ASA 5520s failing over when they shouldn't

Oct 10th, 2008

Twice in the past two weeks my ASA 5520s in an Active/Standby setup have failed over when it appears there should have been no reason to.


I think this is 3 or 4 times total they've done it since I implemented them. After the first false failover, maybe about 6 months ago, I increased all the poll and holdtime timeouts.


Here is a snippet from "show failover":

Failover On
Failover unit Primary
Failover LAN Interface: ASA-failover GigabitEthernet0/3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds, holdtime 75 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 7.2(3), Mate 7.2(3)



My settings seem pretty lax, and hopefully I am translating them right.


The secondary unit will poll the primary unit every 15 seconds, and if no response is received in 45 seconds (3 tries) it will fail over.


The secondary unit will poll the primary unit's interfaces every 15 seconds, and if just one of them doesn't respond within 75 seconds (5 tries), then it fails over.


I know these may seem lax by some of your standards, but if the internet goes out here for a minute it's no big deal.


The problem I have is that when they do fail over, maybe 2 or 3 of the 35 site-to-site VPN tunnels we have up won't make the transition properly. The only fix I've found is to issue the "failover active" command on the primary ASA to make it the active one again.


The failover connection is via a crossover cable on Gi 0/3 on both devices, so I don't think it could be something related to the switch that interfaces Gi 0/0-0/2 run to, would it?


My only other guess is just to upgrade the software to version 8.


Thanks for any help.

Matthew Warrick Fri, 10/10/2008 - 05:24
I'd upgrade to 7.2(4) at least since (3) is vulnerable to some security issues IIRC.


Jumping to 8.0(4) will really just trade one set of issues for another unless you have a specific reason to run it.


FWIW, I have about 40 PIX/ASAs that I maintain and they all randomly fail over from time to time for seemingly no particular reason.

robertson.michael Sat, 10/11/2008 - 08:02
Hi Jim,


Take a look at the output of 'show failover history' and any syslogs you have from the time of the failover. These should give you an idea of why the failover occurred and a place to start troubleshooting the issue.


-Mike
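As an added illustration of Mike's advice (not code from the original thread), the script below correlates each failover switch in an ASA syslog export with the interface-test or lost-communication messages that preceded it, so you can see what the unit observed before it switched. The sample log lines are constructed, and the message IDs and timestamp layout are assumptions to check against your own device's output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the original thread). The message
# IDs 104001/104002 (switch to ACTIVE/STANDBY), 105005 (lost failover comms)
# and 105008/105009 (interface tests) are ASSUMED; verify them on your ASA.
SAMPLE_SYSLOG = """\
Oct 09 2008 03:12:01 asa-primary %ASA-1-105008: (Secondary) Testing Interface inside
Oct 09 2008 03:12:16 asa-primary %ASA-1-105009: (Secondary) Testing on interface inside Failed
Oct 09 2008 03:12:31 asa-primary %ASA-1-105009: (Secondary) Testing on interface inside Failed
Oct 09 2008 03:13:20 asa-primary %ASA-1-104001: (Secondary) Switching to ACTIVE - Interface check
Oct 09 2008 09:00:00 asa-primary %ASA-6-302013: Built inbound TCP connection
"""

# Assumed line layout: "<Mon DD YYYY HH:MM:SS> <host> %ASA-<sev>-<id>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)

SWITCH_IDS = {"104001", "104002"}                # unit became ACTIVE / STANDBY
PRECURSOR_IDS = {"105005", "105008", "105009"}   # lost comms, interface tests

def parse_syslog(text):
    """Return (timestamp, message_id, message) tuples for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["id"], m["msg"]))
    return events

def explain_switches(events, window=timedelta(seconds=120)):
    """For each failover switch, collect precursor messages seen within `window` before it."""
    report = []
    for ts, mid, msg in events:
        if mid not in SWITCH_IDS:
            continue
        precursors = [(pts, pid, pmsg) for pts, pid, pmsg in events
                      if pid in PRECURSOR_IDS and ts - window <= pts < ts]
        report.append({"when": ts, "switch": msg, "precursors": precursors})
    return report

if __name__ == "__main__":
    for entry in explain_switches(parse_syslog(SAMPLE_SYSLOG)):
        print(entry["when"], entry["switch"])
        for pts, pid, pmsg in entry["precursors"]:
            print("   preceded by", pts, pid, pmsg)
```

Run it against a real export taken around the time of an unexpected failover; a switch with no precursors in the window usually points at the failover link itself rather than a monitored interface.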
