Re: Secondary ASA failover failed

robinandjiang · ‎11-26-2018

I have a pair of ASA-5545-X in an active-standby failover configuration, i found a failover problem with the secondary ASA, one of the interface was showing faiiled (waiting). it worked before. just stopped working recently.

This host: Primary - Active
                Active time: 4077523 (sec)
                slot 0: ASA5545 hw/sw rev (3.0/9.8(2)24) status (Up Sys)
                  Interface outside (): Normal (Monitored)
                  Interface inside (): Normal (Monitored)
                  Interface dmz (): Normal (Monitored)
                  Interface management (): Normal (Monitored)
                  Interface mpls ( 10.10.1.2 ): Normal (Waiting)
                slot 1: SFR5545 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)
                slot 1: SFR5545 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)

        Other host: Secondary - Failed ----------------------------------------Failover failed
                Active time: 0 (sec)
                slot 0: ASA5545 hw/sw rev (3.0/9.8(2)24) status (Up Sys)
                  Interface outside (): Normal (Monitored)
                  Interface inside (): Normal (Monitored)
                  Interface dmz (): Normal (Monitored)
                  Interface management (): Normal (Monitored)
                  Interface mpls ( 10.10.1.3 ): Failed (Waiting) -------------------------------------Failed
                slot 1: SFR5545 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)
                slot 1: SFR5545 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
                  ASA FirePOWER, 6.2.2-81, Up, (Monitored)

interface GigabitEthernet0/2
nameif mpls
security-level 100
ip address 10.10.1.2 255.255.255.0 standby 10.10.1.3

two ASA interfaces are on the same vlan.

i already rebooted the Secondary ASA but it still shows as 'failed'

and i also changed the cable but still no luck.

i found when i disconnected the cable and connected back into the Secondary ASA interface or shutdown and no shut the port at the switch side, it would take more than 20 seconds to get up, but for that Primary ASA interface it was up immediately.

any idea for this issue, is it a physical bad interface issue?

thanks everybody.

Nadav · ‎11-26-2018

How was this filed under "Security Blogs"?

balaji.bandi · ‎11-26-2018

Can you post switch side config ?

do you see any logs on Switch side ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

robinandjiang · ‎11-26-2018

i checked the logs on the switch side, there was nothing special, just some ports up and down, but the switch rebooted two days ago, and the ASA failover stopped working after that.

interface GigabitEthernet1/0/11
description Primary MPLS_Circuit
switchport access vlan 16
switchport mode access
switchport nonegotiate
spanning-tree portfast
end

interface GigabitEthernet2/0/11
description Secondary ASA MPLS_Circuit
switchport access vlan 16
switchport mode access
switchport nonegotiate
spanning-tree portfast

robinandjiang · ‎11-26-2018

i tried to move the cable from the existing switch port 11 to port 12 with the same config, but the link never came back up.

is there something wrong with switch port or ASA port?

balaji.bandi · ‎11-26-2018

At this stage we can not say what is wrong, can you check connecting port 11 your laptop and see how it working ?

As you mentioned before switch rebooted all working, after rebooting stop working, have you compared any changes in the config, if you have old backup config.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

robinandjiang · ‎11-26-2018

actually all the two ASA ports are connected to that uplink stack switch (inside, dmz and failover link). only this port is down, i was not able ping 10.10.1.3 from the firewall itself and other remote devices.

balaji.bandi · ‎11-26-2018

can you check connecting port 11 your laptop and see how it working ? and port come up as normal ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

robinandjiang · ‎11-27-2018

port 11 is ok, because i can ping 10.10.1.3 from our secondary ASA but not the primary one.
and i found by the "show int ip br command", the port mathod is not the same,
Primary ASA
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/2 10.10.1.2 YES manual up up

Secondary ASA
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/2 10.10.1.3 YES CONFIG up up

The Secondary ASA rebooted once before because of the power outage, so the method changed from menu to config, not sure if it is the reason for this issue, i will reboot the primary ASA to see the result.

Sheraz.Salim · ‎11-27-2018

can you give us the both the firewall problematic and its switch port information

give command

show interface gig0/1 on both side switch and the firewall where (gig0/1 is your firewall and switchport no).

please do not forget to rate.