10-08-2012 10:10 AM - edited 03-11-2019 05:06 PM
Hi,
One of the interfaces on the primary fails and it switches over to the secondary; this is happening on the primary firewall at irregular intervals. The ABC interface is a sub-interface and is connected to a DMZ switch configured as a trunk. No other sub-interfaces are failing except the ABC interface, and the failover switches over to the secondary firewall. As per the Cisco documentation it is a network problem, but the DMZ switches are OK, with no errors in the sh logging. How can I troubleshoot such a problem?
: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface ABC
: %ASA-1-105008: (Primary) Testing Interface ABC
%ASA-1-105009: (Primary) Testing on interface ABC Failed
: %ASA-1-104002: (Primary) Switching to STNDBY - Interface check
: %ASA-1-104004: (Primary) Switching to OK.
RG
10-08-2012 11:20 AM
Hello Clark,
Well, it looks like the hello packets being exchanged between both units are not successful.
You could do captures, or you could try to ping the interface while the issue happens, just to make sure connectivity exists.
Check the configuration on the switch for that particular trunk, okay?
Regards,
Any other question..Sure..Just remember to rate all of the helpful posts
10-08-2012 11:50 AM
Hello,
Well, it looks like the hello packets being exchanged between both units are not successful
If the hellos are not successful, then why are other interfaces not failing?
You could do captures, or you could try to ping the interface while the issue happens, just to make sure connectivity exists
It happens when I am out of office and at irregular interface.
Check the configuration on the switch for that particular trunk, okay?
The trunk is up; if the trunk were facing a problem, then all the interfaces should fail.
RG
10-08-2012 12:24 PM
If the hellos are not successful, then why are other interfaces not failing?
A/ The hellos will be failing just over that interface.
I would say the captures and the ping packets to check connectivity will allow us to make sure it's not a network failure.
You could change the cables just to begin.
Regards
10-08-2012 12:38 PM
Hi
But why are the hellos failing on that particular interface only? There is no reason in the logging.
I would say the captures and the ping packets to check connectivity will allow us to make sure it's not a network failure.
How could I do this? Just by keeping a continuous ping from interface ABC on the primary ASA to interface ABC on the secondary ASA?
You could change the cables just to begin
You mean the failover cross cable between the 2 ASAs?
10-08-2012 12:42 PM
Hello Clark,
When you start seeing the issues, try to ping from each ASA the mate interface (not working) IP address.
Now that I think about it, if this were a cable issue we would have seen this on all the sub-interfaces, but we are seeing it only on one, so forget that.
On the ASA, do you see any errors on the sub-interface?
You could change the ASA behavior (do not fail over if the monitoring process on that particular sub-interface fails).
Regards,
Julio
10-08-2012 12:51 PM
Hi Julio,
Thanks for your replies.
When failover happens from primary to secondary, it remains active on the secondary; it doesn't fail back to primary unless we force the change to primary. This means there is some issue on the primary ASA.
The problem happens when I am out of office, and it happens at any time, no specific time.
On the ASA, do you see any errors on the sub-interface?
I had doubts about the interface, so I deleted and recreated the sub-interface.
You could change the ASA behavior (do not fail over if the monitoring process on that particular sub-interface fails)
How could I do this? I guess by no monitor interface.
10-08-2012 12:55 PM
How could I do this? I guess by no monitor interface.
A/ Exactly.
When failover happens from primary to secondary, it remains active on the secondary; it doesn't fail back to primary unless we force the change to primary. This means there is some issue on the primary ASA.
The ASA does not support preemption on active/standby. That is why only over a failure it will happen.
Remember to rate all of my helpful answers?
10-08-2012 12:58 PM
Hi Julio
NO
I have done the basic config with default timers
10-08-2012 01:00 PM
Hello Clark,
As my last message said:
The ASA does not support preemption on active/standby. That is why only over a failure it will happen or manually specified.
You will need to be there at the time the issue happens, or at least get some logs.
Remember to rate all of my helpful answers
10-08-2012 01:05 PM
Hi Julio,
Thanks for your support.
The ASA does not support preemption on active/standby. That is why only over a failure it will happen or manually specified
Julio, I have not configured preemption, and what I mean to ask is why the interfaces are failing only when the primary ASA is active; when the secondary becomes active it remains active for days and days without any issues.
or at least get some logs
Which more logs should I collect? Can you guide me, please?
10-08-2012 01:45 PM
Hello Clark,
Based on all the information gathered so far,
It looks like there is a communication issue between the internal switch and the sub-interface for the primary ASA.
Any logs related to the ASA at the time of the issue (the interface going down, the switch interface going down)?
10-08-2012 08:50 PM
Julio,
If the switch interface had gone down, then the effect would have been on all the interfaces of the firewall, not only on the ABC interface. The switch interface is up at the times when the failover happens.
Thanks
10-08-2012 10:54 PM
Hello Clark,
But you are not helping me man, I mean no logs, no additional info???
We need more information for an issue like this.
10-09-2012 01:48 AM
Hi Julio,
You are helping to solve my queries; it is not possible that I will not help you.
Tell me from where you want me to collect logs? In the switch there are no logs for the interface which is connected to the ASA.
If you want anything from the ASA, please tell me which commands I should execute.
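For gathering evidence when nobody is at the console, as the thread asks for: an added example (not part of any post and not Cisco's code) that folds the failover syslog messages quoted in the first post into one record per lost-hello event, so the time, interface and test outcome of each event can be reviewed afterwards. The sample log is constructed; the timestamp prefix (made optional in the pattern) and the `Passed` variant of 105009 are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: message texts follow the first post; timestamps are
# invented, and the "Passed" line assumes 105009 also reports passing tests.
SAMPLE_LOG = """\
Oct 08 2012 02:14:07: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface ABC
Oct 08 2012 02:14:07: %ASA-1-105008: (Primary) Testing Interface ABC
Oct 08 2012 02:14:15: %ASA-1-105009: (Primary) Testing on interface ABC Passed
Oct 11 2012 19:40:51: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface ABC
Oct 11 2012 19:40:51: %ASA-1-105008: (Primary) Testing Interface ABC
Oct 11 2012 19:41:06: %ASA-1-105009: (Primary) Testing on interface ABC Failed
Oct 11 2012 19:41:06: %ASA-1-104002: (Primary) Switching to STNDBY - Interface check
Oct 11 2012 19:41:07: %ASA-1-104004: (Primary) Switching to OK.
"""

LINE = re.compile(r"^(?:(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})?: )?"
                  r"%ASA-\d-(?P<id>\d{6}): \((?P<unit>\w+)\) (?P<text>.*)$")

def failover_incidents(log_text):
    """Fold 105005 / 105009 / 104002 messages into one record per lost-hello event."""
    incidents, open_by_unit = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        mid, unit, text = m["id"], m["unit"], m["text"]
        if mid == "105005":      # hellos lost on a monitored interface
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S") if m["ts"] else None
            inc = {"unit": unit, "start": ts, "interface": text.split()[-1],
                   "test": None, "switched": False, "reason": None}
            incidents.append(inc)
            open_by_unit[unit] = inc
        elif mid == "105009" and unit in open_by_unit:   # interface test verdict
            open_by_unit[unit]["test"] = text.rstrip(".").split()[-1]
        elif mid == "104002" and unit in open_by_unit:   # unit gave up active role
            open_by_unit[unit].update(switched=True, reason=text.split(" - ", 1)[-1])
    return incidents

def summarize(incidents):
    """Count events per interface and per hour of day to expose a pattern."""
    by_interface = Counter(i["interface"] for i in incidents)
    by_hour = Counter(i["start"].hour for i in incidents if i["start"])
    return by_interface, by_hour

if __name__ == "__main__":
    for e in failover_incidents(SAMPLE_LOG):
        print(e)
```

Events where the test passed and no switchover followed are kept in the output, since they show how often hellos are lost on the interface without triggering a failover.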