Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5841
Views
0
Helpful
9
Replies

Secondary ASA failover failed

robinandjiang
Level 1
Level 1

‎11-26-2018 12:20 PM - edited ‎02-21-2020 08:30 AM

I have a pair of ASA-5545-X in an active-standby failover configuration, i found a failover problem with the secondary ASA, one of the interface was showing faiiled (waiting). it worked before. just stopped working recently.

 

 This host: Primary - Active
                Active time: 4077523 (sec)
                slot 0: ASA5545 hw/sw rev (3.0/9.8(2)24) status (Up Sys)
                  Interface outside (): Normal (Monitored)
                  Interface inside (): Normal (Monitored)
                  Interface dmz (): Normal (Monitored)
                  Interface management (): Normal (Monitored)
                  Interface mpls ( 10.10.1.2 ): Normal (Waiting)
                slot 1: SFR5545 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)
                slot 1: SFR5545 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)


        Other host: Secondary - Failed ----------------------------------------Failover failed
                Active time: 0 (sec)
                slot 0: ASA5545 hw/sw rev (3.0/9.8(2)24) status (Up Sys)
                  Interface outside (): Normal (Monitored)
                  Interface inside (): Normal (Monitored)
                  Interface dmz (): Normal (Monitored)
                  Interface management (): Normal (Monitored)
                  Interface mpls ( 10.10.1.3 ): Failed (Waiting)  -------------------------------------Failed
                slot 1: SFR5545 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)
                slot 1: SFR5545 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)

 

interface GigabitEthernet0/2
 nameif mpls
 security-level 100
 ip address 10.10.1.2 255.255.255.0 standby 10.10.1.3

 

two ASA interfaces are on the same vlan.

i already rebooted the Secondary ASA but it still shows as 'failed'

and i also changed the cable but still no luck.

i found when i disconnected the cable and connected back into the Secondary ASA interface or shutdown and no shut the port at the switch side, it would take more than 20 seconds to get up, but for that Primary ASA interface it was up immediately.

 

any idea for this issue, is it a physical bad interface issue?

thanks everybody.

 

 

 

1 person had this problem
0 Helpful
9 Replies 9

Nadav
Level 7
Level 7

‎11-26-2018 12:31 PM

How was this filed under "Security Blogs"?
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎11-26-2018 12:32 PM

Can you post switch side config ?

 

do you see any logs on Switch side ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

robinandjiang
Level 1
Level 1

‎11-26-2018 12:51 PM

i checked the logs on the switch side, there was nothing special, just some ports up and down, but the switch rebooted two days ago, and the ASA failover stopped working after that.

 

interface GigabitEthernet1/0/11
 description Primary MPLS_Circuit
 switchport access vlan 16
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
end

interface GigabitEthernet2/0/11
 description Secondary ASA MPLS_Circuit
 switchport access vlan 16
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast

0 Helpful

robinandjiang
Level 1
Level 1

‎11-26-2018 01:27 PM

i tried to move the cable from the existing switch port 11 to port 12 with the same config, but the link never came back up.

is there something wrong with switch port or ASA port?

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎11-26-2018 01:31 PM

At this stage we can not say what is wrong, can you check connecting port 11 your laptop and see how it working ?

 

As you mentioned before switch rebooted all working, after rebooting stop working, have you compared any changes in the config, if you have old backup config.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

robinandjiang
Level 1
Level 1

‎11-26-2018 02:24 PM

actually all the two ASA ports are connected to that uplink stack switch (inside, dmz and failover link). only this port is down, i was not able ping 10.10.1.3 from the firewall itself and other remote devices.

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎11-26-2018 02:29 PM

can you check connecting port 11 your laptop and see how it working ?  and port come up as normal ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

robinandjiang
Level 1
Level 1
In response to balaji.bandi

‎11-27-2018 09:03 AM

port 11 is ok, because i can ping 10.10.1.3 from our secondary ASA but not the primary one.
and i found by the "show int ip br command", the port mathod is not the same,
Primary ASA
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/2 10.10.1.2 YES manual up up

Secondary ASA
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/2 10.10.1.3 YES CONFIG up up

The Secondary ASA rebooted once before because of the power outage, so the method changed from menu to config, not sure if it is the reason for this issue, i will reboot the primary ASA to see the result.
0 Helpful

Sheraz.Salim
VIP Alumni
VIP Alumni
In response to robinandjiang

‎11-27-2018 10:09 AM

can you give us the both the firewall problematic and its switch port information

 

give command

 

show interface gig0/1 on both side switch and the firewall where (gig0/1 is your firewall and switchport no).

 

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card