Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1116
Views
10
Helpful
4
Replies

asa 5512-X failed failover and firepower?

Go to solution
baselzind
Level 6
Level 6

‎09-19-2017 05:22 AM - edited ‎02-21-2020 06:19 AM

i have two 5512-x connected and configured with failover , we had firepower configured with one of them only "the secondary" , recently we found that failover under show failover is show primary - failed also under show failover history it shows "detect service card failure" , both are running 9.8 , is it because one of them only have firepower installed that the failover is failing? how do i know failure reason?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
niko
Level 1
Level 1
In response to baselzind

‎09-19-2017 05:46 AM

You may do this without a restart.

I'm assuming the primary firewall is in failed state and secondary is an active one.

 

1) Disable service module monitoring, save config (do it on the active firewall as usual);

2) Check if the primary firewall is standby ready;

3) If everything looks good, do #no failover active on the secondary/active firewall.

4) Primary should be the active one now, secondary should be standby ready and failover should be in a proper state.

View solution in original post

4 Replies 4

Go to solution
niko
Level 1
Level 1

‎09-19-2017 05:32 AM

You would be doing better by turning off the service module monitoring, so failover will not monitor the state of the FP module and will not failover.

#no monitor-interface service-module 

Having FP running on one device of the failover pair is not a standard situation, does not make sense generally and may be considered as a failure by ASA - "service card failure" makes me think that's exactly the reason.

More information: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200944-Disable-Service-Module-Monitoring-on-ASA.html 

Go to solution
baselzind
Level 6
Level 6
In response to niko

‎09-19-2017 05:40 AM

the customer cannot afford another firepower license so i need to make due with one firepower , so this command and a restart for the primary failed asa should make the primary show standby normally?
0 Helpful

Go to solution
niko
Level 1
Level 1
In response to baselzind

‎09-19-2017 05:46 AM

You may do this without a restart.

I'm assuming the primary firewall is in failed state and secondary is an active one.

 

1) Disable service module monitoring, save config (do it on the active firewall as usual);

2) Check if the primary firewall is standby ready;

3) If everything looks good, do #no failover active on the secondary/active firewall.

4) Primary should be the active one now, secondary should be standby ready and failover should be in a proper state.

Go to solution
baselzind
Level 6
Level 6
In response to niko

‎09-19-2017 11:25 PM

thank you so much for the help , the command worked but i still needed to restart the primary to get the standby status though

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card