Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1416
Views
10
Helpful
5
Replies

ASA FirePOWER module down

Go to solution
atsukane
Level 1
Level 1

‎08-02-2022 02:01 AM

Hi there,

We have an issue with one of the ASA FirePOWER modules.

On the active primary ASA unit the sfr module state is Up but Data Plane Status is Down. This module was showing Unresponsive 10 mionutes earlier while I was looking and came back up without any intervention, not sure why.

The sfr module on the standby secondary ASA unit is showing Up/Up.

I'm planning on reloading the module with  sw-module module sfr reload, but wondered whether I need to failover the ASA first before doing so, or just putting the sfr to promiscuous mode is enough before reloading the module?

Please advise, and also please let me know if there are anything that I should be aware of before attempting to reload etc,.

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Up Down

Many thanks,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-02-2022 07:32 AM

If the primary ASA is active despite the module being up/down then you must have disabled monitoring of the module. Normally we would monitor this and then a failover event would occur automatically in the event of a fault.

So, in your case do a failover (after verifying that the secondary unit is in state Standby - Ready). Then you can reload primary unit's module (or ASA itself) at will.

View solution in original post

5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-02-2022 07:32 AM

If the primary ASA is active despite the module being up/down then you must have disabled monitoring of the module. Normally we would monitor this and then a failover event would occur automatically in the event of a fault.

So, in your case do a failover (after verifying that the secondary unit is in state Standby - Ready). Then you can reload primary unit's module (or ASA itself) at will.

Go to solution
atsukane
Level 1
Level 1
In response to Marvin Rhoads

‎08-02-2022 08:00 AM

Thank you @Marvin Rhoads 

I shall failover ASA first, then once the new standby (former primary/active) is in "standby-ready" i'll reload the module, and maybe ASA if needed. Then discuss with my senior why the monitoring on the module is disabled, maybe to avoid unnecessary failover.

Thanks again.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-02-2022 08:23 AM

Slight correction - check that it is Standby-Ready state BEFORE doing the failover. The manual failover should then cause it to switch to Active state.

Go to solution
atsukane
Level 1
Level 1

‎08-02-2022 08:27 AM

that makes sense.

0 Helpful

Go to solution
atsukane
Level 1
Level 1

‎08-03-2022 12:20 AM

Reloaded the module but as the it was showing Unresponsive, reloaded the ASA  as well but the module is still in Unresponsive state. Getting the below when running sfr debugs, suppose SFR isn't very well. Opened a support case.

 

DP SFR Msg: SFR flow handle was not populated, so not informing SFR about flow cleanup.

cp_connect: Connecting to card 1, socket 3, port 7000
cp_connect: Error - cp_connect() returned -1
cp_check_connection: handle -1, conflicts with connection 1 (-1)
cp_check_connection: handle -1, conflicts with connection 2 (-1)
cp_check_connection: handle -1, conflicts with connection 3 (-1)
cp_update_connection: Error updating connection_id 0

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card