06-19-2012 07:56 AM - edited 03-11-2019 04:21 PM
We had our primary ASA-5520 fail. Both primary and secondary were running 8.4(1). The primary was active, and we only configured the failover commands on the new primary ASA. However, upon inserting the new primary ASA into the network and powering it up, we subsequently lost access to everything. We ended up having to power down the new primary and reboot the old secondary that had been acting as primary.
The next question probably deserves a separate post, but upon rebooting the secondary, we had several hosts that were not accessible - the traffic to and from these hosts simply wouldn't pass through the firewall. You could ping them from the firewall, but traffic would not go through the firewall to/from these hosts. Even if I turned on ICMP debugging, the traffic to and from these hosts simply didn't show up in the debugging, and there were no hits on the access lists. Again, this applies to both the inside and outside interfaces. I turned on packet captures using the "capture" command, and very interestingly, as soon as I added a host to the access list, it magically started to pass traffic.
06-19-2012 10:05 AM
I just had the exact same issue this morning. I had the following errors in my logs.
<164>%ASA-4-405001: Received ARP response collision from [ip address]/[mac address] on interface failover with existing ARP entry [ip address]/[mac address]
<164>%ASA-4-411005: Interface GigabitEthernet0/3 experienced a hardware transmit hang. A software reset has been performed.
<161>%ASA-1-105043: (Secondary) Failover interface failed
--
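The three syslog lines quoted in the reply above share the ASA message layout `<PRI>%ASA-<severity>-<id>: <text>`, and all three are the kind of event a monitoring system should surface before a failover pair is touched. The following script is an added example written for this page (not code from the thread or from Cisco): it parses that layout, decodes the syslog priority into facility and severity, pulls out a physical port name where one is present, and flags the three message IDs from the reply. The sample lines, including the addresses and the fourth ordinary connection line, are constructed placeholders rather than values from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines modelled on the three messages quoted above; the
# addresses and the fourth (ordinary connection) line are placeholders.
SAMPLE_LOGS = [
    "<164>%ASA-4-405001: Received ARP response collision from 192.0.2.10/0011.2233.4455 "
    "on interface failover with existing ARP entry 192.0.2.10/0011.2233.4466",
    "<164>%ASA-4-411005: Interface GigabitEthernet0/3 experienced a hardware transmit hang. "
    "A software reset has been performed.",
    "<161>%ASA-1-105043: (Secondary) Failover interface failed",
    "<166>%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 "
    "(198.51.100.7/443) to inside:10.0.1.20/51234 (10.0.1.20/51234)",
]

# Message IDs seen in the thread; the descriptions paraphrase the message text itself.
FAILOVER_WATCHLIST: Dict[str, str] = {
    "405001": "ARP collision on the failover link: two devices answering for one address",
    "411005": "interface transmit hang followed by a software reset",
    "105043": "failover interface reported as failed",
}

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# <PRI>%ASA-<severity>-<6-digit id>: <text>
LINE_RE = re.compile(r"^<(?P<pri>\d+)>%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# Physical port names such as GigabitEthernet0/3. Free-form nameif labels
# ("failover", "inside") are not extracted because they cannot be told apart
# from ordinary words in the message text.
PORT_RE = re.compile(r"[Ii]nterface\s+([A-Za-z]+\d+(?:/\d+)*(?:\.\d+)?)")


@dataclass
class AsaEvent:
    facility: int          # syslog facility from PRI (ASA default is local4 = 20)
    severity: int          # 0 (most urgent) .. 7
    msgid: str
    text: str
    port: Optional[str]    # physical interface named in the message, if any

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[AsaEvent]:
    """Parse one ASA syslog line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # PRI = facility * 8 + severity
    facility, pri_severity = divmod(int(m.group("pri")), 8)
    severity = int(m.group("sev"))
    if pri_severity != severity:
        # PRI and the %ASA-n- field disagree: treat the line as malformed.
        return None
    port_m = PORT_RE.search(m.group("text"))
    return AsaEvent(facility, severity, m.group("msgid"), m.group("text"),
                    port_m.group(1) if port_m else None)


def triage(lines: List[str]) -> List[dict]:
    """Return the failover-related events from `lines`, most severe first."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.msgid not in FAILOVER_WATCHLIST:
            continue
        findings.append({
            "msgid": ev.msgid,
            "level": ev.severity,
            "severity": ev.severity_name,
            "port": ev.port,
            "reason": FAILOVER_WATCHLIST[ev.msgid],
        })
    findings.sort(key=lambda f: f["level"])   # stable: ties keep log order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['severity']:<13} {f['msgid']}  {f['port'] or '-':<20} {f['reason']}")
```

Run against the constructed lines it reports the 105043 alert first, then the two warnings, and ignores the connection-built line. The PRI check is deliberate: `<161>` decodes to facility 20 (local4) and severity 1, which must match the `%ASA-1-` field, so a line where the two disagree is dropped rather than trusted.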
06-19-2012 11:23 PM
I would upgrade to a more recent version. I also ran into multiple problems with 8.4.1. These problems were all solved from 8.4.3 on and now it's running stable again.
Sent from Cisco Technical Support iPad App