Amber light - ASA Interface

Unanswered Question
Mar 14th, 2007

I have two ASA5540s in an HA Active/Standby mode. When I first started configuring the firewalls I had them connected to a Cat2950. The lights on the interfaces were Green/Green. Yesterday we moved them to their final resting place; I have them connecting to a Cat6k. Now the interfaces are showing Green/Amber. Why?? When I do a "show int" I see no errors on the ASA or Cat6k. I am also using the same cables I was using when I had the ASA connected to the Cat2950, so I know the cables are good.

vitripat Wed, 03/14/2007 - 10:18

Could you please provide the output of the "show int" command?



jkeddington_2 Wed, 03/14/2007 - 10:25

Yes - Here is the output from the ASA:

Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
  Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
  MAC address 0018.195b.e98b, MTU 1500
  IP address x.x.18.251, subnet mask
  18511 packets input, 2198179 bytes, 0 no buffer
  Received 2336 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops
  17587 packets output, 2756204 bytes, 0 underruns
  0 output errors, 0 collisions
  0 late collisions, 0 deferred
  input queue (curr/max blocks): hardware (0/0) software (0/0)
  output queue (curr/max blocks): hardware (0/5) software (0/0)
  Traffic Statistics for "inside":
  18376 packets input, 1852509 bytes
  17467 packets output, 2419064 bytes
  1597 packets dropped
  1 minute input rate 0 pkts/sec, 31 bytes/sec
  1 minute output rate 0 pkts/sec, 327 bytes/sec
  1 minute drop rate, 0 pkts/sec
  5 minute input rate 0 pkts/sec, 35 bytes/sec
  5 minute output rate 0 pkts/sec, 329 bytes/sec
  5 minute drop rate, 0 pkts/sec

suschoud Wed, 03/14/2007 - 10:27

The amber light suggests different speed and duplex settings on the firewall and Cat's interfaces.

Please make sure that they have the same speed and duplex. You can configure the speed and duplex manually on the firewall and cat6, or you can simply select "auto" for auto-negotiation.



cisco tac

suschoud Wed, 03/14/2007 - 10:30

1597 packets dropped ...

Seems to be a bad cable.



jkeddington_2 Wed, 03/14/2007 - 10:37

Here is the show int from the Cat6k -

GigabitEthernet1/1 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address )
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:52, output hang never
  Last clearing of "show interface" counters 4w2d
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
  22422 packets input, 5288318 bytes, 0 no buffer
  Received 50 broadcasts (1 multicasts)
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 watchdog, 0 multicast, 0 pause input
  0 input packets with dribble condition detected
  120698 packets output, 12227112 bytes, 0 underruns
  0 output errors, 0 collisions, 1 interface resets
  0 babbles, 0 late collision, 0 deferred
  0 lost carrier, 0 no carrier, 0 PAUSE output
  0 output buffer failures, 0 output buffers swapped out

As you can see, I have set each side to be 1000/Full. What really confuses me is I do not have this issue when connecting to a low-end switch like a Cat2950, but I do when I connect to a high-end switch like the Cat6k. I get the amber light no matter how I configure the ports.
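As an added example (not posted by anyone in this thread): a small Python check that parses both ends' "show int" output, trimmed from the posts above, and compares the operating speed/duplex plus the error counters a mismatch or bad cable would raise. The function names and the choice of counters are assumptions of this example.

```python
import re

# Trimmed from the "show int" outputs posted in this thread.
ASA_OUTPUT = """\
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 output errors, 0 collisions
  0 late collisions, 0 deferred
"""
CAT6K_OUTPUT = """\
GigabitEthernet1/1 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 output errors, 0 collisions, 1 interface resets
  0 babbles, 0 late collision, 0 deferred
"""

# Counters that usually climb with a duplex mismatch or a bad cable.
COUNTERS = {
    "input_errors": r"input errors",
    "crc": r"CRC",
    "output_errors": r"output errors",
    "collisions": r"collisions\b",
    "late_collisions": r"late collisions?\b",
}

def parse_show_int(text):
    """Extract operating duplex, speed (Mbps) and error counters."""
    info = {"duplex": None, "speed": None}
    for line in text.splitlines():
        duplex = re.findall(r"\b(full|half)-duplex", line, re.I)
        speed = re.findall(r"(\d+)\s*Mb", line)
        if duplex and speed:
            # Assumption: ASA prints configured(actual), so take the last value.
            info["duplex"], info["speed"] = duplex[-1].lower(), int(speed[-1])
            break
    for key, pattern in COUNTERS.items():
        match = re.search(r"(\d+) " + pattern, text)
        info[key] = int(match.group(1)) if match else None
    return info

def compare_link(a, b):
    """Return a list of findings; an empty list means both ends agree and are clean."""
    findings = []
    for field in ("speed", "duplex"):
        if a[field] != b[field]:
            findings.append("%s mismatch: %s vs %s" % (field, a[field], b[field]))
    for side, info in (("A", a), ("B", b)):
        findings += ["%s %s=%d" % (side, k, info[k]) for k in COUNTERS if info[k]]
    return findings

print(compare_link(parse_show_int(ASA_OUTPUT), parse_show_int(CAT6K_OUTPUT)))
```

For the two outputs in this thread the list is empty, which matches the poster's observation that neither side reports a mismatch or errors.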

abinjola Wed, 03/14/2007 - 10:30

TAC have thoroughly tested this issue and we have the following result:

In 7.2 versions the active LED is no longer showing the activity of the device but its current failover state, meaning the current active device's LED is green and the standby's LED will be amber. So it isn't showing any problems.

Is the active device's LED amber?

Check this :-

jkeddington_2 Wed, 03/14/2007 - 11:05

Yes, both ASAs' SFP Link LEDs are amber. I say that because the link you sent me identifies that status light as the SFP Link LED. The switch I am connecting to for failover only supports 100/Full and my inside / outside are running at 1000/Full. Could that be the reason?

I should also point out I have seen this exact issue at two other sites. And at both sites I am connecting to a Cat6k, just like I am here.

suschoud Wed, 03/14/2007 - 11:38

Yup... I think this is the problem. Please set the firewall to 100 Mbps/full duplex and that should resolve this.



Cisco TAC

abinjola Wed, 03/14/2007 - 12:02

At 1000 Mbps you would see amber; change it to 100 Mbps and it will turn green.

Is the colour of the light the only issue bothering you?

What problems are you experiencing other than the colour thing? This would help us to narrow down the issue.

jkeddington_2 Thu, 03/15/2007 - 08:40

Ahh, ok. That makes sense. I was told by Cisco TAC that the amber light meant I had an issue with a cable or something. I am experiencing no issues. I didn't realize the amber light meant I was connected at 1000 Mbps. Thank you for this answer.

mazloumi.arash Mon, 08/08/2011 - 20:45

I have the same problem too.

We have 2 ASA 5540s (Active/Standby) and one Catalyst 3750 that the ASAs are connected to. In the normal situation everything is good, but when the Active ASA fails and the secondary becomes Active, the switchport connected to the secondary ASA becomes Amber/Green and the speed becomes slow, with 30% packet loss.

I also checked the connectivity and changed the switchport, but no success.

Appreciate any help.

varrao Mon, 08/08/2011 - 21:46

Hi Arash,

You might need to check the duplex and speed setting as well, between the secondary ASA and the switch it is connected to.


