(Primary) Lost Failover communications with mate

clark-white
Level 1

Hi,

One of the interfaces on the primary fails and it switches over to the secondary. This is happening with the primary firewall at irregular intervals. The ABC interface is a sub-interface and is connected to a DMZ switch configured as a trunk. No other sub-interfaces are failing except the ABC interface, and the failover switches over to the secondary firewall. As per the Cisco documentation it is a network problem, but the DMZ switches are OK, with no errors in the sh logging. How can I troubleshoot such a problem?

: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface ABC

: %ASA-1-105008: (Primary) Testing Interface ABC

%ASA-1-105009: (Primary) Testing on interface ABC Failed

: %ASA-1-104002: (Primary) Switching to STNDBY - Interface check

: %ASA-1-104004: (Primary) Switching to OK.

RG

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Clark,

Well, it looks like the hello packets being exchanged between both units are not successful.

You could do captures, you could try to ping the interface while the issue happens just to make sure connectivity exists.

Check the configuration on the switch for that particular trunk okay?

Regards,

Any other question..Sure..Just remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


18 Replies

Hello,

Well, it looks like the hello packets being exchanged between both units are not successful

If hellos are not successful, then why are other interfaces not failing?

You could do captures, you could try to ping the interface while the issue happens just to make sure connectivity exists

It happens when I am out of the office and at irregular interface.

Check the configuration on the switch for that particular trunk okay.

The trunk is up; if the trunk is facing a problem, then all the interfaces should fail.

RG

If hellos are not successful, then why are other interfaces not failing?

A/ The hellos will be failing just over that interface.

I would say the captures and the ping packets to check connectivity will allow us to make sure it's not a network failure.

You could change the cables just to begin.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi

But why are the hellos failing on that particular interface only? There is no reason in the logging.

I would say the captures and the ping packets to check connectivity will allow us to make sure it's not a network failure.

How could I do this? Just keeping a continuous ping from interface ABC on the primary ASA to interface ABC on the secondary ASA?

You could change the cables just to begin

You mean to say the failover cross cable between the 2 ASAs?

Hello Clark,

When you start seeing the issues, try to ping from each ASA the mate interface (not working) IP address.

Now that I think about it, if this were a cable issue we could have seen this on all the sub-interfaces, but we are seeing it only on one, so forget that.

On the ASA do you see any errors on the sub-interface?

You could change the ASA behavior (do not fail over if the monitoring process on that particular sub-interface fails).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for your replies,

When failover happens from primary to secondary, it remains active on the secondary; it doesn't fail over back to primary unless we force the change to primary. This means there is some issue on the primary ASA.

The problem is happening when I am out of the office, and it happens at any time, no specific time.

On the ASA do you see any errors on the sub-interface?

I was having doubts about the interface, so I deleted and recreated the sub-interface.

You could change the ASA behavior (do not fail over if the monitoring process on that particular sub-interface fails)

How could I do this? I guess by no monitor interface

How could I do this? I guess by no monitor interface

A/ Exactly.

When failover happens from primary to secondary, it remains active on the secondary; it doesn't fail over back to primary unless we force the change to primary. This means there is some issue on the primary ASA.

The ASA does not support preemption on active/standby. That is why only over a failure it will happen

Remember to rate all of my helpful answers?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio

NO

I have done the basic config with default timers

Hello Clark,

As my last message said:

The ASA does not support preemption on active/standby. That is why only over a failure it will happen or manually specified.

You will need to be there at the time the issue happens or at least get some logs

Remember to rate all of my helpful answers

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for your support,

The ASA does not support preemption on active/standby. That is why only over a failure it will happen or manually specified

Julio, I have not configured preemption. I mean to ask why the interfaces are failing only when the primary ASA is active; when the secondary becomes active it remains active for days and days without any issues.

or at least get some logs

Which more logs should I collect? Can you guide me, please?

Hello Clark,

Based on all the information gathered so far,

It looks like there is a communication issue between the internal switch and the sub-interface for the primary ASA.

Any logs related to the ASA at the time of the issue (the interface going down, the switch interface going down)?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

If the switch interface had gone down, then the effect would have been on all the interfaces of the firewall, not only on the ABC interface. The switch interface is up at the times when the failover happens.

Thanks

Hello Clark,

But you are not helping me man, I mean no logs, no additional info???

We need more information for an issue like this.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

You are helping to solve my queries and I will not help you? This is not possible.

Tell me from where you want me to collect logs? In the switch there are no logs for the interface which is connected to the ASA.

If you want anything from the ASA, please tell me which commands I should execute.
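Added example, not written by anyone in this thread: because the switchover happens unattended, one way to get the logs the replies ask for is to group the failover syslog messages quoted in the question (105005, 105009, 104002) into timestamped incidents. The timestamp format (ASA `logging timestamp` enabled), the function name `failover_incidents` and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: ASA buffer log, assuming `logging timestamp` is enabled.
SAMPLE_LOG = """\
Mar 12 2013 02:14:07: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface ABC
Mar 12 2013 02:14:07: %ASA-1-105008: (Primary) Testing Interface ABC
Mar 12 2013 02:14:22: %ASA-1-105009: (Primary) Testing on interface ABC Failed
Mar 12 2013 02:14:22: %ASA-1-104002: (Primary) Switching to STNDBY - Interface check
Mar 12 2013 02:14:23: %ASA-1-104004: (Primary) Switching to OK.
Mar 19 2013 17:40:51: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface ABC
Mar 19 2013 17:40:51: %ASA-1-105008: (Primary) Testing Interface ABC
Mar 19 2013 17:41:02: %ASA-1-105009: (Primary) Testing on interface ABC Passed
"""

LINE = re.compile(r"^(\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-\d-(\d{6}): \((\w+)\) (.*)$")
IFACE = re.compile(r"interface (\S+)", re.IGNORECASE)

def failover_incidents(log_text):
    """Group failover syslog lines into incidents opened by a 105005 hello loss."""
    incidents, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # other messages, or lines without a timestamp
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        msg_id, unit, text = m.group(2), m.group(3), m.group(4)
        if msg_id == "105005":
            found = IFACE.search(text)
            current = {"start": ts, "end": ts, "unit": unit,
                       "interface": found.group(1) if found else None,
                       "test": "no result logged", "switched": False}
            incidents.append(current)
        elif current and msg_id == "105009":
            current["test"] = "failed" if text.endswith("Failed") else "passed"
            current["end"] = ts
        elif current and msg_id == "104002":
            current["switched"] = True
            current["end"] = ts
    return incidents

if __name__ == "__main__":
    for i in failover_incidents(SAMPLE_LOG):
        print(f"{i['start']} -> {i['end']}  {i['unit']}/{i['interface']}  "
              f"test={i['test']}  switched_to_standby={i['switched']}")
```

The start and end of each incident give the exact window to look up in the DMZ switch's own log and interface counters, and incidents where the interface test passed show hello loss that did not lead to a switchover.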
