Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
537
Views
0
Helpful
3
Replies

Debugging interface status on failover pairs

Adrian Jones
Level 1
Level 1

‎09-28-2016 08:01 AM - edited ‎03-12-2019 01:20 AM

Hi,

We have a pair of 5585x's configured as an active/active failover pair. They are in multi-context mode with two groups.

Following issues recently we are seeing contexts with similar logging as this:

%PIX-1-105005: (Primary) Lost Failover communications with mate on interface inside
%PIX-1-105008: (Primary) Testing Interface inside
%PIX-1-105009: (Primary) Testing on interface inside Passed

We can ping across the failover and stateful failover connections on the System context without dropout. We have no errors on the interfaces but we still see this failover communications error occurring.

When debugging the failover on a context we can see the failover health traffic generated for all monitored interfaces (using debug fover txip) but on the failover mate context we do not see the traffic (using "debug fover rxip"). If we check the system context we see all the health traffic received for the failover mate.

The interfaces are directly connected with the "sh route" command giving expected result and a trace using icmp reaches the mate IP in a straight swap. Looking at the failover on System and Firewall context using "sh fail" gives the expected result with interfaces monitored and normal. We do not have routes on the system context.

There is no issue with failover - this is working fine but the monitored interface logging we are seeing is problematic as it indicates if an interface fails it will not fail over (on if whol unit fails).

Any ideas would be appreciated.

Regards

Adrian

Labels:
0 Helpful
3 Replies 3

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎09-28-2016 09:58 AM

Hi Adrian,

It seems more an issue on the connecting switch ( if it is used).

What are the logs you see on the switch ? Any interface flaps or logs on the switch ?

Also on the ASA with this flaps can you capture asp drops ?

Just use the command cap asp type asp-drop all and monitor it for few minutes and share the logs.

Also you can take captures on the inside interface and see if ip protocol 105 traffic is passing bi-directionally or not ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Adrian Jones
Level 1
Level 1
In response to Aditya Ganjoo

‎09-29-2016 12:00 AM

Hi Aditya,

    Thanks for the response. All context VLANs concerned are port-channelled down to a Layer 2 Nexus 5K pair. The failover and Stateful connections take a different route to a layer 2 switch stack and these show no errors. Logs do not show flapping on the nexus and stack.

I'll monitor the ASA to see what capturing ASA drops produces and post results. Same with ip protocol 105.

Regards

Adrian

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Adrian Jones

‎09-29-2016 12:42 AM

Hi Adrian,

Thanks for the update.  Keep me posted.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card