02-05-2022 01:49 AM
Dear All,
I'm new to the ASA 5525. I just ran the show failover command and it shows the secondary is in use. How do I troubleshoot the issue to bring the primary one back?
Regards,
KALEEM
02-05-2022 08:43 AM
Before failing back to the primary firewall, make sure both units see each other.
show failover | i host
This command will tell you if both units can see each other. If the command shows
"Other host: Primary - Failed", you need to figure out what is causing this issue.
Another command which can help you is
show failover state
This command will tell us if the issue occurred due to a Comm Failure. If this is the case, you had better check the back-to-back cable; if switches are set up in between, make sure the cables are connected, or check on the switches that the primary interface and secondary interface MAC addresses are learned.
You can check the command
show failover history
This command will give you the breakdown of the events that occurred during the time when the HA unit failed from primary to secondary.
In order to fail back the firewall you need to use SSH, the console, or ASDM to fail it back.
Here is the method from SSH.
Prior to failing back, make sure both HA units are in good health and see each other without any issue. For example, they should look like this:
show failover | i host
This host: Primary - Standby
Other host: Secondary - Active
Connect via SSH to the standby firewall and give the command
failover active
Or you can connect to the standby firewall (which is currently acting as the active firewall)
and give this command on that firewall:
no failover active
This will force the firewall to fall back to the primary unit and make it active.
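As an added example (not code from this thread or from Cisco), here is a small Python script that applies the checks described in this answer to the text of "show failover": it parses the "This host" / "Other host" lines and the per-interface status lines, reports anything that would make a fail-back unsafe (a host that is not Active or Standby Ready, a monitored interface that is not Normal, the failover LAN link down), and tells you which command to enter on the unit whose output you pasted. The sample input is the output posted later in this thread, trimmed to the lines the parser reads; the regular expressions are my own assumptions about the output format, so re-check them against your own software version.

```python
"""Parse ASA 'show failover' output and decide whether a fail-back to Primary is safe."""
import re

# Sample input: the 'show failover' output posted in this thread, trimmed to the
# lines the parser uses (the stateful statistics table is not needed).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Last Failover at: 00:52:22 UTC Nov 18 2021
        This host: Secondary - Active
                Active time: 6830576 (sec)
                slot 0: ASA5525 hw/sw rev (3.1/9.8(1)) status (Up Sys)
                  Interface outside (172.17.17.250): Normal (Monitored)
                  Interface inside (172.16.10.250): Normal (Monitored)
                  Interface management (192.168.1.1): Normal (Waiting)
        Other host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (3.1/9.8(1)) status (Up Sys)
                  Interface outside (172.17.17.251): Normal (Monitored)
                  Interface inside (172.16.10.251): Normal (Monitored)
                  Interface management (0.0.0.0): Normal (Waiting)
"""

# Assumed line formats (match the output above; verify on your own version).
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]*)\): (\S+) \((\w+)\)")
LAN_RE = re.compile(r"^Failover LAN Interface: (.+?) \((\w+)\)")


def parse_show_failover(text):
    """Return a dict with global failover state and one entry per host."""
    info = {"failover_on": False, "unit": None, "lan_link_up": None,
            "last_failover": None, "this": None, "other": None}
    current = None  # which host block ("this"/"other") we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["failover_on"] = True
        elif line.startswith("Failover unit "):
            info["unit"] = line.split()[-1]
        elif (m := LAN_RE.match(line)):
            info["lan_link_up"] = m.group(2).lower() == "up"
        elif line.startswith("Last Failover at: "):
            info["last_failover"] = line[len("Last Failover at: "):]
        elif (m := HOST_RE.match(line)):
            current = m.group(1).lower()
            info[current] = {"role": m.group(2), "state": m.group(3), "interfaces": []}
        elif current and (m := IFACE_RE.match(line)):
            info[current]["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2),
                 "status": m.group(3), "monitor": m.group(4)})
    return info


def failback_check(info):
    """Return (safe, problems). Safe means both units are healthy enough to fail back."""
    problems = []
    if not info["failover_on"]:
        problems.append("failover is not enabled")
    if info["lan_link_up"] is False:
        problems.append("failover LAN link is down")
    for key in ("this", "other"):
        host = info[key]
        if host is None:
            problems.append(f"no '{key} host' line found")
            continue
        if host["state"] not in ("Active", "Standby Ready"):
            problems.append(f"{key} host ({host['role']}) is '{host['state']}', "
                            "not Active/Standby Ready")
        for itf in host["interfaces"]:
            if itf["status"] != "Normal":
                problems.append(f"{key} host interface {itf['name']} is {itf['status']}")
    return (not problems, problems)


def failback_command(info):
    """Command to enter on the unit whose output this is so that Primary becomes active.
    Returns None when nothing needs to be done on this unit."""
    this = info["this"]
    if this is None:
        return None
    if this["role"] == "Primary":
        return None if this["state"] == "Active" else "failover active"
    # On the secondary: release control only if it is the active unit.
    return "no failover active" if this["state"] == "Active" else None


if __name__ == "__main__":
    state = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    safe, problems = failback_check(state)
    print(f"Unit: {state['unit']}, this host: {state['this']['state']}, "
          f"other host: {state['other']['state']}, last failover: {state['last_failover']}")
    print("Safe to fail back" if safe else "Do NOT fail back yet:")
    for p in problems:
        print("  -", p)
    print("Command on this unit:", failback_command(state))
```

Run it against the output of whichever unit you are logged into; the "Other host: Primary - Failed" case from this answer shows up as a problem and the script will not recommend a fail-back until it clears.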
02-06-2022 09:53 PM
Thanks for the quick reply and for giving the detailed information. How do I check the total number of AnyConnect users configured on the ASA?
02-05-2022 02:03 AM
@kaleemullahbilal1 if the original active device rebooted, the secondary would take over and remain active until it is rebooted or the other device is manually specified as active again.
Is there an issue with the original failover primary device? Provide the output of "show failover".
02-05-2022 02:10 AM
Dear Rob,
Here is the output. Usually when I run this command it shows as primary. The primary is still up and I can ping it. What is the best practice, should I make the primary active manually? I need to know the reason for that switch.
NSH-ASA/sec/act# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 216 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours FCH2141JDF5, Mate FCH2141JDFC
Last Failover at: 00:52:22 UTC Nov 18 2021
This host: Secondary - Active
Active time: 6830576 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.8(1)) status (Up Sys)
Interface outside (172.17.17.250): Normal (Monitored)
Interface inside (172.16.10.250): Normal (Monitored)
Interface management (192.168.1.1): Normal (Waiting)
slot 1: SFR5525 hw/sw rev (N/A/6.4.0.7-53) status (Up/Up)
ASA FirePOWER, 6.4.0.7-53, Up, (Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.4.0.7-53) status (Up/Up)
ASA FirePOWER, 6.4.0.7-53, Up, (Monitored)
Other host: Primary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.8(1)) status (Up Sys)
Interface outside (172.17.17.251): Normal (Monitored)
Interface inside (172.16.10.251): Normal (Monitored)
Interface management (0.0.0.0): Normal (Waiting)
slot 1: SFR5525 hw/sw rev (N/A/6.4.0.7-53) status (Up/Up)
ASA FirePOWER, 6.4.0.7-53, Up, (Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.4.0.7-53) status (Up/Up)
ASA FirePOWER, 6.4.0.7-53, Up, (Monitored)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 1156191556 0 946779 151
sys cmd 910721 0 910720 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 720511659 0 23188 66
UDP conn 412556080 0 12700 84
ARP tbl 12085 0 16 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 9341 0 4 0
VPN IKEv1 P2 112120 0 18 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 7359449 0 40 0
SIP Tx 7359208 0 49 0
SIP Pinhole 7358657 0 39 1
Route Session 306 0 0 0
Router ID 0 0 0 0
User-Identity 1930 0 5 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 946946
Xmit Q: 0 65 1174852500
02-07-2022 01:31 PM
To check how many licences you have for AnyConnect, give the command "show version"; in its output there will be information on how many AnyConnect licences you have purchased.
To check how many users are connected to AnyConnect, give the command "show vpn-sessiondb detail anyconnect" or "show vpn-sessiondb summary".
02-07-2022 08:50 PM
Thanks for the reply. My actual question is how I can see the number of AnyConnect users configured on the ASA with their level of access, not the connected users.