ASA 5520 Failover Messages Every 24 Hours

Unanswered Question
Feb 9th, 2007

We have two ASA 5520s in active/failover and every day at the same time (11:00 CST) the primary device indicates it has lost communications with its mate on all interfaces. It then tests the interfaces, which pass, and then everything runs normally for 24 hours.

Using ASA 5520 VPN Plus license with asa721-19-k8.bin on both devices.

No logging messages on failover device or switches supporting interfaces.

Anyone seen this before?

TIA,

rleivaoc Mon, 02/12/2007 - 23:05

Can you send a "show version" from both ASAs? Did you capture any syslogs from the Primary ASA under debug mode when the issue happened? If so, please send me those also.

JAMES LOPEZ Tue, 02/13/2007 - 05:55

No, I have not been able to capture any debugs when this happens. Will try to today.

Here are the "show version" outputs.

Primary:

fvhatp01# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(1)19
Device Manager Version 5.2(1)

Compiled on Wed 20-Sep-06 15:48 by builders
System image file is "disk0:/asa721-19-k8.bin"
Config file at boot was "startup-config"

fvhatp01 up 105 days 16 hours
failover cluster up 107 days 7 hours

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0 : address is 0015.c6fa.1704, irq 9
1: Ext: GigabitEthernet0/1 : address is 0015.c6fa.1705, irq 9
2: Ext: GigabitEthernet0/2 : address is 0015.c6fa.1706, irq 9
3: Ext: GigabitEthernet0/3 : address is 0015.c6fa.1707, irq 9
4: Ext: Management0/0 : address is 0015.c6fa.1708, irq 11
5: Int: Not licensed : irq 11
6: Int: Not licensed : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1002K...
Running Activation Key: 0xb838ca67 0x2c8d97f0 0x2040c408 0x9a98d818 0x033bdeb9
Configuration register is 0x1
Configuration last modified by enable_15 at 14:45:17.722 CST Sat Feb 10 2007

fvhatp01#

Failover:

fvhatp01# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(1)19
Device Manager Version 5.2(1)

Compiled on Wed 20-Sep-06 15:48 by builders
System image file is "disk0:/asa721-19-k8.bin"
Config file at boot was "startup-config"

fvhatp01 up 105 days 16 hours
failover cluster up 107 days 7 hours

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0 : address is 0015.fac8.0d40, irq 9
1: Ext: GigabitEthernet0/1 : address is 0015.fac8.0d41, irq 9
2: Ext: GigabitEthernet0/2 : address is 0015.fac8.0d42, irq 9
3: Ext: GigabitEthernet0/3 : address is 0015.fac8.0d43, irq 9
4: Ext: Management0/0 : address is 0015.fac8.0d44, irq 11
5: Int: Not licensed : irq 11
6: Int: Not licensed : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1002K...
Running Activation Key: 0xa301f069 0xe894c902 0xa4510cd8 0x8f4c64f4 0x0c23dfa9
Configuration register is 0x1
Configuration last modified by enable_1 at 14:45:14.263 CST Sat Feb 10 2007

fvhatp01#

TIA,

Hi,

When you perform a "Show Fail" are you showing that one license is the UnR license and that the other is the FO license? If that is the case, then also confirm that your FO unit isn't in fact the "Active" unit while (possibly, if my hunch is right) your UnRestricted unit is your "Standby" unit.

If that/this is the case, then what is happening is that your FO unit is doing what it is (by license) designed to do, and what it is engineered to do (through firmware) which is to reboot every 24 hours - so as to remind you, the administrator, that you have a FO unit performing in a slightly "crippled" environment.

Just a stab at it.

btw, no, you cannot "turn off" the 24-hour reboot cycle on an FO-licensed PIX. I asked.

Josh

JAMES LOPEZ Tue, 02/13/2007 - 10:30

Thanks for the reply, and that was my first thought, but to my understanding ASAs don't work like that. I don't think there is a FO license with ASAs.

Also, this is the first day it didn't do it (so far). Weird.
