cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1866
Views
0
Helpful
8
Replies

ASA 5540 - Failover

ttran
Level 1
Level 1

Last night my firewall failover to secondary suddenly and I am still trying to find the root cause.  Looking at the log and history, I saw the reason of failover because the "Service card in other unit has failed".  Further investigating and the card is SSM according to Cisco web page.  So I think it is the AIP-SSM card.  Still do not know why the card was failed that trigger the failover.  ASA running code 8.0.4.  Right now the secondary is still the active ASA.  We have the Netscaler in the DMZ doing web hosting.  Could it be to much traffic for the ASA and/or AIP-SSM to handle? Anyone has any idea is appreciated.

8 Replies 8

Panos Kampanakis
Cisco Employee
Cisco Employee

There could be multiple reasons a card could fail.

Software defect, hardware issue in the backplane, just a glitch, overload of the card, these are some.

You need to investigate if the card keeps failing or if it was an one off event.

to reset the card do "hw module 1 reset" on the ASA.

I hope it helps.

PK

What output does you get from the module when you do the `show module` command?

vilaxmi
Cisco Employee
Cisco Employee

Hello,

You might want to swap the AIP SSM module in the ASA with a spare KNOWN GOOD module and monitor the performance of card.

Thanks

Vijaya

vilaxmi
Cisco Employee
Cisco Employee

Hello,

You might want to try swapping the AIP SSM module on your ASA with a KNOWN GOOD CARD, and then monitor the performance, as this could be a hardware fault.

Thanks,

Vijaya

Thank you everyone answer this question.  The AIP-SSM20 card is still functioning after the failover.

I was able to ssh to the card and show version to make sure the apps and engine is running.

Show module indicated the card is up state.  This is still in mystery.

This was the first time it happened so not sure what cause it.

I checked the ASA 5540 specs and the firewall throughput is 650Mbps and the firewall and IPS thoughput is 500Mbps with AIP-SSM20.

So I am not clear which thoughput is applied to firewall:

1. Without AIP-SSM card firewall thoughput is 650M?

2. With AIP-SSM card firewall thoughput is 500M?

If item 2 is true then my firewall thoughput is 500M instead of 650M?

The configuration for the SSM to ASA is inline mode.  Trace back to the history and approximately 10 to 15 minutes before the failover

took place, the Unix admin experience slowness on his servers to internet users accessing the webpage/webcontain.  When the failover

happened approximately 2 minutes after everything is back to normal.  Web traffice before the failover is around 350Mbps.

Throughput depends upon how traffic redirected to AIP module(using class map ), if all then there will be a bottleneck.

What about the IPS alerts, it will definitely give some answer that caused the issue.

Dileep

Thanks Dileep.  My thought is the same since SSM in line will cause some problem with thoughput.

I tried to check the logs on the IPS but did not see anything out of ordinary (I think) since I am not able to show

any actual events back on January 14 just in general of tcp traffic and there is no idication of the attack.  For sure

I was able to see the ASA CPU hits around 75% as normal between 40% to 45% when traffic around 350M.  When

failover happened, there were few spike around 530M and the Secondary is working fine.

I am planning to remove the inspect http from the global policy inspection.  Any idea how the ASA behave when

the inspection http is removed.  Is it a good idea?

PK,

Thank you for answer from the other question and I know you did mention will causing some problem if inspection http is removed, is it going to be a big problem because http will not be inspect by the IPS.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: