Known reasons for ASA 5520 configs to become out of sync in FO pair

Unanswered Question
Feb 15th, 2010
User Badges:

I have a pair of 5520's running OS v. 8.2.(1) in a LAN based active/standby failover configuration.

Over the weekend, some failover testing was performed and we found to our dismay that the ASA configs were not in sync ! We've checked all interface logs and counters, combed through the syslogs for the ASA's and the switches involved but could find no apparent reason for the mismatch other than that the primary/active ASA hasn't been pushing the config changes to the secondary/backup ASA when performed.

Is this a known Problem with the running OS or could there be other factors involved which we have not perceived up until now ?

Many thanks in advance,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Philip Brown Mon, 02/15/2010 - 04:58
User Badges:

Hi Francisco,


there was absolutely no indication that the configs were out of sync, nothing visible from the CLI or ASDM. The sync errors are not only confined to various VPN ACL's but to other VPN parameters as well. If there is a known bug in the running OS then an upgrade should help.

That's something we've had planned for a while but due to .............never got round to it.

Many thanks,


Kureli Sankar Mon, 02/15/2010 - 06:20
User Badges:
  • Cisco Employee,

Pls. make sure you can copy a sample text file to the flash of the standby unit via tftp.

If you can't then there is a problem with flash and you may have to run fsck on flash which may resolve the issue.


Philip Brown Mon, 02/15/2010 - 07:11
User Badges:

Hi Kusankar,

                    I don't have a tftp server I can use in the ASA network due to the ASA's file transfer capabilities for http etc. If the oppertunity arrises, I'll test what you suggested.

Many thanks,



This Discussion