07-10-2013 12:54 PM - edited 03-11-2019 07:10 PM
Hi all
I am trying to set up my ASA5510 as an active/standby failover pair.
Licenses are the same on both boxes; the only difference is flash! One box has 64MB and the other one has 256MB.
After failover configuration I had a notification:
"Mate's license (Inside Hosts 3) is not compatible with my license (Inside Hosts Unlimited). Failover will be disabled"
I am attaching show version for your information. Hope I am not missing anything here.
Many thanks in advance
Failover Config:
no failover (due to notification with license mismatch which disables failover)
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link state_failover Ethernet0/2
failover interface ip failover 1.1.1.1 255.255.255.0 standby 1.1.1.2
failover interface ip state_failover 2.2.2.1 255.255.255.0 standby 2.2.2.2
ASA 1:
Cisco Adaptive Security Appliance Software Version 8.2(5)26
Device Manager Version 6.4(7)
Compiled on Fri 02-Mar-12 14:04 by builders
System image file is "disk0:/asa825-26-k8.bin"
Config file at boot was "startup-config"
ASA-Primary up 2 hours 26 mins
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash LHF00L47 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 001d.454c.0aa2, irq 9
1: Ext: Ethernet0/1 : address is 001d.454c.0aa3, irq 9
2: Ext: Ethernet0/2 : address is 001d.454c.0aa4, irq 9
3: Ext: Ethernet0/3 : address is 001d.454c.0aa5, irq 9
4: Ext: Management0/0 : address is 001d.454c.0aa6, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: JMXXXXXXXX
Running Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
ASA2:
Cisco Adaptive Security Appliance Software Version 8.2(5)26
Device Manager Version 6.4(7)
Compiled on Fri 02-Mar-12 14:04 by builders
System image file is "disk0:/asa825-26-k8.bin"
Config file at boot was "startup-config"
ASA-Secondary up 2 hours 23 mins
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 0015.c6fa.2e6c, irq 9
1: Ext: Ethernet0/1 : address is 0015.c6fa.2e6d, irq 9
2: Ext: Ethernet0/2 : address is 0015.c6fa.2e6e, irq 9
3: Ext: Ethernet0/3 : address is 0015.c6fa.2e6f, irq 9
4: Ext: Management0/0 : address is 0015.c6fa.2e6b, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: XXXXXXXXXXXXXXX
Running Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
07-10-2013 01:37 PM
According to both the release notes and the 8.2 configuration guide section on high availability, you can set up failover with differing amounts of flash memory between the members.
I'm not aware of any bugs that would cause what you're seeing.
07-10-2013 02:07 PM
Thanks for your reply, Marvin. That's why I am confused; not sure what to do now.
As you see, my licenses are Security Plus with the same amount of VLANs etc. (standard Security Plus licenses for the 5510).
Unfortunately I don't have a Smartnet contract for these firewalls, so I can't involve TAC on this one, and my only hope is this forum.
07-10-2013 02:22 PM
Forgive me if this is a silly question, but you don't possibly have an ASA 5505 in the room that you plugged your failover cable into accidentally?
I only ask because the "inside hosts" number should not ever be anything other than unlimited on anything but an ASA 5505.
07-11-2013 02:11 AM
Sounds strange, doesn't it?
I do have a 5505 but this has nothing to do with it. My cabling is done on the 5510 ) (isolated!)
07-11-2013 04:26 AM
Hi,
It is very strange behaviour; I have never seen it before. What I would suggest is to upgrade the software and see if the issue is still happening. Another thing to try is reconfiguring the failover from scratch.
HTH,
07-13-2013 07:54 AM
I have replaced the flash on both firewalls, so now I've got 1GB RAM and 1GB flash.
Reconfiguration is done (from scratch) but I have the same error!
07-13-2013 08:00 AM
From show failover:
ASA-Primary(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 110 maximum
Version: Ours 8.2(5)26, Mate 8.2(5)26
Last Failover at: 13:40:02 UTC Jul 13 2013
This host: Primary - Active
Active time: 814 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)26) status (Up Sys)
Interface Outside (10.10.10.1): No Link (Not-Monitored)
Interface MGMT (10.196.2.110): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary - Disabled
Active time: 0 (sec)
slot 0: empty
Interface Outside (10.10.10.2): Unknown (Not-Monitored)
Interface MGMT (10.196.2.115): Unknown (Not-Monitored)
slot 1: empty
As you see, my secondary firewall is disabled.
Message from the secondary firewall:
ASA-Secondary(config)# Mate's license (Inside Hosts Unlimited) is not compatible with my license (Inside Hosts 3). Failover will be
ASA-Secondary(config)# Mate's license (Inside Hosts Unlimited) is not compatible with my license (Inside Hosts 3). Failover will be disabled.
.
This is not the first time I do this ) but I still can't explain what is going on (((((
My secondary firewall is exactly the same (as you see from show version), although the ASA version itself might be different, and it is (not sure how to check it), but when I did the RAM upgrade I noticed that on the primary firewall I had one slot for RAM but on the secondary I have 4 slots (this shouldn't be the problem! It's just FYI).
Hope someone can help me.
Many thanks in advance
07-13-2013 08:04 AM
Have you tried starting failover configuration with the other physical unit as the primary? I wonder how it would report.
Now that you have adequate RAM and Flash, you can move up to 8.4 (or 9.x) and try again. Of course you'd have to get Smartnet to be eligible for the license. The list price for 1 year Smartnet on a 5510 is US$587. That would also entitle you to TAC support.
07-13-2013 08:21 AM
Hi Martin
I can swap the FWs around to see if something changes, no problem (I will update you on this one).
The problem is that I don't want to upgrade to 8.4, as I will soon prepare for CCNP Security and as far as I know Cisco is still using 8.2 on their exam.
07-13-2013 09:00 AM
The newer CCNA Security 2.0 and CCNP Firewall (642-618) exams are based on ASA 8.3/8.4. Reference.
07-13-2013 10:36 AM
Thank you Martin
I did upgrade to 8.4(6) and it works now; not sure what the problem was on 8.2!
Many thanks for the suggestions
07-13-2013 10:38 AM
You're welcome.
Glad to hear it is working now.
Please rate the replies if they helped. Regards.