cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
919
Views
0
Helpful
3
Replies

ASA Failover down

Beaurr
Level 1
Level 1

Hello,

For 3 weeks, we have our ASA (configured in failover active / standby) which stops working. When it happens, we have to restart them electrically.
After which, it works for 2 or 3 days, and it starts again. The ASAs are unreachable

When this happens, the LED turns green on the 2 asa.

#sh failover

Failover On
Failover unit Primary
Failover LAN Interface: bckfail GigabitEthernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.9(1)2, Mate 9.9(1)2
Serial Number: Ours JAD20430GX7, Mate JAD23410L0K
Last Failover at: 09:46:42 CEDT Jun 15 2020
This host: Primary - Active
Active time: 1223049 (sec)
slot 1: ASA5516 hw/sw rev (1.1/9.9(1)2) status (Up Sys)
Interface Outside (62.193.38.42): Normal (Monitored)
Interface Inside (10.39.6.5): Normal (Monitored)
Interface Backup (0.0.0.0): Link Down (Shutdown)
slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)
ASA FirePOWER, 5.4.1-211, Up, (Monitored)
slot 2: SFR5516 hw/sw rev (N/A/5.4.1-211) status (Up/Up)
ASA FirePOWER, 5.4.1-211, Up, (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 1: ASA5516 hw/sw rev (3.3/9.9(1)2) status (Up Sys)
Interface Outside (62.193.38.46): Normal (Monitored)
Interface Inside (10.39.6.50): Normal (Monitored)
Interface Backup (0.0.0.0): Link Down (Shutdown)
slot 2: SFR5516 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 2: SFR5516 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)

Stateful Failover Logical Update Statistics
Link : bckfail GigabitEthernet1/8 (up)
Stateful Obj xmit xerr rcv rerr
General 3231089 0 324537 61
sys cmd 176108 0 176108 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1182611 0 32737 4
UDP conn 966717 0 61786 29
ARP tbl 897498 0 53269 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 5750 0 461 0
VPN IKEv1 P2 582 0 25 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 133 0 6 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 314 0 0 28
Router ID 0 0 0 0
User-Identity 1378 0 145 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 601400
Xmit Q: 0 2048 8974000


#sh failover state

State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Comm Failure 08:13:08 CEDT Jun 29 2020

====Configuration State===
Sync Done
====Communication State===
Mac set

 

 

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

Have you checked console access when the units are unresponsive? Also, check "show failover history" if you can get the output before doing a power cycle.

Hello,

 

the unit crashes approximately between 2 a.m. and 2:30 a.m.

when i get to work at 8am i have to restart them quickly.

This night, the problem occures. But it was a little bit different. The standby ASA become primary, but the primary fail. 

 

when I try to connect to the console port access  directly on the faulty ASA, The system is inaccessible.

 

So the connection continues to work but with only one asa

 

 

when i do a #sh failover history

 

02:28:40 CEDT Jul 1 2020
Not Detected Negotiation No Error

02:28:46 CEDT Jul 1 2020
Negotiation Cold Standby Detected an Active mate

02:28:47 CEDT Jul 1 2020
Cold Standby Sync Config Detected an Active mate

02:29:07 CEDT Jul 1 2020
Sync Config Sync File System Detected an Active mate

02:29:07 CEDT Jul 1 2020
Sync File System Bulk Sync Detected an Active mate

02:29:21 CEDT Jul 1 2020
Bulk Sync Standby Ready Detected an Active mate

02:36:16 CEDT Jul 1 2020
Standby Ready Just Active HELLO not heard from mate

02:36:16 CEDT Jul 1 2020
Just Active Active Drain HELLO not heard from mate

02:36:16 CEDT Jul 1 2020
Active Drain Active Applying Config HELLO not heard from mate

02:36:16 CEDT Jul 1 2020
Active Applying Config Active Config Applied HELLO not heard from mate

02:36:16 CEDT Jul 1 2020
Active Config Applied Active HELLO not heard from mate

==========================================================================

Problem were resolved with a firmware update.
we don't have a cisco contract allowing us to download software update
we had to see with our resellers to get it
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: