0.0
object-group network lan
network-object 0.0.0.0 0.0.0.0
object-group network WAN
network-object 0.0.0.0 0.0.0.0
object-group network 192.168.20.1
network-object 192.168.20.1 255.255.255.255
access-list 110 extended permit ip object-group lan object-group WAN
access-list 111 extended permit ip object-group lan object-group WAN
access-list 120 extended permit ip any any
access-list 121 extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
failover lan unit secondary
failover lan interface folink Ethernet1/4
failover link folink Ethernet1/4
failover interface ip folink 30.30.30.1 255.255.255.0 standby 30.30.30.2
ASA-2# show failover history
==========================================================================
From State To State Reason
==========================================================================
11:41:41 UTC Dec 12 2017
Not Detected Disabled No Error
11:46:57 UTC Dec 12 2017
Disabled Negotiation Set by the config command
11:46:59 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate
11:47:00 UTC Dec 12 2017
Cold Standby Disabled HA state progression faile d
12:01:02 UTC Dec 12 2017
Disabled Negotiation Set by the config command
12:01:04 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate
12:01:05 UTC Dec 12 2017
Cold Standby Disabled HA state progression faile d
12:01:49 UTC Dec 12 2017
Disabled Negotiation Set by the config command
12:01:51 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate
12:01:52 UTC Dec 12 2017
Cold Standby Disabled HA state progression failed
12:03:58 UTC Dec 12 2017
Disabled Negotiation Set by the config command
12:04:00 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate
12:04:01 UTC Dec 12 2017
Cold Standby Disabled HA state progression failed
12:04:29 UTC Dec 12 2017
Disabled Negotiation Set by the config command
12:04:30 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate
12:04:31 UTC Dec 12 2017
Cold Standby Disabled HA state progression failed
12:37:07 UTC Dec 12 2017
Disabled Negotiation Set by the config command
12:37:10 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate
12:37:11 UTC Dec 12 2017
Cold Standby Disabled HA state progression failed
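An added example, not part of any post in this thread: a small Python parser for the whitespace-flattened `show failover history` rows shown above, which extracts every enable attempt that ends in "HA state progression failed" together with the state path it took. The state list is taken from the outputs posted in this thread, and the function names are hypothetical.

```python
import re

# State names seen in this thread's `show failover history` output, longest
# first so "Active Applying Config" is matched before the bare "Active".
STATES = sorted(["Not Detected", "Disabled", "Negotiation", "Just Active",
                 "Active Drain", "Active Applying Config",
                 "Active Config Applied", "Active", "Cold Standby"],
                key=len, reverse=True)
TS = re.compile(r"^\d{2}:\d{2}:\d{2} \w+ \w{3} \d{1,2} \d{4}$")

def _take_state(text):  # split a leading state name off a flattened row
    for s in STATES:
        if text == s or text.startswith(s + " "):
            return s, text[len(s):].strip()
    raise ValueError(f"unknown state in {text!r}")

def parse_history(output):
    """Return [(timestamp, from_state, to_state, reason), ...]."""
    events, ts = [], None
    for line in (l.strip() for l in output.splitlines()):
        if TS.match(line):
            ts = line
        elif ts and line and not line.startswith("="):
            frm, rest = _take_state(line)
            events.append((ts, frm, *_take_state(rest)))  # adds (to, reason)
            ts = None
    return events

def failed_attempts(events):
    """Attempts from Disabled -> Negotiation that fall back to Disabled with
    'HA state progression failed', as (start, end, state path)."""
    out, cur = [], None
    for ts, frm, to, reason in events:
        if (frm, to) == ("Disabled", "Negotiation"):
            cur = (ts, [frm, to])
        elif cur:
            cur[1].append(to)
            if to == "Disabled":  # attempt over; wraps can split "faile d"
                if reason.replace(" ", "") == "HAstateprogressionfailed":
                    out.append((cur[0], ts, cur[1]))
                cur = None
    return out

SAMPLE = """\
12:01:02 UTC Dec 12 2017
Disabled Negotiation Set by the config command
12:01:04 UTC Dec 12 2017
Negotiation Cold Standby Detected an Active mate
12:01:05 UTC Dec 12 2017
Cold Standby Disabled HA state progression faile d
"""  # rows copied from the 2017 history posted in this thread
```

Running `failed_attempts(parse_history(...))` over a unit's full history gives the number of failed attempts and how long each one lasted before the unit disabled failover again.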