Will ASA-SSM-20 reload affect ASA failover?

admin_2
Level 3

I have 2 ASA 5520s with an ASA-SSM-20 installed in each. The ASA-SSM-20 in the primary ASA is not working correctly:

Error: Cannot communicate with mainApp (getVersion). Please contact your system administrator.

Would you like to run cidDump?[no]:

I would like to reload the module, but I don't know if that will cause the whole ASA to failover. The ASAs are running 7.2(3).

Any thoughts?

16 Replies

brettmilborrow
Level 1

Hi,

The ASA failover monitors the internal interface between the ASA and the SSM; therefore, if you reboot the SSM, the firewall will fail over to the other firewall.

Hope that helps!

Hello-

I ran into this an hour ago. Setting up the AIP-SSM module on the Primary, it called for a reboot. Soon I had several folks at my desk because some users in the field had their sessions dropped.

Syslog on Primary shows we'd switch to the Failover ASA:

1 Mar 11 2008 15:01:23 104002 (Primary) Switching to STNDBY - Other unit wants me Standby. Secondary unit switch reason: Service card in other unit has failed.

Is there a way to remove the IPS module from failover monitoring? It does not show up in the list of monitored interface choices.

I can't take the risk of disconnecting users if I have to make an IPS change and reboot the AIP-SSM module.

Thanks,

-Roy-

Roy,

Are you not doing stateful failover on your firewall pair?

This configuration option allows for the synchronizing of session information, which means that in the event of a failover your client sessions through the firewall are not lost!

Have a look here for more info:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef

Thanks Brett.

We are using stateful failover. Not all sessions get dropped, just enough Telnet and application interface links that we start getting calls and people show up at my door. This is on a new ASA5520 that normally runs <5% CPU utilization. I just checked: the failover link is set to 1000FULL, so there should not be any delay updating state information.

Am I missing something in the config?

Portcullis# sho run failover
failover
failover lan unit primary
failover lan interface heartbeat GigabitEthernet0/2
failover polltime unit 3 holdtime 9
failover replication http
failover link heartbeat GigabitEthernet0/2
failover interface ip heartbeat 172.31.0.201 255.255.255.0 standby 172.31.0.202

Portcullis# sho run interface g0/2
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
speed 1000
duplex full
Portcullis#

-Roy-

Hi Roy,

You are missing a command!

failover link state GigabitEthernet0/2

But I do have

failover link heartbeat GigabitEthernet0/2

'state' in your previous message is the interface name.

From the docs:

failover link if_name phy_if

Our interface was named 'heartbeat' by a long forgotten consultant.

-Roy-
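As an added example that is not part of this thread (the function names and the sample strings are my own, constructed to match the output Roy posted above): a small Python checker that reads a "show run failover" block, treats the link name as the logical label it is so that a state link named "heartbeat" is still recognized as stateful failover, and pulls the switch reason out of a 104002 syslog line.

```python
"""Added example (not from this thread): check an ASA 'show run failover'
block for stateful failover and pull the switch reason out of a 104002 syslog."""
import re

# Constructed sample modelled on the thread: the failover interface is
# named 'heartbeat', so 'failover link heartbeat ...' IS the state link.
SAMPLE_CONFIG = """\
failover
failover lan unit primary
failover lan interface heartbeat GigabitEthernet0/2
failover polltime unit 3 holdtime 9
failover replication http
failover link heartbeat GigabitEthernet0/2
failover interface ip heartbeat 172.31.0.201 255.255.255.0 standby 172.31.0.202
"""

# Constructed syslog line in the shape of the 104002 message quoted in the thread.
SAMPLE_SYSLOG = ("Mar 11 2008 15:01:23 104002 (Primary) Switching to STNDBY - "
                 "Other unit wants me Standby. Secondary unit switch reason: "
                 "Service card in other unit has failed.")


def parse_failover(config: str) -> dict:
    """Return (if_name, phy_if) for the LAN failover link and the stateful
    link. Syntax is 'failover link IF_NAME [PHY_IF]': IF_NAME is a logical
    label chosen by the admin, not a keyword such as 'state'."""
    info = {"enabled": False, "lan": None, "state": None}
    for line in config.splitlines():
        p = line.split()
        if p == ["failover"]:
            info["enabled"] = True
        elif p[:3] == ["failover", "lan", "interface"] and len(p) >= 5:
            info["lan"] = (p[3], p[4])
        elif p[:2] == ["failover", "link"] and len(p) >= 3:
            # Assumed: PHY_IF may be omitted when the state link reuses the
            # LAN failover interface; fall back to that interface then.
            phy = p[3] if len(p) > 3 else (info["lan"][1] if info["lan"] else None)
            info["state"] = (p[2], phy)
    info["stateful"] = info["enabled"] and info["state"] is not None
    return info


SWITCH_RE = re.compile(
    r"104002 \((\w+)\) Switching to (\w+) - .*?switch reason: (.+?)\.?$")


def parse_switch_reason(msg: str):
    """Return (unit, new_state, reason) from a 104002 message, or None."""
    m = SWITCH_RE.search(msg)
    return (m.group(1), m.group(2), m.group(3)) if m else None
```

Run it against a pasted config to confirm the state link is really configured before assuming a failover was caused by something other than the service card.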

You are absolutely correct!

You have stateful failover configured correctly, strange though as you should not have ANY dropped sessions at all!

Do you have an IPS module in your ASA, or an inline IPS in the path?

Brett-

I have matching AIP-SSM-20 modules in the Primary and Secondary ASA units.

-Roy-

AIP-SSM-20 modules don't sync their configs or connections at the time of failover.

Moreover, reloading the SSM module will not cause failover of the ASA.

I would like to believe the SSM didn't cause the failover, but the syslog message in my initial message seems to say otherwise.

Syslog on Primary shows we'd switch to the Failover ASA:

1 Mar 11 2008 15:01:23 104002 (Primary) Switching to STNDBY - Other unit wants me Standby. Secondary unit switch reason: Service card in other unit has failed.

-Roy-

abinjola,

You are correct about the state information and config sync between the modules.

However I disagree that the rebooting of a module will not cause a failover. I have seen this occur personally on numerous occasions.

If you disable the backplane for failover monitoring, the reload of the SSM would not affect the ASA failover.

Requester, what exactly are you looking for?

Try this one too

My advice is to disable the AIP-SSM-20 for the time being and check, or open it in fail-open mode.

Because syslog has shown the link state sync message,

there might be a problem with the AIP-SSM.

Abinjola-

How do you disable the backplane from failover monitoring? It does show up as being monitored by 'show failover', but I don't see how to remove it from being monitored like the selected interfaces.

-Roy-
