09-28-2011 10:47 AM - edited 03-11-2019 02:31 PM
Hi guys:
I got a problem with a Cisco ASA 5580 like two days ago and the device stopped working (there was a maintenance window and after that the device didn't work). Now we have received the RMA and we are trying to configure the failover so the new device gets the configuration from the one that is working.
But this is the message that I am getting:
Failover message decryption failure. Please make sure
both units have the same failover shared key and crypto license
or system is not out of memory
We already changed the shared key and crypto license but the failover is still down. Does anybody know what features the Cisco needs to activate to enable the failover?
Regards
09-28-2011 10:51 AM
Hi Luis,
Can you provide the following outputs from both the firewalls:
show run failover
show failover
show failover history
more system running-config | in failover
show version
This would help isolate it.
Thanks,
Varun
09-28-2011 10:52 AM
Do you need this from both devices?
09-28-2011 10:59 AM
Yes Luis, definitely, to compare the two configs.
Varun
09-28-2011 11:30 AM
Varun:
I already attached 2 txt files: the one that says Primary Unit is the ASA that is working fine, and the Secondary Unit is the one that we received from Cisco.
Regards
09-28-2011 11:45 AM
Hi Luis,
Some of the huge differences that I could see on the firewalls:
1.) Versions are different
Primary:
sat338a-asa5580-1# sh ver
Cisco Adaptive Security Appliance Software Version 8.1(2)
Device Manager Version 6.4(5)106
Compiled on Thu 09-Oct-08 10:28 by builders
System image file is "disk0:/asa812-smp-k8.bin"
Config file at boot was "startup-config"
Secondary:
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(4)4
Device Manager Version 6.4(5)106
Compiled on Thu 03-Mar-11 18:39 by builders
System image file is "disk0:/asa824-4-smp-k8.bin"
Config file at boot was "startup-config"
2.) Licenses
Primary:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 10000
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
Licensed Cores : 4
Secondary:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 10000
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Licensed Cores : 4
Botnet Traffic Filter : Disabled
3.) Failover keys:
Make sure both the units have the same failover keys configured. I saw that you did not get any output for the more system command I gave you. I'm sorry about that, the complete command is:
more system: running-config | in failover
Check the failover keys, they should be the same.
Make sure that on the RMA device, you have the version, license and failover keys exactly the same on both the units.
Thanks,
Varun
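The side-by-side comparison of the two "show version" outputs in the reply above can be scripted. The following is an added example, not code from the thread or from Cisco; parse_show_version and compare_units are hypothetical helper names, and the two inputs are constructed excerpts trimmed from the outputs quoted above.

```python
import re

# Constructed excerpts of "show version" output, trimmed from the two
# outputs quoted in this thread (only a few license rows are kept).
PRIMARY = """\
Cisco Adaptive Security Appliance Software Version 8.1(2)
Licensed features for this platform:
Failover : Active/Active
VPN-3DES-AES : Enabled
AnyConnect for Linksys phone : Disabled
"""
SECONDARY = """\
Cisco Adaptive Security Appliance Software Version 8.2(4)4
Licensed features for this platform:
Failover : Active/Active
VPN-3DES-AES : Enabled
Shared License : Disabled
Botnet Traffic Filter : Disabled
"""

def parse_show_version(text):
    """Return (software_version, {license_feature: value})."""
    m = re.search(r"Appliance Software Version (\S+)", text)
    version = m.group(1) if m else None
    features, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_table = True
        elif in_table and ":" in line:
            name, value = line.split(":", 1)
            features[name.strip()] = value.strip()
        elif in_table and not line.strip():
            break  # a blank line ends the license table
    return version, features

def compare_units(primary, secondary):
    """List the mismatches between two units' "show version" output."""
    (v1, f1), (v2, f2) = parse_show_version(primary), parse_show_version(secondary)
    diffs = []
    if v1 != v2:
        diffs.append(f"software version: primary={v1} secondary={v2}")
    for name in sorted(f1.keys() | f2.keys()):
        a, b = f1.get(name, "<absent>"), f2.get(name, "<absent>")
        if a != b:
            diffs.append(f"license {name}: primary={a} secondary={b}")
    return diffs

if __name__ == "__main__":
    print("\n".join(compare_units(PRIMARY, SECONDARY)))
```

An empty list means the software version and every license row match; the failover key itself still has to be checked separately on each unit.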