
Facing problem on ASA while using 'write standby' command

Dulal Ray
Level 1

Hi All,

We are running ASA version 8.2(2), using the ASA in an Active-Standby setup. We observed that when the 'write standby' command is issued on the active ASA, the standby ASA's network traffic interfaces flap (line protocol flap messages are seen in syslog). We also observed the error message 'configuration mismatch' in the output of the 'show failover history' command.

Please let us know if someone is facing the same problem and what could be done to fix this behaviour.

Kindly let me know if any additional information is required to get further clarity on the issue.

Regards,

Dulal


Hi,

Can you paste the output of the below commands on both the firewalls (active and standby)?

#sh run | i failover

#sh failover status

Regards

Karuppu

Hi, please find the output below from the Primary and Secondary ASA:
Primary :
my asa# sh run | i failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover polltime unit 2 holdtime 10
failover key *****
failover replication http
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
my asa# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         Ifc Failure              08:29:18 IST Mar 14 2010
                              Inside: No Link
                              Outside: No Link
Other host -   Secondary
               Standby Ready  Ifc Failure              08:55:05 IST Mar 14 2010
                              Outside: Failed
====Configuration State===
        Sync Done
====Communication State===
        Mac set
my asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 2 seconds, holdtime 10 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 08:29:55 IST Mar 14 2010
        This host: Primary - Active
                Active time: 288553 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Inside (172.27.x.x): Normal
                  Interface Outside (Public IP): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
                  IPS, 7.0(1)E3, Up
        Other host: Secondary - Standby Ready
                Active time: 3023217 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Inside (172.27.Y.Y): Normal
                  Interface Outside (Public IP): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
                  IPS, 7.0(1)E3, Up
Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         18725075   0          105012041  948
        sys cmd         441120     0          441119     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        17239120   0          91778590   882
        UDP conn        1016118    0          12501049   44
        ARP tbl         28712      0          291115     22
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKE upd     2          0          85         0
        VPN IPSEC upd   3          0          83         0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       23      108087306
        Xmit Q:         0       1024    19028635
Secondary :
my asa# show run | i failover
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover polltime unit 2 holdtime 10
failover key *****
failover replication http
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
my asa# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  Ifc Failure              08:55:05 IST Mar 14 2010
Other host -   Primary
               Active         Ifc Failure              08:29:18 IST Mar 14 2010
====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set
my asa# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 2 seconds, holdtime 10 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 08:29:55 IST Mar 14 2010
        This host: Secondary - Standby Ready
                Active time: 3023217 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Inside (172.27.Y.Y): Normal
                  Interface Outside (Public IP): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
                  IPS, 7.0(1)E3, Up
        Other host: Primary - Active
                Active time: 288581 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Inside (172.27.x.x): Normal
                  Interface Outside (Public IP): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(1)E3) status (Up/Up)
                  IPS, 7.0(1)E3, Up
Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         227423807  0          8723022    1953
        sys cmd         441064     0          441064     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        210849538  0          7357750    1877
        UDP conn        15841895   0          895477     69
        ARP tbl         291101     0          28727      7
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKE upd     85         0          2          0
        VPN IPSEC upd   124        0          2          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       17      9023484
        Xmit Q:         0       1024    230497438

Hi Karuppu,

Please find the requested output below:

Primary

Hostname# sh run | i failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover polltime unit 2 holdtime 10
failover key *****
failover replication http
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

Secondary

Hostname# sh run | i failover
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover polltime unit 2 holdtime 10
failover key *****
failover replication http
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

sh failover status isn't supported, so I captured sh failover state.

Primary

Hostname# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         Ifc Failure              16:52:23 IST May 23 2010
                              Inside: No Link
Other host -   Secondary
               Standby Ready  Ifc Failure              10:21:04 IST Jun 21 2010
                              Inside: Failed
====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

Secondary

Hostname#  sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  Ifc Failure              10:21:04 IST Jun 21 2010
Other host -   Primary
               Active         Ifc Failure              16:52:23 IST May 23 2010
====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

Let me know if you require more inputs.

Prakash

Hi Dulal,

As per your problem description:

We are running on ASA version 8.2(2) using ASA in Active-Standby setup. As observed if issued 'write standby' command on active ASA the standby ASA network traffic interfaces are flapping (as observed in syslog messages the line protocol flap messages).

As per my understanding, this is expected, because when you issue the 'write standby' command, all the configuration from the standby ASA is removed and added again from the active unit, which will result in loss of connectivity to the standby ASA.

Your second question:

Also observed error message 'configuration mismatch' in output of 'show failover history' command.

This is only possible if you have made any config. change on the standby unit by mistake.

Regards

Harsh

Hello Harsh,

Thanks for your response.

The software (IOS) currently running on both of the devices was recently changed (i.e. four months back, when this issue was noted). Prior to that, with the 8.1 series, there were no interface fluctuations during execution of wr standby on the primary... so it makes us wonder how this behaviour suddenly changed.

For point 2, we have erased the config on the secondary unit and rebuilt the pair again (i.e. sync), but it remains the same; the config was verified end to end on both units, but there were no specific findings.

Let me know if you require more inputs.

Hi Prakash,

Did you find the problem?

Can you please share how you resolved this issue?

Thanks

Harsh

Hello Harsh,

The problem is still there; however, it is not impacting traffic flow, as the fluctuations are happening on the standby firewall.

However, the understanding is that during wr standby the firewall reapplies the config on the standby mate, and due to replication of the new config its interfaces are fluctuating ..... you can assume how your production router/switch behaves while applying the command copy start run.

Thanks

Prakash    

Hi,

I believe at one time your standby unit became primary. I believe this can be resolved by restarting the secondary. There won't be any impact on live traffic, and you can test at any time.

Magnus Mortensen
Cisco Employee

This is 100% expected. Issuing 'write standby' flushes the entire config on the standby and re-replicates. This causes the interfaces to flap and the failover history message to be seen.

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117906-qanda-asa-00.html

 

Basically stop running 'write standby'

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115999-write-standby-command-qanda-00.html
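
A log-triage sketch for the behaviour described in this thread, added here as an example and not taken from any poster or from Cisco: it separates interface flaps that follow a 'write standby' within a time window from flaps with no such trigger, which are the ones worth investigating. The IDs 111008, 411001 and 411002 are ASA syslog message IDs; the line layout, hostnames, 60-second window and sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the thread); hosts and times are made up.
SAMPLE = """\
Jun 21 2010 10:20:58 asa-pri : %ASA-5-111008: User 'enable_15' executed the 'write standby' command.
Jun 21 2010 10:21:02 asa-sec : %ASA-4-411002: Line protocol on Interface Inside, changed state to down
Jun 21 2010 10:21:04 asa-sec : %ASA-4-411002: Line protocol on Interface Outside, changed state to down
Jun 21 2010 10:21:09 asa-sec : %ASA-4-411001: Line protocol on Interface Inside, changed state to up
Jun 21 2010 10:21:10 asa-sec : %ASA-4-411001: Line protocol on Interface Outside, changed state to up
Jun 21 2010 14:03:41 asa-sec : %ASA-4-411002: Line protocol on Interface Inside, changed state to down
"""

# Assumed collector layout: "<Mon DD YYYY HH:MM:SS> <host> : %ASA-<sev>-<id>: <text>"
LINE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (\S+) : %ASA-\d-(\d{6}): (.*)$")
FLAP = re.compile(r"Line protocol on interface (\S+?),? changed state to (up|down)", re.I)

def classify_flaps(log_text, window_s=60):
    """Split line-protocol events into (expected, unexplained) lists.

    A flap is 'expected' when a 'write standby' was logged at most
    window_s seconds before it; each record is (time, host, interface, state).
    """
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    # Times at which a config re-replication was triggered by an operator.
    syncs = [ts for ts, _, mid, msg in events
             if mid == "111008" and "write standby" in msg]
    window = timedelta(seconds=window_s)
    expected, unexplained = [], []
    for ts, host, mid, msg in events:
        flap = FLAP.search(msg)
        if mid not in ("411001", "411002") or not flap:
            continue
        rec = (ts, host, flap.group(1), flap.group(2).lower())
        near = any(timedelta(0) <= ts - s <= window for s in syncs)
        (expected if near else unexplained).append(rec)
    return expected, unexplained
```
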
