cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

228
Views
0
Helpful
5
Replies
Highlighted
Beginner

Cisco ASA 5585X Failover No Working

Hi all,

 

I issued the Failover Active on Standby ASA and No Failover Active on Active ASA but both ASA all cannot change the state. At the time after issuing this command, the SSH session on the ASA also drop and has to restart session again.

 

The two ASA now with the Secondary Set acts as Active and Primary Set acts as Standby.

Attach is the snapshot for the Failover state and configuration.

 

Please let me know what is the problem and how to resolve it? Thanks!

 

regards,

Tan Tang Suan

 

 

5 REPLIES 5
Highlighted
Hall of Fame Guru

Re: Cisco ASA 5585X Failover No Working

Are your command outputs edited? an ASA HA pair should both be showing the same hostname. We use the prompt to add the role and state.

If you connect with anything other than the unique management address, issuing "no failover active" is normally expected to disconnect your ssh session as the other unit will assume the configured address for all data plane interfaces.

Highlighted
Beginner

Re: Cisco ASA 5585X Failover No Working

Hi Marvin,

 

Thanks to your reply. Yes, the command outputs have been edited to show which one is primary and secondary. Now, the primary is on Standby and secondary is on Active.

Now even I issue command Failover active in the Standby ASA, the SSH session also drops.

From the Failover state, there is COMM ERROR in the Standby ASA. Is this shows abnormality on this Failover setup?

By the way, I have some logs in the Standby ASA, do you need it?

 

Thanks and regards,

Tangsuan Tan

Highlighted
Hall of Fame Guru

Re: Cisco ASA 5585X Failover No Working

Anytime you issue "failover active" from a unit that is not currently active it will assume the active role and change its dataplane interface address(es) accordingly. That will cause the current ssh session to be terminated (assuming you've ssh'd into a dataplane interface).

You should not have a "comm error". That most commonly indicates that the failover link connection is not active.

Highlighted
Beginner

Re: Cisco ASA 5585X Failover No Working

Hi Marvin,

 

I have done repeating 100 times ping on all the four failover IP address 10.1.1.2, 10.1.1.1, 10.2.1.1 and 10.2.1.2. The results are all smooth.

 

These two ASA are placed side by side in two different racks. The failover cable distance between them are short.

I copy and paste here the log for the Standby ASA which is having a lot of time of records I activae the "No failover active" on the Active ASA but it cannot succeed.

 

 

 

Please let me know any finding you can help on this problem.

 

Thanks and hope to hear you soon.

 

