08-07-2019 04:28 AM
Hello,
I have an active/active pair of ASA with context enabled.
Suddenly, the failover switched to the secondary and then back to the primary.
From show failover state, I see that the reason was "comm failure" on the primary.
The failover cable is directly connected to each FW.
How could I determine why the failover occurred?
Could it be a SW or HW issue?
Thanks and regards,
Konstantinos
08-07-2019 06:29 AM
Hi,
Can you post a show failover state and show failover history output from the primary/active FW?
08-07-2019 06:39 AM
FW/pri/act# sh failover history
==========================================================================
Group From State To State Reason
==========================================================================
16:17:43 EEST Aug 5 2019
1 Sync File System Bulk Sync Detected an Active mate
16:17:57 EEST Aug 5 2019
2 Bulk Sync Standby Ready Detected an Active mate
16:17:57 EEST Aug 5 2019
1 Bulk Sync Standby Ready Detected an Active mate
16:20:20 EEST Aug 5 2019
0 Sync Config Sync File System Recovered from communication failure
16:20:20 EEST Aug 5 2019
0 Sync File System Bulk Sync Recovered from communication failure
16:20:21 EEST Aug 5 2019
1 Standby Ready Bulk Sync No Error
16:20:21 EEST Aug 5 2019
2 Standby Ready Bulk Sync No Error
16:20:21 EEST Aug 5 2019
0 Bulk Sync Standby Ready Recovered from communication failure
16:20:27 EEST Aug 5 2019
2 Bulk Sync Standby Ready No Error
16:20:37 EEST Aug 5 2019
1 Bulk Sync Standby Ready No Error
16:20:58 EEST Aug 5 2019
1 Standby Ready Just Active Failover state check
16:20:59 EEST Aug 5 2019
1 Just Active Active Drain Failover state check
16:20:59 EEST Aug 5 2019
1 Active Drain Active Applying Config Failover state check
16:20:59 EEST Aug 5 2019
1 Active Applying Config Active Config Applied Failover state check
16:20:59 EEST Aug 5 2019
1 Active Config Applied Active Failover state check
16:21:00 EEST Aug 5 2019
0 Standby Ready Just Active Failover state check
16:21:00 EEST Aug 5 2019
0 Just Active Active Drain Failover state check
16:21:00 EEST Aug 5 2019
0 Active Drain Active Applying Config Failover state check
16:21:00 EEST Aug 5 2019
0 Active Applying Config Active Config Applied Failover state check
16:21:00 EEST Aug 5 2019
0 Active Config Applied Active Failover state check
===================================================
sh failover state
State Last Failure Reason Date/Time
This host - Primary
Group 1 Active Comm Failure 16:16:24 EEST Aug 5 2019
Group 2 Standby Ready Comm Failure 16:16:24 EEST Aug 5 2019
Other host - Secondary
Group 1 Standby Ready None
Group 2 Active None
====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set
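An added example, not part of the original posts: a small Python parser for `show failover history` text in the collapsed form pasted above, which splits each row into group, from-state, to-state and reason and picks out the transitions attributed to a communication failure. The state-name list is an assumption taken only from the states visible in this thread, and the sample input is constructed from three rows of the output above.

```python
import re

# State names seen in this thread's output (assumption: not a complete ASA list).
# Sorted longest first so "Active Config Applied" is tried before "Active".
STATES = sorted(["Sync Config", "Sync File System", "Bulk Sync", "Standby Ready",
                 "Just Active", "Active Drain", "Active Applying Config",
                 "Active Config Applied", "Active"], key=len, reverse=True)

# Timestamp rows look like "16:20:20 EEST Aug 5 2019".
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2} \S+ \w{3} \d{1,2} \d{4}$")

def _take_state(text):
    """Split a leading state name off text; return (state, rest) or None."""
    for s in STATES:
        if text == s or text.startswith(s + " "):
            return s, text[len(s):].strip()
    return None

def parse_history(output):
    """Return a list of dicts: time, group, from_state, to_state, reason."""
    events, ts = [], None
    for line in output.splitlines():
        line = " ".join(line.split())        # collapse column padding
        if TS_RE.match(line):
            ts = line                        # applies to the rows that follow
            continue
        m = re.match(r"^(\d+) (.+)$", line)
        if not (m and ts):
            continue                         # header, rulers, prompts
        first = _take_state(m.group(2))
        second = _take_state(first[1]) if first else None
        if second:                           # rows with unknown states are skipped
            events.append({"time": ts, "group": int(m.group(1)), "from_state": first[0],
                           "to_state": second[0], "reason": second[1]})
    return events

def comm_failure_events(events):
    """Transitions whose reason mentions a communication failure."""
    return [e for e in events if "communication failure" in e["reason"].lower()]

# Constructed sample: three rows copied from the history posted above.
SAMPLE = """\
16:20:20 EEST Aug 5 2019
0 Sync Config Sync File System Recovered from communication failure
16:20:21 EEST Aug 5 2019
1 Standby Ready Bulk Sync No Error
16:20:59 EEST Aug 5 2019
1 Active Config Applied Active Failover state check
"""
```

Running `comm_failure_events(parse_history(text))` over the history from both units gives the timestamps to line up against syslog and interface counters for the failover link.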
08-07-2019 08:45 AM
08-07-2019 11:27 PM
Hello Mohammed,
I will have this point in mind for future deployments.
So right now I cannot tell which ASA failed. The management connection is a L2.
In failover state, only the active ASA shows comm failure. The secondary shows none.
All in all, there is no command in ASA with which I could determine where the actual failure occurred (hardware fault, software fault).
Regards,
Konstantinos
08-08-2019 06:08 PM
Hi,
Can you check for errors on the failover cable with a show interface g0/x?
Most of our active-standby FW deployments have a direct failover cable between them.
This will save switch ports and avoid design complexity and troubleshooting.
We have very few deployments via L2 switch or patch panels if the two FWs are in different racks.
08-08-2019 11:39 PM
Hello,
This is the output of the command
Interface Ethernet1/16 "", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
MAC address zzzz.zzzz.zzzz, MTU not set
IP address unassigned
Interface Ethernet1/16.4001 "FAILOVER", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
VLAN identifier 4001
Description: LAN Failover Interface
MAC address zzzz.zzzz.zzzz, MTU 1500
IP address xxx.xxx.xxx.xxx, subnet mask xxx.xxx.xxx.xxx
Interface Ethernet1/16.4002 "FOLINK", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
VLAN identifier 4002
Description: STATE Failover Interface
MAC address zzzz.zzzz.zzzz, MTU 1500
IP address xxx.xxx.xxx.xxx, subnet mask xxx.xxx.xxx.xxx
Is that of any help?
Regards,
Konstantinos
08-09-2019 07:15 AM
Not really. I think we would like to see the output of each member of the cluster on their HA interface.
https://www.tunnelsup.com/understanding-cisco-asa-interface-counters-and-statistics/
04-28-2022 06:43 AM
Hi bro
I have the same issue, failover history "Recovered from communication failure". How do I troubleshoot it?
The two units ping each other without any packet loss.
08-26-2019 12:21 AM
Hello,
We have enabled collection of logs and if anything appears we will examine it.
Thank you all for your help.
Regards,
Konstantinos
04-25-2022 03:32 AM
Hi Konstantinos
I have similar trouble with ASA. Do you recollect whether you got it resolved? If yes, can you please brief me how?
Regards
Hariz
04-28-2022 06:46 AM
Hi bro
I have the same too. Have you found any resolution?
05-19-2022 07:57 AM
Hi Jadon
It is not yet resolved. I'm still searching for the solution, please let me know if you find something.
05-21-2022 11:45 PM
Hi harizmthaha
I found a temporary solution. You can try increasing the HA poll time, interface time.
In my use case, the HA state comm failure was due to the HA pair losing communication, when the HA pair's communication lost packets.
06-12-2022 10:55 PM
Hi Jadon,
Thanks for letting me know. We have planned for a Rommon and IOS upgrade this week. I will update you if that permanently fixes this trouble.