ASA Failover, Primary becomes secondary but stays active

richyvrlimited · ‎09-19-2024

I have a pair of FPR2130 running ASA code in HA. Everything looks configured OK to me, though obviously there's an issue somewhere! sho failover presents no errors.

I need to failover to compete a firmware upgrade, however when via the primary device I enter no failover active, rather than the secondary becoming the active device that happens is that the primary device becomes the secondary, but stays in an the active state.

What would cause this behaviour? I thought it may be because some interfaces don't have a seconday IP onfigured, so took those out of a monitoring state but it didn't resolve the issue.

Marvin Rhoads · ‎09-19-2024

"show failover state" to make sure what you are seeing matches the firewall's view of things. It helps to have your prompt set to show the priority (Primary or Secondary) and state (Active or Standby).

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/pr-pz-commands.html#wp3322671337

richyvrlimited · ‎09-19-2024

I already have those set, that's how I know the primary is staying active
but changing role to secondary when attempting a forced fail over

Cheers

MHM Cisco World · ‎09-20-2024

Then it was not healthy before you run command'

Check failover history

MHM

richyvrlimited · ‎09-20-2024

I'm not sure what the issue is thoough as everything lkooks ok and pretty similar to other HA configs I've done on ASA's before.

Below is a cut and paste of the failover history. I note it does state standby ready but then pretty quickly goes abck to the active state

18:02:31 UTC Sep 15 2024
Active Standby Ready Set by the config command
(no failover active)

18:02:56 UTC Sep 15 2024
Standby Ready Just Active Other unit wants me Active
(Set by the config command)

18:02:57 UTC Sep 15 2024
Just Active Active Drain Other unit wants me Active
(Set by the config command)

18:02:57 UTC Sep 15 2024
Active Drain Active Applying Config Other unit wants me Active
(Set by the config command)

18:02:57 UTC Sep 15 2024
Active Applying Config Active Config Applied Other unit wants me Active
(Set by the config command)

18:02:57 UTC Sep 15 2024
Active Config Applied Active Other unit wants me Active
(Set by the config command)

Sheraz.Salim · ‎09-20-2024

Based on the information provided, it seems there may be an issue with the failover configuration or communication between the two FPR2130 devices running ASA code in high availability. Here are some potential causes and troubleshooting steps to consider you can look into.

Interface monitoring: Even though you disabled monitoring on some interfaces without secondary IPs, there could still be issues with other monitored interfaces.

Failover link problems: The dedicated failover link may have connectivity or configuration issues.

Configuration sync problems: The configurations may not be properly synchronized between the two units.

Troubleshooting -Verify failover status: Run "show failover" and "show failover state" on both units to compare their views of the HA setup.
Check interface status: Use "show interface" to ensure all interfaces are up and properly configured on both units. Examine failover link: Verify the failover link is up and configured correctly using "show failover interface". Test connectivity: Try pinging between the two units on their failover link and other interfaces.

if possible could you show the output of these command show run failover from both units and show run monitor interfaces

please do not forget to rate.