Somewhere in upgrading to ASA code 9.1.4 and CX code 184.108.40.206 (52) we've run into a known and as yet still open bug (CSCud54665). The symptom that we experienced was frequent failover back and forth due to 'Service card in other unit has failed'. This continued for a couple of days until finally we had to bypass the CX modules altogether.
While I wait for the bug to (hopefully) be resolved, has anyone come across this? Is there a better workaround than turning off the CX modules (i.e., we're not logging traffic or proactively blocking malware anymore)?
Has anyone successfully downgraded their CX module(s)?
Thank you in advance
I just wanted to add that I did find a supported way to downgrade my CX modules back to what they were and the problem is still present. This potentially means that the problem was introduced in ASA code 9.1.3 or 9.1.4. I'm not brave enough to try to downgrade back to 9.1.2 which is where I started.
Thanks for updating your thread.
So you had to back your CX code down to 9.1(2) as well (or I guess you did that first in the troubleshooting process)? Because the latest 9.2(1) CX requires ASA 9.1(3) or higher. (Reference)
That's disappointing if so because it would mean not being able to use the NGFW IPS licenses at all.
Yup, I downgraded the CX modules first and still found that I was failing back and forth frequently. This forced me to turn off CX inspection to stabilize the situation. Now that I've downgraded back to ASA 9.1.2 (listed as a stable, recommended release), I turned the CX inspection back on and we're in business again. I even went as far as to bring us up to 9.1.3 of the CX code and we're still good.
You're absolutely right that 9.2 CX code requires 9.1.3 ASA code or higher. I guess I'll wait until the 9.1.5 or whatever the next recommended release is.
For now, emergency over!
I'm having similar issues. We ended up downgrading to 9.1.3 and disabling CX inspection. Does anyone know of a good stable release for ASA code when running CX code...220.127.116.11-82? Below is a history of upgrades/downgrades that I have had to do over the past month.
CSCuj99176 - Make ASA-SSM cplane keepalives more tolerable to communication delays
  - Upgraded ASAs to 9.1.3
  - Upgraded CX modules to 18.104.22.168-82
CSCun48868 - ASA changes to improve CX throughput and prevent unnecessary failovers
  - Upgraded to 9.1.5 interim release 10
CSCul77722 - Traceback with Assertion 0 (ASA Clientless VPN Denial of Service)
  - Downgraded to 9.1.3