07-29-2020 08:42 AM
Hi all,
I issued the Failover Active on Standby ASA and No Failover Active on Active ASA but both ASA all cannot change the state. At the time after issuing this command, the SSH session on the ASA also drop and has to restart session again.
The two ASA now with the Secondary Set acts as Active and Primary Set acts as Standby.
Attach is the snapshot for the Failover state and configuration.
Please let me know what is the problem and how to resolve it? Thanks!
regards,
Tan Tang Suan
Solved! Go to Solution.
08-06-2020 09:46 PM
There is no equivalent concept for preempt in ASA High Availability setup.
The preempt feature with HSRP/VRRP is designed to allow you to always favor one device to be active. With ASA that feature is not available.
07-29-2020 09:12 AM
Are your command outputs edited? an ASA HA pair should both be showing the same hostname. We use the prompt to add the role and state.
If you connect with anything other than the unique management address, issuing "no failover active" is normally expected to disconnect your ssh session as the other unit will assume the configured address for all data plane interfaces.
07-29-2020 06:57 PM
Hi Marvin,
Thanks to your reply. Yes, the command outputs have been edited to show which one is primary and secondary. Now, the primary is on Standby and secondary is on Active.
Now even I issue command Failover active in the Standby ASA, the SSH session also drops.
From the Failover state, there is COMM ERROR in the Standby ASA. Is this shows abnormality on this Failover setup?
By the way, I have some logs in the Standby ASA, do you need it?
Thanks and regards,
Tangsuan Tan
07-29-2020 10:51 PM
Anytime you issue "failover active" from a unit that is not currently active it will assume the active role and change its dataplane interface address(es) accordingly. That will cause the current ssh session to be terminated (assuming you've ssh'd into a dataplane interface).
You should not have a "comm error". That most commonly indicates that the failover link connection is not active.
07-30-2020 08:47 PM
Hi Marvin,
I have done repeating 100 times ping on all the four failover IP address 10.1.1.2, 10.1.1.1, 10.2.1.1 and 10.2.1.2. The results are all smooth.
These two ASA are placed side by side in two different racks. The failover cable distance between them are short.
I copy and paste here the log for the Standby ASA which is having a lot of time of records I activae the "No failover active" on the Active ASA but it cannot succeed.
Please let me know any finding you can help on this problem.
Thanks and hope to hear you soon.
Jul | 26 | 2:00:31 AM | 172.20.13.8 | %ASA-5-111008: | User 'enable_15' executed the 'no failover active' command. |
Jul | 26 | 2:00:32 AM | 172.20.13.8 | %ASA-5-111010: | User 'enable_15', running 'CLI' from IP 172.20.13.6, executed 'no failover active' |
Jul | 26 | 2:00:32 AM | 172.20.13.8 | %ASA-6-720032: | (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active. |
Jul | 26 | 2:00:32 AM | 172.20.13.8 | %ASA-6-720028: | (VPN-Secondary) HA status callback: Peer state Active. |
Jul | 26 | 2:00:32 AM | 172.20.13.8 | %ASA-6-721002: | (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active. |
Jul | 26 | 2:00:32 AM | 172.20.13.8 | %ASA-6-720032: | (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active. |
Jul | 26 | 2:00:32 AM | 172.20.13.8 | %ASA-6-720028: | (VPN-Secondary) HA status callback: Peer state Active. |
Jul | 26 | 2:00:32 AM | 172.20.13.8 | %ASA-6-721002: | (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active. |
Jul | 26 | 2:00:32 AM | 172.20.13.8 | %ASA-1-104002: | (Secondary) Switching to STANDBY - Set by the config command |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-6-720037: | (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=104,op=1,my=Standby Ready,peer=Active. |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-7-720048: | (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_standby_ready. |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-6-720040: | (VPN-Secondary) VPN failover client is transitioning to standby state |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-7-720049: | (VPN-Secondary) FSM action trace end: state=, last event=, return=2, func=vpnfo_fsm_standby_ready. |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Secondary) Receiving