07-29-2020 12:35 AM
Hi all,
I have 2 questions I hope you could help me with.
We have a 2-node active/passive ASA setup (ASA 5525 running OS 9.9(2)). It used to run stable, but now for some reason there is a failover happening every night at the same time.
1. It's always happening at 3:12 AM and I am wondering what could cause it.
2. We are also looking at upgrading the IOS to the latest stable version to address the latest CVEs (https://nvd.nist.gov/vuln/detail/CVE-2020-3452#match-5553983)
Could you let me know which versions we should use? (We use the ASA as a VPN concentrator for AnyConnect clients.)
I have checked the failover history, on the active node I see:
==========================================================================
From State                 To State                   Reason
==========================================================================
03:12:13 CEDT Jul 29 2020
Not Detected               Negotiation                No Error
03:12:39 CEDT Jul 29 2020
Negotiation                Cold Standby               Detected an Active mate
03:12:40 CEDT Jul 29 2020
Cold Standby               Sync Config                Detected an Active mate
03:12:53 CEDT Jul 29 2020
Sync Config                Sync File System           Detected an Active mate
03:12:53 CEDT Jul 29 2020
Sync File System           Bulk Sync                  Detected an Active mate
03:13:08 CEDT Jul 29 2020
Bulk Sync                  Standby Ready              Detected an Active mate
03:36:15 CEDT Jul 29 2020
Standby Ready              Just Active                HELLO not heard from mate
03:36:15 CEDT Jul 29 2020
Just Active                Active Drain               HELLO not heard from mate
03:36:15 CEDT Jul 29 2020
Active Drain               Active Applying Config     HELLO not heard from mate
03:36:15 CEDT Jul 29 2020
Active Applying Config     Active Config Applied      HELLO not heard from mate
03:36:15 CEDT Jul 29 2020
Active Config Applied      Active                     HELLO not heard from mate
==========================================================================
And on the passive node
==========================================================================
From State                 To State                   Reason
==========================================================================
03:39:37 CEDT Jul 29 2020
Not Detected               Negotiation                No Error
03:40:03 CEDT Jul 29 2020
Negotiation                Cold Standby               Detected an Active mate
03:40:04 CEDT Jul 29 2020
Cold Standby               Sync Config                Detected an Active mate
03:40:17 CEDT Jul 29 2020
Sync Config                Sync File System           Detected an Active mate
03:40:17 CEDT Jul 29 2020
Sync File System           Bulk Sync                  Detected an Active mate
03:40:32 CEDT Jul 29 2020
Bulk Sync                  Standby Ready              Detected an Active mate
==========================================================================
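An added example, not part of the original post: a small parser for failover history output in the layout shown above, which pulls out the rows needed to line up both units' timelines night after night. The sample input is constructed from rows in the post, and the names `parse_history` and `key_events` are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the column layout of the failover history output
# (columns separated by two or more spaces), reusing rows from the post.
SAMPLE = """\
==========================================================================
From State                 To State                   Reason
==========================================================================
03:12:13 CEDT Jul 29 2020
Not Detected               Negotiation                No Error
03:13:08 CEDT Jul 29 2020
Bulk Sync                  Standby Ready              Detected an Active mate
03:36:15 CEDT Jul 29 2020
Standby Ready              Just Active                HELLO not heard from mate
03:36:15 CEDT Jul 29 2020
Just Active                Active Drain               HELLO not heard from mate
==========================================================================
"""

# Timestamp line: time, zone label, date. The zone label is left out of the
# datetime because labels such as CEDT are not parseable by strptime.
TS = re.compile(r"^(\d\d:\d\d:\d\d) \S+ (\w{3} +\d{1,2} \d{4})$")

def parse_history(text):
    """Return [(datetime, from_state, to_state, reason), ...]."""
    events, stamp = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TS.match(line)
        if m:
            stamp = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%b %d %Y %H:%M:%S")
            continue
        cols = re.split(r"\s{2,}", line)
        if stamp and len(cols) == 3:      # header row has no preceding timestamp
            events.append((stamp, *cols))
            stamp = None
    return events

def key_events(events):
    """Keep the rows that matter when correlating nightly failovers."""
    picked = []
    for ts, src, dst, reason in events:
        if (src, dst) == ("Not Detected", "Negotiation"):
            # This unit (re)entered failover negotiation.
            picked.append((ts.strftime("%H:%M:%S"), "negotiation_start", reason))
        elif dst == "Just Active":
            # This unit took over the active role; the reason says why.
            picked.append((ts.strftime("%H:%M:%S"), "takeover", reason))
    return picked
```

Running `key_events(parse_history(...))` on the history saved from each unit every morning gives a short list of times and reasons that can be compared with switch logs and scheduled jobs around the same minute.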
07-29-2020 12:45 AM
Hi,
It sounds like it could potentially be a bug. Have you checked the other directly connected switches to determine if there is an issue there?
As you are using your ASA for Remote Access VPN, I'd recommend upgrading to 9.12.3, as with version 9.10 and above Cisco introduced new features to optimise performance for RAVPN. Also ensure you are running AnyConnect 4.7 or higher to get the best performance.
ASA RAVPN Best Practice guide:-
You can directly upgrade from your existing version to 9.12, without an interim upgrade.
https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#id_58680
HTH
07-29-2020 12:57 AM
Thanks Rob, so the version you advise to upgrade to directly would be asa9-12-3-12-smp-k8.bin?
I can connect to the switches the ASA is connected to, but do you have any clue what I should look for on the switches?
07-29-2020 01:03 AM