cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10449
Views
0
Helpful
9
Replies

ASA 5540 Error Messages - %ASA-1-105005: (Secondary) Lost Failover communications with mate

shailesh.h
Level 1
Level 1
13/04/2010 12:36Local7.Notice172.16.17.216260: Apr 13 12:36:00 GMT: %SYS-5-CONFIG_I: Configured from console by minxadmin on vty1 (172.16.17.210)
13/04/2010 13:36Local4.Alert172.16.16.239Apr 13 2010 13:36:25: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mgnt
13/04/2010 13:36Local4.Alert172.16.16.239Apr 13 2010 13:36:25: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface desktop
13/04/2010 13:36Local4.Alert172.16.16.239Apr 13 2010 13:36:25: %ASA-1-105008: (Secondary) Testing Interface mgnt
13/04/2010 13:36Local4.Alert172.16.16.239Apr 13 2010 13:36:25: %ASA-1-105008: (Secondary) Testing Interface desktop
13/04/2010 13:36Local4.Alert172.16.16.239Apr 13 2010 13:36:25: %ASA-1-105009: (Secondary) Testing on interface desktop Passed
13/04/2010 13:36Local4.Alert172.16.16.239Apr 13 2010 13:36:27: %ASA-1-105009: (Secondary) Testing on interface mgnt Passed
13/04/2010 14:06Local4.Alert172.16.16.239Apr 13 2010 14:06:15: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface dmz1
13/04/2010 14:06Local4.Alert172.16.16.239Apr 13 2010 14:06:15: %ASA-1-105008: (Secondary) Testing Interface dmz1
13/04/2010 14:06Local4.Alert172.16.16.239Apr 13 2010 14:06:15: %ASA-1-105009: (Secondary) Testing on interface dmz1 Passed
13/04/2010 14:36Local4.Alert172.16.16.239Apr 13 2010 14:36:14: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface dmz1
13/04/2010 14:36Local4.Alert172.16.16.239Apr 13 2010 14:36:14: %ASA-1-105008: (Secondary) Testing Interface dmz1
13/04/2010 14:36Local4.Alert172.16.16.239Apr 13 2010 14:36:14: %ASA-1-105009: (Secondary) Testing on interface dmz1 Passed
13/04/2010 14:36Local4.Alert172.16.16.239Apr 13 2010 14:36:19: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mgnt
13/04/2010 14:36Local4.Alert172.16.16.239Apr 13 2010 14:36:19: %ASA-1-105008: (Secondary) Testing Interface mgnt
13/04/2010 14:36Local4.Alert172.16.16.239Apr 13 2010 14:36:21: %ASA-1-105009: (Secondary) Testing on interface mgnt Passed
13/04/2010 15:06Local4.Alert172.16.16.239Apr 13 2010 15:06:29: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface mgnt
13/04/2010 15:06Local4.Alert172.16.16.239Apr 13 2010 15:06:29: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface dmz1
13/04/2010 15:06Local4.Alert172.16.16.239Apr 13 2010 15:06:29: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface desktop
13/04/2010 15:06Local4.Alert172.16.16.239Apr 13 2010 15:06:29: %ASA-1-105008: (Secondary) Testing Interface mgnt
13/04/2010 15:06Local4.Alert172.16.16.239Apr 13 2010 15:06:29: %ASA-1-105008: (Secondary) Testing Interface dmz1
13/04/2010 15:06Local4.Alert172.16.16.239Apr 13 2010 15:06:29: %ASA-1-105008: (Secondary) Testing Interface desktop
13/04/2010 15:06Local4.Alert172.16.16.239Apr 13 2010 15:06:29: %ASA-1-105009: (Secondary) Testing on interface dmz1 Passed
13/04/2010 15:06Local4.Alert172.16.16.239Apr 13 2010 15:06:31: %ASA-1-105009: (Secondary) Testing on interface desktop Passed
13/04/2010 15:06Local4.Alert172.16.16.239Apr 13 2010 15:06:31: %ASA-1-105009: (Secondary) Testing on interface mgnt Passed
13/04/2010 15:36Local4.Alert172.16.16.239Apr 13 2010 15:36:24: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface desktop
13/04/2010 15:36Local4.Alert172.16.16.239Apr 13 2010 15:36:24: %ASA-1-105008: (Secondary) Testing Interface desktop
13/04/2010 15:36Local4.Alert172.16.16.239Apr 13 2010 15:36:25: %ASA-1-105009: (Secondary) Testing on interface desktop Passed

I observed in the syslog message that after every 1/2 hour I am getting above error.. No operational impact.

The failover configuration is as mentioned below

failover
failover lan unit primary
failover lan interface FAIL Management0/0
failover polltime unit msec 500 holdtime 7
failover link FAIL Management0/0
failover interface ip FAIL 1.1.1.1 255.255.255.252 standby 1.1.1.2
monitor-interface natgrid
monitor-interface noc
monitor-interface xoserv

Output of show failover is

FW01/act# sh failover 
Failover On
Failover unit Primary
Failover LAN Interface: FAIL Management0/0 (up)
Unit Poll frequency 500 milliseconds, holdtime 7 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
Version: Ours 7.2(2)18, Mate 7.2(2)18
Last Failover at: 00:05:23 GMT/BDT Apr 11 2010
        This host: Primary - Active
                Active time: 693746 (sec)
    <All interfaces are normal>
        Other host: Secondary - Standby Ready
                Active time: 54 (sec)
           <All interfaces are normal>
                 slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : FAIL Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         32403730   0          13672467   124      
        sys cmd         131877     0          131411     0        
        up time         0          0          0          0        
        RPC services    0          0          0          0        
        TCP conn        15423799   0          6449684    38       
        UDP conn        16426913   0          6909463    86       
        ARP tbl         420368     0          181480     0        
        Xlate_Timeout   0          0          0          0        
        VPN IKE upd     156        0          115        0        
        VPN IPSEC upd   617        0          314        0        
        VPN CTCP upd    0          0          0          0        
        VPN SDI upd     0          0          0          0        
        VPN DHCP upd    0          0          0          0       

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       25      15493640
        Xmit Q:         0       7       36296735

1 Accepted Solution

Accepted Solutions

Here is the URL for your reference (pls check out the "Failover Interface Speed for Stateful Links " section):

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759

View solution in original post

9 Replies 9

Jennifer Halim
Cisco Employee
Cisco Employee

What are your other ASA interfaces?

