
ASA 5525-X HA problem

Hi,

I have one ASA5525-X using the 9.2(4) IOS. It's configured as Active/Standby HA with success.

The problem occurred when I rebooted the Active ASA to simulate a failure; since then it does not detect the other ASA and both are active.

When it boots up I can see the "IPMI over lan not active" log message.

Has anyone had this same problem?

The configuration follows:

failover
failover lan unit primary
failover lan interface fover GigabitEthernet0/7
failover key *****
failover replication http
failover link fover GigabitEthernet0/7
failover interface ip fover 10.255.255.253 255.255.255.252 standby 10.255.255.254

!

Failover On
Failover unit Primary
Failover LAN Interface: fover GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(4), Mate Unknown
Last Failover at: 10:19:02 UTC Nov 4 2015
This host: Primary - Active
Active time: 782 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.2(4)) status (Up Sys)
Interface DMZ (177.XX.XX.1): Normal (Not-Monitored)
Interface 1001 (177.XX.XX.1): Normal (Not-Monitored)
Interface 1002 (177.XX.XX.1): Normal (Not-Monitored)
Interface 1003 (177.XX.XX.1): Normal (Not-Monitored)
Interface lab (10.1.10.1): No Link (Waiting)
Interface WAN (177.XX.XX.XX): Unknown (Waiting)
slot 1: SFR5525 hw/sw rev (N/A/5.3.1-152) status (Up/Up)
ASA FirePOWER, 5.3.1-152, Up
Other host: Secondary - Failed
Active time: 0 (sec)
Interface DMZ (177.XX.XX.2): Unknown (Not-Monitored)
Interface 1001 (177.XX.XX.2): Unknown (Not-Monitored)
Interface 1002 (177.XX.XX.2): Unknown (Not-Monitored)
Interface 1003 (177.XX.XX.2): Unknown (Not-Monitored)
Interface lab (10.1.10.2): Unknown (Waiting)
Interface WAN (177.XX.XX.XX): Unknown (Waiting)

Stateful Failover Logical Update Statistics
Link : fover GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0

#######################################

failover
failover lan unit secondary
failover lan interface fover GigabitEthernet0/7
failover key *****
failover replication http
failover link fover GigabitEthernet0/7
failover interface ip fover 10.255.255.253 255.255.255.252 standby 10.255.255.254

!

Failover On
Failover unit Secondary
Failover LAN Interface: fover GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(4), Mate Unknown
Last Failover at: 10:19:32 UTC Nov 4 2015
This host: Secondary - Active
Active time: 870 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.2(4)) status (Up Sys)
Interface DMZ (177.XX.XX.2): Normal (Not-Monitored)
Interface 1001 (177.XX.XX.2): Normal (Not-Monitored)
Interface 1002 (177.XX.XX.2): Normal (Not-Monitored)
Interface 1003 (177.XX.XX.2): Normal (Not-Monitored)
Interface lab (10.1.10.2): No Link (Waiting)
Interface WAN (177.XX.XX.XX): Unknown (Waiting)
slot 1: SFR5525 hw/sw rev (N/A/5.3.1-152) status (Up/Up)
ASA FirePOWER, 5.3.1-152, Up
Other host: Primary - Failed
Active time: 0 (sec)
Interface DMZ (177.XX.XX.1): Unknown (Not-Monitored)
Interface 1001 (177.XX.XX.1): Unknown (Not-Monitored)
Interface 1002 (177.XX.XX.1): Unknown (Not-Monitored)
Interface 1003 (177.XX.XX..1): Unknown (Not-Monitored)
Interface lab (10.1.10.1): Unknown (Waiting)
Interface WAN (177.XX.XX.XX): Unknown (Waiting)

Stateful Failover Logical Update Statistics
Link : fover GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0

##############################################

Interface GigabitEthernet0/7 "fover", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address 0462.735f.91f6, MTU 1500
IP address 10.255.255.254, subnet mask 255.255.255.252
1844 packets input, 118016 bytes, 0 no buffer
Received 458 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
1837 packets output, 117568 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (467/461)
output queue (blocks free curr/low): hardware (467/447)
Traffic Statistics for "fover":
1844 packets input, 77264 bytes
1838 packets output, 60844 bytes
945 packets dropped
1 minute input rate 2 pkts/sec, 84 bytes/sec
1 minute output rate 2 pkts/sec, 66 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 2 pkts/sec, 84 bytes/sec
5 minute output rate 2 pkts/sec, 66 bytes/sec
5 minute drop rate, 1 pkts/sec

!

Interface GigabitEthernet0/7 "fover", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address 0462.735f.9256, MTU 1500
IP address 10.255.255.253, subnet mask 255.255.255.252
1663 packets input, 106432 bytes, 0 no buffer
Received 427 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
1632 packets output, 104448 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
39 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (487/461)
output queue (blocks free curr/low): hardware (479/447)

Thank you
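An added example, not part of the original post: a Python check that takes the `show failover` output from both units and flags the condition visible above (both units Active, mate version Unknown, and zero stateful updates while the failover link reports up). The sample text is trimmed from the outputs posted above; the function and field names are illustrative assumptions.

```python
import re

# Sample input: trimmed from the two "show failover" outputs posted above.
SAMPLE = """\
Failover On
Failover unit {unit}
Failover LAN Interface: fover GigabitEthernet0/7 (up)
Version: Ours 9.2(4), Mate Unknown
This host: {unit} - Active
Other host: {peer} - Failed
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
"""
PRIMARY = SAMPLE.format(unit="Primary", peer="Secondary")
SECONDARY = SAMPLE.format(unit="Secondary", peer="Primary")


def parse_show_failover(text):
    """Extract the fields needed for a split-brain check from one unit."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    # Columns of the "General" row are: xmit xerr rcv rerr
    gen = re.search(r"^\s*General\s+(\d+)\s+\d+\s+(\d+)\s+\d+", text, re.M)
    return {
        "link": grab(r"^\s*Failover LAN Interface:.*\((.+?)\)\s*$"),
        "mate_version": grab(r"Mate (\S+)"),
        "this_state": grab(r"^\s*This host:\s*\S+ - (.+?)\s*$"),
        "peer_state": grab(r"^\s*Other host:\s*\S+ - (.+?)\s*$"),
        "xmit": int(gen.group(1)) if gen else None,
        "rcv": int(gen.group(2)) if gen else None,
    }


def split_brain_findings(a, b):
    """Compare both units' parsed state and list what looks wrong."""
    findings = []
    if a["this_state"] == "Active" and b["this_state"] == "Active":
        findings.append("both units report Active (split brain)")
    for name, u in (("unit A", a), ("unit B", b)):
        if u["link"] == "up" and u["mate_version"] == "Unknown":
            findings.append(f"{name}: failover link up but mate version Unknown")
        if u["link"] == "up" and u["xmit"] == 0 and u["rcv"] == 0:
            findings.append(f"{name}: no stateful updates sent or received")
    return findings


if __name__ == "__main__":
    a, b = parse_show_failover(PRIMARY), parse_show_failover(SECONDARY)
    print("\n".join(split_brain_findings(a, b)) or "failover pair looks healthy")
```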

2 Replies

Akshay Rastogi
Cisco Employee

Hi Luis,

- Are you able to ping Failover IP addresses?

- Could you please check by removing the failover key from both ASAs and enabling failover again with the 'failover' key, and see if it comes up.

If that doesn't work, then try removing the complete failover configuration from the unit which has been reloaded and paste it again.

I could also see one defect opened for the same issue. Your version could also be affected, as it has been seen on version 9.2.3 and your ASA is running 9.2.4. It has been kept in a cosmetic category, so there should not be much to worry about:

https://tools.cisco.com/bugsearch/bug/CSCuu33125/?referring_site=bugquickviewredir

Hope it helps.

Regards,

Akshay Rastogi

Hi Akshay,

This problem was because of the "https://tools.cisco.com/bugsearch/bug/CSCuq52250/?reffering_site=dumpcr" bug.
