ASA in HA, one interface is Normal (Waiting)

Apr 1st, 2010

Hi,


I have a pair of ASA 5540s running 8.0(4) 32.


A particular interface on the secondary node is shown as Normal (Waiting). I cannot ping the primary node via this interface or vice versa.  Each node has the partner node's arp entry for this same interface.  Both nodes can ping local network devices on this interface's network.  The interface itself on the secondary node is shown as Up, 100mb, full duplex. I do see an occasional Interface Reset on this particular interface.


This interface pair is on the same vlan and portfast is enabled.


Thank you in advance for your insight.


P

Jon Marshall Thu, 04/01/2010 - 11:22

Are the 2 ASAs connected to 2 separate switches and if so are the switches connected via a L2 trunk. If so is that vlan allowed across the trunk ?


Jon

pbrjones1 Thu, 04/01/2010 - 11:52

Hi Jon,


There are a total of 4 switches between this interface port pair.  According to the switch team all switches are correctly communicating the FW interfaces at layer 2.  Note, none of the other HA interface pairs have any problems communicating with one another.  They are all Normal status.  I believe the switch team checked the trunk and did not find any errors.


Thanks,

P

Jon Marshall Thu, 04/01/2010 - 12:03

Sorry to be asking basic questions - are the subnet masks set the same for the 2 interfaces ?


Jon

pbrjones1 Thu, 04/01/2010 - 12:09

Jon,


No problem at all.


The subnets are the same for the pair of interfaces:  /23.


P

Jon Marshall Thu, 04/01/2010 - 12:17

Okay, can the standby firewall ping a local device on that vlan that is connected to the switch that the active firewall is on ?


Jon

pbrjones1 Thu, 04/01/2010 - 12:50

Hi


Both Primary and Secondary can ping a variety of ip addresses on the same subnet the problem interface belongs to.  If a ping is not allowed, the device at least appears in the arp table after the ping attempt.


P

Jon Marshall Thu, 04/01/2010 - 13:04

I understand that but if the secondary can ping an IP on the switch attached to the active then we know for a fact there is a working L2 path for that vlan across all the switches.


Apologies if you have already confirmed this.


Jon

pbrjones1 Thu, 04/01/2010 - 13:11

Reaching out to the applicable teams to test this.


Thanks.

P

pbrjones1 Tue, 04/06/2010 - 09:05

Jon


The secondary was able to ping addresses of devices connected to the switch that is also connected to the
primary firewall.


Kusankar,


There is an SSM-4GE card in play.  The firmware of the FW is 8.0(4)32 and I see that the bug references 8.2(2). I see the Normal (Waiting) occurring for just one of the interfaces, and this is occurring only on the Secondary node which is currently in standby mode. I do not know if this status remains when the Secondary node is in active mode.


P

pbrjones1 Tue, 04/06/2010 - 12:51

Kusankar,


As an add-on to my prior post.  The one node interface pair involved with this Normal (Waiting) status (showing only the secondary node), cannot ping each other.


I have done captures of the ping tests and can see the pings leaving the applicable interface, but the pings never reach the other node's interface. I have tested this from Secondary to Primary and vice versa.


Thanks,

P

Kureli Sankar Tue, 04/06/2010 - 12:55

I recreated a scenario with the SSM-4GE card and filed that defect. I tested it with 7.2.4 8.0.4 as well and saw the same issue.

I am sure you are running into the same defect. I have modified the release note to indicate the codes that showed the behavior.

I guess routed mode shows the same issue as well.


I am still waiting on the defect to be resolved. In the meanwhile you can try the workaround that I listed in that bug's release notes.



-KS

francisco_1 Tue, 04/06/2010 - 13:00

might be a new bug.


Also, ASA links need to be part of the same broadcast domain; you need to make sure the vlan is trunked between switches and make sure spanning-tree portfast is enabled on the ports. Make sure there is no STP loop happening!

pbrjones1 Wed, 04/14/2010 - 08:02

Requesting a new switchport be configured for this problem interface.  Will update the results.


Thanks,

P

pbrjones1 Fri, 04/23/2010 - 07:39

Still waiting on coordination between switch team and Cisco engineer regarding possible switch issues.


Creation of a new switchport did not resolve the issue.


P

pbrjones1 Fri, 08/13/2010 - 06:36

Resolution.


There was a route on the FW for the network that the problem interface was connected to.  Once we removed the route for this directly connected network, the applicable interface on the primary and secondary node could communicate just fine.
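The resolution above (a static route configured for a network that was already directly connected, which kept the failover interface pair from exchanging traffic) is easy to catch in a config review. The following is an added example, not code from the thread or from Cisco: it parses the interface stanzas and `route` lines of an ASA running-config and flags any static route whose destination falls inside a directly connected subnet. The config excerpt and its addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample ASA config excerpt (not taken from the thread). The last
# route points at a network that 'dmz' already owns as a connected subnet.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface GigabitEthernet1/0
 nameif dmz
 ip address 192.0.2.1 255.255.254.0 standby 192.0.2.2
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route dmz 192.0.2.0 255.255.254.0 192.0.2.254 1
"""

INTF_RE = re.compile(r"^interface\s+\S+")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def connected_networks(config):
    """Map each nameif to the network its 'ip address' line makes directly connected."""
    nets, current = {}, None
    for line in config.splitlines():
        if INTF_RE.match(line):
            current = None            # new stanza; wait for its nameif
        elif (m := NAMEIF_RE.match(line)):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            nets[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets


def find_overlapping_routes(config):
    """Return (route_nameif, connected_nameif, destination, gateway) for every static
    route whose destination lies inside a directly connected network (the default
    route 0.0.0.0/0 is never a subnet of a connected network, so it is not reported)."""
    nets = connected_networks(config)
    hits = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        nameif, dst, mask, gw = m.groups()
        dest = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        for iface, net in nets.items():
            if dest.version == net.version and dest.subnet_of(net):
                hits.append((nameif, iface, str(dest), gw))
    return hits
```

Run it over `show running-config` output from both failover peers; any hit is a route that shadows a connected subnet and is the first thing to remove when an interface pair sits in Normal (Waiting).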