
Known reasons for ASA 5520 configs to become out of sync in FO pair

Philip Brown
Level 1

I have a pair of 5520's running OS v. 8.2.(1) in a LAN based active/standby failover configuration.

Over the weekend, some failover testing was performed and we found to our dismay that the ASA configs were not in sync! We've checked all interface logs and counters, combed through the syslogs for the ASAs and the switches involved but could find no apparent reason for the mismatch other than that the primary/active ASA hasn't been pushing the config changes to the secondary/backup ASA when performed.

Is this a known problem with the running OS or could there be other factors involved which we have not perceived up until now?

Many thanks in advance,

Phil

4 Replies

Hi Francisco,

There was absolutely no indication that the configs were out of sync, nothing visible from the CLI or ASDM. The sync errors are not only confined to various VPN ACLs but to other VPN parameters as well. If there is a known bug in the running OS then an upgrade should help.

That's something we've had planned for a while but due to .............never got round to it.

Many thanks,

Phil

Pls. make sure you can copy a sample text file to the flash of the standby unit via tftp.

If you can't then there is a problem with flash and you may have to run fsck on flash which may resolve the issue.

-KS

Hi Kusankar,

I don't have a tftp server I can use in the ASA network due to the ASA's file transfer capabilities for http etc. If the opportunity arises, I'll test what you suggested.

Many thanks,

Phil
