
HA Configuration Issue

eworthington1
Level 1

Hi All,

I have an issue when attempting to pair 2 x ASAs in an Active/Standby pair. All checks pass using ASDM except the "Hardware module compatibility test for platform failed".

Could you tell me why I am getting this from these sh ver?

Firewall 1:

Cisco Adaptive Security Appliance Software Version 9.1(2)

Device Manager Version 7.1(2)

Compiled on Thu 09-May-13 15:37 by builders

System image file is "disk0:/asa912-k8.bin"

Config file at boot was "startup-config"

welon01asa0102 up 1 hour 29 mins

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)

                             Boot microcode        : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05

                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08

                             Number of accelerators: 1

0: Ext: GigabitEthernet0/0  : address is 0027.0d48.1b94, irq 9

1: Ext: GigabitEthernet0/1  : address is 0027.0d48.1b95, irq 9

2: Ext: GigabitEthernet0/2  : address is 0027.0d48.1b96, irq 9

3: Ext: GigabitEthernet0/3  : address is 0027.0d48.1b97, irq 9

4: Ext: Management0/0       : address is 0027.0d48.1b93, irq 11

5: Int: Not used            : irq 11

6: Int: Not used            : irq 5

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 150            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 2              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 750            perpetual

Total VPN Peers                   : 750            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

Cluster                           : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Firewall 2:

Cisco Adaptive Security Appliance Software Version 9.1(2)

Device Manager Version 7.1(2)

Compiled on Thu 09-May-13 15:37 by builders

System image file is "disk0:/asa912-k8.bin"

Config file at boot was "startup-config"

welon01asa0101 up 1 hour 30 mins

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)

                             Boot microcode        : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05

                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08

                             Number of accelerators: 1

0: Ext: GigabitEthernet0/0  : address is 001b.d5e8.f260, irq 9

1: Ext: GigabitEthernet0/1  : address is 001b.d5e8.f261, irq 9

2: Ext: GigabitEthernet0/2  : address is 001b.d5e8.f262, irq 9

3: Ext: GigabitEthernet0/3  : address is 001b.d5e8.f263, irq 9

4: Ext: Management0/0       : address is 001b.d5e8.f264, irq 11

5: Int: Not used            : irq 11

6: Int: Not used            : irq 5

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 150            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 2              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 750            perpetual

Total VPN Peers                   : 750            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

Cluster                           : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Many Thanks,

Eddie


Oscar Castillo
Level 1

Hi,

I have been having many issues with 9.1(x) lately. I upgraded mine (I have 2) and it seems that it still has bugs. I tried to NAT a telnet host and an FTP server and it didn't work; that was via CLI. When I tried with ASDM, it worked. At the time of saving the configuration with the ASDM, I grabbed the logs and they were totally the same as CLI, but for some reason it didn't work with the CLI.

sokakkar
Cisco Employee

Hi Eddie,

Sounds like you have some SSM module on one of the ASA's. Can you paste 'show module 1 detail' from both ASA's?

-

Regards,

Sourav Kakkar

Hi Sourav,

Both modules report the same from sh module 1 detail:

Card type:

Model:

Hardware version:

Serial Number:

Firmware version:

Software version:

MAC Address range:      none

Data Plane Status:         Not Applicable

Status:                         Not Present Not powered on completely.

I've also opened them up and neither have a module.

Regards,

Eddie

Could it be that these lines are different:

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

BIOS Flash M50FW080 @ 0xfff00000, 1024KB

What does this mean and how do I upgrade the second one so they match?

Regards,

Eddie

Hi Eddie,

The BIOS Flash size is not used/compared between mates when determining whether two devices can form a failover pair.

So, that is not the problem. H/w requirements for failover:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1132197

This smells like a bug in ASDM, if you want the exact bug, you can open a TAC case. Otherwise, just configure failover using CLI:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

HTH.

-

Regards,

Sourav Kakkar
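
An added illustration, not part of the original thread and not Cisco tooling: a short Python script that parses two `show version` outputs and separates differences in fields that are expected to match between failover mates from the BIOS Flash difference the answer above says is not compared. The choice of compared fields (model, RAM, interface set, software version) is an assumption of this example; the sample text is abridged from the outputs posted in the thread, and `FW3` is a constructed counter-example.

```python
import re

# Abridged from the first "show version" output posted in the thread.
FW1 = """\
Cisco Adaptive Security Appliance Software Version 9.1(2)
Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
0: Ext: GigabitEthernet0/0  : address is 0027.0d48.1b94, irq 9
1: Ext: GigabitEthernet0/1  : address is 0027.0d48.1b95, irq 9
4: Ext: Management0/0       : address is 0027.0d48.1b93, irq 11
"""
# Second unit: same text with the BIOS Flash line the thread reports for it
# (MAC addresses are not parsed, so they are left unchanged here).
FW2 = FW1.replace("M50FW016", "M50FW080").replace("2048KB", "1024KB")
# Constructed counter-example: a unit with less RAM.
FW3 = FW1.replace("2048 MB RAM", "1024 MB RAM")

# Assumption of this example: these fields must match between mates.
COMPARED = ("model", "ram_mb", "interfaces", "version")
# Per the answer in the thread, BIOS Flash is not compared; report it separately.
INFORMATIONAL = ("bios_flash",)

def parse(text):
    """Extract the pairing-relevant facts from one 'show version' output."""
    facts = {"interfaces": []}
    for line in text.splitlines():
        if m := re.search(r"Software Version (\S+)", line):
            facts["version"] = m.group(1)
        elif m := re.match(r"Hardware:\s+(\S+), (\d+) MB RAM", line):
            facts["model"], facts["ram_mb"] = m.group(1), int(m.group(2))
        elif m := re.match(r"BIOS Flash (\S+) @ \S+ (\d+)KB", line):
            facts["bios_flash"] = (m.group(1), int(m.group(2)))
        elif m := re.match(r"\d+: Ext: (\S+)", line):
            facts["interfaces"].append(m.group(1))
    return facts

def failover_diff(a, b):
    """Return (blocking, informational) dicts of field -> (value_a, value_b)."""
    fa, fb = parse(a), parse(b)
    def differing(keys):
        return {k: (fa.get(k), fb.get(k)) for k in keys if fa.get(k) != fb.get(k)}
    return differing(COMPARED), differing(INFORMATIONAL)

if __name__ == "__main__":
    for name, peer in (("FW2", FW2), ("FW3", FW3)):
        blocking, info = failover_diff(FW1, peer)
        print(name, "blocking:", blocking, "informational:", info)
```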

You were correct. Thanks very much.

When I did it from the CLI it worked first time.

Interesting....

Awesome! Glad I could help!

If you're not opening a TAC case, keep looking at Cisco.com for any new versions of ASDM, hopefully those will have the fix.

Although I don't think you really need it now as failover is already configured ;-)
