Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
693
Views
1
Helpful
4
Replies

ASA stops forwarding traffic

Go to solution
jfnk
Level 1
Level 1

‎10-01-2025 08:24 AM

Hi all

We have a pair of ASA5516-X devices, running as an active/standby pair. Several times a day, the active device will stop forwarding traffic so all users lose connectivity to all data, applications and services. There is no error message in the ASA log, and all networks remain up - that is to say it's still possible to connect to the ASA, and on the ASA you can verify that the Internet connection is still up and running - but the ASA simply stops forwarding traffic between networks. The failures do not occur after a set time, it is an intermittent (but too frequent) issue.

The fix is to switch the active ASA off (or do a reload) so the standby device takes over as active. Connectivity is restored but a few hours later the same happens and we repeat the process.

This is a problem we have had in the past but the devices have been stable since March, around the time we upgraded to 9.16(4)82. This weekend I upgrade to 9.16(4)85, as recommended, and the problem returned. We have rolled back to 9.16(4)82, but the problem remains.

I have a case open with TAC, but they don't have any immediate idea so it's just a case of gathering info when the problem happens (but can't spend long doing that as we need to restore the service qiuckly)

Anyone had a similar issue?

Thanks

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jfnk
Level 1
Level 1

‎10-03-2025 02:45 AM

Thanks for your replies.

We stopped forwarding traffic to the sfr module, and disabled the module itself, yesterday morning and I believe this has resolved the issue.

Pretty sure  had shut the module down in a previous attempt to resolve the same issue some months ago, but didn't remove the forwarding (no sfr fail-open) that time.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-01-2025 08:53 AM

What kind of traffic is this ASA processing?

When you have an issue, have you collected any Logs from the device?

show processes cpu-usage

show blocks

show perfmon

show conn count

show xlate count (if nat involved)

Also, check the troubleshooting guide :

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113185-asaperformance.html

When you failover, the issue is resolved, and at that time, the secondary becomes active (after some time, it also stops processing traffic).

Check on the connected switches, also any Logs, and check any interface drops

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
jfnk
Level 1
Level 1

‎10-03-2025 02:45 AM

Thanks for your replies.

We stopped forwarding traffic to the sfr module, and disabled the module itself, yesterday morning and I believe this has resolved the issue.

Pretty sure  had shut the module down in a previous attempt to resolve the same issue some months ago, but didn't remove the forwarding (no sfr fail-open) that time.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to jfnk

‎10-03-2025 03:10 AM

glad all good and resolved.

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card