957 Views, 5 Helpful, 17 Replies

ASA 5520 V8 Standby failed

gurowar, Level 1

Good day,

I have seen the other posts on this but none fixed my problem; maybe I am missing something, but long story short, I have a pair of 5520s running in HA Active/Standby mode. The standby ASA is in failed mode and I see that the outside interface is the one that failed.

FW-HDS-01# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: FOLINK GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 15:55:26 CDT Oct 23 2024
This host: Secondary - Failed
Active time: 587 (sec)
slot 0: ASA5520 hw/sw rev (1.1/8.0(4)) status (Up Sys)
Interface outside (54.224.109.3): Failed (Waiting)
Interface DMZ (192.168.60.6): Normal (Not-Monitored)
Interface DMZ-2 (65.163.193.130): Normal (Not-Monitored)
Interface inside (172.29.0.7): Normal
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Primary - Active
Active time: 10465 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (54.224.109.2): Normal (Waiting)
Interface DMZ (192.168.60.1): Normal (Not-Monitored)
Interface DMZ-2 (65.163.193.129): Normal (Not-Monitored)
Interface inside (172.29.0.6): Normal
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Checking the logs I see

Oct 23 2024 16:23:42 FW-HDS-01 : %ASA-1-105008: (ASA) Testing Interface outside
Oct 23 2024 16:23:45 FW-HDS-01 : %ASA-1-105009: (ASA) Testing on interface outside Failed

105009 states that if it fails, check the cables and interface. I swapped out the cable and changed interfaces but still have the same issue, not sure what else to try. I even swapped the working ASA01 cable and port with ASA02's, hoping that the issue would follow, but it didn't, so I can confirm the cable and ports are good. Any help would be appreciated; I am out of ideas.

Thank you in advance!!

Warren
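
The `show failover` table and the 105008/105009 syslog pair above are what the rest of this thread reasons from, so here is a small triage helper for them. It is an added example, not code from the original post or from Cisco: it parses the per-unit interface lines of `show failover` (the sample below is constructed from the poster's output, with the same obfuscated addresses), parses 105009 interface-test results from syslog (two lines from the thread plus one constructed passing test), and reports which monitored interfaces are Failed and which of those are corroborated by a failed interface test. The regexes assume the line layout shown in the thread; any other `show failover` lines are ignored.

```python
"""Triage helper for ASA Active/Standby `show failover` output (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the relevant lines of the `show failover` output posted
# above, with the poster's (obfuscated) addresses; CLI indentation is stripped.
SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Interface Poll frequency 5 seconds, holdtime 25 seconds
Monitored Interfaces 2 of 250 maximum
This host: Secondary - Failed
Interface outside (54.224.109.3): Failed (Waiting)
Interface DMZ (192.168.60.6): Normal (Not-Monitored)
Interface DMZ-2 (65.163.193.130): Normal (Not-Monitored)
Interface inside (172.29.0.7): Normal
Other host: Primary - Active
Interface outside (54.224.109.2): Normal (Waiting)
Interface DMZ (192.168.60.1): Normal (Not-Monitored)
Interface DMZ-2 (65.163.193.129): Normal (Not-Monitored)
Interface inside (172.29.0.6): Normal
"""

# Constructed sample syslog: the two lines from the thread plus a passing
# inside-interface test added for contrast.
SYSLOG = """\
Oct 23 2024 16:23:42 FW-HDS-01 : %ASA-1-105008: (ASA) Testing Interface outside
Oct 23 2024 16:23:45 FW-HDS-01 : %ASA-1-105009: (ASA) Testing on interface outside Failed
Oct 23 2024 16:23:50 FW-HDS-01 : %ASA-1-105009: (ASA) Testing on interface inside Passed
"""

UNIT_RE = re.compile(r"^(This host|Other host): (Primary|Secondary) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\S+)(?: \(([^)]+)\))?$")
MONITORED_RE = re.compile(r"^Monitored Interfaces (\d+) of \d+ maximum$")
TEST_RE = re.compile(r"%ASA-1-105009: \(\S+\) Testing on interface (\S+) (Passed|Failed)$")


@dataclass
class Iface:
    name: str
    ip: str
    status: str             # Normal, Failed, Testing, ...
    detail: Optional[str]   # Waiting, Not-Monitored, or None

    @property
    def monitored(self) -> bool:
        return self.detail != "Not-Monitored"


@dataclass
class Unit:
    host: str               # "This host" or "Other host"
    role: str               # Primary or Secondary
    state: str              # Active, Standby Ready, Failed, ...
    interfaces: List[Iface] = field(default_factory=list)


def parse_show_failover(text):
    """Return (units, declared_monitored_count) from `show failover` text."""
    units, declared = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := UNIT_RE.match(line)):
            units.append(Unit(m.group(1), m.group(2), m.group(3)))
        elif (m := IFACE_RE.match(line)):
            if not units:
                raise ValueError("interface line before any unit header")
            units[-1].interfaces.append(Iface(*m.groups()))
        elif (m := MONITORED_RE.match(line)):
            declared = int(m.group(1))
    return units, declared


def failed_monitored(units):
    """Monitored interfaces in any state other than Normal, per unit."""
    return [(u.role, i.name, i.status, i.detail)
            for u in units for i in u.interfaces
            if i.monitored and i.status != "Normal"]


def parse_interface_tests(syslog):
    """(interface, Passed|Failed) for every 105009 line, in log order."""
    return [(m.group(1), m.group(2))
            for m in map(TEST_RE.search, syslog.splitlines()) if m]


def triage(show_failover, syslog):
    units, declared = parse_show_failover(show_failover)
    this = next(u for u in units if u.host == "This host")
    failed = failed_monitored(units)
    failing = {name for name, res in parse_interface_tests(syslog) if res == "Failed"}
    # A monitored interface that is Failed in `show failover` and also logs a
    # 105009 Failed test points at that segment (cable, switch port, VLAN,
    # peer reachability), not at the failover link itself.
    return {
        "unit_state": this.state,
        "failed": failed,
        "corroborated": sorted({name for _, name, _, _ in failed} & failing),
        # 'Monitored Interfaces N' should equal the interfaces listed as
        # monitored under 'This host'; a mismatch deserves a second look.
        "monitored_count_ok": sum(i.monitored for i in this.interfaces) == declared,
    }


if __name__ == "__main__":
    for key, value in triage(SHOW_FAILOVER, SYSLOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the sample result, or paste a live `show failover` capture and the relevant syslog lines into the two constants. On the poster's output it reports `outside` on the Secondary as the single failed monitored interface, corroborated by the 105009 Failed line, which is exactly the interface the rest of the thread chases.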

17 Replies

balaji.bandi, Hall of Fame

I would reboot the ASA since it is the standby, so service will not be affected. Also, check for any logs on the switch side.

You mentioned you changed the interface; I take it you changed the connected port (a different one on the switch side?).

Are all the ports going to the same switch?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

As mentioned by @balaji.bandi the issue could be related to the switch port config where the secondary ASA outside interface is connected.

gurowar, Level 1

Hi Guys,

Thank you for your response......

@balaji.bandi Yes, I did reboot ASA02 two times, once by itself, and when everyone was out of the office I power cycled both ASA01 and 02, bringing up 01 first then 02, but still the same issue. As far as logs and ports, I did see in the logs

Oct 24 2024 10:11:45 FW-HDS-01 : %ASA-1-105009: (ASA) Testing on interface outside Failed

when I looked up 105009 it said

105009

Error Message %ASA-1-105009: (Primary) Testing on interface interface_name {Passed|Failed}.

Explanation The result (either Passed or Failed) of a previous interface test has been reported. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required if the result is Passed. If the result is Failed, you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.

so that is what led me to change out cables and ports. Both ASA01/02 are plugged into the same dumb switch, which leads to the Comcast device. I ran a new cable and used a different port (two, to be exact) but kept seeing

Interface outside (54.224.109.3): Failed (Waiting)

so finally I just used the same cable and port that ASA01 was using and swapped them over to ASA02. The problem stayed with ASA02.

@Aref Alsouqi I did check the config, but today is a new day and my eyes are fresh; I will double check again and see.

@ahollifield Will check out your link, thank you!!

Thank you guys, I will go over your recommendations and keep you posted.

Thank you!!!!

If I were you, the next step would be to confirm whether it is the switch port or the ASA interface.

Take a laptop, disconnect the ASA outside interface, and connect the laptop to that switch port. Does the port come up? YES or NO

If YES, the switch port comes up, then you are sure the switch port is working.

Do the same test with the laptop connected to the ASA outside port and check whether the ASA port comes up or not. Then you know where to look for the problem and what to replace.

On the switch side you surely see some logs. (What switch is this? "show logging" here would help, along with "show interface x/x" output.)

BB


gurowar, Level 1

Good day All,

Just an update on this: as balaji.bandi mentioned, I am thinking it is the port on the ASA, even though when I check the status of the port I see it up and there are no errors.

FW-HDS-01# sh inter gi0/0 deta
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Description: Outside
MAC address 0018.b6a8.9ce6, MTU 1500
IP address 50.224.209.3, subnet mask 255.255.255.248
44524 packets input, 50422599 bytes, 0 no buffer
Received 806 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
44796 packets output, 6346138 bytes, 0 underruns
0 output errors, 0 collisions, 6 interface resets
0 late collisions, 0 deferred
0 input reset drops, 80 output reset drops
input queue (curr/max packets): hardware (0/14) software (0/0)
output queue (curr/max packets): hardware (0/25) software (0/0)
Traffic Statistics for "outside":
574 packets input, 26404 bytes
16103 packets output, 1719684 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 21 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 21 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
FW-HDS-01#

This is the only thing that is common and hasn't been switched out. Topology looks like this, sorry for the crude diagram:

        Comcast internet
               |
          dumb switch
           |        |
  ASA01 outside   ASA02 outside

ASA02 has been rebooted twice already and I have removed and reapplied the failover config just in case.

So what has been done so far: the cable connecting ASA02 outside to the dumb switch has been swapped out; the interface came up, but I am still seeing secondary failed.

On the dumb switch I moved it to two different ports, still with the new cable from above, but I am still seeing secondary failed.

As a last-ditch effort I took the original cable from ASA02 outside and swapped it with ASA01 outside, and swapped the port on the dumb switch that ASA01 outside is plugged into with ASA02 outside. I was hoping to see the issue move to ASA01, but nope, still the same: secondary failure, but ASA01 outside came up and I still have internet access. So the only common thing that never changed was the ASA02 outside port. Now this is in an HA configuration, so both ASAs use gi0/0 as their outside interface. I am assuming it doesn't matter if on ASA02 I use a different interface, but we will see what happens. But before I do so, any thoughts on this?

Thank you, guys!!!

What do you mean by "it doesn't matter if on ASA02 I use a different interface"? The config on both firewalls will be the same because they are in HA; the only exception to this is the HA config, which will be slightly different on the secondary device. How are the ASAs' HA links connected, via a switch or directly? Also, could you please try to turn off the monitoring on the outside interface and turn it back on, and see if that makes any difference?

OK, for testing now: reboot the dumb switch, put the ports back to their original state, and do the failover from ASA01 to ASA02. See if that works as expected?

As per the original post and the recent information posted below, the addresses do not match, so make sure the IP addresses are correct and check ping reachability.

Interface outside (54.224.109.3): Failed (Waiting)

and in the recent output the IP does not match?

FW-HDS-01# sh inter gi0/0 deta
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Description: Outside
MAC address 0018.b6a8.9ce6, MTU 1500
IP address 50.224.209.3, subnet mask 255.255.255.248

BB


@balaji.bandi The IPs are the same; that was a poor attempt to hide the IP, I forgot to change it. As Aref suggested, I will attempt to turn monitoring off and on and see what happens. Will keep you all posted.

Thank you!

Warren

That's fine. Are you able to ping each other using the outside interface? Did you turn off the dumb switch and check?

BB


gurowar, Level 1

Hi Aref,

As you mentioned, HA: typically when doing HA I like to use the same interface, it makes things easier, and I am assuming based on your question that is how it is supposed to be configured. I was just wondering if we can use different ports on the ASA, but again, based on your question I am thinking no. I was going to experiment and try it, but you just confirmed it for me, so no need to go down that rabbit hole. Sorry I didn't add that part in my diagram, but the ASAs' HA links are directly connected, both using gi0/3. I also, for the heck of it, swapped out that cable as well. Let me try turning monitoring off and on, never thought about that, thank you. Will keep you posted.

Waiting means an issue with the SW connecting the two OUTside interfaces of both FWs.

Can you check the VLAN and MAC learning in the SW?

MHM

Cristian Matei, VIP Alumni

Hi,

Do you have IP connectivity (test via PING/ICMP) between the two ASAs' IPv4 addresses on the outside interface? It looks like a problem on the switch side.

Best,

Cristian.

gurowar, Level 1

@MHM Cisco World That's the thing, I cannot get into the dumb switch to check; I am still trying to get in there.

@Cristian Matei On each firewall's outside interface I have an IP: 54.224.309.2 on the outside interface of FW1 and 54.224.309.3 on the outside interface of FW2. If this is what you mean, then from FW1 I am able to ping its own outside interface but not FW2's outside interface, and vice versa.

I am not sure if that dumb switch has any configuration on it; I am assuming no, but I would like to log in and see for myself. I did move the cable and port that FW01 is using and swapped them with FW02, but the issue stayed with FW02. So I am thinking it is gi0/0 on FW02 that has an issue, even though I show it up.

I also tried removing monitoring and adding it back, as Aref suggested, but still the same.

Thanks guys!!!

Warren
