Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13024
Views
0
Helpful
4
Replies

ASA Failover - Detect service card failure

abhijith891
Level 1
Level 1

‎09-21-2018 06:19 PM - edited ‎02-21-2020 08:16 AM

Hi All,

 

We are running ASAs 9.8(2) in Act/Stdby mode. Recently, our primary ASA got rebooted and services got impacted. Upon checking checking failover history, we got the message - Detect service card failure. Upon checking syslogs - we only got 2 messages of significance:

 

i) Line protocol on interface changed state to down

ii) Line protocol on interface changed state to up

 

I believe the inside interface went down or something but can someone please explain a bit more in detail about this since we are doing RCA.

 

1) What's "Detect service card failure" mean?

2) What measures should we take in order to avoid this happening again in future?

 

I have attached a the failover output file for reference.

 

Regards,

Abhijit

 

 

 

 

3 people had this problem
Preview file
9 KB
0 Helpful
4 Replies 4

Ajay Saini
Level 7
Level 7

‎09-22-2018 02:12 AM

Hello Abhijeet,

 

The service card refers to any software based IPS module installed in the ASA, for example IPS module. If it fails or it is too busy to respond to the ASA backplane hello packets, it is detected as a failover reason and failover would happen.

 

The logs from Secondary device are from 13 Sep when I guess that the primary device reloaded, which is normal since it says that it has not heard from mate, and hence it became active. This happened around 21:55 on Sep 13th 2018.

 

The logs from Primary firewall wherein says service card failed looks like a transition phase message when it was initializing after the ASA reloaded.

 

The real issue here is on Sep 20th around 12:59 when the interface failed message appears on Primary Firewall and this comes from inside interface. That is where you need to focus apart from the reason behind the reason for primary firewall reload.

 

Regards,

 

Ajay

 

 

0 Helpful

abhijith891
Level 1
Level 1
In response to Ajay Saini

‎09-24-2018 05:36 PM

Hi Ajay,

 

Thanks a lot for your inputs. Yes, we do have an IPS module built-in the ASA, though we dont use it.. Can you please let me know if there are any preventive measures, or any commands which we configure to avoid this incident happening again?

 

Regards,

Abhijit

0 Helpful

Ajay Saini
Level 7
Level 7
In response to abhijith891

‎09-25-2018 02:38 AM

Hello,

 

If you wish to remove the IPS card from failover monitoring, you can remove the failover monitoring of the IPS module:

 

no monitor-interface service-module

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200944-Disable-Service-Module-Monitoring-on-ASA.html

 

HTH

AJ

 

 

0 Helpful

tanios191
Level 1
Level 1
In response to Ajay Saini

‎10-21-2022 12:14 AM

Hello Ajay,

I have the same case but I don't have an IPS module within my Cisco ASA and I got random failover with reason:

Detect service card failure
 
Can you advise on this?
 
Thanks,
Tanios

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card