Will ASA-SSM-20 reload affect ASA failover?

Mar 10th, 2008

I have 2 ASA 5520s with an ASA-SSM-20 installed in each. The ASA-SSM-20 in the primary ASA is not working correctly:


Error: Cannot communicate with mainApp (getVersion). Please contact your system administrator.

Would you like to run cidDump?[no]:


I would like to reload the module, but I don't know if that will cause the whole ASA to failover. The ASAs are running 7.2(3).


Any thoughts?

brettmilborrow Mon, 03/10/2008 - 16:41

Hi,


The ASA failover monitors the internal interface between the ASA and the SSM, therefore if you reboot the SSM, the firewall will fail over to the other firewall.


Hope that helps!

rwchenow Tue, 03/11/2008 - 13:03

Hello-


I ran into this an hour ago. Setting up the AIP-SSM module on the Primary, it called for a reboot. Soon I had several folks at my desk because some users in the field had their sessions dropped.


Syslog on Primary shows we'd switch to the Failover ASA:

1 Mar 11 2008 15:01:23 104002 (Primary) Switching to STNDBY - Other unit wants me Standby. Secondary unit switch reason: Service card in other unit has failed.


Is there a way to remove the IPS module from failover monitoring? It does not show up in the list of monitored interface choices.


I can't take the risk of disconnecting users if I have to make an IPS change and reboot the AIP-SSM module.


Thanks,


-Roy-

brettmilborrow Tue, 03/11/2008 - 17:15

Roy,


Are you not doing stateful failover on your firewall pair?


This configuration option allows for the synchronizing of session information, which means that in the event of a failover your client sessions through the firewall are not lost!


Have a look here for more info:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef


rwchenow Wed, 03/12/2008 - 07:56

Thanks Brett.


We are using stateful failover. Not all sessions get dropped, just enough Telnet and application interface links that we start getting calls and people show up at my door. This is on a new ASA5520 that normally runs <5% CPU utilization. I just checked: the failover link is set to 1000FULL, so there should not be any delay updating state information.


Am I missing something in the config?



Portcullis# sho run failover
failover
failover lan unit primary
failover lan interface heartbeat GigabitEthernet0/2
failover polltime unit 3 holdtime 9
failover replication http
failover link heartbeat GigabitEthernet0/2
failover interface ip heartbeat 172.31.0.201 255.255.255.0 standby 172.31.0.202
Portcullis# sho run interface g0/2
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
speed 1000
duplex full
Portcullis#


-Roy-

brettmilborrow Wed, 03/12/2008 - 08:28

Hi Roy,


You are missing a command!


failover link state GigabitEthernet0/2



rwchenow Wed, 03/12/2008 - 08:49

But I do have


failover link heartbeat GigabitEthernet0/2


'state' in your previous message is the interface name.

From the docs:

failover link if_name phy_if


Our interface was named 'heartbeat' by a long forgotten consultant.


-Roy-
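As an added example (not code from the thread), the following Python audit parses 'show run failover' output using the documented syntax Roy quotes, failover link if_name phy_if, and reports whether a state link is present whatever label the interface carries (here 'heartbeat'). The config text embedded below is the one Roy posted above; the function names are this example's own.

```python
import re

# Sample input: the 'show run failover' output posted earlier in the thread.
SAMPLE_CONFIG = """\
failover
failover lan unit primary
failover lan interface heartbeat GigabitEthernet0/2
failover polltime unit 3 holdtime 9
failover replication http
failover link heartbeat GigabitEthernet0/2
failover interface ip heartbeat 172.31.0.201 255.255.255.0 standby 172.31.0.202
"""

# Documented syntax: failover lan interface if_name phy_if
#                    failover link if_name phy_if
LAN_RE = re.compile(r"^failover lan interface (\S+) (\S+)$", re.M)
LINK_RE = re.compile(r"^failover link (\S+) (\S+)$", re.M)


def audit_failover(config: str) -> dict:
    """Report whether stateful failover is configured and on which interfaces.

    The if_name token is an arbitrary label chosen by whoever built the config;
    only the presence of a 'failover link' line makes the pair stateful.
    """
    lan = LAN_RE.search(config)
    link = LINK_RE.search(config)
    result = {
        "failover_enabled": bool(re.search(r"^failover$", config, re.M)),
        "lan_if_name": lan.group(1) if lan else None,
        "lan_phy_if": lan.group(2) if lan else None,
        "state_if_name": link.group(1) if link else None,
        "state_phy_if": link.group(2) if link else None,
        "stateful": link is not None,
    }
    # The state link may share the LAN failover interface (as here) or use its own.
    result["shared_link"] = bool(lan and link and lan.group(2) == link.group(2))
    return result


def missing_stateful_link(config: str) -> bool:
    """True when failover is enabled but no 'failover link' line exists."""
    r = audit_failover(config)
    return r["failover_enabled"] and not r["stateful"]
```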

brettmilborrow Wed, 03/12/2008 - 08:58

You are absolutely correct!


You have stateful failover configured correctly, strange though as you should not have ANY dropped sessions at all!


Do you have an IPS module in your ASA, or an inline IPS in the path?

rwchenow Wed, 03/12/2008 - 11:31

Brett-


I have matching AIP-SSM-20 modules in the Primary and Secondary ASA units.


-Roy-

abinjola (Cisco Employee) Thu, 03/13/2008 - 09:55

AIP-SSM-20 modules don't sync their configs or connections at the time of failover.


Moreover, reloading the SSM module will not cause a failover of the ASA.


rwchenow Thu, 03/13/2008 - 11:30

I would like to believe the SSM didn't cause the failover, but the syslog message in my initial message seems to say otherwise.


Syslog on Primary shows we'd switch to the Failover ASA:

1 Mar 11 2008 15:01:23 104002 (Primary) Switching to STNDBY - Other unit wants me Standby. Secondary unit switch reason: Service card in other unit has failed.


-Roy-


brettmilborrow Thu, 03/13/2008 - 12:35

abinjola,


You are correct about the state information and config sync between the modules.


However I disagree that the rebooting of a module will not cause a failover. I have seen this occur personally on numerous occasions.



abinjola (Cisco Employee) Thu, 03/13/2008 - 15:59

If you disable the backplane for failover monitoring, the reload of the SSM would not affect the ASA failover.


Requester, what exactly are you looking for ..?

rwchenow Fri, 03/14/2008 - 05:42

Abinjola-


How do you disable the backplane from failover monitoring? It does show up as being monitored by 'show failover', but I don't see how to remove it from being monitored like the selected interfaces.


-Roy-

rwchenow Fri, 03/14/2008 - 12:42

Thanks to all for your responses. I finally asked TAC and found the following:


-----------

[Failover on SSM reboot] is by design. There is a bug filed as an Enhancement request:

CSCse47023 ASA: Failover occurs when SSM module is updated. The request is to allow this to be a configurable option so that failover will not occur if the AIP-SSM is rebooted.


There are currently 2 workarounds:


1. Disable failover on the ASA prior to the SSM upgrade.

2. Temporarily disable the IPS policy on the ASA by removing the "ips" command under the policy-map, and re-enable it after the SSM upgrade.


I prefer option #2 rather than disabling failover on the ASA.


-----------


-Roy-
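As an added example (not code from the thread), this Python snippet parses the ASA 104001/104002 "Switching to" syslog messages and pulls out the switch reason, so a log pipeline can tell a failover caused by a service card (the SSM reboot case TAC describes above) from one caused by an interface check. The first sample line is the message Roy quoted; the remaining lines are constructed variants, and the function names are this example's own.

```python
import re

# Constructed sample log lines. The first is the 104002 message quoted in the
# thread (with its leading sequence number); the rest are variants built for
# this example, not real captures.
SAMPLE_LOGS = """\
1 Mar 11 2008 15:01:23 104002 (Primary) Switching to STNDBY - Other unit wants me Standby. Secondary unit switch reason: Service card in other unit has failed.
2 Mar 11 2008 15:01:23 104001 (Secondary) Switching to ACTIVE - Service card in other unit has failed.
3 Mar 12 2008 09:00:00 104002 (Primary) Switching to STNDBY - Other unit wants me Standby. Secondary unit switch reason: Interface check.
4 Mar 12 2008 09:05:00 105008 (Primary) Testing Interface outside
"""

# 104001 = "Switching to ACTIVE", 104002 = "Switching to STNDBY"
SWITCH_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>10400[12]) \((?P<unit>\w+)\) Switching to (?P<state>\w+) - (?P<detail>.*)$"
)


def parse_failover_events(text: str) -> list:
    """Return one dict per 104001/104002 line with unit, new state and reason."""
    events = []
    for line in text.splitlines():
        m = SWITCH_RE.search(line)
        if not m:
            continue
        # The reason is the last sentence; 104002 prefixes it with the
        # "Other unit wants me Standby. <Unit> unit switch reason:" preamble.
        reason = m.group("detail").rsplit("switch reason: ", 1)[-1].rstrip(". ")
        events.append({
            "ts": m.group("ts"),
            "msgid": m.group("msgid"),
            "unit": m.group("unit"),
            "state": m.group("state"),
            "reason": reason,
            # Flag the case discussed in the thread: a service card (SSM) reboot.
            "service_card": "service card" in reason.lower(),
        })
    return events


def service_card_failovers(text: str) -> list:
    """Only the switch events attributed to a service card."""
    return [e for e in parse_failover_events(text) if e["service_card"]]
```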