Command Link Bulk Sync message (Command 6) from active unit |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Secondary) Receiving Sync Self-Signed Cert message (VF-0) from active unit |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Secondary) Receiving Sync Self-Signed Cert message (VF-0) from active unit |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Secondary) Receiving WebVPN SYNC CSD XML Data message src flash:/sdesktop/data.xml, dst cache:/sdesktop/data.xml from active unit |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Secondary) Receiving Trustpool certs message CLEAN from active unit |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Secondary) Receiving Command Link Bulk Sync message (Command 7) from active unit |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-6-721003: | (WebVPN-Secondary) HA progression change: event HA_PROG_STANDBY_READY, my state Standby Ready, peer state Active. |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-6-720032: | (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=80,my=Standby Ready,peer=Active. |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-6-720027: | (VPN-Secondary) HA status callback: My state Standby Ready. |
Jul | 26 | 2:00:34 AM | 172.20.13.8 | %ASA-6-721002: | (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Standby Ready, peer state Active. |
Jul | 26 | 2:00:39 AM | 172.20.13.8 | %ASA-1-105003: | (Secondary) Monitoring on interface outside waiting |
Jul | 26 | 2:00:39 AM | 172.20.13.8 | %ASA-1-105003: | (Secondary) Monitoring on interface APP waiting |
Jul | 26 | 2:00:39 AM | 172.20.13.8 | %ASA-1-105003: | (Secondary) Monitoring on interface DB waiting |
Jul | 26 | 2:00:39 AM | 172.20.13.8 | %ASA-1-105003: | (Secondary) Monitoring on interface mgmt waiting |
Jul | 26 | 2:00:49 AM | 172.20.13.8 | %ASA-1-105004: | (Secondary) Monitoring on interface outside normal |
Jul | 26 | 2:00:49 AM | 172.20.13.8 | %ASA-1-105004: | (Secondary) Monitoring on interface APP normal |
Jul | 26 | 2:00:49 AM | 172.20.13.8 | %ASA-1-105004: | (Secondary) Monitoring on interface DB normal |
Jul | 26 | 2:00:49 AM | 172.20.13.8 | %ASA-1-105004: | (Secondary) Monitoring on interface mgmt normal |
Jul | 26 | 2:02:04 AM | 172.20.13.8 | %ASA-6-720032: | (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=80,my=Standby Ready,peer=Standby Ready. |
Jul | 26 | 2:02:04 AM | 172.20.13.8 | %ASA-6-720028: | (VPN-Secondary) HA status callback: Peer state Standby Ready. |
Jul | 26 | 2:02:04 AM | 172.20.13.8 | %ASA-6-721002: | (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Standby Ready. |
Jul | 26 | 2:02:04 AM | 172.20.13.8 | %ASA-5-111008: | User 'enable_15' executed the 'no failover active' command. |
Jul | 26 | 2:02:05 AM | 172.20.13.8 | %ASA-5-111010: | User 'enable_15', running 'CLI' from IP 172.20.13.6, executed 'no failover active' |
Jul | 26 | 2:02:05 AM | 172.20.13.8 | %ASA-6-720032: | (VPN-Primary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active. |
Jul | 26 | 2:02:05 AM | 172.20.13.8 | %ASA-6-720028: | (VPN-Primary) HA status callback: Peer state Active. |
Jul | 26 | 2:02:05 AM | 172.20.13.8 | %ASA-6-721002: | (WebVPN-Primary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active. |
Jul | 26 | 2:02:05 AM | 172.20.13.8 | %ASA-6-720032: | (VPN-Primary) HA status callback: id=3,seq=200,grp=0,event=406,op=130,my=Standby Ready,peer=Active. |
Jul | 26 | 2:02:05 AM | 172.20.13.8 | %ASA-6-720028: | (VPN-Primary) HA status callback: Peer state Active. |
Jul | 26 | 2:02:05 AM | 172.20.13.8 | %ASA-6-721002: | (WebVPN-Primary) HA status change: event HA_STATUS_PEER_STATE, my state Standby Ready, peer state Active. |
