Query regarding webvpn error-recovery

Answered Question
Jun 24th, 2010

hi experts

i have a query that when webvpn error-recovery is enabled , it will not save much in the usual crashinfo  ; however when it is disabled , it defintely saves lot of details in the crashinfo .is that crashinfo meant for webvpn seperately from the usual crashinfo or it is a part of it ? I believe that webvpn crashinfo can be seen by the command"show crashinfo webvpn detail".Is this command an optional of show crashinfo (i.e may be probably it will give only webvpn related info ) .The reason why i am asking is i am unable to understand if a seperate crashinfo file is saved in flash for the webvpn errors if error-recovery disabled ?

I have this problem too.
0 votes
Correct Answer by Jennifer Halim about 6 years 6 months ago

Well, minidump is more information on the actual webvpn recovery. With crashes, normally we don't know the root cause yet or what triggers it.

As I advised earlier, eventhough if error recovery is enabled, if ASA itself couldn't recover it, it will still crash and produce crashinfo.

Further to your question, minidump and crashinfo are 2 different things. Minidump will provide information on the recovery, and crashinfo will provide pointer to which specific function crash.

Most customer does not like to have the ASA where it is actually at the crash stage. The webvpn error recovery feature is to minimise the ASA to crash if it's possible.

I don't think enabling error-recovery contributes to high CPU/memory utilization. It is actually recommended to enable the feature.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jennifer Halim Fri, 06/25/2010 - 06:14

When webvpn error-recovery is enabled, it is meant to recover ASA from failure on webvpn application.

"show crashinfo webvpn detail" should only really be used when TAC engineer requested for the output. It is mainly used to provide further debugging information to the engineering team.

Hope that answers your question.

ankurs2008 Sat, 06/26/2010 - 02:16

hi halijenn ,

that is not my question . i just want to know as to when error-recovery is disabled and there is a failure in webvpn application , ASA crashes and a crashinfo file specifically gets saved in the flash .Does the usual ASA Crashinfo saved in flash will contain the indepth information (or reason) or is there a seperate crashinfo saved in the flash specifical for Webvpn (apart from the usual crashinfo )

Jennifer Halim Sat, 06/26/2010 - 02:43

Sorry, here are the answers to your question:

- When error-recovery is enabled, and there is failure in webvpn application, it will create a minidump file each time one of the recovery event occurs, and those minidump output can be viewed using the "show crashinfo webvpn detailed" command.

- When error-recovery is disabled and there is failure in webvpn  application, it will not create the above advised minidump, and hence, you will not be able to view the webvpn specific recovery event dump using the "show crashinfo webvpn detailed" command.

However, if the ASA crash due to webvpn, the full crashinfo will still be logged, and can be viewed using the "show crashinfo" command.

Hope that answers your question.

ankurs2008 Sat, 06/26/2010 - 03:22

Hi halijenn

thanks for the reply , I didnt know about the thing that minidump file is created , thanks for informing the same . So as per below explanation does that means that on error-recovery disable , no output will be shown with the "show crashinfo webvpn detailed" however a much more detailed explanation will be there in the show crashinfo output . i.e disable error recovery should provide more information on the root cause of the issue.?? Also is the command

"coredump enable " required to be configured in ASA for minidump file to be generated , iam not sure if i asking incorrect question , If not required , what is the role of it (may be its not related to webvpn ) but just curious to know .

Jennifer Halim Sat, 06/26/2010 - 04:22

Yes, you are right. When error-recovery is disabled, no output will be shown with the "show  crashinfo webvpn detailed" however a much more detailed explanation will  be there in the show crashinfo output if and only if the ASA crashed. If ASA did not crash, no output will be shown under "show crashinfo".

Your statement of " i.e disable error recovery should provide more information on the root  cause of the issue" is incorrect. Enabling error recovery will provide more information through the minidump, ie: each recovered webvpn event will be logged as a minidump.

Basically, show crashinfo is the normal crashinfo file when the ASA crashed. Webvpn error-recovery minidump is creating a minidump file for each webvpn event that was recovered. If there are 5 webvpn recovered events, it will create 5 minidump.

"coredump enable" is not required for the webvpn error recovery minidump. Coredump is a new feature in 8.2.1, and it is used to provide even more debugging information than crashinfo. However, pls do not turn on the coredump feature unless you are experiencing a specific issue, and TAC requested it to be enabled. Here is more information on coredump for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c4.html#wp2145302

ankurs2008 Mon, 06/28/2010 - 00:35

hi halijenn,

thanks for the reply ; however i may not totally agree with you as according to me with "error recovery disabled" the ASA will crash when the WebVPN system encounters an error and the crashinfo will contain the full information that we need to find out what caused the problem.If that is not the case then what is the significance of this command in comparison to "error recovery enabled " ?.i mean to say that if we are getting indepth information with "error recovery enabled " then why would one want to get ASA crashed and get comparitively lesser information with error-recovery disabled ? When we are making ASA crash , obviously we are expecting something significant and detailed . I have enquired lot with my Cisco VPN peers and they also said the same . Can you please re-research it again for me though i know that you might be having some strong reason to say so , but just for my satisfaction . i would appreciate your reply . thanks again halijenn!

Jennifer Halim Mon, 06/28/2010 - 00:48

OK, let's try again, and sorry if i have confused you even more.

The main purpose of the webvpn error-recovery is to ensure that the ASA does not go into the state where it actually crashed. Hence, with webvpn error-recovery enabled, it will try to recover the ASA if the webvpn is the cause of the possible crash. When ASA actually recovered from this webvpn error, it will log a minidump. If for example, in a week, there are 5 times when the ASA might crash due to webvpn, however, since the webvpn error-recovery is enabled, it didn't get into the state where the ASA actually crashed, but instead, it got recovered, for each recovery event, it will log a minidump, so you will have 5 minidump for the webvpn recovery event. Without enabling the webvpn error-recovery, ASA will most likely just crash.

If the webvpn error-recovery is enabled, and there is an event that cause the ASA to crash, and the error-recovery feature didn't/couldn't recover it, the ASA will still crash. When the ASA crashes, it will provide the full crashinfo.

So, it's whether you would like the ASA to crash if there is a bug, OR/ you prefer the ASA to recover whenever it can, and crash only when it is absolutely no possibility to recover.

I am not sure if it's clear now, but pls feel free to ask more questions until it's clear.

ankurs2008 Mon, 06/28/2010 - 01:19

hi halijenn

thanks for the reply again ! i am curious to know if minidump files will have more information than the crashinfo file (if ASA crashes and cause is Web VPN) .Even if it so , i am having a intuition that there is something that full crashinfo file will be able to give which the minidump files wont be able to .Also i would like to know if error-recovery enable contributes to high CPU / memory utilization on the firewall ?

Correct Answer
Jennifer Halim Mon, 06/28/2010 - 01:41

Well, minidump is more information on the actual webvpn recovery. With crashes, normally we don't know the root cause yet or what triggers it.

As I advised earlier, eventhough if error recovery is enabled, if ASA itself couldn't recover it, it will still crash and produce crashinfo.

Further to your question, minidump and crashinfo are 2 different things. Minidump will provide information on the recovery, and crashinfo will provide pointer to which specific function crash.

Most customer does not like to have the ASA where it is actually at the crash stage. The webvpn error recovery feature is to minimise the ASA to crash if it's possible.

I don't think enabling error-recovery contributes to high CPU/memory utilization. It is actually recommended to enable the feature.

Actions

This Discussion