Cisco ASA 5525 9.7(1) 4 unable to access privileged mode & ASDM randomly.

Hi folks,

Recently got trouble with an ASA 5525 running OS 9.7(1)4 in multi-context mode and ACTIVE/STANDBY failover mode.
The issue is with the active unit.
Problem description:
I have a single user configured locally. I'm able to log in to the device, but after I try to access privileged mode, in 8 cases out of 10 I get access denied; in the rest of the cases it's OK. Also, when I'm finally logged in to privileged mode the ASA randomly kicks me out, with PuTTY saying "Network error: software caused connection abort".
The same situation happens when accessing the ASA via ASDM (sometimes it's OK, sometimes it doesn't allow it). This ASA keeps up the VPN by which I access the remote environment, and this VPN also drops once per ~20 minutes for 3-4 seconds.

The secondary unit is in "Cold Standby" mode and I do not have access to it to check what's going on.

I suspect it is some software issue, but in the release notes I didn't find anything similar, so maybe some of you guys might be familiar with such cases and could give some tips on how to proceed.

At the time of writing this post I was unable to access exec mode to display the running config, so once I log in I will provide it if necessary :)

Thanks in advance!

6 Replies

Marvin Rhoads
Hall of Fame

Is it possible that the HA pair is flipping which unit is active due to hardware or environment instability? If that is the case and one of the units isn't properly synced or set up, it could cause what you're experiencing.

When you are able to get in, try to get the output of "show failover" and "show failover history".

show failover 

Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.7(1)4, Mate 9.7(1)4
Serial Number: Ours XXXXXX, Mate Unknown
Last Failover at: 18:41:48 UTC Jun 18 2017
This host: Primary - Active
Active time: 834604 (sec)
slot 0: ASA5525 hw/sw rev (3.0/9.7(1)4) status (Up Sys)

Other host: Secondary - Cold Standby
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (3.0/9.7(1)4) status (Up Sys)


show failover history (see attachment, it's more user-friendly)



It's not seeing the mate at all according to the output. It could be that the system is "split brain" and that you are seeing intermittent connectivity due to the standby unit asserting the same IP address as the primary because of that.

The failover LAN interface is "up" but it might go via a switch vs. direct connect and show that condition.

That's just a theory based on what information I'm seeing thus far.

Can you get somebody on site to physically power off the mate (or perhaps log in to the upstream and downstream switches and disable the interfaces that connect to it)?

Marvin, 

the second firewall is pingable by its heartbeat IP address, so it's running.
Both units are connected to a switch and I don't see any ARP conflicts, etc. on it.

Btw, only next week will somebody be able to check it physically, so I wanted to discuss it here in the meantime.

Marvin, thanks for your attention and time!

Looks like failover is currently broken. Do NOT reboot the secondary with the interfaces plugged in (do leave the failover link running!) or you'll have a split brain situation.

Can you log in to the failover unit and enter a "show failover"?

No, I can't access the secondary unit.
I've already asked somebody who is locally in the datacenter to deal with that and configure failover correctly.
I hope that was exactly the cause of the issue.
