Traffic stopped passing through after failover to secondary ASA 5580
We are currently working on an issue where, as the title suggests, after failover of the active FW from primary to secondary, no traffic passed through the secondary (active) FW. Due to this, the active FW was immediately failed back to the primary. After a while, the field engineer performed "write standby" on the primary FW.
However, another failover attempt couldn't be performed to troubleshoot, as the network is very critical in nature.
While trying to find the root cause of this issue, we made the following observations:
1. It's an ASA 5580 with version 9.1(7.15), which has this bug, CSCvd78303, due to which the ASA may stop passing traffic after 213 days of uptime. However, it was confirmed that the ASA was restarted anyhow, hence this may not be the issue.
2. After looking in more detail at the "write standby" command, I realised it should normally be avoided and, if needed, only be used upon the advice of Cisco TAC.
3. After doing "show failover history", the time between the moment when failover was done from primary to secondary and when the secondary actually became active was approx. 20 mins. Not sure if this is normal.
4. "show failover history" also showed a "configuration mismatch" between the primary and secondary.
5. Another major point was that there were no .cfg files present on the secondary ASA.
6. We had no ASA logs after the outage to determine what exactly happened to the traffic. There is a non-Cisco IPS behind the ASAs, but it was also confirmed that no traffic passed through the secondary ASA.
TAC has also been engaged to look into this case, but we have had no concrete response as to why this must have happened and how it can be resolved.
I strongly feel points 4 & 5 could be a major cause here, as it would be quite obvious: if the secondary becomes active and finds no config files in its flash, how would it even operate? But, as I am not an ASA expert, I can't be sure.
We are also thinking of manually copying the .cfg files from primary to secondary and attempting another failover to see if it works.
Hence, can someone please advise what could be the probable cause of this issue and how it can be resolved?