Jul | 26 | 2:02:05 AM | 172.20.13.8 | %ASA-1-104002: | (Primary) Switching to STANDBY - Set by the config command |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-6-720037: | (VPN-Primary) HA progression callback: id=3,seq=200,grp=0,event=104,op=1,my=Standby Ready,peer=Active. |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-7-720048: | (VPN-Primary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_standby_ready. |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-6-720040: | (VPN-Primary) VPN failover client is transitioning to standby state |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-7-720049: | (VPN-Primary) FSM action trace end: state=, last event=, return=2, func=vpnfo_fsm_standby_ready. |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Primary) Receiving Command Link Bulk Sync message (Command 6) from active unit |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Primary) Receiving Sync Self-Signed Cert message (VF-0) from active unit |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Primary) Receiving Sync Self-Signed Cert message (VF-0) from active unit |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Primary) Receiving WebVPN SYNC CSD XML Data message src flash:/sdesktop/data.xml, dst cache:/sdesktop/data.xml from active unit |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Primary) Receiving Trustpool certs message CLEAN from active unit |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-7-720042: | (VPN-Primary) Receiving Command Link Bulk Sync message (Command 7) from active unit |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-6-721003: | (WebVPN-Primary) HA progression change: event HA_PROG_STANDBY_READY, my state Standby Ready, peer state Active. |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-6-720032: | (VPN-Primary) HA status callback: id=3,seq=200,grp=0,event=405,op=80,my=Standby Ready,peer=Active. |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-6-720027: | (VPN-Primary) HA status callback: My state Standby Ready. |
Jul | 26 | 2:02:07 AM | 172.20.13.8 | %ASA-6-721002: | (WebVPN-Primary) HA status change: event HA_STATUS_MY_STATE, my state Standby Ready, peer state Active. |
Jul | 26 | 2:02:08 AM | 172.20.13.8 | %ASA-6-210022: | LU missed 12 updates |
Jul | 26 | 2:02:13 AM | 172.20.13.8 | %ASA-1-105003: | (Primary) Monitoring on interface outside waiting |
Jul | 26 | 2:02:13 AM | 172.20.13.8 | %ASA-1-105003: | (Primary) Monitoring on interface APP waiting |
Jul | 26 | 2:02:13 AM | 172.20.13.8 | %ASA-1-105003: | (Primary) Monitoring on interface DB waiting |
Jul | 26 | 2:02:13 AM | 172.20.13.8 | %ASA-1-105003: | (Primary) Monitoring on interface mgmt waiting |
Jul | 26 | 2:02:28 AM | 172.20.13.8 | %ASA-1-105004: | (Primary) Monitoring on interface outside normal |
Jul | 26 | 2:02:28 AM | 172.20.13.8 | %ASA-1-105004: | (Primary) Monitoring on interface APP normal |
Jul | 26 | 2:02:28 AM | 172.20.13.8 | %ASA-1-105004: | (Primary) Monitoring on interface DB normal |
Jul | 26 | 2:02:28 AM | 172.20.13.8 | %ASA-1-105004: | (Primary) Monitoring on interface mgmt normal |
Jul | 26 | 2:03:25 AM | 172.20.13.8 | %ASA-1-104002: | (Secondary) Switching to STANDBY - Other unit wants me Standby. Primary unit switch reason: Set by the config command. |
07-31-2020 10:16 AM
Those are normal log messages associated with failover. From them it shows member state of "Standby Ready" which we would not expect if there's a COMM FAILURE as you indicated earlier.
08-06-2020 11:14 AM
Don't use the standby option when configuring your management interfaces. Primary unit should have one address and secondary unit another one. That way you can always log into the right one and not have to know which is in Active or Standby role at the time.
08-06-2020 06:37 PM
Hi Marvin,
Many thanks to your reply.
May I know that this standby option is it similar to preempt action to make the first IP address always active?
Is it there is a preempt command for Cisco ASA so that we can use the preempt command instead?
thanks and regards,
tangsuan
08-06-2020 09:46 PM
There is no equivalent concept for preempt in ASA High Availability setup.
The preempt feature with HSRP/VRRP is designed to allow you to always favor one device to be active. With ASA that feature is not available.
08-06-2020 11:26 PM
Hi Marvin,
Thanks to all your helps and replies on this problem.
regards,
Tangsuan Tan
09-22-2023 03:58 AM
@Marvin Rhoads just five cents from me - there IS preempt in ASA failover groups. You can deliberately set one unit as preffered, this also helps with steps during upgrade as there is one manual step less (switching over between stby and active again after reload):
failover group 1
preempt
failover group 2
secondary
preempt
09-22-2023 05:30 AM
@tomeq82 the "failover group" command is only applicable on devices configured for multiple context mode.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide