Cisco ASA Failover - Standby Failed sfr unresponsive

Patrik Nechajev
Level 1

Hello, 

 

We have ASA Active/Standby Failover. I have noticed that the Standby unit is in Failed state. For some reason the sfr module in the Standby unit is Unresponsive/Down. I'm a bit new to this so I'm not sure what the best solution is.

Should I remove the module from monitoring and restart it?

Thanks for any advice!

 

Info from Standby ASA:

 

sh failover:

Last Failover at: 19:53:43 CEST Jun 26 2020
This host: Secondary - Failed
Active time: 13575988 (sec)
slot 1: ASA5508 hw/sw rev (3.3/9.8(4)15) status (Up Sys)
Interface - Normal (Waiting)
Interface - Normal (Waiting)
Interface - Normal (Waiting)
Interface - Normal (Not-Monitored)
Interface - Normal (Waiting)
Interface - Normal (Waiting)
Interface - Normal (Waiting)
Interface - Normal (Waiting)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Unresponsive/Down)
ASA FirePOWER, 6.2.2-81, Not Applicable, (Monitored)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Unresponsive/Down)
ASA FirePOWER, 6.2.2-81, Not Applicable, (Monitored)
Other host: Primary - Active
Active time: 32892755 (sec)
slot 1: ASA5508 hw/sw rev (3.3/9.8(4)15) status (Up Sys)
Interface - Normal (Waiting)
Interface - Normal (Waiting)
Interface - Normal (Waiting)
Interface - Normal (Not-Monitored)
Interface - Normal (Waiting)
Interface - Normal (Waiting)
Interface - Normal (Waiting)
Interface - Normal (Waiting)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)

 

sh failover history:

From State To State Reason
==========================================================================
07:40:16 CET Jan 17 2020
Sync Config Sync File System Detected an Active mate

07:40:16 CET Jan 17 2020
Sync File System Bulk Sync Detected an Active mate

07:40:17 CET Jan 17 2020
Bulk Sync Standby Ready Detected an Active mate

07:40:17 CET Jan 17 2020
Standby Ready Failed Detect service card failure

07:41:11 CET Jan 17 2020
Failed Standby Ready My service card is as good as peer

07:41:43 CET Jan 17 2020
Standby Ready Failed Detect service card failure

07:41:49 CET Jan 17 2020
Failed Standby Ready My service card is as good as peer

07:43:31 CET Jan 17 2020
Standby Ready Just Active Other unit wants me Active

07:43:31 CET Jan 17 2020
Just Active Active Drain Other unit wants me Active

07:43:31 CET Jan 17 2020
Active Drain Active Applying Config Other unit wants me Active

07:43:31 CET Jan 17 2020
Active Applying Config Active Config Applied Other unit wants me Active

07:43:31 CET Jan 17 2020
Active Config Applied Active Other unit wants me Active

15:39:26 CET Jan 21 2020
Active Standby Ready Set by the config command

15:54:33 CET Jan 21 2020
Standby Ready Just Active Other unit wants me Active

15:54:33 CET Jan 21 2020
Just Active Active Drain Other unit wants me Active

15:54:33 CET Jan 21 2020
Active Drain Active Applying Config Other unit wants me Active

15:54:33 CET Jan 21 2020
Active Applying Config Active Config Applied Other unit wants me Active

15:54:33 CET Jan 21 2020
Active Config Applied Active Other unit wants me Active

19:53:43 CEST Jun 26 2020
Active Standby Ready Other unit wants me Standby

19:53:44 CEST Jun 26 2020
Standby Ready Failed Detect service card failure

 

 

 

8 Replies

Marvin Rhoads
Hall of Fame

Are you even using the Firepower service module in your ASA pair? You can verify by checking your policy map with "show run policy-map". You should see lines like:

 class SFR
  sfr fail-open

If those aren't there then the module is not in use and can be removed from monitoring as follows:

no monitor-interface service-module

More details can be found here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200944-Disable-Service-Module-Monitoring-on-ASA.html
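As an added example (not part of this thread and not a Cisco tool), here is a small Python health check that automates the two checks discussed above: it parses "show failover" output of the kind posted in the question and a "show run policy-map" excerpt, then reports whether a Failed unit is failed only because its monitored service module is down and whether the sfr module is actually referenced by the policy map. The sample inputs are constructed (abbreviated from the output in the thread); the function names and the recommendation strings are my own.

```python
"""Health check for an ASA Active/Standby pair with a FirePOWER (sfr) service module.

Parses `show failover` output and a `show run policy-map` excerpt, then reports whether a
Failed unit is failed only because its service module is monitored and down, and whether
the module is actually referenced by the policy map (class SFR + sfr fail-open/close).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated from the `show failover` output posted in the thread.
SAMPLE_SHOW_FAILOVER = """\
Last Failover at: 19:53:43 CEST Jun 26 2020
This host: Secondary - Failed
Active time: 13575988 (sec)
slot 1: ASA5508 hw/sw rev (3.3/9.8(4)15) status (Up Sys)
Interface - Normal (Waiting)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Unresponsive/Down)
ASA FirePOWER, 6.2.2-81, Not Applicable, (Monitored)
Other host: Primary - Active
Active time: 32892755 (sec)
slot 1: ASA5508 hw/sw rev (3.3/9.8(4)15) status (Up Sys)
Interface - Normal (Waiting)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
"""

# Constructed sample policy-map excerpt in which the sfr class is present.
SAMPLE_POLICY_MAP = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class SFR
  sfr fail-open
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
# Lazy group for the hw/sw rev field because it contains nested parentheses, e.g. 9.8(4)15.
SLOT_RE = re.compile(r"^slot (\d+): (\S+) hw/sw rev \((.*?)\) status \(([^)]*)\)$")
APP_RE = re.compile(r"^ASA FirePOWER, ([^,]+), ([^,]+), \(([^)]+)\)$")


@dataclass
class Slot:
    card: str            # e.g. ASA5508 or SFR5508
    status: str          # e.g. "Up Sys", "Up/Up", "Unresponsive/Down"
    app_status: str = ""  # application status line for the service module, if any
    monitored: bool = False


@dataclass
class Host:
    role: str            # Primary / Secondary
    state: str           # Active / Standby Ready / Failed ...
    slots: dict = field(default_factory=dict)


def parse_show_failover(text):
    """Return a list of Host objects (This host first, then Other host)."""
    hosts, host, last_slot = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = Host(role=m.group(2), state=m.group(3).strip())
            hosts.append(host)
            continue
        m = SLOT_RE.match(line)
        if m and host is not None:
            last_slot = Slot(card=m.group(2), status=m.group(4))
            host.slots[int(m.group(1))] = last_slot
            continue
        m = APP_RE.match(line)
        if m and last_slot is not None:
            last_slot.app_status = m.group(2).strip()
            last_slot.monitored = m.group(3) == "Monitored"
    return hosts


def sfr_in_policy_map(policy_map_text):
    """True when the policy map redirects traffic to the sfr module."""
    has_class = re.search(r"^\s*class SFR\s*$", policy_map_text, re.M) is not None
    has_action = re.search(r"^\s*sfr fail-(open|close)\b", policy_map_text, re.M) is not None
    return has_class and has_action


def service_module_is_down(slot):
    """Treat Unresponsive/Down and anything ending in /Down as a down module."""
    return slot.status.split("/")[0] in ("Unresponsive", "Down") or slot.status.endswith("/Down")


def assess(hosts, policy_map_text):
    """Return one (role, state, cause, recommendation) tuple per host."""
    in_use = sfr_in_policy_map(policy_map_text)
    findings = []
    for h in hosts:
        down_modules = [s for s in h.slots.values()
                        if s.card.startswith("SFR") and service_module_is_down(s)]
        other_bad = [s for s in h.slots.values()
                     if not s.card.startswith("SFR") and not s.status.startswith("Up")]
        if h.state == "Failed" and down_modules and not other_bad:
            monitored = any(s.monitored for s in down_modules)
            cause = ("service module down and monitored" if monitored
                     else "service module down (not monitored)")
            if in_use:
                rec = "module referenced in policy-map: investigate/restart the module before changing monitoring"
            else:
                rec = "module not referenced in policy-map: 'no monitor-interface service-module' and remove the class-map reference"
        elif h.state == "Failed":
            cause, rec = "failure not limited to the service module", "check interfaces and the system slot first"
        else:
            cause, rec = "", ""
        findings.append((h.role, h.state, cause, rec))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_show_failover(SAMPLE_SHOW_FAILOVER), SAMPLE_POLICY_MAP):
        print(finding)
```

Run it against real output by pasting "show failover" and "show run policy-map" into the two sample strings; the recommendation mirrors the reasoning in this thread (disable monitoring only when the module is not in the policy map, otherwise find out why the module is down).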

 

Dear Marvin,

 

class SFR
  sfr fail-open

Those lines are in our config, so I believe the module is in use.

I saw the no monitor-interface service-module command in the documentation, but I believe this command would solve my issue only temporarily. Can I restart the module, or what is the best practice to solve this?

 

Thank you.

 

@Patrik Nechajev the command you mentioned will prevent failover from happening as a result of the service module status.

However, if it is in use, then monitoring it is a good idea. From the version it is running (very old 6.2.2) I would guess somebody set it up and then hasn't taken care of it. While you could restart it on the failed instance, it should be investigated in more detail as to why it's down.

We manage Firepower service modules either locally (with ASDM) or via a central server (Firepower Management Center). The command "show module sfr detail" on the Primary Active appliance will show how yours is being managed.

I believe we are not using any central management for this. I'm using ASDM, and on the Primary unit there is also an ASA FirePOWER Configuration bookmark.

 

show module sfr detail on Primary unit:

Card Type: FirePOWER Services Software Module
Model: ASA5508
Hardware version: N/A
Serial Number: -
Firmware version: N/A
Software version: 6.2.2-81
MAC Address Range: 08ec.f5ff.fe84 to 08ec.f5ff.fe84
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.2-81
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 172.28.1.7
Mgmt Network mask: 255.255.255.240
Mgmt Gateway: 172.28.1.1
Mgmt web ports: 443
Mgmt TLS enabled: true

 

So on your ASDM managing the Active firewall do you show any actual policies or other setup for the Firepower service module?

The problem with Firepower service modules on HA ASA pairs that are locally managed is that the modules themselves are completely separately managed - there is no synchronization of their policy between the Primary and Secondary appliance.

No, everything is empty, I don't see any configuration.

Yes, exactly, when I clicked on the ASA FirePOWER Configuration bookmark in ASDM a pop-up appeared with something like "This ASA is configured for failover. The ASA FirePOWER configuration is not automatically synchronized between the primary and secondary unit..."

 

Meanwhile I thought that if the Standby unit is in Failed state, replication would also not work, but it seems to be working fine. I made some changes in the last weeks and everything was also replicated to the Standby unit.

 

What should I do now?

Thank you, I really appreciate your help.

 

 

 

 

It's only the Firepower configuration that doesn't replicate. The ASA configs should continue to replicate fine if Firepower service module is the only problem with HA health.

If you don't have any configuration, then there's no problem with just disabling monitoring for the service module. It would also make sense to remove the class-map reference in your policy-map as well. While the class-map is "fail open" (i.e. no working Firepower module doesn't affect traffic), it's still unnecessary to have it at all if the Firepower service module isn't configured (or licensed).

So disabling Firepower with the no monitor-interface service-module command on both units should bring the Secondary unit from Failed state to Standby, right?

 

Wouldn't it be better to try restarting the module on the Standby unit and, if that doesn't help, then disable monitoring with no monitor-interface service-module?

 

Thank you for your help.
