Hi,

In addition to Ajay , I think this command would tell you the exact interface name because of which the Fail-over might have occurred:-

show failover state

Check this on both the devices and it will show past events until and unless the device has been rebooted.

Thanks and Regards,

Vibhor Amrodia

Vibhor / Ajay

The failover happened again, according to the show failover history command the issue was the cxsc module again. As you told me on previous comments it is just a software module, is it enough if I just reload the complete hardware? I have read in other discussions that reseating the older hardware modules is enough. According to the show failover command the module took such as one minute in showing the UP status again. Look at the next outputs:

Asa(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FOLINK GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 316 maximum
Version: Ours 9.1(3), Mate 9.1(3)
Last Failover at: 09:45:32 GMT Jan 2 2015
        This host: Secondary - Active
                Active time: 191 (sec)
                slot 0: ASA5545 hw/sw rev (1.0/9.1(3)) status (Up Sys)
                  Interface OUTSIDE (192.168.1.2): Normal (Waiting)
                  Interface INSIDE (192.168.1.9): Normal (Waiting)
                  Interface DMZ (0.0.0.0): No Link (Waiting)
                slot 1: CXSC5545 hw/sw rev (N/A/9.2.1.1) status (Up/Up)
                  ASA CX, 9.2.1.1, Up
        Other host: Primary - Failed
                Active time: 796669 (sec)
                slot 0: ASA5545 hw/sw rev (1.0/9.1(3)) status (Up Sys)
                  Interface OUTSIDE (0.0.0.0): Unknown (Waiting)
                  Interface INSIDE (0.0.0.0): Unknown (Waiting)
                  Interface DMZ (0.0.0.0): No Link (Waiting)
                slot 1: CXSC5545 hw/sw rev (N/A/9.2.1.1) status (Unresponsive/Up)
                  ASA CX, 9.2.1.1, Not Applicable
             
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
             
Asa(config)#

---------------------------------------------------------------------------------------------------------------------

Asa(config)# show fai history
==========================================================================
From State                 To State                   Reason
==========================================================================

09:45:32 GMT Jan 2 2015
Standby Ready              Just Active                Service card in other unit has failed

09:45:32 GMT Jan 2 2015
Just Active                Active Drain               Service card in other unit has failed

09:45:32 GMT Jan 2 2015
Active Drain               Active Applying Config     Service card in other unit has failed

09:45:32 GMT Jan 2 2015
Active Applying Config     Active Config Applied      Service card in other unit has failed

09:45:32 GMT Jan 2 2015
Active Config Applied      Active                     Service card in other unit has failed

==========================================================================
Asa(config)# 

-------------------------------------------------------------------------------------------------------------------

After such as one minute, the module that had failed on the Primary unit showed the UP status, and the unit changed to the Standby Ready Status:

Asa(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FOLINK GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 316 maximum
Version: Ours 9.1(3), Mate 9.1(3)
Last Failover at: 09:45:32 GMT Jan 2 2015
        This host: Secondary - Active
                Active time: 266 (sec)
                slot 0: ASA5545 hw/sw rev (1.0/9.1(3)) status (Up Sys)
                  Interface OUTSIDE (192.168.10.2): Normal (Waiting)
                  Interface INSIDE (192.168.10.9): Normal (Waiting)
                  Interface DMZ (0.0.0.0): No Link (Waiting)
                slot 1: CXSC5545 hw/sw rev (N/A/9.2.1.1) status (Up/Up)
                  ASA CX, 9.2.1.1, Up
        Other host: Primary - Standby Ready
                Active time: 796669 (sec)
                slot 0: ASA5545 hw/sw rev (1.0/9.1(3)) status (Up Sys)
                  Interface OUTSIDE (0.0.0.0): Unknown (Waiting)
                  Interface INSIDE (0.0.0.0): Unknown (Waiting)
                  Interface DMZ (0.0.0.0): No Link (Waiting)
                slot 1: CXSC5545 hw/sw rev (N/A/9.2.1.1) status (Up/Up)
                  ASA CX, 9.2.1.1, Up
             
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
             
Asa(config)#

Best Regards!

Hi,

If the CX is causing random Fail-over events on the HA pair , Check this Defect:- https://tools.cisco.com/bugsearch/bug/CSCun48868/?reffering_site=dumpcr

Thanks and Regards,

Vibhor Amrodia

Thank´s for the answer Vibhor,

This is exactly the behavior of the ASA. According to the next release notes this issue was fixed on the release 9.1(5).

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-751147

I will perform the upgrade of this failover pair on this weekend. Just one more thing, would you suggest me how to perform an upgrade of a failover pair?

I mean, should I stop the failover process between these devices, perform upgrades and then restablish the failover?

Regards!

Hi,

I have been facing the same issue with even 9.1(5) also. 

Anybody know the solution. Kindly help.

Thanks in advance.

Thanks and regards,

Ashok Kumar S.

Hi Ashok,

Would it be possible if you can open a separate post and provide some outputs from the ASA device which would help us understand the issue ?

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Thank you for your reply. I have opened new discussion and updated show fail output.

Thanks and regards,

Ashok Kumar S.

Thank´s for the answer Vibhor,

I will keep monitoring the state of the cxsc module, in this moment it shows an UP status.

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc ASA CX                         Up               9.2.1.1

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable        
 ips Unresponsive       Not Applicable        
cxsc Up                 Up                    

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual     

Getting back to the ouput of the show failover history command, the event of 03:25:03 GMT Dec 24 2014 about changing from Active to Standby Ready because Other unit wants me Standby.

Does it mean that someone entered the command no failover active?

Regards!

Thank´s for the answer Ajay,

I will keep monitoring the cxsc software module. About the commando you suggested me to issue, the show monitor-interface, It show the next output:

# show monitor-interface 
        This host: Primary - Active 
                Interface OUTSIDE (192.168.10.2): Unknown (Waiting)
                Interface INSIDE (192.168.10.9): Unknown (Waiting)
                Interface DMZ (0.0.0.0): No Link (Waiting)
        Other host: Secondary - Standby Ready 
                Interface OUTSIDE (0.0.0.0): Normal (Waiting)
                Interface INSIDE (0.0.0.0): Normal (Waiting)
                Interface DMZ (0.0.0.0): No Link (Waiting)

The interfaces of the Primary-Active device show an "Unknown" state, is it a good sign?

Regards!