02-15-2010 04:17 AM - edited 03-11-2019 10:09 AM
Hi Guys,
This morning I upgraded a failover-set of ASA-5520's from 8.2(1.11) to 8.2(2), by loading the new software onto flash on both devices, setting the boot parameter and reloading the standby-unit to 8.2(2).
The secondary unit boots 8.2(2), and I can verify by 'show failover' that it goes into 'standby ready'. So far, so good.
But when I tried to switch the active unit to the one running 8.2(2) by issuing 'no failover active' on the primary unit, something weird happened:
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=80,my=Standby Ready,peer=Standby Ready.
%ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Standby Ready.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Standby Ready.
%ASA-1-104001: (Secondary) Switching to ACTIVE - Other unit wants me Active. Primary unit switch reason: Set by the config command. .
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=200,op=10,my=Just Active,peer=Standby Ready.
%ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_active_fast.
%ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_active_fast.
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_FAST, my state Just Active, peer state Standby Ready.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=201,op=10,my=Active Drain,peer=Standby Ready.
%ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_active_drain.
%ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_active_drain.
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_DRAIN, my state Active Drain, peer state Standby Ready.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=202,op=10,my=Active Applying Config,peer=Standby Ready.
%ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_active_pre_config.
%ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_active_pre_config.
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_PRECONFIG, my state Active Applying Config, peer state Standby Ready.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=203,op=10,my=Active Config Applied,peer=Standby Ready.
%ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_active_post_config.
%ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_active_post_config.
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE_POSTCONFIG, my state Active Config Applied, peer state Standby Ready.
%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=204,op=10,my=Active,peer=Standby Ready.
%ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_active.
%ASA-6-720039: (VPN-Secondary) VPN failover client is transitioning to active state
%ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_active.
%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_ACTIVE, my state Active, peer state Standby Ready.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=130,my=Active,peer=Standby Ready.
%ASA-6-720027: (VPN-Secondary) HA status callback: My state Active.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Active, peer state Standby Ready.
%ASA-6-720027: (VPN-Primary) HA status callback: My state Standby Ready.
%ASA-1-105003: (Primary) Monitoring on interface inside waiting
%ASA-1-105003: (Primary) Monitoring on interface DMZ_Management waiting
%ASA-1-105003: (Primary) Monitoring on interface ISA_Outside waiting
%ASA-1-105003: (Primary) Monitoring on interface DMZ waiting
- The secondary unit (8.2.2) becomes active, but almost immediately reloads (either due to a crash or because the primary unit makes it?), making the primary unit go from standby again. This doesn't happen before I make the 8.2(2) unit active.
- Viewing the 'show failover history' on the primary unit (8.2(1.11)) tells me 'HELLO not heard from mate', indicating that the failover communication stops when the 8.2(2) unit goes active, perhaps because the secondary unit crashes when becoming active.
I've noticed some weird failover counters, when running 8.2(1.11) and 8.2(2):
Output from primary (8.2(1.11)) :
Stateful Failover Logical Update Statistics
Link : statefull GigabitEthernet0/3.702 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         4948752    0          7681       11
sys cmd         1269       0          1269       0
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        3625569    0          4289       5
UDP conn        1319661    0          2007       6
ARP tbl         1362       0          8          0
Xlate_Timeout   0          0          0          0
VPN IKE upd     317        0          0          0
VPN IPSEC upd   316        0          108        0
VPN CTCP upd    258        0          0          0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
SIP Session     0          0          0          0
Output from Secondary (8.2(2)) :
KBN-ASA01/pri/act# fail exec mate show fail | beg Stateful Failover Logical Up$
Stateful Failover Logical Update Statistics
Link : statefull GigabitEthernet0/3.702 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         8          0          14604      2434
sys cmd         8          0          8          0
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        0          0          9902       1894
UDP conn        0          0          4476       540
ARP tbl         0          0          68         0
Xlate_Timeout   0          0          0          0
VPN IKE upd     0          0          52         0
VPN IPSEC upd   0          0          52         0
VPN CTCP upd    0          0          46         0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
SIP Session     0          0          0          0
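An added example (not part of the original post, and not Cisco tooling): a small Python parser for the 'Stateful Failover Logical Update Statistics' table that computes the receive-error ratio (rerr / rcv) per object, so the counters of the two units can be compared side by side. The sample rows are copied from the secondary unit's output above; the function names and the 5% threshold are assumptions made for this illustration.

```python
import re

# Rows copied from the secondary unit's output in the post above.
SAMPLE = """\
Stateful Obj xmit xerr rcv rerr
General 8 0 14604 2434
sys cmd 8 0 8 0
TCP conn 0 0 9902 1894
UDP conn 0 0 4476 540
ARP tbl 0 0 68 0
VPN IKE upd 0 0 52 0
"""

# Object names contain spaces ("TCP conn"), so anchor on the four trailing integers.
ROW = re.compile(
    r"^\s*(?P<obj>\S.*?)\s+(?P<xmit>\d+)\s+(?P<xerr>\d+)\s+(?P<rcv>\d+)\s+(?P<rerr>\d+)\s*$"
)
FIELDS = ("xmit", "xerr", "rcv", "rerr")


def parse_failover_stats(text):
    """Return {object name: {xmit, xerr, rcv, rerr}} for every counter row."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # title, "Link :" and header lines do not end in four integers
            stats[m["obj"]] = {k: int(m[k]) for k in FIELDS}
    return stats


def receive_error_ratios(stats):
    """rerr / rcv per object; objects that received nothing are skipped."""
    return {o: c["rerr"] / c["rcv"] for o, c in stats.items() if c["rcv"] > 0}


def flag_objects(stats, threshold=0.05):
    """Objects whose receive-error ratio exceeds threshold (assumed value, tune locally)."""
    ratios = receive_error_ratios(stats)
    return sorted(o for o, r in ratios.items() if r > threshold)


if __name__ == "__main__":
    parsed = parse_failover_stats(SAMPLE)
    for obj, ratio in receive_error_ratios(parsed).items():
        print(f"{obj:<14} rerr/rcv = {ratio:.1%}")
    print("above threshold:", flag_objects(parsed))
```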
02-15-2010 08:36 AM
Could you send me the current show failover as well as the show failover history?
Can you also ping or check connectivity between the devices through the failover link?
02-15-2010 11:21 AM
02-15-2010 11:34 AM
This issue might be happening due to a bug, but I would like to check the show crashinfo from both units. I will try to find a related bug; in the meantime, get that info.
02-15-2010 12:03 PM
02-15-2010 12:35 PM
Hello,
Dude, I think that I have found the issue.
Bug:CSCtb27147
Try to disable SNMP and try again.
Let me know
02-15-2010 01:04 PM
I think you're right on!
After issuing the 'no snmp-server enable', I was able to do a failover without the 8.2(2) unit crashing on me. Approx. 10 seconds after I tried to re-enable SNMP, the ASA crashed (probably when some of the allowed servers SNMP polled the ASA).
So I'm thinking that it's very likely that the bug you're mentioning is what I'm seeing - Good spotted!
What do you recommend in terms of an upgrade path? (Kind of need 8.2(2) due to the new no-licensing of UC-mobility)
Regards
--
Lasse
02-15-2010 12:39 PM
Send me the related SNMP configuration on your ASA. But I'm sure that the issue is with SNMP.
02-15-2010 12:51 PM
Below is the SNMP-config:
----------------------------------------
KBN-ASA01/pri/act# sh run | inc snmp
snmp-server host inside 10.100.10.112 community *****
snmp-server host inside 10.100.10.119 community *****
snmp-server host inside 10.100.10.99 community *****
snmp-server host inside 10.100.2.140 community *****
snmp-server host inside 10.100.254.1 community *****
snmp-server host inside 10.100.254.3 poll community ***** version 2c
snmp-server host inside 10.100.3.14 community *****
snmp-server host inside 10.100.3.160 community *****
snmp-server host inside 10.100.3.44 trap community ***** version 2c
snmp-server host inside 10.100.3.50 trap community ***** version 2c
snmp-server location KBN-ASA01
snmp-server contact IT-Support
snmp-server community *****