Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1740
Views
0
Helpful
7
Replies

ASA failover cluster software upgrade problems

atudos
Level 1
Level 1

‎07-22-2011 04:45 AM - edited ‎03-11-2019 02:02 PM

Hi,

last night we tried to upgrade our cluster (2x ASA5520) from 8.0(4) to 8.2(3) and failed miserably.

1. Both units got the new image, but when we reloaded the secondary unit then we got the following strange message:

"Mate's license (10GE I/O Enabled) is not compatible with my license (10GE I/O Disabled). Failover will be disabled."

After this message failover was not there anymore and both units became active (!!!) which killed everything.

Of course ASA5520 doesn't have 10GE and we have exactly the same units. What could be the problem here?

Currently we run with a single unit with 8.2(3) and the secondary unit is switched off.

2. After the upgrade we cannot connect with multiple VPN sessions from the same client, this gets logged:

"Multiple sessions per tunnel are not supported"

This was working just fine with 8.0(4) and doesn't work with 8.2(3). Do we have to update something in the config or what is causing this?

If you ask why we went with 8.2(3) instead of 8.2(5) then the answer is because we were testing that for several month in our secondary datacenter, but unfortunately only on a single ASA and not on a cluster. We couldn't go higher due to the 512MB RAM we have in all units.

And we had to upgrade, because we had crashes with 8.0(4) which was working fine for a long-long time.

BR,

Andras

Labels:
0 Helpful
7 Replies 7

atudos
Level 1
Level 1

‎07-22-2011 05:06 AM

I've found another thread which discusses the first problem and it is a bug of 8.2(3), which we picked.

We will test out 8.2(5) now.

Any ideas about the second issue?

A.

0 Helpful

varrao
Level 10
Level 10
In response to atudos

‎07-22-2011 09:02 AM

HI Andras,

You might very well be running into this DDTS - CSCti70859

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti70859

To restore normalcy, kindly follow the wowrkaround.

Hope this resolves your issue.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

varrao
Level 10
Level 10
In response to varrao

‎07-22-2011 09:05 AM

The second issue is also seems to be due to both the firewalls becaoming active, I would suggest you to first restore the failover and then monitor the VPN traffic, it shoud not be there. Whats heppening is since both the firewalls are passing the traffic, so it might creating multiple session of one tunnel on both the firewalls, so restoring failover should work.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

atudos
Level 1
Level 1
In response to varrao

‎07-22-2011 10:04 AM

Unfortunately the VPN issue is present with a single firewall running.

We will soon do the upgrade to 8.2(5) and then we will see if that resolves both or just the failover functionality.

Andras

0 Helpful

varrao
Level 10
Level 10
In response to atudos

‎07-22-2011 11:22 AM

Yup, no problem, do let me knw if the upgrade resolves both your issues.

-Varun

Thanks,
Varun Rao
0 Helpful

atudos
Level 1
Level 1
In response to varrao

‎07-22-2011 02:16 PM

This time the upgrade went OK, we are at 8.2(5) and failover clustering works as it should.

But the VPN problem is still there, we cannot connect twice from the same client (with different users and policies).

Any further idea what could be the difference regarding this between 8.0(4) and 8.2(5)?

Andras

0 Helpful

varrao
Level 10
Level 10
In response to atudos

‎07-22-2011 09:15 PM

Hi Andras,

Difficult to guess from here , what could be the issue, I would suggest you open a TAC case to get it investigated.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card