09-08-2016 09:06 AM - edited 03-12-2019 01:15 AM
Hi Friends,
In my ASA 8.4(7)30 HA setup, I see the standby as failed when I run show failover on the Primary FW (Active), as given below.
Primary - Active FW
# show failover
This host: Primary - Active
Other host: Secondary - Failed
Secondary - Standby FW
# show failover
This host: Secondary - Standby Ready
Other host: Primary - Active
I have executed the debugs below on the standby FW and got a few logs.
debug fover verify
debug fover fail
debug fover sync
ASA failover HA TRANS: received out of sequence message
fover_ip: HA TRANS: received out of sequence message, seq - ba4514b, expect - ba45144
fover_ip: HA TRANS: send aggressive ACK
fover_ip: HA TRANS: received out of sequence message, seq - ba45147, expect - ba45144
fover_ip: HA TRANS: send aggressive ACK
fover_ip: HA TRANS: received out of sequence message, seq - ba45150, expect - ba45144
fover_ip: HA TRANS: send aggressive ACK
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_CTL_COMM, my state Standby Ready, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=1,my=Standby Ready,peer=Active.
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is up.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_PEER_CTL_COMM, my state Standby Ready, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=411,op=52,my=Standby Ready,peer=Active.
%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_CLIENT_NEGOTIATED_VERSION, my state Standby Ready, peer state Active.
%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=0,my=Standby Ready,peer=Active.
%ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
These messages flood the show logging output.
Can someone assist me?
09-08-2016 01:09 PM
Hello,
Could you kindly check the status of the interface that works as the failover link, and attach a show failover and show failover state?
09-09-2016 04:02 AM
09-12-2016 04:44 AM
09-12-2016 04:59 AM
Please check first whether you are able to ping each other's Management interface IP. If not, then check the cable connectivity between the two. If you still see the issue, you can reboot the standby unit, but make sure you do this in non-production hours because there is a risk of both units becoming Active at the same time.
09-12-2016 06:09 AM
Hi,
When rebooting a standby unit, I disconnect all interface cables and connect only the failover interface cable.
Then I wait for failover to negotiate active and passive, and then connect all the other cables again.
In this case there is no risk that both units become active.
Regards Marco
09-12-2016 06:15 AM
OK Marco. Looking at the debug logs and show failover outputs of both FWs, I seriously suspect the issue is with the standby FW only, so I will go ahead and remove all the cables except Mgmt0/0, reboot the standby FW, and then connect the cables one by one.
09-12-2016 06:34 AM
Yes, you can do so ;-)
Make sure that active / passive negotiation is already done.