04-21-2010 11:11 AM - edited 03-11-2019 10:35 AM
13/04/2010 12:36 | Local7.Notice | 172.16.17.2 | 16260: Apr 13 12:36:00 GMT: %SYS-5-CONFIG_I: Configured from console by minxadmin on vty1 (172.16.17.210) |
13/04/2010 13:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 13:36:25: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mgnt |
13/04/2010 13:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 13:36:25: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface desktop |
13/04/2010 13:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 13:36:25: %ASA-1-105008: (Secondary) Testing Interface mgnt |
13/04/2010 13:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 13:36:25: %ASA-1-105008: (Secondary) Testing Interface desktop |
13/04/2010 13:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 13:36:25: %ASA-1-105009: (Secondary) Testing on interface desktop Passed |
13/04/2010 13:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 13:36:27: %ASA-1-105009: (Secondary) Testing on interface mgnt Passed |
13/04/2010 14:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 14:06:15: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface dmz1 |
13/04/2010 14:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 14:06:15: %ASA-1-105008: (Secondary) Testing Interface dmz1 |
13/04/2010 14:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 14:06:15: %ASA-1-105009: (Secondary) Testing on interface dmz1 Passed |
13/04/2010 14:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 14:36:14: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface dmz1 |
13/04/2010 14:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 14:36:14: %ASA-1-105008: (Secondary) Testing Interface dmz1 |
13/04/2010 14:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 14:36:14: %ASA-1-105009: (Secondary) Testing on interface dmz1 Passed |
13/04/2010 14:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 14:36:19: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mgnt |
13/04/2010 14:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 14:36:19: %ASA-1-105008: (Secondary) Testing Interface mgnt |
13/04/2010 14:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 14:36:21: %ASA-1-105009: (Secondary) Testing on interface mgnt Passed |
13/04/2010 15:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:06:29: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mgnt |
13/04/2010 15:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:06:29: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface dmz1 |
13/04/2010 15:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:06:29: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface desktop |
13/04/2010 15:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:06:29: %ASA-1-105008: (Secondary) Testing Interface mgnt |
13/04/2010 15:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:06:29: %ASA-1-105008: (Secondary) Testing Interface dmz1 |
13/04/2010 15:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:06:29: %ASA-1-105008: (Secondary) Testing Interface desktop |
13/04/2010 15:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:06:29: %ASA-1-105009: (Secondary) Testing on interface dmz1 Passed |
13/04/2010 15:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:06:31: %ASA-1-105009: (Secondary) Testing on interface desktop Passed |
13/04/2010 15:06 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:06:31: %ASA-1-105009: (Secondary) Testing on interface mgnt Passed |
13/04/2010 15:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:36:24: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface desktop |
13/04/2010 15:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:36:24: %ASA-1-105008: (Secondary) Testing Interface desktop |
13/04/2010 15:36 | Local4.Alert | 172.16.16.239 | Apr 13 2010 15:36:25: %ASA-1-105009: (Secondary) Testing on interface desktop Passed |
I observed in the syslog message that after every 1/2 hour I am getting above error.. No operational impact.
The failover configuration is as mentioned below
failover
failover lan unit primary
failover lan interface FAIL Management0/0
failover polltime unit msec 500 holdtime 7
failover link FAIL Management0/0
failover interface ip FAIL 1.1.1.1 255.255.255.252 standby 1.1.1.2
monitor-interface natgrid
monitor-interface noc
monitor-interface xoserv
Output of show failover is
FW01/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAIL Management0/0 (up)
Unit Poll frequency 500 milliseconds, holdtime 7 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
Version: Ours 7.2(2)18, Mate 7.2(2)18
Last Failover at: 00:05:23 GMT/BDT Apr 11 2010
This host: Primary - Active
Active time: 693746 (sec)
<All interfaces are normal>
Other host: Secondary - Standby Ready
Active time: 54 (sec)
<All interfaces are normal>
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : FAIL Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 32403730 0 13672467 124
sys cmd 131877 0 131411 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 15423799 0 6449684 38
UDP conn 16426913 0 6909463 86
ARP tbl 420368 0 181480 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 156 0 115 0
VPN IPSEC upd 617 0 314 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 25 15493640
Xmit Q: 0 7 36296735
Solved! Go to Solution.
04-22-2010 04:26 AM
Here is the URL for your reference (pls check out the "Failover Interface Speed for Stateful Links " section):
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759
04-21-2010 07:32 PM
What are your other ASA interfaces?
Failover interface needs to be the highest speed interface. If your other interfaces are gig-ethernet, you should be using gig-ethernet as your failover interface. I believe management interface is only 10/100.
04-21-2010 07:44 PM
Hi,
can you post the output of the below command
#sh failover status
I am suspecting, failover communication is gone between your primary and secondary firewall.
