Solved: Failover ASA LU allocate xlate failed

sistemaspcsnet · ‎10-11-2011

Hello , we have two ASA 5520, on the failover unit is showing LU allocate xlate failed. We read on http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html that it could be a memory problem , but have cheked it and we have 85% of memory free on both nodes.

We also can see all xlate on failover unit.

We have forced failover this evenig and we can´t stablish outbound connexions by outside interface, we think xlates or nat cant work properly.

varrao · ‎10-11-2011

Hi Cesar,

That could be the problem with the failover, once you have the failover working fine then chcek for those error messages. If the xlates on the active and standby unit are same, then this might be cosmetic issue.

The first priority should be troubleshooting failover, I see that interface was a monitored interface, so if that goes down then you might have issue, so if not required then remove the interface from both Primary and Secondary firewall and test your failover again. The secondary should say "standby ready" in the show failover output

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

varrao · ‎10-11-2011

What is the software version that you are running? Can you paste an ooutput of teh following from both the firewalls:

show failover

show run failover

show failover history

show xlate

Varun

Thanks,
Varun Rao

sistemaspcsnet · ‎10-11-2011

ACTIVE

--------------

ASAPCS01# sh ver

Cisco Adaptive Security Appliance Software Version 8.3(2)

Device Manager Version 6.3(4)

Compiled on Fri 30-Jul-10 17:49 by builders

System image file is "disk0:/asa832-k8.bin"

Config file at boot was "startup-config"

ASAPCS01 up 2 hours 54 mins

failover cluster up 2 hours 59 mins

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

ASAPCS01# show failover

Failover On

Failover unit Primary

Failover LAN Interface: FAILOVER GigabitEthernet1/3 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 10 of 160 maximum

failover replication http

Version: Ours 8.3(2), Mate 8.3(2)

Last Failover at: 14:49:32 CEDT Oct 11 2011

This host: Primary - Active

Active time: 10390 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.3(2)) status (Up Sys)

Interface OUTSIDE (SMILEHERE.68): Normal

Interface INSIDE (10.10.0.1): Normal

Interface PREPRODUCCION (0.0.0.0): Normal (Not-Monitored)

Interface INFOPORT (10.251.0.1): Normal

Interface APV (10.157.0.1): Normal

Interface management (10.50.0.208): Normal

Interface LSP (10.6.0.1): Normal

Interface VLANS (0.0.0.0): Normal (Waiting)

Interface TEST (10.5.0.1): Normal

Interface pruebas-apv (10.180.0.1/fe80::5675:d0ff:fe50:90f7): Normal (Not-Monitored)

Interface DNSAD (10.160.0.1/fe80::5675:d0ff:fe50:90f7): Normal (Waiting)

Interface ipv6-inside (10.175.25.1/fe80::5675:d0ff:fe50:90f7): Normal (Not-Monitored)

Interface Ipv6 (10.176.25.1/fe80::5675:d0ff:fe50:90f8): Normal (Waiting)

slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

Other host: Secondary - Failed

Active time: 0 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.3(2)) status (Up Sys)

Interface OUTSIDE (SMILEHERE.69): Normal

Interface INSIDE (10.10.0.2): Normal

Interface PREPRODUCCION (0.0.0.0): Normal (Not-Monitored)

Interface INFOPORT (10.251.0.2): Normal

Interface APV (10.157.0.2): Normal

Interface management (10.50.0.209): Normal

Interface LSP (10.6.0.2): Normal

Interface VLANS (0.0.0.0): Normal (Waiting)

Interface TEST (10.5.0.2): Normal

Interface pruebas-apv (0.0.0.0/fe80::5675:d0ff:fe28:43b5): Normal (Not-Monitored)

Interface DNSAD (10.160.0.2/fe80::5675:d0ff:fe28:43b5): Normal

Interface ipv6-inside (0.0.0.0/fe80::5675:d0ff:fe28:43b5): Normal (Not-Monitored)

Interface Ipv6 (0.0.0.0/fe80::5675:d0ff:fe28:43b6): No Link (Waiting)

slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics

Link : FAILOVER GigabitEthernet1/3 (up)

Stateful Obj xmit xerr rcv rerr

General 1021196 0 1345 0

sys cmd 1345 0 1345 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 982782 0 0 0

UDP conn 32155 0 0 0

ARP tbl 4909 0 0 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKE upd 2 0 0 0

VPN IPSEC upd 3 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 17 1345

Xmit Q: 0 1469 1032925

ASAPCS01# failover

ERROR: % Incomplete command

ASAPCS01# show failover history

==========================================================================

From State To State Reason

==========================================================================

14:48:47 CEDT Oct 11 2011

Not Detected Negotiation No Error

14:49:32 CEDT Oct 11 2011

Negotiation Just Active No Active unit found

14:49:32 CEDT Oct 11 2011

Just Active Active Drain No Active unit found

14:49:32 CEDT Oct 11 2011

Active Drain Active Applying Config No Active unit found

14:49:32 CEDT Oct 11 2011

Active Applying Config Active Config Applied No Active unit found

14:49:32 CEDT Oct 11 2011

Active Config Applied Active No Active unit found

==========================================================================

ASAPCS01# show xlate

62 in use, 108 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from INSIDE:10.10.0.0/24 to OUTSIDE:10.10.0.0/24

flags sI idle 2:54:01 timeout 0:00:00

NAT from INSIDE:10.10.0.0/24, 10.30.0.0/24, 10.50.0.0/24,

10.70.0.0/24 to OUTSIDE:10.10.0.0/24, 10.30.0.0/24,

10.50.0.0/24, 10.70.0.0/24

flags sI idle 2:54:01 timeout 0:00:00

NAT from INSIDE:10.30.0.80 to OUTSIDE:10.30.0.80

flags sI idle 2:54:01 timeout 0:00:00

NAT from INSIDE:10.10.0.208, 10.10.0.209, 10.10.0.176,

10.10.0.177 to OUTSIDE:10.10.0.208, 10.10.0.209,

10.10.0.176, 10.10.0.177

flags sI idle 0:12:21 timeout 0:00:00

NAT from INSIDE:10.50.0.80 to OUTSIDE:10.50.0.80

flags sI idle 2:54:01 timeout 0:00:00

NAT from INSIDE:10.10.0.189 to OUTSIDE:10.10.0.189

flags sI idle 2:54:01 timeout 0:00:00

NAT from INSIDE:10.10.0.209, 10.10.0.208 to OUTSIDE:10.10.0.209,

10.10.0.208

flags sI idle 2:54:01 timeout 0:00:00

NAT from INSIDE:10.70.0.210 to OUTSIDE:10.70.0.210

flags sI idle 2:54:01 timeout 0:00:00

NAT from TEST:10.5.0.10 to OUTSIDE:SMILEHERE.101

flags s idle 0:00:59 timeout 0:00:00

NAT from INSIDE:10.10.0.13 to OUTSIDE:SMILEHERE.100

flags s idle 0:00:29 timeout 0:00:00

NAT from INSIDE:10.10.0.14 to OUTSIDE:SMILEHERE.102

flags s idle 0:00:13 timeout 0:00:00

NAT from INSIDE:10.10.0.20 to OUTSIDE:SMILEHERE.20

flags s idle 0:00:02 timeout 0:00:00

NAT from INSIDE:10.10.0.40 to OUTSIDE:SMILEHERE.10

flags s idle 0:00:00 timeout 0:00:00

NAT from INSIDE:10.10.0.82 to OUTSIDE:SMILEHERE.11

flags s idle 0:00:00 timeout 0:00:00

NAT from INSIDE:10.10.0.83 to OUTSIDE:SMILEHERE.103

flags s idle 0:00:20 timeout 0:00:00

NAT from INSIDE:10.10.0.84 to OUTSIDE:SMILEHERE.30

flags s idle 1:22:56 timeout 0:00:00

NAT from INSIDE:10.10.0.240 to OUTSIDE:SMILEHERE.185

flags s idle 0:17:13 timeout 0:00:00

NAT from INSIDE:10.10.0.241 to OUTSIDE:SMILEHERE.186

flags s idle 0:01:24 timeout 0:00:00

NAT from INSIDE:10.10.0.242 to OUTSIDE:SMILEHERE.199

flags s idle 2:54:03 timeout 0:00:00

NAT from INSIDE:10.30.0.50 to OUTSIDE:SMILEHERE.87

flags s idle 0:01:46 timeout 0:00:00

NAT from INSIDE:10.30.0.51 to OUTSIDE:SMILEHERE.88

flags s idle 2:54:00 timeout 0:00:00

NAT from INSIDE:10.50.0.81 to OUTSIDE:SMILEHERE.71

flags s idle 0:00:00 timeout 0:00:00

UDP PAT from DNSAD:10.160.0.10/62491 to OUTSIDE:SMILEHERE.92/48662 flags ri idle 0:00:17 timeout 0:00:30

UDP PAT from DNSAD:10.160.0.10/62715 to OUTSIDE:SMILEHERE.92/29672 flags ri idle 0:00:17 timeout 0:00:30

UDP PAT from INSIDE:10.10.0.105/123 to OUTSIDE:SMILEHERE.36/264 flags ri idle 0:02:24 timeout 0:00:30

TCP PAT from INSIDE:10.30.0.202/57904 to OUTSIDE:SMILEHERE.180/1551 flags ri idle 0:00:29 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.30/4408 to OUTSIDE:SMILEHERE.79/15917 flags ri idle 0:00:24 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.30/4407 to OUTSIDE:SMILEHERE.79/12869 flags ri idle 0:00:25 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.30/4406 to OUTSIDE:SMILEHERE.79/29023 flags ri idle 0:00:25 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61419 to OUTSIDE:SMILEHERE.79/28856 flags ri idle 0:00:00 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61418 to OUTSIDE:SMILEHERE.79/41175 flags ri idle 0:00:01 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61417 to OUTSIDE:SMILEHERE.79/51243 flags ri idle 0:00:11 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61416 to OUTSIDE:SMILEHERE.79/51939 flags ri idle 0:00:22 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61404 to OUTSIDE:SMILEHERE.79/3181 flags ri idle 0:00:36 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61392 to OUTSIDE:SMILEHERE.79/41213 flags ri idle 0:01:11 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61380 to OUTSIDE:SMILEHERE.79/10518 flags ri idle 0:01:44 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61361 to OUTSIDE:SMILEHERE.79/5127 flags ri idle 0:02:20 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61336 to OUTSIDE:SMILEHERE.79/17141 flags ri idle 0:03:00 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61323 to OUTSIDE:SMILEHERE.79/9354 flags ri idle 0:03:32 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61308 to OUTSIDE:SMILEHERE.79/22258 flags ri idle 0:04:05 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61294 to OUTSIDE:SMILEHERE.79/49876 flags ri idle 0:04:38 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61278 to OUTSIDE:SMILEHERE.79/18112 flags ri idle 0:05:08 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61272 to OUTSIDE:SMILEHERE.79/13646 flags ri idle 0:05:11 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61265 to OUTSIDE:SMILEHERE.79/16499 flags ri idle 0:05:16 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61257 to OUTSIDE:SMILEHERE.79/29316 flags ri idle 0:05:22 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61250 to OUTSIDE:SMILEHERE.79/60549 flags ri idle 0:05:44 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61235 to OUTSIDE:SMILEHERE.79/49588 flags ri idle 0:06:18 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61209 to OUTSIDE:SMILEHERE.79/46394 flags ri idle 0:07:02 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61167 to OUTSIDE:SMILEHERE.79/17328 flags ri idle 0:07:57 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61147 to OUTSIDE:SMILEHERE.79/26194 flags ri idle 0:08:38 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61133 to OUTSIDE:SMILEHERE.79/45605 flags ri idle 0:09:11 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61123 to OUTSIDE:SMILEHERE.79/48994 flags ri idle 0:09:44 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.205/61112 to OUTSIDE:SMILEHERE.79/53508 flags ri idle 0:10:16 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.176/58563 to OUTSIDE:SMILEHERE.79/8359 flags ri idle 0:00:04 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.176/58558 to OUTSIDE:SMILEHERE.79/47587 flags ri idle 0:00:14 timeout 0:00:30

TCP PAT from INSIDE:10.10.0.176/58541 to OUTSIDE:SMILEHERE.79/48140 flags ri idle 0:00:25 timeout 0:00:30

ICMP PAT from INSIDE:10.50.0.250/1 to OUTSIDE:SMILEHERE.36/21178 flags ri idle 0:00:10 timeout 0:00:30

TCP PAT from INSIDE:10.50.0.250/28468 to OUTSIDE:SMILEHERE.36/3025 flags ri idle 0:00:36 timeout 0:00:30

TCP PAT from INSIDE:10.50.0.250/28467 to OUTSIDE:SMILEHERE.36/32056 flags ri idle 0:00:36 timeout 0:00:30

TCP PAT from INSIDE:10.50.0.250/27985 to OUTSIDE:SMILEHERE.36/8866 flags ri idle 0:04:53 timeout 0:00:30

TCP PAT from INSIDE:10.50.0.250/27449 to OUTSIDE:SMILEHERE.36/37554 flags ri idle 0:09:51 timeout 0:00:30

--------

PASIVE

-----------

ASAPCS01# sh ver

Cisco Adaptive Security Appliance Software Version 8.3(2)

Device Manager Version 6.3(4)

Compiled on Fri 30-Jul-10 17:49 by builders

System image file is "disk0:/asa832-k8.bin"

Config file at boot was "startup-config"

show failover

Failover On

Failover unit Secondary

Failover LAN Interface: FAILOVER GigabitEthernet1/3 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 10 of 160 maximum

failover replication http

Version: Ours 8.3(2), Mate 8.3(2)

Last Failover at: 07:48:37 CEDT Oct 11 2011

This host: Secondary - Failed

Active time: 0 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.3(2)) status (Up Sys)

Interface OUTSIDE (SMILEHERE.69): Normal

Interface INSIDE (10.10.0.2): Normal

Interface PREPRODUCCION (0.0.0.0): Normal (Not-Monitored)

Interface INFOPORT (10.251.0.2): Normal

Interface APV (10.157.0.2): Normal

Interface management (10.50.0.209): Normal

Interface LSP (10.6.0.2): Normal

Interface VLANS (0.0.0.0): Normal (Waiting)

Interface TEST (10.5.0.2): Normal

Interface pruebas-apv (0.0.0.0/fe80::5675:d0ff:fe28:43b5): Normal (Not-Monitored)

Interface DNSAD (10.160.0.2/fe80::5675:d0ff:fe28:43b5): Normal

Interface ipv6-inside (0.0.0.0/fe80::5675:d0ff:fe28:43b5): Normal (Not-Monitored)

Interface Ipv6 (0.0.0.0/fe80::5675:d0ff:fe28:43b6): No Link (Waiting)

slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

Other host: Primary - Active

Active time: 10577 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.3(2)) status (Up Sys)

Interface OUTSIDE (SMILEHERE.68): Normal

Interface INSIDE (10.10.0.1): Normal

Interface PREPRODUCCION (0.0.0.0): Normal (Not-Monitored)

Interface INFOPORT (10.251.0.1): Normal

Interface APV (10.157.0.1): Normal

Interface management (10.50.0.208): Normal

Interface LSP (10.6.0.1): Normal

Interface VLANS (0.0.0.0): Normal (Waiting)

Interface TEST (10.5.0.1): Normal

Interface pruebas-apv (10.180.0.1/fe80::5675:d0ff:fe50:90f7): Normal (Not-Monitored)

Interface DNSAD (10.160.0.1/fe80::5675:d0ff:fe50:90f7): Normal (Waiting)

Interface ipv6-inside (10.175.25.1/fe80::5675:d0ff:fe50:90f7): Normal (Not-Monitored)

Interface Ipv6 (10.176.25.1/fe80::5675:d0ff:fe50:90f8): Normal (Waiting)

slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics

Link : FAILOVER GigabitEthernet1/3 (up)

Stateful Obj xmit xerr rcv rerr

General 1370 0 870655 52622

sys cmd 1370 0 1370 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 0 0 836737 52620

UDP conn 0 0 27528 2

ARP tbl 0 0 5016 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKE upd 0 0 2 0

VPN IPSEC upd 0 0 2 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 27 882572

Xmit Q: 0 1 1370

ASAPCS01# failover

ERROR: % Incomplete command

ASAPCS01# show failover history

==========================================================================

From State To State Reason

==========================================================================

07:49:03 CEDT Oct 11 2011

Not Detected Negotiation No Error

07:49:08 CEDT Oct 11 2011

Negotiation Cold Standby Detected an Active mate

07:49:10 CEDT Oct 11 2011

Cold Standby Sync Config Detected an Active mate

07:49:35 CEDT Oct 11 2011

Sync Config Sync File System Detected an Active mate

07:49:35 CEDT Oct 11 2011

Sync File System Bulk Sync Detected an Active mate

07:49:49 CEDT Oct 11 2011

Bulk Sync Standby Ready Detected an Active mate

07:49:58 CEDT Oct 11 2011

Standby Ready Failed Interface check

07:50:03 CEDT Oct 11 2011

Failed Standby Ready Interface check

07:50:13 CEDT Oct 11 2011

Standby Ready Failed Interface check

08:02:41 CEDT Oct 11 2011

Failed Standby Ready Interface check

08:02:51 CEDT Oct 11 2011

Standby Ready Failed Interface check

08:05:03 CEDT Oct 11 2011

Failed Standby Ready Interface check

08:05:13 CEDT Oct 11 2011

Standby Ready Failed Interface check

==========================================================================

ASAPCS01# sh xlate

65 in use, 103 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from INSIDE:10.10.0.0/24 to OUTSIDE:10.10.0.0/24