hi,

johnlloyd_13 · ‎05-15-2017

hi,

i got 5525x A/S FW pair and can't seem to sync to standby FW.

i tried rebooting the standby FW but still the same.

suspect might be a bug but need someone's advise first or what troubleshooting i can further do, i.e. re-create failover config?

the bug i've searched:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCui19504/?referring_site=bugquickviewredir

ciscoasa/sec/act# sh ve

Cisco Adaptive Security Appliance Software Version 9.1(3)
Device Manager Version 7.1(3)

Compiled on Mon 16-Sep-13 16:07 PDT by builders
System image file is "disk0:/asa913-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 year 254 days
failover cluster up 1 year 259 day

ciscoasa/sec/act# sh run fail
failover
failover lan unit secondary <<< I'VE ADDED THIS TODAY AS PREVIOUS TECH FORGOT IT; NOT SURE IF THIS IS THE CULPRIT
failover lan interface folink GigabitEthernet0/7
failover link folink GigabitEthernet0/7
failover interface ip folink 192.168.7.1 255.255.255.248 standby 192.168.7.2

ciscoasa/sec/act# sh fail state

               State          Last Failure Reason      Date/Time
This host -   Secondary
               Active         None
Other host -   Primary
               Sync Config    Comm Failure             02:41:03 UTC May 15 2017

====Configuration State===
        Config Syncing
        Sync Done - STANDBY
====Communication State===

============

ciscoasa/pri/stby# sh ve

Cisco Adaptive Security Appliance Software Version 9.1(3)
Device Manager Version 7.1(3)

Compiled on Mon 16-Sep-13 16:07 PDT by builders
System image file is "disk0:/asa913-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 12 hours 50 mins <<< TRIED TO REBOOT BUT STILL HAVE SYNC ERROR
failover cluster up 12 hours 50 mins

ciscoasa/pri/stby# sh run fail
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/7
failover link folink GigabitEthernet0/7
failover interface ip folink 192.168.7.1 255.255.255.248 standby 192.168.7.2

ciscoasa/pri/stby#
        Unable to sync configuration from Active      <<< KEEP GETTING THIS ERROR
.

        Detected an Active mate

ciscoasa/pri/stby# sh fail state

               State          Last Failure Reason      Date/Time
This host -   Primary
               Sync Config    None
Other host -   Secondary
               Active         None

====Configuration State===
====Communication State===

ciscoasa/pri/stby# sh fail hist
==========================================================================
From State                 To State                   Reason
==========================================================================
03:16:43 UTC May 16 2017
Negotiation                Cold Standby               Detected an Active mate

03:16:45 UTC May 16 2017
Cold Standby               Sync Config                Detected an Active mate

03:18:47 UTC May 16 2017
Sync Config                Negotiation                HA state progression failed

03:18:48 UTC May 16 2017
Negotiation                Cold Standby               Detected an Active mate

03:18:50 UTC May 16 2017
Cold Standby               Sync Config                Detected an Active mate

03:20:52 UTC May 16 2017
Sync Config                Negotiation                HA state progression failed

cofee · ‎05-16-2017

Did you try removing stateful configuration on the active firewall? I wonder if it's failing because it can't sync tcp/udp connections to the standby firewall.

johnlloyd_13 · ‎05-20-2017

hi,

yes, i tried removing the failover config but an error prevents me from doing so.

error i got was something like sync is in progressing.

i got feedback from TAC and was told to reboot both FW pair.

Akhil.Balachandran · ‎05-16-2017

Hi,

Please attach the output of " show module" from the ASA pair.

Regards

Akhil

johnlloyd_13 · ‎05-20-2017

hi,

there's no module inserted on both FW pair.

ASA Active/Standby Failover 'HA state progression failed'