Jul 262:00:31 AM172.20.13.8 %ASA-5-111008: User 'enable_15' executed the 'no failover active' command.
Jul 262:00:32 AM172.20.13.8 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 172.20.13.6, executed 'no failover active'
Jul 262:00:32 AM172.20.13.8 %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active.
Jul 262:00:32 AM172.20.13.8 %ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Active.
Jul 262:00:32 AM172.20.13.8 %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active.
Jul 262:00:32 AM172.20.13.8 %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active.
Jul 262:00:32 AM172.20.13.8 %ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Active.
Jul 262:00:32 AM172.20.13.8 %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active.
Jul 262:00:32 AM172.20.13.8 %ASA-1-104002: (Secondary) Switching to STANDBY - Set by the config command
Jul 262:00:34 AM172.20.13.8 %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=104,op=1,my=Standby Ready,peer=Active.
Jul 262:00:34 AM172.20.13.8 %ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_standby_ready.
Jul 262:00:34 AM172.20.13.8 %ASA-6-720040: (VPN-Secondary) VPN failover client is transitioning to standby state
Jul 262:00:34 AM172.20.13.8 %ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=2, func=vpnfo_fsm_standby_ready.
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving Command Link Bulk Sync message (Command 6) from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving Sync Self-Signed Cert message (VF-0) from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving Sync Self-Signed Cert message (VF-0) from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving WebVPN SYNC CSD XML Data message src flash:/sdesktop/data.xml, dst cache:/sdesktop/data.xml from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving Trustpool certs message CLEAN from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving Command Link Bulk Sync message (Command 7) from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_STANDBY_READY, my state Standby Ready, peer state Active.
Jul 262:00:34 AM172.20.13.8 %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=80,my=Standby Ready,peer=Active.
Jul 262:00:34 AM172.20.13.8 %ASA-6-720027: (VPN-Secondary) HA status callback: My state Standby Ready.
Jul 262:00:34 AM172.20.13.8 %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Standby Ready, peer state Active.
Jul 262:00:39 AM172.20.13.8 %ASA-1-105003: (Secondary) Monitoring on interface outside waiting
Jul 262:00:39 AM172.20.13.8 %ASA-1-105003: (Secondary) Monitoring on interface APP waiting
Jul 262:00:39 AM172.20.13.8 %ASA-1-105003: (Secondary) Monitoring on interface DB waiting
Jul 262:00:39 AM172.20.13.8 %ASA-1-105003: (Secondary) Monitoring on interface mgmt waiting
Jul 262:00:49 AM172.20.13.8 %ASA-1-105004: (Secondary) Monitoring on interface outside normal
Jul 262:00:49 AM172.20.13.8 %ASA-1-105004: (Secondary) Monitoring on interface APP normal
Jul 262:00:49 AM172.20.13.8 %ASA-1-105004: (Secondary) Monitoring on interface DB normal
Jul 262:00:49 AM172.20.13.8 %ASA-1-105004: (Secondary) Monitoring on interface mgmt normal
Jul 262:02:04 AM172.20.13.8 %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=80,my=Standby Ready,peer=Standby Ready.
Jul 262:02:04 AM172.20.13.8 %ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Standby Ready.
Jul 262:02:04 AM172.20.13.8 %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Standby Ready.
Jul 262:02:04 AM172.20.13.8 %ASA-5-111008: User 'enable_15' executed the 'no failover active' command.
Jul 262:02:05 AM172.20.13.8 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 172.20.13.6, executed 'no failover active'
Jul 262:02:05 AM172.20.13.8 %ASA-6-720032: (VPN-Primary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active.
Jul 262:02:05 AM172.20.13.8 %ASA-6-720028: (VPN-Primary) HA status callback: Peer state Active.
Jul 262:02:05 AM172.20.13.8 %ASA-6-721002: (WebVPN-Primary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active.
Jul 262:02:05 AM172.20.13.8 %ASA-6-720032: (VPN-Primary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active.
Jul 262:02:05 AM172.20.13.8 %ASA-6-720028: (VPN-Primary) HA status callback: Peer state Active.
Jul 262:02:05 AM172.20.13.8 %ASA-6-721002: (WebVPN-Primary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active.
Jul 262:02:05 AM172.20.13.8 %ASA-1-104002: (Primary) Switching to STANDBY - Set by the config command
Jul 262:02:07 AM172.20.13.8 %ASA-6-720037: (VPN-Primary) HA progression callback: id=3,seq=200,grp=0,event=104,op=1,my=Standby Ready,peer=Active.
Jul 262:02:07 AM172.20.13.8 %ASA-7-720048: (VPN-Primary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_standby_ready.
Jul 262:02:07 AM172.20.13.8 %ASA-6-720040: (VPN-Primary) VPN failover client is transitioning to standby state
Jul 262:02:07 AM172.20.13.8 %ASA-7-720049: (VPN-Primary) FSM action trace end: state=, last event=, return=2, func=vpnfo_fsm_standby_ready.
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving Command Link Bulk Sync message (Command 6) from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving Sync Self-Signed Cert message (VF-0) from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving Sync Self-Signed Cert message (VF-0) from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving WebVPN SYNC CSD XML Data message src flash:/sdesktop/data.xml, dst cache:/sdesktop/data.xml from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving Trustpool certs message CLEAN from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving Command Link Bulk Sync message (Command 7) from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-6-721003: (WebVPN-Primary) HA progression change: event HA_PROG_STANDBY_READY, my state Standby Ready, peer state Active.
Jul 262:02:07 AM172.20.13.8 %ASA-6-720032: (VPN-Primary) HA status callback: id=3,seq=200,grp=0,event=405,op=80,my=Standby Ready,peer=Active.
Jul 262:02:07 AM172.20.13.8 %ASA-6-720027: (VPN-Primary) HA status callback: My state Standby Ready.
Jul 262:02:07 AM172.20.13.8 %ASA-6-721002: (WebVPN-Primary) HA status change: event HA_STATUS_MY_STATE, my state Standby Ready, peer state Active.
Jul 262:02:08 AM172.20.13.8 %ASA-6-210022: LU missed 12 updates
Jul 262:02:13 AM172.20.13.8 %ASA-1-105003: (Primary) Monitoring on interface outside waiting
Jul 262:02:13 AM172.20.13.8 %ASA-1-105003: (Primary) Monitoring on interface APP waiting
Jul 262:02:13 AM172.20.13.8 %ASA-1-105003: (Primary) Monitoring on interface DB waiting
Jul 262:02:13 AM172.20.13.8 %ASA-1-105003: (Primary) Monitoring on interface mgmt waiting
Jul 262:02:28 AM172.20.13.8 %ASA-1-105004: (Primary) Monitoring on interface outside normal
Jul 262:02:28 AM172.20.13.8 %ASA-1-105004: (Primary) Monitoring on interface APP normal
Jul 262:02:28 AM172.20.13.8 %ASA-1-105004: (Primary) Monitoring on interface DB normal
Jul 262:02:28 AM172.20.13.8 %ASA-1-105004: (Primary) Monitoring on interface mgmt normal
Jul 262:03:25 AM172.20.13.8 %ASA-1-104002: (Secondary) Switching to STANDBY - Other unit wants me Standby. Primary unit switch reason: Set by the config command.

 

Highlighted
Hall of Fame Guru

Re: Cisco ASA 5585X Failover No Working

Those are normal log messages associated with failover. From them it shows member state of "Standby Ready" which we would not expect if there's a COMM FAILURE as you indicated earlier.