ASA Failover pair Active/Standby

S.ashok S · ‎03-30-2015

Hi,

Two days ago I had a problem with secondary unit in the ASA HA. The problem is because of the CX module failed in the secondary unit (service module failed) showing the standby unit failed in the "show fail" output.

Just I reloaded CX module in the secondary unit and then it was working fine.

Now the same problem facing in Active unit. Kindly find the show fail output below. we are running ASA 5.1(5) in ASA and 9.3.2.1 system image in CX module.

SOC-FW# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: fail-1 GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 6 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
Version: Ours 9.1(5), Mate 9.1(5)
Last Failover at: 03:54:49 IST Mar 28 2015
This host: Secondary - Active
Active time: 206373 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
Interface OUTSIDE (112.133.222.218): Normal (Monitored)
Interface INSIDE (10.0.60.1): Normal (Monitored)
Interface DMZ_1 (10.0.40.1): Normal (Monitored)
Interface DMZ_2 (10.0.50.1): Normal (Monitored)
Interface management (172.16.10.49): Normal (Not-Monitored)
slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Up)
ASA CX, 9.3.2.1, Up
Other host: Primary - Failed
Active time: 326213 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
Interface OUTSIDE (112.133.222.219): Normal (Monitored)
Interface INSIDE (10.0.60.2): Normal (Monitored)
Interface DMZ_1 (10.0.40.2): Normal (Monitored)
Interface DMZ_2 (10.0.50.2): Normal (Monitored)
Interface management (172.16.10.50): Normal (Not-Monitored)
slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Down)
ASA CX, 9.3.2.1, Up

Kindly help if anybody have the solution.

Thanks in advance.

Thanks and regards,

Ashok Kumar S.

S.ashok S · ‎03-30-2015

Hi,

Running 9.1(5) typo error in previous mail.

Thanks and regards,

Ashok Kumar S.

S.ashok S · ‎03-30-2015

Hi,

I have observed that the blow in both CX modules.

Present active unit: slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Up)

Present failed unit: slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Down)

Thanks and regards,

Ashok Kumar S.

Vibhor Amrodia · ‎03-30-2015

Hi,

Thank you for opening a separate thread. This seems to be the issue with the DATA plane going down on the CX module and causing the fail-over event.

Were there any configuration / updates etc done on the CX which caused this ?

I think this might require some diagnostics log analysis on the CX and so i would request you to open a Cisco TAC case.

If you want you can send the diagnostic from the CX to my email address and i can check the issue if possible. (vamrodia@cisco.com)

Thanks and Regards,

Vibhor Amrodia

S.ashok S · ‎03-30-2015

Hi Vibhor,

Thank you for your mail. We have applied only default IPS signatures on.

Kindly find the support diagnostics from the running ASA-CX module in the attachment.

Last time we had the problem in this ASA because of the CX module.Unable to get the diagnostic file from the CX module which is having problem now.

Request you to help to resolve the issue.

Thanks and regards,

Ashok Kumar S.

Vibhor Amrodia · ‎04-02-2015

Hi,

Would you be able to open a TAC. As i some different problems in this output and we would need more outputs on this issue ?

Let me know once you open a TAC

Thanks and Regards,

Vibhor Amrodia

S.ashok S · ‎04-10-2015

Hi Vibhor,

I have opened a case, TAC engineer reloaded the failed CX module and asked CX logs when the issue happens again. The device is under monitoring and not get the same issue again to collect logs till now.

Thanks and regards,

Ashok