I have a client with 2x ASA5525-X and they would not reload upon the reload command (tried doing it via SSH, console and ASDM). Both ASAs are having the same issue and the same output from the file check command (see below).
Has anybody experienced that?
    Cisco Adaptive Security Appliance Software Version 9.7(1)4
    Firepower Extensible Operating System Version 2.1(1.66)
    Device Manager Version 7.8(2)151

    Compiled on Fri 31-Mar-17 07:26 PDT by builders
    System image file is "disk0:/asa971-4-smp-k8.bin"
    Config file at boot was "startup-config"

    FW01 up 5 days 4 hours
    failover cluster up 5 days 4 hours

    Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
    ASA: 4192 MB RAM, 1 CPU (1 core)
    Internal ATA Compact Flash, 8192MB
    BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
We are suspecting a potential flash problem, as when we run the file check command we get this:
    # fsck disk0:
    umount: /mnt/disk0: target is busy.
            (In some cases useful info about processes that use
             the device is found by lsof(8) or fuser(1))
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    There are differences between boot sector and its backup.
    Differences: (offset:original/backup)
      65:01/00
      Not automatically fixing this.
    /dev/sda1: 104 files, 232470/2011280 clusters
    mount: /dev/sda1 is already mounted or /mnt/disk0 busy
           /dev/sda1 is already mounted on /mnt/disk0
    fsck of disk0: complete
Can anybody help with this?
I am in a bit of a puzzle, more like a Catch-22.
I have a very simple ISE 2.1 deployment: two VM servers on the same host, same subnet (no firewall in between), running as Primary A/M and Secondary A/M personas on the two nodes. After a recent reload of the servers, the Secondary Node is having sync issues with the primary. It is still processing traffic OK, as we have not changed the configuration, but it is giving us sync issue alerts, and the Primary Node also cannot manually sync; the error is:
<Unable to sync node ise-corp-x-x. . Please check if the primary and this node are reachable from each other.>
Also, when trying to list the certificates on the Secondary Node I get the following error:
<Error loading certificates. Node not reachable at this time. Try again later.>
I did some reading, and on this same portal it is stated that problems with sync can be due to time issues/NTP, DNS or certificates. I have ruled out the first two: both ISE nodes have a proper clock and NTP setup, and the DNS setup is OK and works properly.
However, I have noticed that the certificate on the problematic secondary node (a self-signed certificate) had expired 2 weeks ago. That is visible from within the secondary node GUI, BUT with that version of ISE I cannot re-issue it from the secondary GUI nor change anything. I am supposed to reissue it from the primary node, but when trying to do it the process fails, as the Primary cannot talk to the secondary (the sync problem, despite having all good and green under the deployment menu) and cannot even list the secondary server certificates as mentioned above. I believe that the server certificates are used in that sync communication between the two (probably to do the encryption) and when one expired that broke it (after the restart). The problem is I cannot reissue the certificate due to the certificate being expired and having no proper communication between the devices. Cisco documentation is very general and does not cover that case, and the customer is just in the process of renewing its support (takes time for them), so any advice is appreciated!
I was thinking of promoting the secondary to primary and then re-issuing the certificate, but that is a bit risky.
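The post above diagnoses the sync failure from the GUI, which itself stops working once the node's certificate is bad. The following script is an added example, not code from the post or from Cisco: it fetches the TLS server certificate a node presents (with verification disabled, because an expired or self-signed certificate would otherwise be rejected before it could be inspected) and reports the validity window and the days remaining, so the expiry can be confirmed from another host independently of the ISE admin interface and re-checked after the certificate is re-issued. It assumes the node serves TLS on port 443; the hostname in the usage line is a placeholder. The DER validity parser and the constructed certificate skeleton used to exercise it offline are mine, and the skeleton is not a real certificate.

```python
"""Report the validity window of the TLS certificate a host presents (added example)."""
import socket
import ssl
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body):
    """Yield the (tag, value) pairs contained in a DER SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, value, pos = _read_tlv(seq_body, pos)
        yield tag, value


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY < 50 means 20YY, else 19YY
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_from_der(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs_body, _ = _read_tlv(cert_body, 0)     # tbsCertificate is its first element
    fields = list(_children(tbs_body))
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    times = list(_children(fields[3][1]))
    return _parse_time(*times[0]), _parse_time(*times[1])


def days_remaining(not_after, now=None):
    """Days until not_after; negative when the certificate has already expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).total_seconds() / 86400


def fetch_peer_cert_der(host, port=443, timeout=5.0):
    """Fetch the server certificate in DER form without validating it (CERT_NONE),
    so an expired or self-signed certificate can still be inspected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _der(tag, payload):
    """Encode one DER TLV (used only to build the offline sample below)."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    length = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + payload


def build_sample_cert(not_before, not_after):
    """Constructed, unsigned certificate skeleton (not a real certificate) carrying the
    given validity; placeholder fields are empty SEQUENCEs. For offline parser tests."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),         # version v3
        _der(0x02, b"\x01"),                     # serialNumber 1
        _der(0x30, b""),                         # signature algorithm (placeholder)
        _der(0x30, b""),                         # issuer (placeholder)
        _der(0x30, utc(not_before) + utc(not_after)),
        _der(0x30, b""),                         # subject (placeholder)
        _der(0x30, b""),                         # subjectPublicKeyInfo (placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ise-secondary.example.invalid"  # placeholder
    nb, na = validity_from_der(fetch_peer_cert_der(host))
    print(f"{host}: valid {nb:%Y-%m-%d} to {na:%Y-%m-%d}, {days_remaining(na):.1f} days remaining")
```

Run it against each node from the other node (or any host that reaches both) and compare: a negative days-remaining value on the secondary confirms the expired certificate as the cause worth fixing first, and the same command run after re-issuing shows the new window. Scheduling this check a few weeks ahead of expiry is what would have prevented the deadlock described above.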