
ASA Problem

Hi all,

I have the following problem:

After some hours, the primary ASA became unreachable on the Management interface and another interface, while it still answers pings on the other interfaces.

At the same time, it's impossible for me to log in via SSH and telnet, while before it was possible.

The secondary ASA becomes active and I can log in to it with SSH, but after some hours I have the same problem, and then I have two firewalls that don't work.

When I reboot both, they start working again.

Can you suggest which checks and troubleshooting I can do?

I don't have crashinfo.

The failover (when only one is working) shows the primary status as failed, but I'm not able to find out why.

Let me know

Best Regards

Carmine


Jennifer Halim
Cisco Employee

What version of ASA are you running?

How were the CPU and memory of the ASA when it's not responding (you might need to console in to check the status)?

Do you find anything in the logs that might tell you the reason?

Cisco Adaptive Security Appliance Software Version 9.0(1)

Device Manager Version 7.1(1)52 and CPU usage is 5%. In the logs I see only these errors:

FW-OPS-SUP(config)# sh logging asdm

6|Feb 24 2013 14:40:16|110002: Failed to locate egress interface for UDP from OUTSIDE:x.x.15.1/4445 to x.x.12.202/4445

6|Feb 24 2013 14:40:36|110002: Failed to locate egress interface for UDP from INSIDE:x.x.7.102/55196 to 1.1.1.1/53

6|Feb 24 2013 14:40:56|110002: Failed to locate egress interface for UDP from OUTSIDE:x.x.15.1/4444 to x.x.12.202/4444

3|Feb 24 2013 14:40:59|713902: IP = public address, Invalid packet detected!

3|Feb 24 2013 14:41:07|713902: IP = public address, Invalid packet detected!

3|Feb 24 2013 14:41:15|713902: IP = public address, Invalid packet detected!

The only debug that gives me an error message is:

debug fover cable

fover event trace on

FW-OPS-SUP(config)# fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

debug fover cable fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

ndebug fover cable odebug fover cable  debug fover cable fover_health_monitoring_thread: fover_lan_check() Failover LAN Check

fover_health_monitoring_thread: fover_lan_check() Possible mate failure

FW-OPS-SUP(config)# sh failover

Failover On

Failover unit Secondary

Failover LAN Interface: FAILOVER Ethernet0/2 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 5 of 110 maximum

failover replication http

Version: Ours 9.0(1), Mate 9.0(1)

Last Failover at: 13:05:10 UTC Feb 24 2013

    This host: Secondary - Active

        Active time: 7216 (sec)

        slot 0: ASA5510 hw/sw rev (2.0/9.0(1)) status (Up Sys)

          Interface OUTSIDE (x.x.s.5): Normal (Waiting)

          Interface VDDS (x.x.d.4): No Link (Waiting)

          Interface VIDEOSTREAMING (x.x.y.4): No Link (Waiting)

          Interface INSIDE (x.x.t.1): Normal (Waiting)

          Interface management (x.x.g.250): Normal (Waiting)

        slot 1: empty

    Other host: Primary - Failed

        Active time: 48300 (sec)

        slot 0: ASA5510 hw/sw rev (2.0/9.0(1)) status (Unknown/Unknown)

          Interface OUTSIDE (x.x.s.6): Unknown (Monitored)

          Interface VDDS (x.x.d.5): Unknown (Waiting)

          Interface VIDEOSTREAMING (x.x.y.5): Unknown (Waiting)

          Interface INSIDE (x.x.t.2): Unknown (Monitored)

          Interface management (x.x.g.251): Unknown (Monitored)

        slot 1: empty

Stateful Failover Logical Update Statistics

    Link : FAILOVER Ethernet0/2 (up)

    Stateful Obj     xmit       xerr       rcv        rerr     

    General        6418       0          31846      12080    

    sys cmd      6418       0          6415       0        

    up time      0          0          0          0        

    RPC services      0          0          0          0        

    TCP conn     0          0          464        0        

    UDP conn     0          0          23449      28       

    ARP tbl      0          0          1405       0        

    Xlate_Timeout      0          0          0          0        

    IPv6 ND tbl      0          0          0          0        

    VPN IKEv1 SA     0          0          23         0        

    VPN IKEv1 P2     0          0          89         0        

    VPN IKEv2 SA     0          0          0          0        

    VPN IKEv2 P2     0          0          0          0        

    VPN CTCP upd     0          0          0          0        

    VPN SDI upd     0          0          0          0        

    VPN DHCP upd     0          0          0          0        

    SIP Session     0          0          0          0        

    Route Session     0          0          0          12052    

    User-Identity     0          0          1          0        

    CTS SGTNAME     0          0          0          0        

    CTS PAC     0          0          0          0        

    TrustSec-SXP     0          0          0          0        

    IPv6 Route     0          0          0          0        

    Logical Update Queue Information

              Cur     Max     Total

    Recv Q:     0     17     100765

    Xmit Q:     0     1     6418

Thanks a lot

Carmine
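
As an added example (not part of the thread and not Cisco tooling), the `sh failover` output posted above can be triaged with a short script that lists a failed mate, interfaces that are not Normal, and stateful objects with non-zero error counters. The sample input is an excerpt of that output, and the function name `triage` is hypothetical.

```python
import re

# Constructed sample: excerpt of the "sh failover" output posted above.
SAMPLE = """\
    This host: Secondary - Active
        slot 0: ASA5510 hw/sw rev (2.0/9.0(1)) status (Up Sys)
          Interface OUTSIDE (x.x.s.5): Normal (Waiting)
          Interface VDDS (x.x.d.4): No Link (Waiting)
    Other host: Primary - Failed
        slot 0: ASA5510 hw/sw rev (2.0/9.0(1)) status (Unknown/Unknown)
          Interface OUTSIDE (x.x.s.6): Unknown (Monitored)
          Interface management (x.x.g.251): Unknown (Monitored)
Stateful Failover Logical Update Statistics
    Stateful Obj     xmit       xerr       rcv        rerr
    General        6418       0          31846      12080
    sys cmd      6418       0          6415       0
    UDP conn     0          0          23449      28
    Route Session     0          0          0          12052
"""

HOST = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*\((\w+)\)\s*$")
STAT = re.compile(r"^\s*(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def triage(text):
    """Return (hosts, findings) parsed from 'show failover' text."""
    hosts, findings, current = {}, [], None
    for line in text.splitlines():
        line = line.replace("<--- More --->", "")  # pager prompt residue
        if m := HOST.match(line):
            current = m.group(1).lower()
            hosts[current] = {"role": m.group(2), "state": m.group(3)}
            if "Failed" in m.group(3):
                findings.append(f"{current} host ({m.group(2)}) is {m.group(3)}")
        elif (m := IFACE.match(line)) and current:
            name, _ip, status, mon = m.groups()
            if status != "Normal":
                findings.append(f"{current} host {name}: {status} ({mon})")
        elif m := STAT.match(line):
            obj, xmit, xerr, rcv, rerr = m.group(1), *map(int, m.groups()[1:])
            if xerr or rerr:
                findings.append(f"stateful '{obj}': xerr={xerr} rerr={rerr} (rcv={rcv})")
    return hosts, findings

if __name__ == "__main__":
    for f in triage(SAMPLE)[1]:
        print(f)
```
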

Hi Carmine

I have had severe problems with 9.0(1)...mainly regarding NAT though...but maybe it's worth thinking about an upgrade to v9.1(1).

Ingo
