ASA Failover issue with SFR installed.
12-02-2016 03:57 AM - edited 03-12-2019 01:36 AM
Hello Experts,
I have two ASA 5545-X boxes installed and both boxes have the SFR module installed, though the license has expired and we are going to renew it soon. Both ASA boxes have multiple contexts and are a failover pair.
The issue I am having is that the firewall fails over with the reason below. I think the SFR module is having an issue and led to the failover. Can I remove this module from the failover configuration or shut down this module? Here is the configuration we have.
Failover reason:-
Just Active Active Drain Service card in other unit has failed
Sh failover
This host: Primary - Active
slot 0: ASA5545 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
slot 1: SFR5545 hw/sw rev (N/A/5.3.1-152) status (Up/Up)
Other host: Secondary - Standby Ready
slot 0: ASA5545 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
slot 1: SFR5545 hw/sw rev (N/A/5.3.1-155) status (Up/Up)
Sh run failover
failover
failover lan unit primary
failover lan interface failover Gi0/1.1
failover replication http
failover link statelink GigabitEthernet0/1.2
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
failover interface ip statelink 192.168.101.1 255.255.255.0 standby 192.168.101.2
Thanks for the help.
Regards
Pankaj
12-02-2016 04:48 AM
no monitor-interface service-module
should do the trick. Edit: This feature was introduced in version 9.3(1).
12-02-2016 05:02 AM
Thank you Iwen for the quick response. We have version 9.2(2)4, so I am not able to run this command. Can anything be done on the existing version?
12-02-2016 05:53 AM
Any particular reason that you can't or don't want to upgrade your firewall?
12-02-2016 08:15 AM
There is no particular reason; we have planned the upgrade for next year, but the module is failing frequently, almost twice a week. If we shut this module down and remove all the related configuration, i.e. the policy, will it still be monitored, and will the change be disruptive?
12-02-2016 08:48 AM
With these problems, I would definitely first shut down and uninstall FP, then upgrade the ASA to a suggested release and last reinstall the module. If all that doesn't help, you likely need to open a TAC case.
12-02-2016 01:09 PM
Pankaj,
What version are the SFR modules running? You should upgrade to the latest version and see if that will solve the issue. You should be able to do it without any service disruption.
Thanks,
Nenad
12-06-2016 06:40 AM
Hi Nenad,
We are using software version 5.3.1-152.
Thanks
Pankaj
12-06-2016 06:42 AM
As Marvin said, I would upgrade the FirePOWER modules. I ran into a couple of bugs with old versions. Thanks
12-06-2016 06:47 AM
Thank you experts, Nenad, Marvin, Iwen, for your valuable inputs and help. I think I should keep it shut down till the next upgrade.
Thanks
12-04-2016 03:18 AM
If you are using the FirePOWER (sfr) modules, you should definitely upgrade. You are running the very first version of ASA software that supported them and the very first version of FirePOWER software available on the ASA sfr module as well. There have been numerous upgrades and literally hundreds of bug fixes since those versions.
If you are not using them, then simply uninstall the modules. It's a simple non-disruptive (to the parent ASA) command. Do it on the standby unit first and then the active unit and it won't even trigger another failover. Your configurations will be lost unless you are using FirePOWER Management Center (previously known as FireSIGHT Management Center or Defense Center). In that case, all policies can be re-applied to the units once you have upgraded the software to a current stable release.
12-06-2016 06:44 AM
Thanks Marvin, yes, I agree we should upgrade the code now, and we have it in our plan for next year. When you say
"Your configurations will be lost unless you are using FirePOWER Management Center (previously known as FireSIGHT Management Center or Defense Center)."
which configuration are you referring to: only the SFR-related config, i.e. class map and service policy configuration, or the firewall configuration?
12-06-2016 07:55 AM
[@pankajm.bisht],
I was referring only to the FirePOWER policies on the modules themselves. Your base ASA policies would not be affected.
You would, of course, need to go into the ASA and remove any policy map that includes redirection to the module prior to uninstalling it.
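The order of operations described in this thread (remove the redirection first, then uninstall on the standby unit before the active unit), written out as an added example that is not part of the original posts. The context name `ctxA`, the policy map `global_policy`, the class name `sfr-class` and the `fail-open` keyword are assumptions; use whatever `show running-config policy-map` returns in each context.

```cisco
! Added example, not from the thread.
! ctxA, global_policy, sfr-class and fail-open are placeholder assumptions.

! 1. Active unit: in every context that redirects traffic to the module,
!    find and remove the sfr redirection (replicates to the standby).
changeto context ctxA
show running-config policy-map
configure terminal
 policy-map global_policy
  class sfr-class
   no sfr fail-open
end
show service-policy sfr
write memory

! 2. Standby unit, system execution space: stop and remove the module.
changeto system
sw-module module sfr shutdown
sw-module module sfr uninstall
show module sfr

! 3. Active unit, system execution space: repeat, then confirm that both
!    units report the same slot 1 state and the roles have not changed.
changeto system
sw-module module sfr shutdown
sw-module module sfr uninstall
show module sfr
show failover
```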
11-19-2018 01:38 PM
You can shut down the sfr module.
Please remember to select a correct answer and rate helpful posts