Failover interface needs to be the highest speed interface. If your other interfaces are gig-ethernet, you should be using gig-ethernet as your failover interface. I believe management interface is only 10/100.

Hi,

can you post the output of the below command

#sh failover status

I am suspecting, failover communication is gone between your primary and secondary firewall.

Thanks

Karuppu

I also suspecting the same but why only after 1/2 hour is question..  I arrange few more output for analysis sharing with this post..

Hi Halijenn,

Yes, we are using management interface 10/100 for failover whereas all other interfaces are gi interfaces.

Is there any reference or link supporting your statement that 'Failover interface needs to be the highest speed interface'

With regards,

Shailesh

Here is the URL for your reference (pls check out the "Failover Interface Speed for Stateful Links " section):

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759

This document i already have but could not see relevant error and suggestion not to use management port

for failover.

With regards,

Shailesh

Quote from the document:

"If you use the failover link as the Stateful  Failover link, you should use the fastest Ethernet interface available."

The management interface is not the fastest ethernet interface available on your ASA, hence, it should not be used. You should be using one of the gigabit ethernet interface for stateful failover link.

excuse me!

my platform are ASA-5585X works with failover pair in A/S

I configure the failover link and stateful link with the same GE interface

but I encountered this problem too

since this happen, everything works fine

but what can I do to find what the root cause with this problem?

thanks

here is my log message:

Apr 12 2012 19:27:15: %ASA-1-105003: (Secondary) Monitoring on interface MGT_252 waiting

Apr 12 2012 19:27:15: %ASA-1-105003: (Secondary) Monitoring on interface MGT_22 waiting

Apr 12 2012 19:27:25: %ASA-1-105004: (Secondary) Monitoring on interface MGT_22 normal

Apr 12 2012 19:27:25: %ASA-1-105008: (Secondary) Testing Interface MGT_252

Apr 12 2012 19:27:25: %ASA-1-105009: (Secondary) Testing on interface MGT_252 Passed

Apr 12 2012 19:27:40: %ASA-1-105008: (Secondary) Testing Interface MGT_252

Apr 12 2012 19:27:40: %ASA-1-105009: (Secondary) Testing on interface MGT_252 Passed

Apr 12 2012 19:27:53: %ASA-1-105008: (Secondary) Testing Interface MGT_252

Apr 12 2012 19:27:55: %ASA-1-105009: (Secondary) Testing on interface MGT_252 Passed

Apr 12 2012 19:27:58: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface MGT_999

Apr 12 2012 19:27:58: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface MGT_254

Apr 12 2012 19:27:58: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface MGT_222

Apr 12 2012 19:27:58: %ASA-1-105008: (Secondary) Testing Interface MGT_999

Apr 12 2012 19:27:58: %ASA-1-105008: (Secondary) Testing Interface MGT_254

Apr 12 2012 19:27:58: %ASA-1-105008: (Secondary) Testing Interface MGT_222

Apr 12 2012 19:27:59: %ASA-1-105009: (Secondary) Testing on interface MGT_222 Passed

Apr 12 2012 19:28:00: %ASA-1-105009: (Secondary) Testing on interface MGT_999 Passed

Apr 12 2012 19:28:02: %ASA-1-105009: (Secondary) Testing on interface MGT_254 Failed

Apr 12 2012 19:28:06: %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=52,op=23,my=Failed,peer=Active.

Apr 12 2012 19:28:06: %ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_FAILED, my state Failed, peer state Active.

Apr 12 2012 19:28:06: %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=20,my=Failed,peer=Active.

Apr 12 2012 19:28:06: %ASA-6-720027: (VPN-Secondary) HA status callback: My state Failed.

Apr 12 2012 19:28:06: %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Failed, peer state Active.

Apr 12 2012 19:29:18: %ASA-1-104004: (Secondary) Switching to OK.

Apr 12 2012 19:29:18: %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=104,op=23,my=Standby Ready,peer=Active.

Apr 12 2012 19:29:18: %ASA-6-720040: (VPN-Secondary) VPN failover client is transitioning to standby state

Apr 12 2012 19:29:18: %ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_STANDBY_READY, my state Standby Ready, peer state Active.

Apr 12 2012 19:29:18: %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=80,my=Standby Ready,peer=Active.

Apr 12 2012 19:29:18: %ASA-6-720027: (VPN-Secondary) HA status callback: My state Standby Ready.

Apr 12 2012 19:29:18: %ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Standby Ready, peer state Active.

Apr 12 2012 19:29:28: %ASA-1-105003: (Secondary) Monitoring on interface MGT_254 waiting

Apr 12 2012 19:29:33: %ASA-1-105004: (Secondary) Monitoring on interface MGT_252 normal

Apr 12 2012 19:29:33: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface MGT_222

Apr 12 2012 19:29:33: %ASA-1-105008: (Secondary) Testing Interface MGT_222

Apr 12 2012 19:29:33: %ASA-1-105009: (Secondary) Testing on interface MGT_222 Passed

Apr 12 2012 19:29:38: %ASA-1-105004: (Secondary) Monitoring on interface MGT_254 normal

anyone could help me please

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: