cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2841
Views
0
Helpful
11
Replies

Cisco ASA 5585X Failover No Working

Tang-Suan Tan
Level 1
Level 1

Hi all,

 

I issued the Failover Active on Standby ASA and No Failover Active on Active ASA but both ASA all cannot change the state. At the time after issuing this command, the SSH session on the ASA also drop and has to restart session again.

 

The two ASA now with the Secondary Set acts as Active and Primary Set acts as Standby.

Attach is the snapshot for the Failover state and configuration.

 

Please let me know what is the problem and how to resolve it? Thanks!

 

regards,

Tan Tang Suan

 

 

1 Accepted Solution

Accepted Solutions

There is no equivalent concept for preempt in ASA High Availability setup.

The preempt feature with HSRP/VRRP is designed to allow you to always favor one device to be active. With ASA that feature is not available.

View solution in original post

11 Replies 11

Marvin Rhoads
Hall of Fame
Hall of Fame

Are your command outputs edited? an ASA HA pair should both be showing the same hostname. We use the prompt to add the role and state.

If you connect with anything other than the unique management address, issuing "no failover active" is normally expected to disconnect your ssh session as the other unit will assume the configured address for all data plane interfaces.

Hi Marvin,

 

Thanks to your reply. Yes, the command outputs have been edited to show which one is primary and secondary. Now, the primary is on Standby and secondary is on Active.

Now even I issue command Failover active in the Standby ASA, the SSH session also drops.

From the Failover state, there is COMM ERROR in the Standby ASA. Is this shows abnormality on this Failover setup?

By the way, I have some logs in the Standby ASA, do you need it?

 

Thanks and regards,

Tangsuan Tan

Anytime you issue "failover active" from a unit that is not currently active it will assume the active role and change its dataplane interface address(es) accordingly. That will cause the current ssh session to be terminated (assuming you've ssh'd into a dataplane interface).

You should not have a "comm error". That most commonly indicates that the failover link connection is not active.

Hi Marvin,

 

I have done repeating 100 times ping on all the four failover IP address 10.1.1.2, 10.1.1.1, 10.2.1.1 and 10.2.1.2. The results are all smooth.

 

These two ASA are placed side by side in two different racks. The failover cable distance between them are short.

I copy and paste here the log for the Standby ASA which is having a lot of time of records I activae the "No failover active" on the Active ASA but it cannot succeed.

 

 

 

Please let me know any finding you can help on this problem.

 

Thanks and hope to hear you soon.

 

Jul 262:00:31 AM172.20.13.8 %ASA-5-111008: User 'enable_15' executed the 'no failover active' command.
Jul 262:00:32 AM172.20.13.8 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 172.20.13.6, executed 'no failover active'
Jul 262:00:32 AM172.20.13.8 %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active.
Jul 262:00:32 AM172.20.13.8 %ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Active.
Jul 262:00:32 AM172.20.13.8 %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active.
Jul 262:00:32 AM172.20.13.8 %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active.
Jul 262:00:32 AM172.20.13.8 %ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Active.
Jul 262:00:32 AM172.20.13.8 %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active.
Jul 262:00:32 AM172.20.13.8 %ASA-1-104002: (Secondary) Switching to STANDBY - Set by the config command
Jul 262:00:34 AM172.20.13.8 %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=104,op=1,my=Standby Ready,peer=Active.
Jul 262:00:34 AM172.20.13.8 %ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_standby_ready.
Jul 262:00:34 AM172.20.13.8 %ASA-6-720040: (VPN-Secondary) VPN failover client is transitioning to standby state
Jul 262:00:34 AM172.20.13.8 %ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=2, func=vpnfo_fsm_standby_ready.
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving Command Link Bulk Sync message (Command 6) from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving Sync Self-Signed Cert message (VF-0) from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving Sync Self-Signed Cert message (VF-0) from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving WebVPN SYNC CSD XML Data message src flash:/sdesktop/data.xml, dst cache:/sdesktop/data.xml from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving Trustpool certs message CLEAN from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-7-720042: (VPN-Secondary) Receiving Command Link Bulk Sync message (Command 7) from active unit
Jul 262:00:34 AM172.20.13.8 %ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_STANDBY_READY, my state Standby Ready, peer state Active.
Jul 262:00:34 AM172.20.13.8 %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=80,my=Standby Ready,peer=Active.
Jul 262:00:34 AM172.20.13.8 %ASA-6-720027: (VPN-Secondary) HA status callback: My state Standby Ready.
Jul 262:00:34 AM172.20.13.8 %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Standby Ready, peer state Active.
Jul 262:00:39 AM172.20.13.8 %ASA-1-105003: (Secondary) Monitoring on interface outside waiting
Jul 262:00:39 AM172.20.13.8 %ASA-1-105003: (Secondary) Monitoring on interface APP waiting
Jul 262:00:39 AM172.20.13.8 %ASA-1-105003: (Secondary) Monitoring on interface DB waiting
Jul 262:00:39 AM172.20.13.8 %ASA-1-105003: (Secondary) Monitoring on interface mgmt waiting
Jul 262:00:49 AM172.20.13.8 %ASA-1-105004: (Secondary) Monitoring on interface outside normal
Jul 262:00:49 AM172.20.13.8 %ASA-1-105004: (Secondary) Monitoring on interface APP normal
Jul 262:00:49 AM172.20.13.8 %ASA-1-105004: (Secondary) Monitoring on interface DB normal
Jul 262:00:49 AM172.20.13.8 %ASA-1-105004: (Secondary) Monitoring on interface mgmt normal
Jul 262:02:04 AM172.20.13.8 %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=80,my=Standby Ready,peer=Standby Ready.
Jul 262:02:04 AM172.20.13.8 %ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Standby Ready.
Jul 262:02:04 AM172.20.13.8 %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Standby Ready.
Jul 262:02:04 AM172.20.13.8 %ASA-5-111008: User 'enable_15' executed the 'no failover active' command.
Jul 262:02:05 AM172.20.13.8 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 172.20.13.6, executed 'no failover active'
Jul 262:02:05 AM172.20.13.8 %ASA-6-720032: (VPN-Primary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active.
Jul 262:02:05 AM172.20.13.8 %ASA-6-720028: (VPN-Primary) HA status callback: Peer state Active.
Jul 262:02:05 AM172.20.13.8 %ASA-6-721002: (WebVPN-Primary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active.
Jul 262:02:05 AM172.20.13.8 %ASA-6-720032: (VPN-Primary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active.
Jul 262:02:05 AM172.20.13.8 %ASA-6-720028: (VPN-Primary) HA status callback: Peer state Active.
Jul 262:02:05 AM172.20.13.8 %ASA-6-721002: (WebVPN-Primary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active.
Jul 262:02:05 AM172.20.13.8 %ASA-1-104002: (Primary) Switching to STANDBY - Set by the config command
Jul 262:02:07 AM172.20.13.8 %ASA-6-720037: (VPN-Primary) HA progression callback: id=3,seq=200,grp=0,event=104,op=1,my=Standby Ready,peer=Active.
Jul 262:02:07 AM172.20.13.8 %ASA-7-720048: (VPN-Primary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_standby_ready.
Jul 262:02:07 AM172.20.13.8 %ASA-6-720040: (VPN-Primary) VPN failover client is transitioning to standby state
Jul 262:02:07 AM172.20.13.8 %ASA-7-720049: (VPN-Primary) FSM action trace end: state=, last event=, return=2, func=vpnfo_fsm_standby_ready.
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving Command Link Bulk Sync message (Command 6) from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving Sync Self-Signed Cert message (VF-0) from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving Sync Self-Signed Cert message (VF-0) from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving WebVPN SYNC CSD XML Data message src flash:/sdesktop/data.xml, dst cache:/sdesktop/data.xml from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving Trustpool certs message CLEAN from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-7-720042: (VPN-Primary) Receiving Command Link Bulk Sync message (Command 7) from active unit
Jul 262:02:07 AM172.20.13.8 %ASA-6-721003: (WebVPN-Primary) HA progression change: event HA_PROG_STANDBY_READY, my state Standby Ready, peer state Active.
Jul 262:02:07 AM172.20.13.8 %ASA-6-720032: (VPN-Primary) HA status callback: id=3,seq=200,grp=0,event=405,op=80,my=Standby Ready,peer=Active.
Jul 262:02:07 AM172.20.13.8 %ASA-6-720027: (VPN-Primary) HA status callback: My state Standby Ready.
Jul 262:02:07 AM172.20.13.8 %ASA-6-721002: (WebVPN-Primary) HA status change: event HA_STATUS_MY_STATE, my state Standby Ready, peer state Active.
Jul 262:02:08 AM172.20.13.8 %ASA-6-210022: LU missed 12 updates
Jul 262:02:13 AM172.20.13.8 %ASA-1-105003: (Primary) Monitoring on interface outside waiting
Jul 262:02:13 AM172.20.13.8 %ASA-1-105003: (Primary) Monitoring on interface APP waiting
Jul 262:02:13 AM172.20.13.8 %ASA-1-105003: (Primary) Monitoring on interface DB waiting
Jul 262:02:13 AM172.20.13.8 %ASA-1-105003: (Primary) Monitoring on interface mgmt waiting
Jul 262:02:28 AM172.20.13.8 %ASA-1-105004: (Primary) Monitoring on interface outside normal
Jul 262:02:28 AM172.20.13.8 %ASA-1-105004: (Primary) Monitoring on interface APP normal
Jul 262:02:28 AM172.20.13.8 %ASA-1-105004: (Primary) Monitoring on interface DB normal
Jul 262:02:28 AM172.20.13.8 %ASA-1-105004: (Primary) Monitoring on interface mgmt normal
Jul 262:03:25 AM172.20.13.8 %ASA-1-104002: (Secondary) Switching to STANDBY - Other unit wants me Standby. Primary unit switch reason: Set by the config command.

 

Those are normal log messages associated with failover. From them it shows member state of "Standby Ready" which we would not expect if there's a COMM FAILURE as you indicated earlier.

Don't use the standby option when configuring your management interfaces. Primary unit should have one address and secondary unit another one. That way you can always log into the right one and not have to know which is in Active or Standby role at the time.

Hi Marvin,

 

Many thanks to your reply.

 

May I know that this standby option is it similar to preempt action to make the first IP address always active?

 

Is it there is a preempt command for Cisco ASA so that we can use the preempt command instead?

 

thanks and regards,

tangsuan

There is no equivalent concept for preempt in ASA High Availability setup.

The preempt feature with HSRP/VRRP is designed to allow you to always favor one device to be active. With ASA that feature is not available.

Hi Marvin,

 

Thanks to all your helps and replies on this problem.

 

regards,

Tangsuan Tan

tomeq82
Level 1
Level 1

@Marvin Rhoads just five cents from me - there IS preempt in ASA failover groups. You can deliberately set one unit as preffered, this also helps with steps during upgrade as there is one manual step less (switching over between stby and active again after reload):

failover group 1
preempt
failover group 2
secondary
preempt

@tomeq82 the "failover group" command is only applicable on devices configured for multiple context mode.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/m_fa-fd.html#wp2497407336

Review Cisco Networking for a $25 gift card