Cisco ASA IPS Detect service card failure Service card in other unit has failed

teatrodelsogno
Level 1

Hi Guys,

I have a strange problem that is in part connected to a Cisco ASA bug, but the bug does not belong to my version.

I have one active/standby failover cluster, and at random times this is the behavior that happens:

From State                 To State                   Reason
==========================================================================
12:48:10 CEST Mar 4 2015
Just Active                Active Drain               Service card in other unit has failed

12:48:10 CEST Mar 4 2015
Active Drain               Active Applying Config     Service card in other unit has failed

12:48:10 CEST Mar 4 2015
Active Applying Config     Active Config Applied      Service card in other unit has failed

12:48:10 CEST Mar 4 2015
Active Config Applied      Active                     Service card in other unit has failed

12:59:04 CEST Mar 4 2015
Active                     Standby Ready              Other unit wants me Standby

12:59:05 CEST Mar 4 2015
Standby Ready              Failed                     Detect service card failure

12:59:11 CEST Mar 4 2015
Failed                     Standby Ready              My service card is as good as peer

12:59:11 CEST Mar 4 2015
Standby Ready              Just Active                Service card in other unit has failed

12:59:11 CEST Mar 4 2015
Just Active                Active Drain               Service card in other unit has failed

12:59:11 CEST Mar 4 2015
Active Drain               Active Applying Config     Service card in other unit has failed

12:59:11 CEST Mar 4 2015
Active Applying Config     Active Config Applied      Service card in other unit has failed

12:59:11 CEST Mar 4 2015
Active Config Applied      Active                     Service card in other unit has failed

13:03:07 CEST Mar 4 2015
Active                     Standby Ready              Set by the config command

13:03:55 CEST Mar 4 2015
Standby Ready              Failed                     Detect service card failure

13:06:38 CEST Mar 4 2015
Failed                     Standby Ready              My service card is as good as peer

13:10:15 CEST Mar 4 2015
Standby Ready              Just Active                Other unit wants me Active

13:10:15 CEST Mar 4 2015
Just Active                Active Drain               Other unit wants me Active

13:10:15 CEST Mar 4 2015
Active Drain               Active Applying Config     Other unit wants me Active

13:10:15 CEST Mar 4 2015
Active Applying Config     Active Config Applied      Other unit wants me Active

13:10:15 CEST Mar 4 2015
Active Config Applied      Active                     Other unit wants me Active

 

I tried to manually reset the IPS module with hw-module module 1 reset, but I'm receiving the same messages.

 

Some other information:

Cisco Adaptive Security Appliance Software Version 8.2(1)

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX1414L0X3
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAB10070GJP

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     
--- --------------------------------- ------------ ------------ ---------------
  0 0026.99c0.c0df to 0026.99c0.c0e3  2.0          1.0(11)2     8.2(1)
  1 0015.c6fa.3b31 to 0015.c6fa.3b31  1.0          1.0(10)0     7.1(8)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               7.1(8)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable         
  1 Up                 Up                     


------------------ show memory ------------------

Free memory:      1722778808 bytes (80%)
Used memory:       424704840 bytes (20%)
-------------     ----------------
Total memory:     2147483648 bytes (100%)

 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Failover On
Failover unit Primary
Failover LAN Interface: faillink Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 13:10:15 CEST Mar 4 2015
    This host: Primary - Active
        Active time: 665238 (sec)
        slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
          Interface outside (x.x.x.x): Normal
          Interface inside (10.254.0.3): Normal
          Interface WIFI_no (10.254.14.1): Normal (Not-Monitored)
          Interface DMZ_dsoi (172.16.1.1): Normal (Not-Monitored)
          Interface Adfafd (x.x.x.x): No Link (Not-Monitored)
        slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(8)E4) status (Up/Up)
          IPS, 7.1(8)E4, Up

    Other host: Secondary - Standby Ready
        Active time: 70225 (sec)
        slot 0: ASA5520 hw/sw rev (1.1/8.2(1)) status (Up Sys)
          Interface outside (81.208.53.221): Normal
          Interface inside (10.254.0.4): Normal
          Interface WIFI_no (0.0.0.0): Normal (Not-Monitored)
          Interface DMZ_dsoi (172.16.1.3): Normal (Not-Monitored)
          Interface Adfafd (85.20.9.11): Normal (Not-Monitored)
        slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(8)E4) status (Up/Up)
          IPS, 7.1(8)E4, Up

Stateful Failover Logical Update Statistics
    Link : faillink Management0/0 (up)
    Stateful Obj     xmit       xerr       rcv        rerr      
    General        483879055  0          14089818   10606     
    sys cmd      97977      0          97977      0         
    up time      0          0          0          0         
    RPC services      0          0          0          0         
    TCP conn     97196877   0          4327486    1514      
    UDP conn     386494404  0          9650250    9092      
    ARP tbl      45801      0          4968       0         
    Xlate_Timeout      0          0          0          0         
    VPN IKE upd     17191      0          1784       0         
    VPN IPSEC upd     26805      0          7353       0         
    VPN CTCP upd     0          0          0          0         
    VPN SDI upd     0          0          0          0         
    VPN DHCP upd     0          0          0          0         
    SIP Session     0          0          0          0         

    Logical Update Queue Information
              Cur     Max     Total
    Recv Q:     0     25     16395021
    Xmit Q:     0     111     505815152

 

Could you please send me some suggestions or share past experience with it?

 

Many regards

 

Matteo
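
The failover history in the post above can be summarized mechanically to separate role changes from service-card failures. This is an added example, not part of the original post; the function names are hypothetical and the sample is constructed in the same format as the quoted output.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the failover history quoted in the post.
SAMPLE = """\
12:59:04 CEST Mar 4 2015
Active                     Standby Ready              Other unit wants me Standby

12:59:05 CEST Mar 4 2015
Standby Ready              Failed                     Detect service card failure

12:59:11 CEST Mar 4 2015
Failed                     Standby Ready              My service card is as good as peer

12:59:11 CEST Mar 4 2015
Standby Ready              Just Active                Service card in other unit has failed

13:03:55 CEST Mar 4 2015
Standby Ready              Failed                     Detect service card failure
"""

TS = re.compile(r"^(\d{2}:\d{2}:\d{2}) \S+ (\w{3}) +(\d{1,2}) (\d{4})$")

def parse_history(text):
    """Return a list of (datetime, from_state, to_state, reason) tuples."""
    events, when = [], None
    for line in text.splitlines():
        line = line.strip()
        m = TS.match(line)
        if m:
            when = datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")
        elif line and when and not line.startswith(("From State", "=")):
            # State names contain single spaces; columns are split by 2+ spaces.
            parts = re.split(r"\s{2,}", line, maxsplit=2)
            if len(parts) == 3:
                events.append((when, *parts))
            when = None
    return events

def summarize(events):
    """Count role changes by reason and list service-card failure times."""
    role_changes = Counter(r for _, src, dst, r in events
                           if dst in ("Just Active", "Standby Ready") and src != "Failed")
    card_failures = [t for t, _, dst, r in events
                     if dst == "Failed" and "service card" in r.lower()]
    return role_changes, card_failures
```

Several entries in `card_failures` within a short window, each followed by a recovery, point at the service module flapping rather than at a link or interface problem.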

 

18 Replies

Matteo,

Upgrading the ASA is the same process with or without the SSM installed. Most of the types of bugs you are seeing are related to the base ASA software, not the IPS version.

Of course once you get the ASA updated it would not hurt to also have the IPS SSM up to the latest release. You have 7.1(8)E4 from October 2013 and there is a version 7.1(9)E4 from October 2014 available for that platform.

IPS download

IPS Release notes

Hi Marvin,

Thanks once again for your support.

OK, I can think about upgrading the ASA...

Regarding the IPS, I can't with the software release you suggested,
because the ASA5520 doesn't support this version.

You have an ASA 5520 with the IPS on an SSM-10. The release notes list:

"ASA 5500 AIP SSM-10".

5500 means 5500 series - 5510, 5520 etc.

Ah yes, sorry, you are right.

 

Regards
