ASA5515-X active/stand-by problems

Daniel Leonard
Level 1

Hi Experts!

I've successfully set up two ASA5515-X (both with 5515-IPS) in active/standby mode. When the primary ASA goes offline (failover testing), the standby ASA becomes active. So far so good.

When I test the following situation, 70% of the time I'm running into trouble.

1. Reload/power-fail the secondary ASA
2. A few seconds later, reload/power-fail the primary ASA

After doing this, the secondary ASA doesn't see an "active mate" and becomes the "active" ASA. The primary ASA also comes up in the "active" state and sees the standby ASA in the "failed" state!!

When I look in the secondary (now active) ASA I can see that the failover configuration is disabled!!

no failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/5
failover key *****
failover link failover GigabitEthernet0/5
failover interface ip failover 1.0.0.5 255.255.255.252 standby 1.0.0.6

When I configure the secondary ASA (via console) with the following commands, the secondary ASA comes back online in the "Standby Ready" state... problem solved ........

asa# conf t
asa(config)# failover

This is an undesirable and unstable failover situation! Both ASAs become active, which causes IP conflicts.

Within a few weeks I need to install these devices. Hopefully you can help me with this problem.

Device overview:

ASA5515-X software: 9.1(2)

ASDM: 7.1.3

ASA5515-IPS Software version:  7.2(1)E4

Please rate or mark answered for helpful posts.

Julio Carvajal
VIP Alumni

Hello Sr,

Certainly not expected at all,

So you reload the secondary box and when it comes up it sees itself as the active unit (even if the primary one is there acting as the active one) right ?

Can you share the show failover history (with the relevant information after the standby unit comes back up)?

Do you have logging enabled? Anything interesting in the logs at the time of the problem (level 1 messages)?

show failover events

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks!

"So you reload the secondary box and when it comes up it sees itself as the active unit (even if the primary one is there acting as the active one) right ?"

No, at that moment both of the ASAs were booting. Like I said, I reload the secondary ASA first and a few seconds later I reload the primary ASA. Then the problem arises.

When I reload the secondary ASA and the primary ASA stays active, then there is no problem at all.

thanks,

Niels


Hello,

Okay, now it's a little clearer.

You reboot the secondary ASA first, so it comes up first, but as soon as the other ASA has booted it should detect it.

So again, after both devices have booted up, can you share the output of the commands requested before?

All of them will be needed to move forward. I will also need the following command: show startup-config

If you do not want to publish your startup-config on this site, you could send it privately to my Cisco email address.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thank you for taking the time.

I just reproduced the problem to get the needed log files. I will send the configuration by mail, hopefully you can help me further with it.

To reproduce this problem I reloaded the standby ASA first, a few seconds later I reloaded the active ASA.

primary (normal active) ASA:

MS-DC-ASA02# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 114 maximum
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 19:40:20 CEDT Jun 2 2013
        This host: Primary - Active
                Active time: 1034 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.1(2)) status (Up Sys)
                  Interface outside (xx.xx.xx.xx): Normal (Not-Monitored)
                  Interface mngt-lan (172.16.251.6): Normal (Not-Monitored)
                  Interface internet-lan (172.16.255.65): Normal (Waiting)
                  Interface dmz-lan (172.16.255.97): Normal (Waiting)
                  Interface management (192.168.241.6): Normal (Not-Monitored)
                slot 1: IPS5515 hw/sw rev (N/A/7.2(1)E4) status (Up/Up)
                  IPS, 7.2(1)E4, Up
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.1(2)) status (Unknown/Unknown)
                  Interface outside (0.0.0.0): Unknown (Not-Monitored)
                  Interface mngt-lan (172.16.251.7): Unknown (Not-Monitored)
                  Interface internet-lan (172.16.255.66): Unknown (Waiting)
                  Interface dmz-lan (172.16.255.98): Unknown (Waiting)
                  Interface management (192.168.241.7): Unknown (Not-Monitored)
                slot 1: IPS5515 hw/sw rev (N/A/) status (Unknown/Unknown)

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          0          0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

MS-DC-ASA02# sh failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
19:40:15 CEDT Jun 2 2013
Not Detected               Negotiation                No Error
19:40:20 CEDT Jun 2 2013
Negotiation                Just Active                No Active unit found
19:40:20 CEDT Jun 2 2013
Just Active                Active Drain               No Active unit found
19:40:20 CEDT Jun 2 2013
Active Drain               Active Applying Config     No Active unit found
19:40:20 CEDT Jun 2 2013
Active Applying Config     Active Config Applied      No Active unit found
19:40:20 CEDT Jun 2 2013
Active Config Applied      Active                     No Active unit found
==========================================================================
MS-DC-ASA02#


Secondary (normal standby) ASA:

MS-DC-ASA02# sh failover
Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 114 maximum
MS-DC-ASA02#

MS-DC-ASA02# sh failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
19:39:49 CEDT Jun 2 2013
Not Detected               Negotiation                No Error
19:40:20 CEDT Jun 2 2013
Negotiation                Cold Standby               Detected an Active mate
19:40:22 CEDT Jun 2 2013
Cold Standby               Disabled                   HA state progression failed
==========================================================================
MS-DC-ASA02#

Below is the configuration I entered on the secondary (normal standby) ASA to make it work again.


MS-DC-ASA02(config)# failover
        Detected an Active mate
Beginning configuration replication from mate.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
ERROR: Failed to start client services
End configuration replication from mate.
MS-DC-ASA02(config)#

MS-DC-ASA02# sh failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
19:39:49 CEDT Jun 2 2013
Not Detected               Negotiation                No Error
19:40:20 CEDT Jun 2 2013
Negotiation                Cold Standby               Detected an Active mate
19:40:22 CEDT Jun 2 2013
Cold Standby               Disabled                   HA state progression failed
20:01:06 CEDT Jun 2 2013
Disabled                   Negotiation                Set by the config command
20:01:08 CEDT Jun 2 2013
Negotiation                Cold Standby               Detected an Active mate
20:01:09 CEDT Jun 2 2013
Cold Standby               Sync Config                Detected an Active mate
20:01:18 CEDT Jun 2 2013
Sync Config                Sync File System           Detected an Active mate
20:01:18 CEDT Jun 2 2013
Sync File System           Bulk Sync                  Detected an Active mate
20:01:32 CEDT Jun 2 2013
Bulk Sync                  Standby Ready              Detected an Active mate
==========================================================================
MS-DC-ASA02#

Thanks,

Niels

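The failure mode in the post above (secondary drops to "Disabled" with "HA state progression failed", failover shows Off, and the pair can end up dual-active) is exactly what a post-reboot health check should catch. The following is an added example, not code from the thread or from Cisco: it parses constructed samples modelled on the "sh failover" and "sh failover history" output shown above and reports those three conditions, so an operator can alarm on them instead of discovering the IP conflicts later. The sample text, function names and the finding strings are all my own construction.

```python
import re

# Constructed samples modelled on the thread's "sh failover" / "sh failover history" output
PRIMARY = """Failover On
Failover unit Primary
        This host: Primary - Active
        Other host: Secondary - Failed
"""
SECONDARY = """Failover Off (pseudo-Standby)
Failover unit Secondary
"""
SECONDARY_HISTORY = """19:40:20 CEDT Jun 2 2013
Negotiation                Cold Standby               Detected an Active mate
19:40:22 CEDT Jun 2 2013
Cold Standby               Disabled                   HA state progression failed
"""

def parse_failover(text):
    """Pull the enabled flag and this host's HA state out of 'show failover' output."""
    info = {"enabled": None, "this_state": None}
    for s in (l.strip() for l in text.splitlines()):
        if s.startswith("Failover On"):
            info["enabled"] = True
        elif s.startswith("Failover Off"):          # e.g. "Failover Off (pseudo-Standby)"
            info["enabled"] = False
        elif s.startswith("This host:"):            # "This host: Primary - Active"
            info["this_state"] = s.split("-")[-1].strip()
    return info

def parse_history(text):
    """Return (timestamp, from_state, to_state, reason) tuples from 'show failover history'."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    events = []
    for i in range(0, len(lines) - 1, 2):            # timestamp line, then transition line
        parts = re.split(r"\s{2,}", lines[i + 1])   # columns are separated by 2+ spaces
        if len(parts) == 3:
            events.append((lines[i], parts[0], parts[1], parts[2]))
    return events

def check_pair(primary_text, secondary_text, secondary_history):
    # Flag the conditions seen in the thread: dual-active, failover off, Disabled transition
    findings = []
    p, s = parse_failover(primary_text), parse_failover(secondary_text)
    if p["this_state"] == "Active" and s["this_state"] == "Active":
        findings.append("split-brain: both units report Active")
    for name, u in (("primary", p), ("secondary", s)):
        if u["enabled"] is False:
            findings.append(f"{name}: failover is disabled (needs 'failover' in config mode)")
    for ts, frm, to, reason in parse_history(secondary_history):
        if to == "Disabled":
            findings.append(f"secondary: {frm} -> Disabled at {ts} ({reason})")
    return findings
```

Feed it the real command output captured from both units after a reboot test; an empty findings list means the pair reached a sane state.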

Hello,

It looks like somehow, after rebooting the standby firewall, it does not keep the "failover" command.

I can't check the configuration in my Cisco account email until tomorrow (don't have access from home), so I will analyze it tomorrow, but interesting case man.

Glad to help on this one

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC