
Standby ASA 'Failed'

johnlloyd_13
Level 9

Hi,

I'm trying to troubleshoot an active/standby FW pair but not sure if there's nothing really wrong with it or if standby will pre-empt as active (don't want to do this yet).

I already rebooted the standby FW but it still shows as 'failed'.

Is it because there's a failed monitor link? I see them as up/up, particularly the g0/5.1032 sub-interface.

I still have to check if cables were correctly patched by the contractor and switch VLANs are also correct.

 

ACTIVE# sh int ip b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         12.16.23.6   YES CONFIG up                    up  
GigabitEthernet0/1         10.117.0.2      YES CONFIG up                    up  
GigabitEthernet0/2         10.129.1.1      YES CONFIG up                    up  
GigabitEthernet0/3         12.16.23.3   YES CONFIG up                    up  
GigabitEthernet0/4         12.16.23.4    YES CONFIG up                    up  
GigabitEthernet0/5         unassigned      YES unset  up                    up  
GigabitEthernet0/5.1031    10.230.1.66     YES CONFIG up                    up  
GigabitEthernet0/5.1032    192.168.231.97  YES CONFIG up                    up  
GigabitEthernet0/6         unassigned      YES unset  administratively down down
GigabitEthernet0/7         1.1.1.1         YES unset  up                    up  
Internal-Control0/0        127.0.1.1       YES unset  up                    up  
Internal-Data0/0           unassigned      YES unset  up                    up  
Internal-Data0/1           unassigned      YES unset  up                    up  
Internal-Data0/2           unassigned      YES unset  up                    up  
Management0/0              172.20.136.254  YES CONFIG up                    up  


ACTIVE# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FailOver GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(4)5, Mate 9.4(4)5
Last Failover at: 10:54:15 CST Jan 30 2018
    This host: Primary - Active
        Active time: 2060527 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.4(4)5) status (Up Sys)
          Interface outside (12.166.23.26): Normal (Monitored)
          Interface inside (10.117.0.2): Normal (Monitored)
          Interface mgnt (10.129.1.1): Normal (Monitored)
          Interface web_dmz (12.16.23.3): Normal (Monitored)
          Interface vpn-dmz (12.16.23.4): Normal (Monitored)
          Interface Access (10.230.1.66): Unknown (Waiting)
          Interface home (192.168.231.97): Normal (Waiting)
          Interface management (172.20.136.254): Normal (Monitored)
        slot 1: SFR5525 hw/sw rev (N/A/6.0.0-1005) status (Up/Up)
          ASA FirePOWER, 6.0.0-1005, Up
    Other host: Secondary - Failed
                Active time: 0 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.4(4)5) status (Up Sys)
          Interface outside (12.166.203.27): Normal (Monitored)
          Interface inside (10.117.0.3): Normal (Monitored)
          Interface mgnt (10.129.1.3): Normal (Monitored)
          Interface web_dmz (12.166.203.34): Normal (Monitored)
          Interface vpn-dmz (12.166.203.5): Normal (Monitored)
          Interface SGM_Access (10.230.1.67): Unknown (Waiting)
          Interface home (192.168.231.98): Failed (Waiting)     <<< WHAT DOES THIS MEAN?
          Interface management (172.20.136.253): Normal (Monitored)
        slot 1: SFR5525 hw/sw rev (N/A/6.0.0-1005) status (Up/Up)
          ASA FirePOWER, 6.0.0-1005, Up

ACTIVE# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         Ifc Failure              10:47:46 CST Jan 30 2018
                              outside: No Link       <<< WHAT DOES THIS MEAN?
                              inside: No Link
                              mgnt: No Link
                              web_dmz: No Link
                              vpn-dmz: No Link
                              Access: No Link
                              home: No Link
Other host -   Secondary
               Failed         Ifc Failure              07:26:23 CST Feb 23 2018
                              home: Failed

====Configuration State===
        Sync Done
====Communication State===
        Mac set


ACTIVE# sh failover hist
==========================================================================
From State                 To State                   Reason
==========================================================================
03:54:05 CST Dec 1 2017
Not Detected               Negotiation                No Error

03:54:10 CST Dec 1 2017
Negotiation                Just Active                No Active unit found

03:54:10 CST Dec 1 2017
Just Active                Active Drain               No Active unit found

03:54:10 CST Dec 1 2017
Active Drain               Active Applying Config     No Active unit found

03:54:10 CST Dec 1 2017
Active Applying Config     Active Config Applied      No Active unit found

03:54:10 CST Dec 1 2017
Active Config Applied      Active                     No Active unit found

10:47:46 CST Jan 30 2018
Active                     Failed                     Interface check

10:47:49 CST Jan 30 2018
Failed                     Standby Ready              Interface check

10:54:15 CST Jan 30 2018
Standby Ready              Just Active                Other unit wants me Active

10:54:15 CST Jan 30 2018
Just Active                Active Drain               Other unit wants me Active

10:54:15 CST Jan 30 2018
Active Drain               Active Applying Config     Other unit wants me Active

10:54:15 CST Jan 30 2018
Active Applying Config     Active Config Applied      Other unit wants me Active

10:54:15 CST Jan 30 2018
Active Config Applied      Active                     Other unit wants me Active

==========================================================================


ACTIVE# ping 1.1.1.2      <<< I CAN SEE ARP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ACTIVE# sh run all monitor-interface
monitor-interface outside
monitor-interface inside
monitor-interface mgnt
monitor-interface web_dmz
monitor-interface vpn-dmz
monitor-interface SGM_Access
monitor-interface itek_home
monitor-interface management
monitor-interface service-module

 

ACTIVE# wr
Building configuration...
Cryptochecksum: 4c0d9d13 69bec131 f8786c23 b8d86828

44840 bytes copied in 1.140 secs (44840 bytes/sec)
[OK]
ACTIVE# wr sta
Building configuration...
[OK]
ACTIVE# Beginning configuration replication: Sending to mate.

ACTIVE# End Configuration Replication to mate      <<< DON'T SEE ANY ERROR/STNDBY CONFIG DOESN'T SYNC

 

----

 

STDBY# sh int ip b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         12.16.23.7   YES CONFIG up                    up  
GigabitEthernet0/1         10.117.0.3      YES CONFIG up                    up  
GigabitEthernet0/2         10.129.1.3      YES CONFIG up                    up  
GigabitEthernet0/3         12.16.23.4   YES CONFIG up                    up  
GigabitEthernet0/4         12.16.23.5    YES CONFIG up                    up  
GigabitEthernet0/5         unassigned      YES unset  up                    up  
GigabitEthernet0/5.1031    10.230.1.67     YES CONFIG up                    up  
GigabitEthernet0/5.1032    192.168.231.98  YES CONFIG up                    up  
GigabitEthernet0/6         unassigned      YES unset  administratively down down
GigabitEthernet0/7         1.1.1.2         YES unset  up                    up  
Internal-Control0/0        127.0.1.1       YES unset  up                    up  
Internal-Data0/0           unassigned      YES unset  up                    up  
Internal-Data0/1           unassigned      YES unset  up                    up  
Internal-Data0/2           unassigned      YES unset  up                    up  
Management0/0              172.20.136.253  YES CONFIG up                    up  

 

STBDBY# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FailOver GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(4)5, Mate 9.4(4)5
Last Failover at: 07:14:19 CST Feb 23 2018
        This host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.4(4)5) status (Up Sys)
                  Interface outside (12.16.23.27): Normal (Monitored)
                  Interface inside (10.117.0.3): Normal (Monitored)
                  Interface mgnt (10.129.1.3): Normal (Monitored)
                  Interface web_dmz (12.16.23.4): Normal (Monitored)
                  Interface vpn-dmz (12.16.23.5): Normal (Monitored)
                  Interface Access (10.230.1.67): Unknown (Waiting)
                  Interface home (192.168.231.98): Failed (Waiting)
                  Interface management (172.20.136.253): Normal (Monitored)
                slot 1: SFR5525 hw/sw rev (N/A/6.0.0-1005) status (Up/Up)
                  ASA FirePOWER, 6.0.0-1005, Up
        Other host: Primary - Active
                Active time: 2061153 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.4(4)5) status (Up Sys)
                  Interface outside (12.16.23.6): Normal (Monitored)
                  Interface inside (10.117.0.2): Normal (Monitored)
                  Interface mgnt (10.129.1.1): Normal (Monitored)
                  Interface web_dmz (12.16.23.3): Normal (Monitored)
                  Interface vpn-dmz (12.16.23.4): Normal (Monitored)
                  Interface SGM_Access (10.230.1.66): Unknown (Waiting)
                  Interface itek_home (192.168.231.97): Normal (Waiting)
                  Interface management (172.20.136.254): Normal (Monitored)
                slot 1: SFR5525 hw/sw rev (N/A/6.0.0-1005) status (Up/Up)
                  ASA FirePOWER, 6.0.0-1005, Up


STDBY# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  Ifc Failure              07:15:44 CST Feb 23 2018
Other host -   Primary
               Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set


CORP-LAF-FW01# sh failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
07:14:38 CST Feb 23 2018
Not Detected               Negotiation                No Error

07:14:42 CST Feb 23 2018
Negotiation                Cold Standby               Detected an Active mate

07:14:43 CST Feb 23 2018
Cold Standby               Sync Config                Detected an Active mate

07:15:03 CST Feb 23 2018
Sync Config                Sync File System           Detected an Active mate

07:15:03 CST Feb 23 2018
Sync File System           Bulk Sync                  Detected an Active mate

07:15:18 CST Feb 23 2018
Bulk Sync                  Standby Ready              Detected an Active mate

07:15:44 CST Feb 23 2018
Standby Ready              Failed                     Interface check

07:25:27 CST Feb 23 2018
Failed                     Cold Standby               Configuration mismatch due to wr standby in active

07:25:28 CST Feb 23 2018
Cold Standby               Sync Config                Configuration mismatch due to wr standby in active

07:25:47 CST Feb 23 2018
Sync Config                Sync File System           Configuration mismatch due to wr standby in active

07:25:47 CST Feb 23 2018
Sync File System           Bulk Sync                  Configuration mismatch due to wr standby in active

07:25:58 CST Feb 23 2018
Bulk Sync                  Standby Ready              Configuration mismatch due to wr standby in active

==========================================================================


STDBY# sh run all monitor-interface
monitor-interface outside
monitor-interface inside
monitor-interface mgnt
monitor-interface web_dmz
monitor-interface vpn-dmz
monitor-interface Access
monitor-interface home
monitor-interface management
no monitor-interface service-module
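
Added example (not part of the original post, and not Cisco code): a small parser for the per-interface lines of "sh failover" output like the one quoted above, listing every interface whose health is not "Normal" or whose monitoring state is not "Monitored". The sample text is constructed in the same format as the post's output; the function names are hypothetical.

```python
import re

# Constructed sample, following the format of the "sh failover" output in the post.
SAMPLE = """\
    This host: Primary - Active
        slot 0: ASA5525 hw/sw rev (1.0/9.4(4)5) status (Up Sys)
          Interface outside (12.16.23.6): Normal (Monitored)
          Interface Access (10.230.1.66): Unknown (Waiting)
          Interface home (192.168.231.97): Normal (Waiting)
    Other host: Secondary - Failed
        slot 0: ASA5525 hw/sw rev (1.0/9.4(4)5) status (Up Sys)
          Interface outside (12.16.23.7): Normal (Monitored)
          Interface Access (10.230.1.67): Unknown (Waiting)
          Interface home (192.168.231.98): Failed (Waiting)
"""

# "This host: Primary - Active" / "Other host: Secondary - Failed"
HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
# "Interface <name> (<ip>): <health> (<monitoring>)"; trailing notes are ignored
IFC_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([^)]*)\):\s*(.+?)\s*\(([^)]+)\)")


def parse_failover(text):
    """Return {"This"/"Other": {"role", "state", "interfaces": [...]}}."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3), "interfaces": []}
            units[m.group(1)] = current
            continue
        m = IFC_RE.match(line)
        if m and current is not None:
            name, ip, health, monitoring = m.groups()
            current["interfaces"].append(
                {"name": name, "ip": ip, "health": health, "monitoring": monitoring})
    return units


def needs_attention(units):
    """List (host, interface, health, monitoring) for anything not Normal/Monitored."""
    return [(host, i["name"], i["health"], i["monitoring"])
            for host, unit in units.items() for i in unit["interfaces"]
            if i["health"] != "Normal" or i["monitoring"] != "Monitored"]


if __name__ == "__main__":
    for row in needs_attention(parse_failover(SAMPLE)):
        print("%-5s %-10s %-8s %s" % row)
```
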

 


Andriy Sidko
Level 1

Hi John.

Try to execute "wr stan" from active unit followed by "failo exc mat re noc"
