Facing problem on ASA while using 'write standby' command

Dulal Ray · ‎03-15-2010

Hi All,

We are running on ASA version 8.2(2) using ASA in Active-Standby setup. As observed if issued 'write standby' command on active ASA the standby ASA network traffic interfaces are flapping (as observed in syslog messages the line protocol flap messages). Also observed error message 'configuration mismatch' in output of 'show failover history' command.

Please help us to know if some one is facing the same problem and what could be done to fix this behaviour.

Kindly let me know if any additional information is required to get further clarity on issue.

Regards,

Dulal

KARUPPUCHAMY MALAIYANDI · ‎03-15-2010

Hi,

Can you paste the output of the below commands on both the firewalls(active and standby)

#sh run | i failover

#sh failover status

Regards

Karuppu

Prakash Chauhan · ‎03-16-2010

Hi Pl find the o/p below from Primary & Secondary ASA :

Primary :

my asa# sh run | i failover

failover

failover lan unit primary

failover lan interface failover GigabitEthernet0/3

failover polltime unit 2 holdtime 10

failover key *****

failover replication http

failover link failover GigabitEthernet0/3

failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

my asa# show failover state

State Last Failure Reason Date/Time

This host - Primary

Active Ifc Failure 08:29:18 IST Mar 14 2010

Inside: No Link

Outside: No Link

Other host - Secondary

Standby Ready Ifc Failure 08:55:05 IST Mar 14 2010

Outside: Failed

====Configuration State===

Sync Done

====Communication State===

Mac set

my asa# sh failover

Failover On

Failover unit Primary

Failover LAN Interface: failover GigabitEthernet0/3 (up)

Unit Poll frequency 2 seconds, holdtime 10 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 160 maximum

failover replication http

Version: Ours 8.2(2), Mate 8.2(2)

Last Failover at: 08:29:55 IST Mar 14 2010

This host: Primary - Active

Active time: 288553 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)

Interface Inside (172.27.x.x): Normal

Interface Outside (Public IP): Normal

slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)

IPS, 7.0(1)E3, Up

Other host: Secondary - Standby Ready

Active time: 3023217 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)

Interface Inside (172.27.Y.Y): Normal

Interface Outside (Public IP): Normal

slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)

IPS, 7.0(1)E3, Up

Stateful Failover Logical Update Statistics

Link : failover GigabitEthernet0/3 (up)

Stateful Obj xmit xerr rcv rerr

General 18725075 0 105012041 948

sys cmd 441120 0 441119 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 17239120 0 91778590 882

UDP conn 1016118 0 12501049 44

ARP tbl 28712 0 291115 22

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKE upd 2 0 85 0

VPN IPSEC upd 3 0 83 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 23 108087306

Xmit Q: 0 1024 19028635

Secondary :

my asa# show run | i failover

failover

failover lan unit secondary

failover lan interface failover GigabitEthernet0/3

failover polltime unit 2 holdtime 10

failover key *****

failover replication http

failover link failover GigabitEthernet0/3

failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

my asa# sh failover state

State Last Failure Reason Date/Time

This host - Secondary

Standby Ready Ifc Failure 08:55:05 IST Mar 14 2010

Other host - Primary

Active Ifc Failure 08:29:18 IST Mar 14 2010

====Configuration State===

Sync Done - STANDBY

====Communication State===

Mac set

my asa# show failover

Failover On

Failover unit Secondary

Failover LAN Interface: failover GigabitEthernet0/3 (up)

Unit Poll frequency 2 seconds, holdtime 10 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 160 maximum

failover replication http

Version: Ours 8.2(2), Mate 8.2(2)

Last Failover at: 08:29:55 IST Mar 14 2010

This host: Secondary - Standby Ready

Active time: 3023217 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)

Interface Inside (172.27.Y.Y): Normal

Interface Outside (Public IP): Normal

slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)

IPS, 7.0(1)E3, Up

Other host: Primary - Active

Active time: 288581 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)

Interface Inside (172.27.x.x): Normal

Interface Outside (Public IP): Normal

slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)

