01-15-2010 08:46 AM - edited 03-11-2019 09:58 AM
Last night my firewall failed over to the secondary suddenly and I am still trying to find the root cause. Looking at the log and history, I saw the reason for the failover was "Service card in other unit has failed". Investigating further, the card is the SSM according to the Cisco web page, so I think it is the AIP-SSM card. I still do not know why the card failed and triggered the failover. The ASA is running code 8.0.4. Right now the secondary is still the active ASA. We have the Netscaler in the DMZ doing web hosting. Could it be too much traffic for the ASA and/or AIP-SSM to handle? Any ideas are appreciated.
01-15-2010 02:47 PM
There could be multiple reasons a card could fail.
Software defect, hardware issue in the backplane, just a glitch, overload of the card: these are some.
You need to investigate whether the card keeps failing or if it was a one-off event.
To reset the card, do `hw module 1 reset` on the ASA.
I hope it helps.
PK
01-16-2010 02:14 AM
What output do you get from the module when you do the `show module` command?
01-17-2010 05:24 PM
Hello,
You might want to swap the AIP SSM module in the ASA with a spare KNOWN GOOD module and monitor the performance of the card.
Thanks
Vijaya
01-17-2010 05:29 PM
Hello,
You might want to try swapping the AIP SSM module on your ASA with a KNOWN GOOD CARD, and then monitor the performance, as this could be a hardware fault.
Thanks,
Vijaya
01-18-2010 09:26 AM
Thank you to everyone who answered this question. The AIP-SSM20 card is still functioning after the failover.
I was able to SSH to the card and run show version to make sure the apps and engine are running.
Show module indicated the card is in the up state. This is still a mystery.
This was the first time it happened, so I am not sure what caused it.
01-19-2010 06:16 AM
I checked the ASA 5540 specs and the firewall throughput is 650Mbps and the firewall and IPS throughput is 500Mbps with AIP-SSM20.
So I am not clear which throughput applies to the firewall:
1. Without the AIP-SSM card, firewall throughput is 650M?
2. With the AIP-SSM card, firewall throughput is 500M?
If item 2 is true, then my firewall throughput is 500M instead of 650M?
The configuration for the SSM to ASA is inline mode. Tracing back through the history, approximately 10 to 15 minutes before the failover took place, the Unix admin experienced slowness on his servers for internet users accessing the webpage/web content. Approximately 2 minutes after the failover happened, everything was back to normal. Web traffic before the failover was around 350Mbps.
01-19-2010 09:40 PM
Throughput depends upon how traffic is redirected to the AIP module (using a class map); if all traffic is redirected, there will be a bottleneck.
What about the IPS alerts? They will definitely give some answer as to what caused the issue.
Dileep
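To illustrate the class-map point above, here is an added ASA 8.x configuration example (not from this thread or any poster; the access-list, class-map names and the 203.0.113.10 address are made up): policy (a) sends every flow through the AIP-SSM inline, so the module's IPS rating becomes the ceiling for all traffic, while policy (b) restricts redirection to the DMZ web server's traffic and keeps fail-open so a module outage does not drop traffic.

```cisco
! Added example, not this thread's configuration. Names and addresses are placeholders.
!
! (a) Redirect everything: class-default matches all traffic, so the whole
!     load (not just the web traffic) is limited to what the module can inspect.
policy-map global_policy
 class class-default
  ips inline fail-open
!
! (b) Selective redirection (replaces (a)): only traffic to the DMZ web server
!     (203.0.113.10, placeholder) goes to the module; everything else is
!     handled by the ASA alone.
access-list IPS_REDIRECT extended permit tcp any host 203.0.113.10 eq www
access-list IPS_REDIRECT extended permit tcp any host 203.0.113.10 eq https
!
class-map IPS_WEB
 match access-list IPS_REDIRECT
!
policy-map global_policy
 class IPS_WEB
  ips inline fail-open
!
service-policy global_policy global
!
! fail-open: if the module stops responding, the ASA keeps forwarding the
! matched traffic uninspected instead of dropping it (fail-close). This only
! affects traffic handling; it does not by itself change whether a
! service-card failure triggers failover.
!
! Verify what is actually being redirected and the module state:
! show service-policy
! show module 1 details
```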
01-20-2010 07:40 AM
Thanks Dileep. My thought is the same, since the SSM inline will cause some problems with throughput.
I tried to check the logs on the IPS but did not see anything out of the ordinary (I think), since I am not able to show any actual events back on January 14, just general TCP traffic, and there is no indication of an attack. For sure I was able to see the ASA CPU hit around 75%, whereas normal is between 40% and 45% when traffic is around 350M. When the failover happened, there were a few spikes around 530M, and the secondary is working fine.
I am planning to remove inspect http from the global policy inspection. Any idea how the ASA behaves when the http inspection is removed? Is it a good idea?
PK,
Thank you for the answer to the other question. I know you did mention it will cause some problems if http inspection is removed; is it going to be a big problem, because http will not be inspected by the IPS?