Cisco ASA Failover issue

Mahendra B · ‎12-19-2014

Hi,

I recently came across a peculiar cisco asa fail over issue where the device failover occurred when some of the interfaces went down even though the interface were not configured to be monitored.

I have verified the below mentioned possibilities

a) The failover link is up

b) Both the firewalls are running same IOS version's and have same licenses.

c) Failover keys are the same on both the devices.

Below are some show commands i ran during the initial troubleshooting to solve this.

Any help or inputs regarding this issue would be really appreciated.

Primary Device Config's

sh failover history
==========================================================================
From State To State Reason
==========================================================================
17:28:07 PDT Jul 10 2014
Not Detected Negotiation No Error

17:28:12 PDT Jul 10 2014
Negotiation Cold Standby Detected an Active mate

17:28:13 PDT Jul 10 2014
Cold Standby Sync Config Detected an Active mate

17:28:27 PDT Jul 10 2014
Sync Config Sync File System Detected an Active mate

17:28:27 PDT Jul 10 2014
Sync File System Bulk Sync Detected an Active mate

17:28:38 PDT Jul 10 2014
Bulk Sync Standby Ready Detected an Active mate

05:58:56 PDT Jul 31 2014
Standby Ready Cold Standby Configuration mismatch

05:58:57 PDT Jul 31 2014
Cold Standby Sync Config Configuration mismatch

05:59:10 PDT Jul 31 2014
Sync Config Sync File System Configuration mismatch

05:59:10 PDT Jul 31 2014
Sync File System Bulk Sync Configuration mismatch

05:59:23 PDT Jul 31 2014
Bulk Sync Standby Ready Configuration mismatch

17:07:09 PDT Sep 5 2014
Standby Ready Failed Interface check

17:07:12 PDT Sep 5 2014
Failed Standby Ready Interface check

11:04:50 PDT Oct 10 2014
Standby Ready Just Active HELLO not heard from mate

11:04:50 PDT Oct 10 2014
Just Active Active Drain HELLO not heard from mate

11:04:50 PDT Oct 10 2014
Active Drain Active Applying Config HELLO not heard from mate

11:04:50 PDT Oct 10 2014
Active Applying Config Active Config Applied HELLO not heard from mate

11:04:50 PDT Oct 10 2014
Active Config Applied Active HELLO not heard from mate

==========================================================================

failover
failover lan unit primary
failover lan interface f_over GigabitEthernet0/7
failover polltime unit 1 holdtime 5
failover polltime interface 3 holdtime 15
failover link f_over GigabitEthernet0/7
failover interface ip f_over 10.1.1.1 255.255.255.252 standby 10.1.1.2

Secondary Device Config's

failover exec mate sh failover history
==========================================================================
From State To State Reason
==========================================================================
11:22:17 PDT Oct 10 2014
Not Detected Negotiation No Error

11:22:25 PDT Oct 10 2014
Negotiation Cold Standby Detected an Active mate

11:22:26 PDT Oct 10 2014
Cold Standby Sync Config Detected an Active mate

11:22:40 PDT Oct 10 2014
Sync Config Sync File System Detected an Active mate

11:22:40 PDT Oct 10 2014
Sync File System Bulk Sync Detected an Active mate

11:22:53 PDT Oct 10 2014
Bulk Sync Standby Ready Detected an Active mate

19:59:37 PDT Oct 10 2014
Standby Ready Failed Interface check

19:59:40 PDT Oct 10 2014
Failed Standby Ready Interface check

10:17:22 PST Nov 19 2014
Standby Ready Failed Interface check

==========================================================================

failover
failover lan unit secondary
failover lan interface f_over GigabitEthernet0/7
failover polltime unit 1 holdtime 5
failover polltime interface 3 holdtime 15
failover link f_over GigabitEthernet0/7
failover interface ip f_over 10.1.1.1 255.255.255.252 standby 10.1.1.2

Vibhor Amrodia · ‎12-19-2014

Hi,

Can you be a bit more specific about the time when the failover happened which you are checking for.

Also , try to get the show failover state output from both the ASA units.

Thanks and Regards,

Vibhor Amrodia