05-01-2015 12:36 PM - last edited on 02-21-2020 11:55 PM by cc_security_adm
I'm running into an odd thing here that I can't find any reference at all to in a search. I am setting up anyconnect on an active/standby pair of ASA 5510 running 8.3(2). Everything works great and I've got the MacOS package installed. The odd thing is that when I try to enter the "svc image" command for the Win package, it causes the firewalls to failover every time. I'm working with the 3.1 package and have tried both 3.1.07021 and 3.1.08009. I've got plenty of flash space since these packages are sitting by themselves on a 2g card. I thought that maybe the CPU was getting pegged installing the package, causing it to miss a failover poll so I increased the poll time to 15 seconds and still no go. The failover occurs instantly when I enter the config command. Interestingly, the win 2.5 client installs just fine but I need to be able to use it with win 8.1 so I need the 3.1 client.
Would certainly appreciate any insight that someone might have.
Thanks,
Brian
05-02-2015 06:33 AM
Have you verified that both appliances have the Windows pkg file on their disks?
05-02-2015 06:43 AM
Yes, they both have the same pkg in the same place. Interestingly, if the failover occurs and then I try to add the pkg on the secondary, it has the same behaviour and fails right back. It also seems unlikely that there's any file corruption since it happens with both versions that I've tried.
05-02-2015 06:56 AM
Is the xml profile used by the tunnel-group also on both units?
If you run "show failover history" what does the output indicate as the reason for failover?
Any chance of upgrading to a more current and stable image? 8.3(2) is pretty old by now (almost 5 years) and I'd at least try to upgrade to 8.4(7) or even 9.1(6). Those are the current recommended releases for the older 5500 series platforms and may help in the event that you might be hitting a bug.
05-02-2015 01:04 PM
I actually don't have an xml profile defined at all.
The failover log looks like this. There's more, but these seem to be the relevant bits from when I attempt to activate the pkg.
15:21:39 EDT May 1 2015 Standby Ready Just Active HELLO not heard from mate
15:21:39 EDT May 1 2015 Just Active Active Drain HELLO not heard from mate
15:21:39 EDT May 1 2015 Active Drain Active Applying Config HELLO not heard from mate
15:21:39 EDT May 1 2015 Active Applying Config Active Config Applied HELLO not heard from mate
15:21:39 EDT May 1 2015 Active Config Applied Active HELLO not heard from mate
As for an upgrade, I realize it might be necessary but this is a tough controlled environment where there are only quarterly maintenance windows and a long RFC process. I'd have to point to a known bug of some sort to push an upgrade through. Unfortunately, I can't just try to see if it works.
Thanks for taking the time on this.
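An added example, not part of this thread or any Cisco tool: a small Python parser for "show failover history" records like the ones posted above, which collapses a burst of same-second transitions into a single takeover event and tallies the stated reasons, so a reviewer can see at a glance that every step of the takeover was driven by missed hellos. The sample input is constructed from the post (one transition per line, as the CLI prints it); state names beyond those in the post are assumed.

```python
import re
from collections import Counter

# Constructed sample: the five transitions from the post, one record per line.
SAMPLE_HISTORY = """\
15:21:39 EDT May 1 2015 Standby Ready Just Active HELLO not heard from mate
15:21:39 EDT May 1 2015 Just Active Active Drain HELLO not heard from mate
15:21:39 EDT May 1 2015 Active Drain Active Applying Config HELLO not heard from mate
15:21:39 EDT May 1 2015 Active Applying Config Active Config Applied HELLO not heard from mate
15:21:39 EDT May 1 2015 Active Config Applied Active HELLO not heard from mate
"""

# State names the parser knows. The first six appear in the post; the rest are
# assumed. Longest first so "Active Applying Config" is tried before "Active".
STATES = sorted(
    ["Standby Ready", "Just Active", "Active Drain", "Active Applying Config",
     "Active Config Applied", "Active", "Negotiation", "Disabled", "Failed",
     "Cold Standby", "Not Detected"],
    key=len, reverse=True)

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2} \S+ \S+ \d{1,2} \d{4}) (.+)$")

def _take_state(text):
    """Split the longest known state name off the front of text."""
    for s in STATES:
        if text.startswith(s + " "):
            return s, text[len(s) + 1:]
    raise ValueError("unknown state in: " + text)

def parse_history(text):
    """Return a list of (timestamp, from_state, to_state, reason) tuples."""
    records = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue  # column headers, blank lines and the like
        ts, rest = m.groups()
        frm, rest = _take_state(rest)
        to, reason = _take_state(rest)
        records.append((ts, frm, to, reason))
    return records

def summarize(records):
    """Collapse consecutive same-second transitions into one event per takeover."""
    events = []
    for ts, frm, to, reason in records:
        if events and events[-1]["at"] == ts:
            events[-1]["to"] = to            # chain ends at the last target state
            events[-1]["reasons"][reason] += 1
        else:
            events.append({"at": ts, "from": frm, "to": to,
                           "reasons": Counter({reason: 1})})
    return events
```

On the sample this yields one event, Standby Ready to Active at 15:21:39, with "HELLO not heard from mate" counted five times.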
05-04-2015 06:07 AM
You're welcome.
The logs you posted simply indicate no hello is being received. The changes you're making shouldn't cause that to happen.
I did find a closely related bug:
https://tools.cisco.com/bugsearch/bug/CSCth16235
It indicates it only affects adding the OS X AnyConnect file but it's otherwise very similar. You might open a TAC case if you want a full search to include unpublished bugs.