
ASA Failover: Only one device detects the other (different chassis)

Cartesian
Community Member

I am trying to connect a pair of Cisco 4120 Firepowers, each running a single ASA in multiple context mode.  The Primary chassis is configured while the Secondary chassis has been wiped.

Following Sheraz.Salim's advice, I set logging console 7 on the Primary while trying to pair the devices.  I get the error message 'Mate has a different chassis', followed by both devices disabling failover.

The two devices are identical in every way I can find, except for this:  In the console command line of the Chassis Managers, running show fabric-interconnect detail yields the following:

Primary Chassis
Fabric Interconnect:
ID: A
Product Name: Cisco FPR-4120-SUP
PID: FPR-4120-SUP
VID: V07
...

Secondary Chassis
Fabric Interconnect:
ID: A
Product Name: Cisco FPR-4120-SUP
PID: FPR-4120-SUP
VID: V09
...

Is this actually a hardware limitation, that these two 4120s are incompatible with each other?  Or is there a firmware/configuration change I can make?  Or is the problem something else?  I can't find any other difference between the two devices.

//////////////
Original Post:

I'm trying to get a pair of ASAs to form a failover pair.  When I enable failover, the secondary says 'Detected an Active mate' but the primary says 'no Active mate detected'.

I've gradually eliminated possible problems until there's not much left.  The devices have the same firmware version and are directly connected to each other on the bench, and I just tried a write erase on the secondary and entered ONLY the failover commands.  Both devices have been able to ping each other's failover IPs throughout the process.

Primary
failover lan unit primary
failover lan interface ha-failover Ethernet1/7
failover link state-failover Ethernet1/8
failover interface-ip ha-failover [address] 255.255.255.252 standby [next address]
failover interface-ip state-failover [address] 255.255.255.252 standby [next address]
no failover wait-disable

Secondary
failover lan unit secondary
failover lan interface ha-failover Ethernet1/7
failover link state-failover Ethernet1/8
failover interface-ip ha-failover [address] 255.255.255.252 standby [next address]
failover interface-ip state-failover [address] 255.255.255.252 standby [next address]
no failover wait-disable

The Primary was previously connected to a different Standby ASA.  It was not wiped but had some configs changed.  When I go into it and type no failover, followed by failover, the Secondary repeats its message of 'Detected an Active mate' followed by the Primary saying 'no Active mate detected'.  Any ideas what could be causing this?

2 Replies

Model? Software version? Why don't you just erase the standby ASA? Maybe I'm not following.

Sheraz.Salim
VIP Alumni

I guess these firewalls are in a production network, therefore take extra care when you are doing configuration/changes on these appliances. I noted you mentioned both firewalls are running the same firmware/software version. Also, please confirm if these appliances are on the same model version and same spec (like same network cards etc.). Just a side note: even if your firewalls are running different versions of software, as long as they have the same hardware spec on both sides HA will form up. However, you will get the notification that the software is mismatched.

I also noted they are connected directly to each other. Could you please enable logging to the console on one of the ASAs and check what message you get when you are forming the HA pair? Your configuration is correct.

Please do not forget to rate.