
ASA failover happening daily

ThomasCaapiCci
Level 1

Hi all,

 

I have 2 questions I hope you could help me with.

 

We have a 2-node active/passive ASA setup (ASA 5525 running OS 9.9(2)). It used to run stably, but now, for some reason, a failover happens every night at the same time.

 

1. It's always happening at 3:12 AM and I am wondering what could cause it.

 

2. We are also looking at upgrading the IOS to the latest stable version to address the latest CVEs (https://nvd.nist.gov/vuln/detail/CVE-2020-3452#match-5553983).

Could you let me know which versions we should use? (We use the ASA as a VPN concentrator for AnyConnect clients.)

 

I have checked the failover history. On the active node I see:

==========================================================================
From State                 To State                   Reason
==========================================================================
03:12:13 CEDT Jul 29 2020
Not Detected               Negotiation                No Error

03:12:39 CEDT Jul 29 2020
Negotiation                Cold Standby               Detected an Active mate

03:12:40 CEDT Jul 29 2020
Cold Standby               Sync Config                Detected an Active mate

03:12:53 CEDT Jul 29 2020
Sync Config                Sync File System           Detected an Active mate

03:12:53 CEDT Jul 29 2020
Sync File System           Bulk Sync                  Detected an Active mate

03:13:08 CEDT Jul 29 2020
Bulk Sync                  Standby Ready              Detected an Active mate

03:36:15 CEDT Jul 29 2020
Standby Ready              Just Active                HELLO not heard from mate

03:36:15 CEDT Jul 29 2020
Just Active                Active Drain               HELLO not heard from mate

03:36:15 CEDT Jul 29 2020
Active Drain               Active Applying Config     HELLO not heard from mate

03:36:15 CEDT Jul 29 2020
Active Applying Config     Active Config Applied      HELLO not heard from mate

03:36:15 CEDT Jul 29 2020
Active Config Applied      Active                     HELLO not heard from mate

==========================================================================

And on the passive node:

==========================================================================
From State                 To State                   Reason
==========================================================================
03:39:37 CEDT Jul 29 2020
Not Detected               Negotiation                No Error

03:40:03 CEDT Jul 29 2020
Negotiation                Cold Standby               Detected an Active mate

03:40:04 CEDT Jul 29 2020
Cold Standby               Sync Config                Detected an Active mate

03:40:17 CEDT Jul 29 2020
Sync Config                Sync File System           Detected an Active mate

03:40:17 CEDT Jul 29 2020
Sync File System           Bulk Sync                  Detected an Active mate

03:40:32 CEDT Jul 29 2020
Bulk Sync                  Standby Ready              Detected an Active mate

==========================================================================
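As an added example (not part of this thread, and not Cisco code), here is a small Python parser for the flattened "show failover history" text quoted above. It assumes the layout shown in the post (a timestamp line followed by a "from state / to state / reason" line) and splits the transition line by matching the state names that appear in the output, since several of them contain spaces and plain whitespace splitting gets them wrong. The active-node history from the post is embedded as sample input, together with a constructed second-day block (not from the thread) so the time-of-day check has two dates to compare.

```python
"""Summarise Cisco ASA 'show failover history' output (added example).

Not Cisco code and not from the thread. Assumes the flattened layout in the
post: a "HH:MM:SS TZ Mon DD YYYY" line, then "<from state> <to state> <reason>".
"""
import re
from datetime import datetime

# Failover state names seen in ASA history. Several contain spaces, so the
# transition line is split by matching the longest known name first.
STATES = sorted((
    "Not Detected", "Negotiation", "Cold Standby", "Sync Config",
    "Sync File System", "Bulk Sync", "Standby Ready", "Just Active",
    "Active Drain", "Active Applying Config", "Active Config Applied", "Active",
), key=len, reverse=True)
TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) [A-Z]{3,5} ([A-Z][a-z]{2} \d{1,2} \d{4})$")

def _take_state(text):
    """Return (state, remainder), matching the longest known state name."""
    for state in STATES:
        if text == state:
            return state, ""
        if text.startswith(state + " "):
            return state, text[len(state) + 1:]
    raise ValueError(f"no known failover state at start of: {text!r}")

def parse_history(text):
    """Return a list of {time, from, to, reason} records."""
    events, stamp = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        m = TS_RE.match(line)
        if m:  # time zone name dropped: one unit logs in one zone
            stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")
            continue
        if stamp is None:
            continue  # column header "From State To State Reason"
        src, rest = _take_state(line)
        dst, reason = _take_state(rest)
        events.append({"time": stamp, "from": src, "to": dst, "reason": reason})
        stamp = None
    return events

def takeovers(events):
    """Transitions in which this unit finished becoming Active."""
    return [e for e in events if e["to"] == "Active"]

def restart_pattern(events):
    """Per HH:MM, count distinct dates on which the unit entered Negotiation
    from 'Not Detected'; a nightly event appears as one time with count == days."""
    days = {}
    for e in events:
        if e["from"] == "Not Detected" and e["to"] == "Negotiation":
            days.setdefault(e["time"].strftime("%H:%M"), set()).add(e["time"].date())
    return {minute: len(d) for minute, d in days.items()}

# Active-node history exactly as quoted in the post (Jul 29 2020).
PAGE_ACTIVE_HISTORY = """\
From State To State Reason
==========================================================================
03:12:13 CEDT Jul 29 2020
Not Detected Negotiation No Error
03:12:39 CEDT Jul 29 2020
Negotiation Cold Standby Detected an Active mate
03:12:40 CEDT Jul 29 2020
Cold Standby Sync Config Detected an Active mate
03:12:53 CEDT Jul 29 2020
Sync Config Sync File System Detected an Active mate
03:12:53 CEDT Jul 29 2020
Sync File System Bulk Sync Detected an Active mate
03:13:08 CEDT Jul 29 2020
Bulk Sync Standby Ready Detected an Active mate
03:36:15 CEDT Jul 29 2020
Standby Ready Just Active HELLO not heard from mate
03:36:15 CEDT Jul 29 2020
Just Active Active Drain HELLO not heard from mate
03:36:15 CEDT Jul 29 2020
Active Drain Active Applying Config HELLO not heard from mate
03:36:15 CEDT Jul 29 2020
Active Applying Config Active Config Applied HELLO not heard from mate
03:36:15 CEDT Jul 29 2020
Active Config Applied Active HELLO not heard from mate
"""

# Constructed (not from the thread): an abbreviated next-day block, so the
# time-of-day check has two dates to compare.
CONSTRUCTED_NEXT_DAY = """\
03:12:10 CEDT Jul 30 2020
Not Detected Negotiation No Error
03:35:50 CEDT Jul 30 2020
Standby Ready Just Active HELLO not heard from mate
"""

if __name__ == "__main__":
    ev = parse_history(PAGE_ACTIVE_HISTORY + CONSTRUCTED_NEXT_DAY)
    print("re-entered negotiation at:", restart_pattern(ev))
    for e in takeovers(ev):
        print(e["time"], "became Active:", e["reason"])
```

Run on the quoted history, the block reports that the unit re-entered negotiation from "Not Detected" at 03:12 and became Active at 03:36:15 with reason "HELLO not heard from mate". Producing the same summary from both units, and lining it up with each unit's own syslog and the switch logs for that minute, shows which unit dropped out first and how long the standby took to resync, which is the first thing worth knowing before deciding between a switch-side cause and an ASA bug.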

 

Accepted Solution

Hi,

It sounds like it could potentially be a bug. Have you checked the other directly connected switches to determine if there is an issue there?

 

As you are using your ASA for Remote Access VPN, I'd recommend upgrading to 9.12.3, as with version 9.10 and above Cisco introduced new features to optimise performance for RAVPN. Also ensure you are running AnyConnect 4.7 or higher to get the best performance.

 

ASA RAVPN Best Practice guide:

https://community.cisco.com/t5/security-documents/asa-best-practices-for-remote-access-vpn-performance/ta-p/4070579

 

You can directly upgrade from your existing version to 9.12, without an interim upgrade.

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#id_58680

 

HTH


3 Replies


Thanks Rob, so the version you advise to upgrade to directly would be asa9-12-3-12-smp-k8.bin?

 

I can connect to the switches the ASA is connected to, but do you have any clue what I should look for on the switches?

Yes, that's the latest gold star recommended version.

Check the logs of the switches to determine whether there are any errors on the switch which could have a knock-on effect on the ASA. There may not be any, but rule everything else out before upgrading the ASA.

You could also log a TAC call, though they would probably recommend upgrading the ASA.