02-09-2007 09:36 AM - edited 03-11-2019 02:31 AM
We have two ASA 5520s in active/failover, and every day at the same time (11:00 CST) the primary device indicates it has lost communications with its mate on all interfaces. It then tests the interfaces, which pass, and then everything runs normally for 24 hours.
Using ASA 5520 VPN Plus license with asa721-19-k8.bin on both devices.
No logging messages on failover device or switches supporting interfaces.
Anyone seen this before?
TIA,
02-12-2007 11:05 PM
Can you send a "show version" from both ASAs? Did you capture any syslogs from the Primary ASA under debug mode when the issue happened? If so, please send me those also.
02-13-2007 05:55 AM
No, I have not been able to capture any debugs when this happens. Will try to today.
Here are the "show version" outputs.
Primary:
fvhatp01# sh ver
Cisco Adaptive Security Appliance Software Version 7.2(1)19
Device Manager Version 5.2(1)
Compiled on Wed 20-Sep-06 15:48 by builders
System image file is "disk0:/asa721-19-k8.bin"
Config file at boot was "startup-config"
fvhatp01 up 105 days 16 hours
failover cluster up 107 days 7 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0015.c6fa.1704, irq 9
1: Ext: GigabitEthernet0/1 : address is 0015.c6fa.1705, irq 9
2: Ext: GigabitEthernet0/2 : address is 0015.c6fa.1706, irq 9
3: Ext: GigabitEthernet0/3 : address is 0015.c6fa.1707, irq 9
4: Ext: Management0/0 : address is 0015.c6fa.1708, irq 11
5: Int: Not licensed : irq 11
6: Int: Not licensed : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1002K...
Running Activation Key: 0xb838ca67 0x2c8d97f0 0x2040c408 0x9a98d818 0x033bdeb9
Configuration register is 0x1
Configuration last modified by enable_15 at 14:45:17.722 CST Sat Feb 10 2007
fvhatp01#
Failover:
fvhatp01# sh ver
Cisco Adaptive Security Appliance Software Version 7.2(1)19
Device Manager Version 5.2(1)
Compiled on Wed 20-Sep-06 15:48 by builders
System image file is "disk0:/asa721-19-k8.bin"
Config file at boot was "startup-config"
fvhatp01 up 105 days 16 hours
failover cluster up 107 days 7 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0015.fac8.0d40, irq 9
1: Ext: GigabitEthernet0/1 : address is 0015.fac8.0d41, irq 9
2: Ext: GigabitEthernet0/2 : address is 0015.fac8.0d42, irq 9
3: Ext: GigabitEthernet0/3 : address is 0015.fac8.0d43, irq 9
4: Ext: Management0/0 : address is 0015.fac8.0d44, irq 11
5: Int: Not licensed : irq 11
6: Int: Not licensed : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1002K...
Running Activation Key: 0xa301f069 0xe894c902 0xa4510cd8 0x8f4c64f4 0x0c23dfa9
Configuration register is 0x1
Configuration last modified by enable_1 at 14:45:14.263 CST Sat Feb 10 2007
fvhatp01#
TIA,
02-13-2007 10:23 AM
Hi,
When you perform a "Show Fail", are you showing that one license is the UnR license and that the other is the FO license? If that is the case, then also confirm that your FO unit isn't in fact the "Active" unit while (possibly, if my hunch is right) your UnRestricted unit is your "Standby" unit.
If that/this is the case, then what is happening is that your FO unit is doing what it is (by license) designed to do, and what it is engineered to do (through firmware) which is to reboot every 24 hours - so as to remind you, the administrator, that you have a FO unit performing in a slightly "crippled" environment.
Just a stab at it.
btw, no, you cannot "turn off" the 24-hour reboot cycle on an FO-licensed PIX. I asked.
Josh
02-13-2007 10:30 AM
Thanks for the reply. That was my first thought, but to my understanding ASAs don't work like that. I don't think there is a FO license with ASAs.
Also, this is the first day it didn't do it (so far). Weird.