ASA5520 Active/Standby Failover

gdandas · ‎06-12-2007

The Standby ASA5520 started logging the following message sequence for each interface:

(1)%ASA-1-105005: (Primary) Lost Failover communications with mate on interface ________

(2)%ASA-1-105008: (Primary) Testing Interface ________

(3)%ASA-1-105009: (Primary) Testing on interface ________ Passed

This is repeated over and over.

The ASAs appear to be operating OK in spite of the messages.

Report Inappropriate Content · ‎06-19-2007

. This message is displayed if this unit of the failover pair can no longer communicate with the other unit of the pair. (Primary) can also be listed as (Secondary) for the secondary unit.

Recommended Action Verify that the network connected to the specified interface is functioning correctly.

This message reports the result (either Passed or Failed) of a previous interface test. If the result is Failed, you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.

Refer this link:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm

gdandas · ‎06-19-2007

Pengke11, Thanks for replying.

Observations:

(1)There is a direct connection between the Management0/0 Interfaces of the two ASA5520 units.

(2)This connection is used for both Failover and the Stateful Failover links.

(3)The cable does NOT appear to be a crossover cable.

(4)The Management0/0 interface is set to Full-duplex and 100 mbps. The other interfaces are Full Duplex and 1000 mbps.

(5)When the units are rebooted, the error goes away, but they eventually return.

(6) Except for the error messages that the standby unit is issuing, everything seems to be running OK.

Should the direct connection between the ASAs be using a crossover cable?

oricacomms · ‎06-24-2007

Yes the connections should be using a x-over. They are not auto midix so this will fail.

Interesting that your using the management interface as the failover link. In most cases we have used one of the gi interface. This may cause some trouble??

gdandas · ‎06-25-2007

I replaced the cable with a x-over. Errors still occuring.

I guess the guy who set up the ASAs ran out of Gig interfaces, so he used the Mgt interface. What is it normally used for?

I may try to free up one of the Gig interfaces and use it for fail-over.

Thanks.

JORGE RODRIGUEZ · ‎06-25-2007

hi,

I am curious to know if this problem suddendly developed or has it been as such for a while.

From what I have read on ASA's and 7.x code I have not encounter any text indicating the management interface being bound to be only management. Well, there is a sea of information and I may be wrong . I would carefully review requirements/guidelines in failover implementations

and both ASA's failover configurations , look into avery possible angle , lisencing etc.., at least you have ruled out

the physical.

Failover link, primary an secondary units configuration

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/failover.html#wp1055300

Configuring LAN-Base Active/Standby Failover

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/failover.html#wp1051745

HTH

Jorge

Jorge Rodriguez

gdandas · ‎06-25-2007

It just started a few weeks ago, all of a sudden. It started not long after I upgraded the ASA from 7.1(1) to 7.2(2).

philiechang · ‎08-04-2008

Hi,

Do you still have this issue? My ASA 5520 just started with these messages over the weekend and my cables seems to be ok. I'm on version 7.2.2, perhaps a bug?

gdandas · ‎08-04-2008

No. As I recall, Cisco sent me a replacement ASA5520 to resolve this issue.

philiechang · ‎08-04-2008

Ok, thanks. I'm leaning towards that direction as well, since I have 2 interfaces on my ASA with this issue.