Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1312
Views
0
Helpful
4
Replies

ASA 5520 Failover Messages Every 24 Hours

JAMES LOPEZ
Level 1
Level 1

‎02-09-2007 09:36 AM - edited ‎03-11-2019 02:31 AM

We have two ASA 5520's in active/failover and everyday at this same time (11:00CST) the primary devices indicates it has lost communications with mate on all interfaces. It then tests interfaces which pass and then everything runs normally for 24 hours.

Using ASA 5520 VPN Plus license with asa721-19-k8.bin on both devices.

No logging messages on failover device or switches supporting interfaces.

Anyone seen this before?

TIA,

Labels:
0 Helpful
4 Replies 4

rleivaoc
Cisco Employee
Cisco Employee

‎02-12-2007 11:05 PM

Can you send a "show version" on both ASA? Did you capture any syslogs from the Primary ASA under debug mode when the issue happend? If so, please send me those also.

0 Helpful

JAMES LOPEZ
Level 1
Level 1
In response to rleivaoc

‎02-13-2007 05:55 AM

No, I have not been able to capture any debugs when this happens. Will try to today.

Here are the "show version" outputs.

Primary:

fvhatp01# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(1)19

Device Manager Version 5.2(1)

Compiled on Wed 20-Sep-06 15:48 by builders

System image file is "disk0:/asa721-19-k8.bin"

Config file at boot was "startup-config"

fvhatp01 up 105 days 16 hours

failover cluster up 107 days 7 hours

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 64MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0 : address is 0015.c6fa.1704, irq 9

1: Ext: GigabitEthernet0/1 : address is 0015.c6fa.1705, irq 9

2: Ext: GigabitEthernet0/2 : address is 0015.c6fa.1706, irq 9

3: Ext: GigabitEthernet0/3 : address is 0015.c6fa.1707, irq 9

4: Ext: Management0/0 : address is 0015.c6fa.1708, irq 11

5: Int: Not licensed : irq 11

6: Int: Not licensed : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 100

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : 750

WebVPN Peers : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1002K...

Running Activation Key: 0xb838ca67 0x2c8d97f0 0x2040c408 0x9a98d818 0x033bdeb9

Configuration register is 0x1

Configuration last modified by enable_15 at 14:45:17.722 CST Sat Feb 10 2007

fvhatp01#

Failover:

fvhatp01# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(1)19

Device Manager Version 5.2(1)

Compiled on Wed 20-Sep-06 15:48 by builders

System image file is "disk0:/asa721-19-k8.bin"

Config file at boot was "startup-config"

fvhatp01 up 105 days 16 hours

failover cluster up 107 days 7 hours

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 64MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0 : address is 0015.fac8.0d40, irq 9

1: Ext: GigabitEthernet0/1 : address is 0015.fac8.0d41, irq 9

2: Ext: GigabitEthernet0/2 : address is 0015.fac8.0d42, irq 9

3: Ext: GigabitEthernet0/3 : address is 0015.fac8.0d43, irq 9

4: Ext: Management0/0 : address is 0015.fac8.0d44, irq 11

5: Int: Not licensed : irq 11

6: Int: Not licensed : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 100

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : 750

WebVPN Peers : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1002K...

Running Activation Key: 0xa301f069 0xe894c902 0xa4510cd8 0x8f4c64f4 0x0c23dfa9

Configuration register is 0x1

Configuration last modified by enable_1 at 14:45:14.263 CST Sat Feb 10 2007

fvhatp01#

TIA,

0 Helpful

jdughi
Level 1
Level 1
In response to JAMES LOPEZ

‎02-13-2007 10:23 AM

Hi,

When you perform a "Show Fail" are you showing that one license is the UnR licence and that the other is the FO license? If that is the case, then also confirm that your FO unit isn't in fact the "Active" unit while (possibly, if my hunch is right) your UnRestricted unit is your "Standby" unit.

If that/this is the case, then what is happening is that your FO unit is doing what it is (by license) designed to do, and what it is engineered to do (through firmware) which is to reboot every 24 hours - so as to remind you, the administrator, that you have a FO unit performing in a slightly "crippled" environment.

Just a stab at it.

btw, no, you can not "turn off" the 24-hour reboot cycle on an FO-licensed PIX. I asked.

Josh

0 Helpful

JAMES LOPEZ
Level 1
Level 1
In response to jdughi

‎02-13-2007 10:30 AM

Thanks for the reply and that was my first thought but to my understanding ASA's don't work like that. I don't think there is a FO license with ASA's.

Also, this is the first day it didn't do it (so far). Weird.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card