05-07-2015 05:29 AM - edited 03-11-2019 10:54 PM
Hello CSC World!
I just came across an issue where our pair of ASA5525 devices are syncing but showing a "failed" state when issuing the show fail command. Here is the output of the show fail command:
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 216 maximum
failover replication http
Version: Ours 9.0(4), Mate 9.0(4)
Last Failover at: 00:55:14 EDT Mar 25 2015
    This host: Secondary - Active
        Active time: 3742577 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
          Interface outside (66.159.100.4): Normal (Waiting)
          Interface inside (10.5.55.4): Normal (Waiting)
          Interface dmz (10.5.10.1): Normal (Waiting)
          Interface dmz2 (10.5.13.1): Normal (Waiting)
          Interface testwifi (10.5.51.1): Normal (Not-Monitored)
          Interface guestwifi (10.5.247.1): Normal (Waiting)
          Interface mgmt (0.0.0.0): Unknown (Waiting)
        slot 1: IPS5525 hw/sw rev (N/A/7.1(7)E4) status (Up/Up)
          IPS, 7.1(7)E4, Up
    Other host: Primary - Failed
        Active time: 8387132 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
          Interface outside (66.159.100.5): No Link (Waiting)
          Interface inside (10.5.55.5): No Link (Waiting)
          Interface dmz (10.5.10.2): No Link (Waiting)
          Interface dmz2 (10.5.13.2): No Link (Waiting)
          Interface testwifi (10.5.51.2): Normal (Not-Monitored)
          Interface guestwifi (10.5.247.2): No Link (Waiting)
          Interface mgmt (0.0.0.0): No Link (Waiting)
        slot 1: IPS5525 hw/sw rev (N/A/7.1(7)E4) status (Up/Down)
          IPS, 7.1(7)E4, Up
I checked to make sure changes are replicating by inputting a remark in the current active firewall and it was replicated without issue to the other. I then looked at the links back to the switches and they are all up and I can ping all the IP addresses associated with the interfaces from the firewalls and switches themselves. In addition, spanning tree is not blocking anything on the uplinks.
The topology is as follows (I can be more detailed, but this should give you a decent idea):
ASA5525-01 ==> Nexus 7K-01 == Nexus 7K-02 <== ASA5525-02
The last failover occurred during a maintenance window when I had to bring down our primary switch, and it seems that it has never failed back.
Any suggestions/input would be appreciated.
Thanks everyone!
05-07-2015 06:02 AM
The output indicates the IPS module on your Primary unit is up but its data plane connection is down. It needs to be Up/Up for the unit to be marked as ready.
Try reloading the IPS module on that unit only:
sw-module module ips reload
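As an added illustration (not part of the thread, and not Cisco code), the following Python script parses the show failover output posted above and reports the same things the answer reads off by eye: which unit is Failed, any service-module slot whose status is not Up/Up, and which monitored interfaces report No Link. The regular expressions are assumptions derived from the output format shown in the question; the sample text is the question's own output.

```python
import re
from dataclasses import dataclass, field

# 'show failover' output exactly as posted in the question above (not constructed).
SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 216 maximum
failover replication http
Version: Ours 9.0(4), Mate 9.0(4)
Last Failover at: 00:55:14 EDT Mar 25 2015
    This host: Secondary - Active
        Active time: 3742577 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
          Interface outside (66.159.100.4): Normal (Waiting)
          Interface inside (10.5.55.4): Normal (Waiting)
          Interface dmz (10.5.10.1): Normal (Waiting)
          Interface dmz2 (10.5.13.1): Normal (Waiting)
          Interface testwifi (10.5.51.1): Normal (Not-Monitored)
          Interface guestwifi (10.5.247.1): Normal (Waiting)
          Interface mgmt (0.0.0.0): Unknown (Waiting)
        slot 1: IPS5525 hw/sw rev (N/A/7.1(7)E4) status (Up/Up)
          IPS, 7.1(7)E4, Up
    Other host: Primary - Failed
        Active time: 8387132 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
          Interface outside (66.159.100.5): No Link (Waiting)
          Interface inside (10.5.55.5): No Link (Waiting)
          Interface dmz (10.5.10.2): No Link (Waiting)
          Interface dmz2 (10.5.13.2): No Link (Waiting)
          Interface testwifi (10.5.51.2): Normal (Not-Monitored)
          Interface guestwifi (10.5.247.2): No Link (Waiting)
          Interface mgmt (0.0.0.0): No Link (Waiting)
        slot 1: IPS5525 hw/sw rev (N/A/7.1(7)E4) status (Up/Down)
          IPS, 7.1(7)E4, Up
"""

@dataclass
class Host:
    role: str                                       # Primary / Secondary
    state: str                                      # Active / Standby Ready / Failed ...
    slots: dict = field(default_factory=dict)       # slot number -> (model, status)
    interfaces: dict = field(default_factory=dict)  # name -> (ip, state, qualifier)

# Line shapes assumed from the output above (indentation is tolerated but not required).
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
SLOT_RE = re.compile(r"^\s*slot (\d+):\s+(\S+)\s+hw/sw rev .*status \((.+?)\)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s+(.+?)\s+\((.+?)\)\s*$")

def parse_show_failover(text):
    """Split the dump into one Host per 'This host' / 'Other host' section."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = Host(role=m.group(2), state=m.group(3))
            hosts.append(current)
            continue
        if current is None:          # still in the global header, nothing to collect
            continue
        m = SLOT_RE.match(line)
        if m:
            current.slots[int(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = IFACE_RE.match(line)
        if m:
            current.interfaces[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return hosts

def failed_modules(hosts):
    """Service modules (slot 1 and up) must be Up/Up; Up/Down means the data plane is down."""
    return [(h.role, slot, model, status)
            for h in hosts
            for slot, (model, status) in sorted(h.slots.items())
            if slot != 0 and status != "Up/Up"]

def link_down_interfaces(hosts):
    """Monitored interfaces reporting 'No Link', keyed by unit role."""
    result = {}
    for h in hosts:
        down = [name for name, (_ip, state, qual) in h.interfaces.items()
                if qual != "Not-Monitored" and state == "No Link"]
        if down:
            result[h.role] = down
    return result

def diagnose(text):
    """Return (roles in Failed state, failed modules, link-down interfaces)."""
    hosts = parse_show_failover(text)
    failed = [h.role for h in hosts if h.state == "Failed"]
    return failed, failed_modules(hosts), link_down_interfaces(hosts)

if __name__ == "__main__":
    failed, modules, links = diagnose(SHOW_FAILOVER)
    print("Units in Failed state:", failed)
    for role, slot, model, status in modules:
        print(f"{role}: slot {slot} ({model}) is {status}, needs Up/Up "
              f"(the fix in this thread was 'sw-module module ips reload' on that unit)")
    print("Monitored interfaces with no link:", links)
```

Run against the posted output, the module check is what separates cause from symptom: the six No Link lines on the Primary are consistent with the unit having been taken out of service, while the single Up/Down slot is the condition that keeps it from returning to Standby Ready.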
05-07-2015 06:25 AM
Hi Marvin,
Thanks for the quick response, that has done the trick!
I overlooked the IPS as the issue as all the other interfaces were showing No Link (Waiting) and thought the issue was somewhere on the actual uplinks.
Makes sense that if the data plane is down, it won't do anything :)
Thanks again!