Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1762
Views
0
Helpful
11
Replies

ASA 5512-X Failover

Remo Grueebler
Level 1
Level 1

‎07-24-2017 11:37 AM - edited ‎03-12-2019 02:43 AM

Hi everyone,

I have two ASA5512-X on which I like to configure HA. When I activate Failover on the standby unit I get the following error message:

Detected an Active mate
Mate NOT PRESENT card in slot 2 is different from mine CXSC5512

I guess this is because of a software module on the active ASA.

show module on the active ASA:

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5512 FCH17427H7N
ips Unknown N/A FCH17427H7N
cxsc Unknown N/A FCH17427H7N
sfr Unknown N/A FCH17427H7N

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 885a.92f7.07d9 to 885a.92f7.07e0 1.0 2.1(9)8 9.8(1)
ips 885a.92f7.07d7 to 885a.92f7.07d7 N/A N/A
cxsc 885a.92f7.07d7 to 885a.92f7.07d7 N/A N/A
sfr 885a.92f7.07d7 to 885a.92f7.07d7 N/A N/A

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
sfr Unknown No Image Present Not Applicable

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Unresponsive Not Applicable

Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual

show module on the standby ASA:

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5512 FCH17357FMW
ips Unknown N/A FCH17357FMW
cxsc Unknown N/A FCH17357FMW
sfr Unknown N/A FCH17357FMW

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 e4c7.2283.e680 to e4c7.2283.e687 1.0 2.1(9)8 9.8(1)
ips e4c7.2283.e67e to e4c7.2283.e67e N/A N/A
cxsc e4c7.2283.e67e to e4c7.2283.e67e N/A N/A
sfr e4c7.2283.e67e to e4c7.2283.e67e N/A N/A

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
sfr Unknown No Image Present Not Applicable

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Unresponsive Not Applicable

Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual

I suppose that the highlighted part is the problem so my question is how can I remove the cxsc module? What I tried so far:

-sw-module module cxsc shutdown

-sw-module module cxsc uninstall

-sw-module module cxsc reset

After executing this commands I get the error:

Unable to uninstall Module cxsc, it does not have a software image installed.

I hope someone can give me some advise.

Thank you
Remo

1 person had this problem
Labels:
0 Helpful
11 Replies 11

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-24-2017 06:51 PM

The strange thing is why cxsc doesn't even show up in that section even though it should. Personally I would open a TAC case on that issue - the unit may be defective.

If you don't have support, you may be able to work around with the following command on the active unit:

no monitor-interface service-module

... as described in detail here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200944-Disable-Service-Module-Monitoring-on-ASA.html

0 Helpful

Remo Grueebler
Level 1
Level 1
In response to Marvin Rhoads

‎07-24-2017 11:14 PM

Thank you both for your reply,

I tried to uninstall the module with:

sw-module module cxsc uninstall
Then I get the following error: Unable to uninstall module cxsc, it does not have a software image installed

The problem occured when I upgraded the ASAs. At this time they were configured in a failover cluster in single context, routed mode. The software version was 9.3. Then I upgraded the active ASA to 9.7, what I think you shouldn't do. Because then the standby ASA reloaded and lost the whole configuration. Since then I have the problem that HA doesn't work anymore.

I also tried the no monitor-interface service-module command but I still get the same error.

Maybe you have another idea why my ASA plays crazy.

Thank you
Remo

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Remo Grueebler

‎07-24-2017 11:18 PM

Sounds even more like a bug. I would definitely open a TAC case. 

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Remo Grueebler

‎07-24-2017 11:33 PM

Hi Remo,

I think you can try reloading the standby ASA if you have not done yet.

If it still does not help please open a case with TAC.

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎07-24-2017 09:45 PM

Hi,

1) Uninstall CXSC software module on ASA:

Since the CXSC module is facing issues on the ASA I would recommend it to be uninstalled on both the ASA’s as we are not using it. You can uninstall a software module image and its associated configuration. In multiple context mode, perform this procedure in the system execution space.

Command to disable

You can uninstall a software module image and its associated configuration:

Command to disable cxsc module: ciscoasa# sw-module module cxsc uninstall

Module cxsc will be uninstalled. 

This will completely remove the disk image associated with the sw-module including any configuration that existed within it. Uninstall module cxsc? [confirm]

Also, remove the cxsc image from the ASA flash of both the devices: Delete flash:/asacx-5500x-boot-x.x.x-x-x.x86_64.img

Then check if you still face the same issue.

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful

Spooster IT Services
Level 7
Level 7

‎07-25-2017 12:36 PM

Hi Remo, 

What is the OS version you have on both ASA's? Have you tried to upgrade the OS?

Spooster IT Services Team
0 Helpful

Remo Grueebler
Level 1
Level 1
In response to Spooster IT Services

‎07-25-2017 01:04 PM

At beginning I had the OS version 9.3 and upgraded to 9.7. Then the standby ASA reloaded and booted without a config.

Yesterday I made an upgrade to 9.8.

Thanks,
Remo

0 Helpful

Spooster IT Services
Level 7
Level 7
In response to Remo Grueebler

‎07-25-2017 01:12 PM

Hi Remo,

Try 9.6.3, it is the Cisco Suggested release based on software quality, stability and longevity.

Spooster IT Services Team
0 Helpful

Remo Grueebler
Level 1
Level 1
In response to Spooster IT Services

‎07-27-2017 11:14 AM

I downgraded both ASA but unfortunately I get the same error.

I'll try now to reset the active Firewall and reconfigure it. I'll let you know if this helps.

0 Helpful

Remo Grueebler
Level 1
Level 1
In response to Remo Grueebler

‎07-28-2017 12:13 PM

Hi,

the factory-reset didn't work. But I noticed that on the standby firewall there was a sw-module activated. I didn't check that because the show command hasn't shown it.

Now I am running a failover cluster with the software version 9.6.3.

Thank you guys very much for your support
Remo

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Remo Grueebler

‎07-28-2017 04:52 PM

Hi Remo,

Happy to assist.

Please close the discussion as it would help others as well.

Regards,

Aditya

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card