ASA 8.4 - Failover not replicating configs

vialves (Cisco Employee)

Hi there,

I have this firewall working as active/standby. Everything seemed to be ok, but we noticed that configurations are not being replicated by saving the configuration with either copy run start or write. The workaround here is the write standby command. Below are the configs and stats, plus the show version, which is the same on both units:

failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2

failover
failover lan unit secondary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2



Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 12:50:47 BRST May 21 2011
        This host: Primary - Active
                Active time: 4498133 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                  Interface inside (172.17.31.2): Normal (Monitored)
                  Interface outside1 (200.169.226.168): Normal (Monitored)
                  Interface outside2 (189.43.119.28): Normal (Monitored)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 2221 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                  Interface inside (172.17.31.3): Normal (Monitored)
                  Interface outside1 (200.169.226.169): Normal (Monitored)
                  Interface outside2 (189.43.119.29): Normal (Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         11868543   1          604633     0
        sys cmd         600054     0          600054     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        4588915    0          475        0
        UDP conn        2867035    0          1885       0
        ARP tbl         3772016    1          2162       0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    508        0          0          0
        VPN IKEv1 P2    16         0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     39999      0          57         0
        Route Session   0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       18      617744
        Xmit Q:         0       2048    56934494

Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)

Compiled on Mon 31-Jan-11 02:11 by builders
System image file is "disk0:/asa841-k8.bin"
Config file at boot was "startup-config"

vpnssljf01 up 52 days 2 hours
failover cluster up 52 days 2 hours

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

  0: Ext: GigabitEthernet0/0  : address is d0d0.fd3f.006c, irq 9
  1: Ext: GigabitEthernet0/1  : address is d0d0.fd3f.006d, irq 9
  2: Ext: GigabitEthernet0/2  : address is d0d0.fd3f.006e, irq 9
  3: Ext: GigabitEthernet0/3  : address is d0d0.fd3f.006f, irq 9
  4: Ext: Management0/0       : address is d0d0.fd3f.006b, irq 11
  5: Int: Not used            : irq 11
  6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 250            perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 4              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 500            perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

What am I missing?

Thanks


brquinn (Level 1)

1) Configuration changes are replicated at the time they are made. They are only replicated from Active -> Standby. They are not replicated from Standby -> Active.

2) Saving the configuration with the 'write mem' or 'copy run start' command will be replicated from Active -> Standby, but does not force the rest of the configuration to be replicated. In other words, if you save the configuration on the Active ASA, the Standby ASA will also save its configuration. If, on the other hand, you save the configuration on the Standby unit, the Active unit will NOT save its configuration. This is expected behavior.

3) The purpose of the 'write standby' command is to force a config sync from Active to Standby. The only time this should be necessary is if changes were made to the Standby unit to make the configurations out of sync.

Which commands aren't replicating? Are you sure that you are always making changes to your Active ASA?

*Note: If you ever receive this error message, do not make any changes because you are connected to the standby ASA. All changes should be made to the Active ASA ONLY. (regardless of whether the primary or secondary unit is currently active)

brquinn-5550# conf t
**** WARNING ****
    Configuration Replication is NOT performed from Standby unit to Active unit.
    Configurations are no longer synchronized.
brquinn-5550(config)#

I hope this helps.

Thanks,

Brendan

Hi Brendan!

Thanks for your response.

I'm pretty sure I'm making the configs on the active firewall. My test is the following:

- config something;

- save the configuration with "copy run start" to ensure that the configs are being stored;

- run the command fail exec mate show run | inc .

...and the results are always the same. The new configs are never there, except when I force the replication by using "write standby".

I have done this setup in a couple of failover pairs, without any problems....
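The test above compares the active unit's running-config with what `failover exec mate show run` returns from the standby. The following is an added example (not code from the thread or from Cisco) that automates that comparison: it normalizes both outputs, ignores the one line that legitimately differs between the two units of a pair (`failover lan unit primary` vs `secondary`, as seen in the configs posted above), and reports lines missing on the standby. The two config texts are constructed samples.

```python
"""Detect running-config drift between an ASA active unit and its standby.

Added example, not from the thread. Inputs are the text of `show run` on
the active unit and `failover exec mate show run` from the standby; the
samples below are constructed.
"""
import re

# The only per-unit line in the thread's configs: the failover role.
# It is expected to differ between the two units and is not drift.
PER_UNIT = re.compile(r"^failover lan unit (primary|secondary)$")


def normalize(config: str) -> set[str]:
    """Return comparable config lines: blank, ':' banner, '!' comment
    and per-unit lines are dropped; whitespace is stripped so indented
    sub-commands compare by content, not by indentation."""
    lines = set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in ":!" or PER_UNIT.match(line):
            continue
        lines.add(line)
    return lines


def config_drift(active: str, standby: str) -> dict[str, list[str]]:
    """'missing_on_standby' is the replication failure the thread
    describes; 'extra_on_standby' means the standby was edited directly
    (the case brquinn's WARNING banner refers to)."""
    a, s = normalize(active), normalize(standby)
    return {"missing_on_standby": sorted(a - s),
            "extra_on_standby": sorted(s - a)}


# Constructed sample: a new object was added on the active after the
# last successful sync and never reached the standby.
ACTIVE_CFG = """\
: Saved
hostname vpnssljf01
failover
failover lan unit primary
failover lan interface failover Management0/0
object network test-host
 host 10.0.0.5
"""
STANDBY_CFG = """\
: Saved
hostname vpnssljf01
failover
failover lan unit secondary
failover lan interface failover Management0/0
"""

if __name__ == "__main__":
    for kind, lines in config_drift(ACTIVE_CFG, STANDBY_CFG).items():
        print(f"{kind}: {lines}")
```

A non-empty `missing_on_standby` list immediately after a `copy run start` on the active is the symptom described in this thread and is worth alerting on, since a failover would then bring up a unit with an older policy.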

Hello,

When you say you configure something, what exactly are you configuring? Does the problem happen with all config lines you've tested or only certain features?

If you are only seeing the problem with access-lists, the problem could be related to:

CSCtn08562 - ASA: Access-list commands are not automatically replicated to Standby

In either case, it would be worth opening a TAC case for this issue so it can be investigated.

-Mike

Was this problem ever solved?

I have this identical problem on an ASA 5525.  The only way I can get the config on the standby to sync is to issue the "write standby" command on the active.

Thanks.

Hello,

What version are you running?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

8.6

Hello,

How are you testing this?

Does it happen with any kind of  configuration?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I created an object on the active, then did a show run on the standby and it does not appear.  If I issue a write standby then check again the new configuration appears.

It's not just objects that don't replicate, I tried many other commands.  The show failover history does not show any sync errors. The debug fover sync does not show any errors either.

Thanks.

Hello,

How long has this been happening?

Any changes to the config? Any failover scenario on the last days?

We might be hitting this bug CSCua70156


Commands fail to replicate to standby ASA in failover

Symptom:

Configuration commands entered on the Active ASA fail to show up on the Standby ASA's configuration. "Debug fover sync" and syslogs on the Standby ASA will indicate the Standby ASA actually receives the commands but it fails to take effect in the running-config. Examples of logs and debugs on Standby ASA:

%ASA-5-111008: User 'failover' executed the 'logg mon 6' command.
fover_parse: parse_thread_helper: Cmd: logg mon 6

Conditions:

ASAs set up for some sort of failover (Active/Active or Active/Standby). First seen on ASAs running 8.4(2)8.

Workaround:

Reload Standby ASA

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ahmadzubair654 (Level 1)

For Anyone who might run into that error,

For us it happened when we upgraded our ASA version.

Our Standby Firewall didn't carry over the hostscan image and its config from its primary.  As soon as we copied over and configured hostscan, that error went away.

HTH someone.
