07-24-2017 11:37 AM - edited 03-12-2019 02:43 AM
Hi everyone,
I have two ASA5512-X on which I like to configure HA. When I activate Failover on the standby unit I get the following error message:
Detected an Active mate
Mate NOT PRESENT card in slot 2 is different from mine CXSC5512
I guess this is because of a software module on the active ASA.
show module on the active ASA:
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5512 FCH17427H7N
ips Unknown N/A FCH17427H7N
cxsc Unknown N/A FCH17427H7N
sfr Unknown N/A FCH17427H7NMod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 885a.92f7.07d9 to 885a.92f7.07e0 1.0 2.1(9)8 9.8(1)
ips 885a.92f7.07d7 to 885a.92f7.07d7 N/A N/A
cxsc 885a.92f7.07d7 to 885a.92f7.07d7 N/A N/A
sfr 885a.92f7.07d7 to 885a.92f7.07d7 N/A N/AMod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
sfr Unknown No Image Present Not ApplicableMod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Unresponsive Not ApplicableMod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual
show module on the standby ASA:
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5512 FCH17357FMW
ips Unknown N/A FCH17357FMW
cxsc Unknown N/A FCH17357FMW
sfr Unknown N/A FCH17357FMWMod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 e4c7.2283.e680 to e4c7.2283.e687 1.0 2.1(9)8 9.8(1)
ips e4c7.2283.e67e to e4c7.2283.e67e N/A N/A
cxsc e4c7.2283.e67e to e4c7.2283.e67e N/A N/A
sfr e4c7.2283.e67e to e4c7.2283.e67e N/A N/AMod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
sfr Unknown No Image Present Not ApplicableMod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Unresponsive Not ApplicableMod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual
I suppose that the highlighted part is the problem so my question is how can I remove the cxsc module? What I tried so far:
-sw-module module cxsc shutdown
-sw-module module cxsc uninstall
-sw-module module cxsc reset
After executing this commands I get the error:
Unable to uninstall Module cxsc, it does not have a software image installed.
I hope someone can give me some advise.
Thank you
Remo
07-24-2017 06:51 PM
The strange thing is why cxsc doesn't even show up in that section even though it should. Personally I would open a TAC case on that issue - the unit may be defective.
If you don't have support, you may be able to work around with the following command on the active unit:
no monitor-interface service-module
... as described in detail here:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200944-Disable-Service-Module-Monitoring-on-ASA.html
07-24-2017 11:14 PM
Thank you both for your reply,
I tried to uninstall the module with:
sw-module module cxsc uninstall
Then I get the following error: Unable to uninstall module cxsc, it does not have a software image installed
The problem occured when I upgraded the ASAs. At this time they were configured in a failover cluster in single context, routed mode. The software version was 9.3. Then I upgraded the active ASA to 9.7, what I think you shouldn't do. Because then the standby ASA reloaded and lost the whole configuration. Since then I have the problem that HA doesn't work anymore.
I also tried the no monitor-interface service-module command but I still get the same error.
Maybe you have another idea why my ASA plays crazy.
Thank you
Remo
07-24-2017 11:18 PM
Sounds even more like a bug. I would definitely open a TAC case.
07-24-2017 11:33 PM
Hi Remo,
I think you can try reloading the standby ASA if you have not done yet.
If it still does not help please open a case with TAC.
Regards,
Aditya
Please rate helpful and mark correct answers
07-24-2017 09:45 PM
Hi,
1) Uninstall CXSC software module on ASA:
Since the CXSC module is facing issues on the ASA I would recommend it to be uninstalled on both the ASA’s as we are not using it. You can uninstall a software module image and its associated configuration. In multiple context mode, perform this procedure in the system execution space.
Command to disable
You can uninstall a software module image and its associated configuration:
Command to disable
Module
This will completely remove the disk image associated with the
Also, remove the cxsc image from the ASA flash of both the devices: Delete flash:/asacx-5500x-boot-x.x.x-x-x.x86_64.img
Then check if you still face the same issue.
Regards,
Aditya
Please rate helpful and mark correct answers
07-25-2017 12:36 PM
Hi Remo,
What is the OS version you have on both ASA's? Have you tried to upgrade the OS?
07-25-2017 01:04 PM
At beginning I had the OS version 9.3 and upgraded to 9.7. Then the standby ASA reloaded and booted without a config.
Yesterday I made an upgrade to 9.8.
Thanks,
Remo
07-25-2017 01:12 PM
Hi Remo,
Try 9.6.3, it is the Cisco Suggested release based on software quality, stability and longevity.
07-27-2017 11:14 AM
I downgraded both ASA but unfortunately I get the same error.
I'll try now to reset the active Firewall and reconfigure it. I'll let you know if this helps.
07-28-2017 12:13 PM
Hi,
the factory-reset didn't work. But I noticed that on the standby firewall there was a sw-module activated. I didn't check that because the show command hasn't shown it.
Now I am running a failover cluster with the software version 9.6.3.
Thank you guys very much for your support
Remo
07-28-2017 04:52 PM
Hi Remo,
Happy to assist.
Please close the discussion as it would help others as well.
Regards,
Aditya
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide