
ASA 5515-x + Active/Active + CX Module

itenroll
Beginner

Somewhere in upgrading to ASA code 9.1.4 and CX code 9.2.1.2 (52) we've run into a known and as yet still open bug (CSCud54665).  The symptom that we experienced was frequent failover back and forth due to 'Service card in other unit has failed'.  This continued for a couple of days until finally we had to bypass the CX modules altogether.


While I wait for the bug to (hopefully) be resolved, has anyone come across this? Is there a better workaround than turning off the CX modules (i.e. we're not logging traffic or proactively blocking malware anymore)?

Has anyone successfully downgraded their CX module(s)?

Thank you in advance

10 Replies

itenroll
Beginner

I just wanted to add that I did find a supported way to downgrade my CX modules back to what they were and the problem is still present.  This potentially means that the problem was introduced in ASA code 9.1.3 or 9.1.4.  I'm not brave enough to try to downgrade back to 9.1.2 which is where I started.

Definitely an issue with the ASA code. I finally became brave enough to downgrade back to 9.1.2 and we're back in business. Avoid 9.1.3 and 9.1.4 for now.

Marvin Rhoads
VIP Community Legend

Thanks for updating your thread.

So you had to back your CX code down to 9.1(2) as well (or I guess you did that first in the troubleshooting process)? Because the latest 9.2(1) CX requires ASA 9.1(3) or higher. (Reference)

That's disappointing if so because it would mean not being able to use the NGFW IPS licenses at all.

Yup I downgraded the CX modules first and still found that I was failing back and forth frequently.  This forced me to turn off CX inspection to stabilize the situation.  Now that I've downgraded back to ASA 9.1.2 (listed as a stable, recommended release), I turned the CX inspection back on and we're in business again.  I even went as far as to bring us up to 9.1.3 of the CX code and we're still good.

You're absolutely right that 9.2 CX code requires 9.1.3 ASA code or higher.  I guess I'll wait until the 9.1.5 or whatever the next recommended release is.

For now, emergency over!

I'm having similar issues. We ended up downgrading to 9.1.3 and disabling CX inspection. Does anyone know of a good stable release for ASA code when running CX code 9.2.1.2-82? Below is a history of upgrades/downgrades that I have had to do over the past month.

CSCuj99176 - Make ASA-SSM cplane keepalives more tolerable to communication delays
- Upgraded ASAs to 9.1.3
- Upgraded CX modules to 9.2.1.2-82

CSCun48868 - ASA changes to improve CX throughput and prevent unnecessary failovers
- Upgraded to 9.1.5 interim release 10

CSCul77722 - Traceback with Assertion 0 (ASA Clientless VPN Denial of Service)
- Downgraded to 9.1.3

dbarry
Beginner