IPS, 7.0(1)E3, Up

Stateful Failover Logical Update Statistics

Link : failover GigabitEthernet0/3 (up)

Stateful Obj xmit xerr rcv rerr

General 227423807 0 8723022 1953

sys cmd 441064 0 441064 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 210849538 0 7357750 1877

UDP conn 15841895 0 895477 69

ARP tbl 291101 0 28727 7

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKE upd 85 0 2 0

VPN IPSEC upd 124 0 2 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 17 9023484

Xmit Q: 0 1024 230497438

Prakash Chauhan · ‎08-13-2010

Hi Karuppu,

Please find your req o/p as below :

Primary

Hostname# sh run | i failover

failover

failover lan unit primary

failover lan interface failover GigabitEthernet0/3

failover polltime unit 2 holdtime 10

failover key *****

failover replication http

failover link failover GigabitEthernet0/3

failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

Secondary

Hostname# sh run | i failover

failover

failover lan unit secondary

failover lan interface failover GigabitEthernet0/3

failover polltime unit 2 holdtime 10

failover key *****

failover replication http

failover link failover GigabitEthernet0/3

failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

sh failover status wont supported so captured sh failover state

Primary

Hostname# sh failover state

State Last Failure Reason Date/Time

This host - Primary

Active Ifc Failure 16:52:23 IST May 23 2010

Inside: No Link

Other host - Secondary

Standby Ready Ifc Failure 10:21:04 IST Jun 21 2010

Inside: Failed

====Configuration State===

Sync Done

Sync Done - STANDBY

====Communication State===

Mac set

Secondary

Hostname# sh failover state

State Last Failure Reason Date/Time

This host - Secondary

Standby Ready Ifc Failure 10:21:04 IST Jun 21 2010

Other host - Primary

Active Ifc Failure 16:52:23 IST May 23 2010

====Configuration State===

Sync Done

Sync Done - STANDBY

====Communication State===

Mac set

Let me know if req more inputs.

Prakash

harshsi · ‎09-21-2010

Hi Dulal,

As per your problem description:

We are running on ASA version 8.2(2) using ASA in Active-Standby setup. As observed if issued 'write standby' command on active ASA the standby ASA network traffic interfaces are flapping (as observed in syslog messages the line protocol flap messages).

As per my understanding this is expected because when you issue 'write standby' command all the configuration from standby asa is removed and added again from the active unit, which will result in loss of connectivity to the standby ASA.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#cmd

Your second question:

Also observed error message 'configuration mismatch' in output of 'show failover history' command.

This is only possible if you have made any config. change on the standby unit by mistake.

Regards

Harsh

Prakash Chauhan · ‎09-21-2010

Hello Harsh,

thanks for your response.

The software (IOS) which was currently running on both of the devices are recently changed (i.e. four months back when this issue noted). Prior to same which 8.1 series there was not interface flactuations during execution of wr standby on primary... so make us wonder how suddenly this behaviour changed.

for Point 2, we have erased config on secondary unit and rebuild pair again (i.e. sync) but its remains same and config was end to end verified on both units but no specific findings.

Let me know if you require more inputs.

harsh · ‎09-15-2011

Hi Prakash,

Did you find the problem?

Can you please share how you resolved this issue?

Thanks

Harsh

Prakash Chauhan · ‎09-15-2011

Hello Harsh,

Problem is still there however it is not impacting traffic flow as flactuations happening on standby f/w.

However the understanding as druing wr standby firwall again reapply config on standby mate due to replication of new config its interfaces are flactuating ..... u can assue how ur production router/switch behaves while applying command copy start run.

Thanks

Prakash

Madhan Kumar · ‎08-28-2013

Hi,

I belive one time your standby unit became as primary. I belive by restarting the secandary this can be resolved. There wont be any impact for live traffic and you can test any time.

Magnus Mortensen · ‎03-24-2015

This is 100% expected. Issuing 'write standby' flushed the entire config on the standby and re-replicates. This causes the interfaces to flap and the failover history message to be seen.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117906-qanda-asa-00.html

Basically stop running 'write standby'

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115999-write-standby-command-qanda-00.html