Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
31871
Views
10
Helpful
15
Replies

Rebooting the standby ASA

Go to solution
mahesh18
Level 6
Level 6

ā€Ž02-01-2014 10:54 AM - edited ā€Ž03-11-2019 08:39 PM

Hi Everyone,

If ASA is in active / standby failover.

And for some reason if you need to reboot standby ASA is it good practice just to reboot standby?

If standby is rebooted should it syn all the config over failover link from active ASA?

Regards

Mahesh

Labels:
0 Helpful
5 Accepted Solutions

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

ā€Ž02-01-2014 12:26 PM

To reload the standby unit, on the primary unit issue the command failover reload-standby

Once the standby unit is back online  a full running config synch will take place from the active ASA to the standby ASA.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to mahesh18

ā€Ž02-01-2014 05:57 PM

Mahesh

This can happen sometimes when the standby firewall does not accept one or more of the commands in the configuration coming from the active firewall.

Have there been any configuration changes made to the active firewall recently ?

Is that all you see in the log or do you see the standby complaining about certain lines in the configuration ?

Jon

View solution in original post

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to mahesh18

ā€Ž02-01-2014 09:35 PM

Hello Mahesh,

Okey but do you see any logs in the console session?

Did you really console in to the box to see all the logs?

console logging 7

It's because I have seen this behavior before and on all the cases I worked I saw a configuration command not properly written

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to mahesh18

ā€Ž02-02-2014 11:26 AM

Which ASA model are you using for both of the ASAs?

Is this the first time you are trying to setup Active/Standby failover for these two units?  If not is this the first time you are seeing this type of issue?

What ASA version are the ASAs running?

As Julio has mentioned, this is most likely the cause of the standby not accepting one or more of the configurations the Active unit is trying to sync across.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to mahesh18

ā€Ž02-05-2014 11:17 PM

What you could try doing is remove the failover configuration from the standby unit, make a copy of the Active ASA config (copy paste into notepad) and then copy the configuration to the standby unit approx. 10 lines at a time and see where the configuration is failing to be accepted.  Just remember to add the failover commands last.

Are both ASA's running the same version?

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
15 Replies 15

Go to solution
Marius Gunnerud
VIP
VIP

ā€Ž02-01-2014 12:26 PM

To reload the standby unit, on the primary unit issue the command failover reload-standby

Once the standby unit is back online  a full running config synch will take place from the active ASA to the standby ASA.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Go to solution
mahesh18
Level 6
Level 6
In response to Marius Gunnerud

ā€Ž02-01-2014 05:23 PM

Hi Marius,

We did the reboot of standby ASA and log shows

(Secondary) Beginning configuration replication: Receiving from mate.

******REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE,
TO PREVENT THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION,
THE STANDBY UNIT WILL NOW REBOOT*******

So now ASA is in booting loop and it boots up gives the above message and again reboot.

Can you tell why this is happening?

For now we have turned off standby asa.

Regards

MAhesh

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to mahesh18

ā€Ž02-01-2014 05:57 PM

Mahesh

This can happen sometimes when the standby firewall does not accept one or more of the commands in the configuration coming from the active firewall.

Have there been any configuration changes made to the active firewall recently ?

Is that all you see in the log or do you see the standby complaining about certain lines in the configuration ?

Jon

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jon Marshall

ā€Ž02-01-2014 06:15 PM

Hi John,

Thats all we see in logs from standby ASA.

Its not complaining about any lines in the config.

Standby ASA boots up fine when it is not connected to Active ASA.

As soon as we connect the standby to active ASA it gives above log message and reboot  also then active ASA is not

reachable over the network.

Currently standby ASA is powered down.

About recent changes to ASA i am checking on that.

Regards

MAhesh

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to mahesh18

ā€Ž02-01-2014 07:12 PM

Hello Mahesh,

You sure that is the only log you see when the issue arises?? Get a console connection to the firewall and make sure you are logging everything.

The mismatch configuration should be shown to you by the ASA.

As soon as you see the lines posted back to us and we will analize them.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Julio Carvajal

ā€Ž02-01-2014 07:33 PM

Hi Julio,

After above logs it shows

%ASA-1-105020: (Secondary) Incomplete/slow config replication

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   failover reset
Process shutdown finished
Rebooting.....


Booting system, please wait...

That was happening again and again.

Currently standby ASA is powered off .

There were no errors for config changes in the logs of standby ASA.

Regards

MAhesh

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to mahesh18

ā€Ž02-01-2014 07:41 PM

Hello,

Okey and what about on the Active firewall at the time of the issue?

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Julio Carvajal

ā€Ž02-01-2014 09:11 PM

Hi Julio,

Active ASA had following symptons during that time

1>not assigning DHCP IP to users.

2>

sh run on Active ASA

it gives error

ERROR: Command Ignored, Configuration in progress...

Regards

MAhesh

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to mahesh18

ā€Ž02-01-2014 09:35 PM

Hello Mahesh,

Okey but do you see any logs in the console session?

Did you really console in to the box to see all the logs?

console logging 7

It's because I have seen this behavior before and on all the cases I worked I saw a configuration command not properly written

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to mahesh18

ā€Ž02-02-2014 11:26 AM

Which ASA model are you using for both of the ASAs?

Is this the first time you are trying to setup Active/Standby failover for these two units?  If not is this the first time you are seeing this type of issue?

What ASA version are the ASAs running?

As Julio has mentioned, this is most likely the cause of the standby not accepting one or more of the configurations the Active unit is trying to sync across.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marius Gunnerud

ā€Ž02-05-2014 02:11 PM

Hi MArius,

Active/standby failover was working fine from last few years.

This issue occur first time.

Model is  ASA5520.

Version is  8.0(5)28.

Regards

MAhesh

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to mahesh18

ā€Ž02-05-2014 11:17 PM

What you could try doing is remove the failover configuration from the standby unit, make a copy of the Active ASA config (copy paste into notepad) and then copy the configuration to the standby unit approx. 10 lines at a time and see where the configuration is failing to be accepted.  Just remember to add the failover commands last.

Are both ASA's running the same version?

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marius Gunnerud

ā€Ž02-06-2014 05:04 AM

Hi Marius,

YEs both ASA have same version.

Seems we will add only failover cable from active to standby first and see how it behaves.

Regards

MAhesh

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to mahesh18

ā€Ž02-07-2014 11:26 AM

Hi Marius,

I added the standby firewall with failovcer cable first and it worked fine.

After that i added all the other cables.

All is good now.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card