Thanks
Karuppu
04-22-2010 01:11 AM
04-22-2010 12:57 AM
Hi Halijenn,
Yes, we are using management interface 10/100 for failover whereas all other interfaces are gi interfaces.
Is there any reference or link supporting your statement that 'Failover interface needs to be the highest speed interface'
With regards,
Shailesh
04-22-2010 04:26 AM
Here is the URL for your reference (pls check out the "Failover Interface Speed for Stateful Links " section):
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759
04-22-2010 07:18 AM
This document i already have but could not see relevant error and suggestion not to use management port
for failover.
With regards,
Shailesh
04-26-2010 06:14 AM
Quote from the document:
"If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available."
The management interface is not the fastest ethernet interface available on your ASA, hence, it should not be used. You should be using one of the gigabit ethernet interface for stateful failover link.
04-17-2012 07:11 PM
excuse me!
my platform are ASA-5585X works with failover pair in A/S
I configure the failover link and stateful link with the same GE interface
but I encountered this problem too
since this happen, everything works fine
but what can I do to find what the root cause with this problem?
thanks
here is my log message:
Apr 12 2012 19:27:15: %ASA-1-105003: (Secondary) Monitoring on interface MGT_252 waiting
Apr 12 2012 19:27:15: %ASA-1-105003: (Secondary) Monitoring on interface MGT_22 waiting
Apr 12 2012 19:27:25: %ASA-1-105004: (Secondary) Monitoring on interface MGT_22 normal
Apr 12 2012 19:27:25: %ASA-1-105008: (Secondary) Testing Interface MGT_252
Apr 12 2012 19:27:25: %ASA-1-105009: (Secondary) Testing on interface MGT_252 Passed
Apr 12 2012 19:27:40: %ASA-1-105008: (Secondary) Testing Interface MGT_252
Apr 12 2012 19:27:40: %ASA-1-105009: (Secondary) Testing on interface MGT_252 Passed
Apr 12 2012 19:27:53: %ASA-1-105008: (Secondary) Testing Interface MGT_252
Apr 12 2012 19:27:55: %ASA-1-105009: (Secondary) Testing on interface MGT_252 Passed
Apr 12 2012 19:27:58: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface MGT_999
Apr 12 2012 19:27:58: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface MGT_254
Apr 12 2012 19:27:58: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface MGT_222
Apr 12 2012 19:27:58: %ASA-1-105008: (Secondary) Testing Interface MGT_999
Apr 12 2012 19:27:58: %ASA-1-105008: (Secondary) Testing Interface MGT_254
Apr 12 2012 19:27:58: %ASA-1-105008: (Secondary) Testing Interface MGT_222
Apr 12 2012 19:27:59: %ASA-1-105009: (Secondary) Testing on interface MGT_222 Passed
Apr 12 2012 19:28:00: %ASA-1-105009: (Secondary) Testing on interface MGT_999 Passed
Apr 12 2012 19:28:02: %ASA-1-105009: (Secondary) Testing on interface MGT_254 Failed
Apr 12 2012 19:28:06: %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=52,op=23,my=Failed,peer=Active.
Apr 12 2012 19:28:06: %ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_FAILED, my state Failed, peer state Active.
Apr 12 2012 19:28:06: %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=20,my=Failed,peer=Active.
Apr 12 2012 19:28:06: %ASA-6-720027: (VPN-Secondary) HA status callback: My state Failed.
Apr 12 2012 19:28:06: %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Failed, peer state Active.
Apr 12 2012 19:29:18: %ASA-1-104004: (Secondary) Switching to OK.
Apr 12 2012 19:29:18: %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=104,op=23,my=Standby Ready,peer=Active.
Apr 12 2012 19:29:18: %ASA-6-720040: (VPN-Secondary) VPN failover client is transitioning to standby state
Apr 12 2012 19:29:18: %ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_STANDBY_READY, my state Standby Ready, peer state Active.
Apr 12 2012 19:29:18: %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=80,my=Standby Ready,peer=Active.
Apr 12 2012 19:29:18: %ASA-6-720027: (VPN-Secondary) HA status callback: My state Standby Ready.
Apr 12 2012 19:29:18: %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Standby Ready, peer state Active.
Apr 12 2012 19:29:28: %ASA-1-105003: (Secondary) Monitoring on interface MGT_254 waiting
Apr 12 2012 19:29:33: %ASA-1-105004: (Secondary) Monitoring on interface MGT_252 normal
Apr 12 2012 19:29:33: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface MGT_222
Apr 12 2012 19:29:33: %ASA-1-105008: (Secondary) Testing Interface MGT_222
Apr 12 2012 19:29:33: %ASA-1-105009: (Secondary) Testing on interface MGT_222 Passed
Apr 12 2012 19:29:38: %ASA-1-105004: (Secondary) Monitoring on interface MGT_254 normal
04-23-2012 07:13 AM
anyone could help me please
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide