03-25-2013 11:20 AM - edited 03-11-2019 06:19 PM
We applied a new AnyConnect Mobile license to our primary ASA 5520 and the failover feature went into an off state.
We have now applied a second purchased AnyConnect Mobile license to our secondary ASA, but the failover is still inactive/off.
bcoh1fw50# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Disabled       Ifc Failure              14:43:21 EST Jan 30 2013
                     Inside: No Link
                     DMZ-Servers: No Link
                     DMZ-Web-Hosting: No Link
                     Outside: No Link
Other host -   Secondary
               Not Detected   Comm Failure             14:43:32 EST Jan 30 2013
====Configuration State===
====Communication State===
Here is the secondary:
kbcoh1fw50# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Disabled       Comm Failure             14:42:02 EST Jan 30 2013
Other host -   Primary
               Not Detected   Comm Failure             14:43:42 EST Jan 30 2013
====Configuration State===
====Communication State===
What is the process to restore failover to normal state?
03-25-2013 06:31 PM
A couple of questions:
In general, one enables failover globally starting with the "failover lan unit primary" command which requires several other commands to make the HA pair functional. The detailed configuration guide is here.
03-26-2013 05:28 AM
Mr. Rhoads,
The version is 8.0.4.
The reason I mentioned the AnyConnect relationship is because the off state happened after we applied the new AnyConnect license to the primary unit. The TAC people told me that we needed to put the same license on the secondary unit in order to fix it.
I have not heard back from the TAC people so I opened a discussion here.
I decided to call them back today and they are now telling me that the issue is the original license that they sent me last week for the primary unit.
03-26-2013 05:44 AM
Yes, the older version (released April 2009) that you have requires the licenses (including feature licenses such as AnyConnect Mobile) to match between the two units. Additionally, if they mistakenly issued you a license that removed a pre-existing active feature such as 3DES-AES, that would also break the failover pair.
If the TAC's delayed response is causing you to experience an extended period of degraded network availability, you can elevate your case priority to P2 in order to get the next available engineer to work with you in real time to fix it. The standard P3 case priority only requires periodic e-mail updates to meet their SLA.
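The license-matching requirement described in the reply above can be checked by comparing the licensed-features section of `show version` from both units. This is an added example, not part of the original thread; the sample text is constructed and the feature names are assumed to follow the "Licensed features for this platform" layout.

```python
import re

# Constructed sample "show version" excerpts (not output from the thread's units).
PRIMARY = """\
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Disabled
AnyConnect for Mobile        : Enabled

This platform has an ASA 5520 VPN Plus license.
"""
SECONDARY = PRIMARY.replace(
    "VPN-3DES-AES                 : Disabled", "VPN-3DES-AES                 : Enabled"
).replace(
    "AnyConnect for Mobile        : Enabled", "AnyConnect for Mobile        : Disabled"
)

_FEATURE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")


def parse_licensed_features(show_version: str) -> dict:
    """Return {feature: value} from the licensed-features section."""
    features, in_section = {}, False
    for line in show_version.splitlines():
        if line.strip().lower().startswith("licensed features for this platform"):
            in_section = True
            continue
        if not in_section:
            continue
        m = _FEATURE.match(line)
        if not m:
            if features:      # first non "name : value" line ends the section
                break
            continue
        features[m["name"].strip()] = m["value"]
    if not features:
        raise ValueError("no licensed-features section found")
    return features


def license_mismatches(primary: str, secondary: str) -> list:
    """List (feature, primary_value, secondary_value) where the units differ."""
    a, b = parse_licensed_features(primary), parse_licensed_features(secondary)
    return [(k, a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)]


if __name__ == "__main__":
    for name, pri, sec in license_mismatches(PRIMARY, SECONDARY):
        print(f"{name}: primary={pri} secondary={sec}")
```

An empty result means the two feature sets match; a feature present on only one unit is reported with `None` for the other.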