ASA Frequent Failover post IPS installation

Answered Question
Aug 5th, 2010

Hi All,


I have two ASAs configured in Active/Standby failover mode. I am observing frequent failovers (once or twice a day) of the ASA since the IPS installation. The logs below were captured when the issue was observed:


%ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed.
%ASA-1-103005: (Secondary) Other firewall reporting failure.
%ASA-1-105003: (Secondary) Monitoring on interface inside waiting
%ASA-1-105003: (Secondary) Monitoring on interface Management waiting
%ASA-1-105003: (Secondary) Monitoring on interface outside waiting
%ASA-1-105004: (Secondary) Monitoring on interface outside normal
%ASA-1-105004: (Secondary) Monitoring on interface inside normal
%ASA-1-105004: (Secondary) Monitoring on interface Management normal
%ASA-1-104001: (Primary) Switching to ACTIVE - Service card in other unit has failed.
%ASA-1-105003: (Primary) Monitoring on interface inside waiting

# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 10:30:02 EDT Jul 30 2010
        This host: Primary - Active
                Active time: 19892950 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (X.X.X.X): Normal (Waiting)
                  Interface outside (X.X.X.X): Normal (Waiting)
                  Interface 1 (X.X.X.X): Normal (Not-Monitored)
                  Interface 2 (X.X.X.X): Normal (Not-Monitored)
                  Interface 3 (X.X.X.X): Normal (Not-Monitored)
                  Interface 4 (X.X.X.X): Normal (Not-Monitored)
                  Interface 5 (X.X.X.X): Normal (Waiting)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
                  IPS, 6.0(6)E3, Up
        Other host: Secondary - Failed
                Active time: 785557 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (X.X.X.X): Normal (Waiting)
                  Interface outside (X.X.X.X): Normal (Waiting)
                  Interface 1 (X.X.X.X): Normal (Not-Monitored)
                  Interface 2 (X.X.X.X): Normal (Not-Monitored)
                  Interface 3 (X.X.X.X): Normal (Not-Monitored)
                  Interface 4 (X.X.X.X): Normal (Not-Monitored)
                  Interface 5 (X.X.X.X): Normal (Waiting)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Unresponsive/Up)
                  IPS, 6.0(6)E3, Not Applicable

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         2030603195 0          82242427   4944
        sys cmd         2756890    0          2756889    0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        1847488044 0          59450555   1807
        UDP conn        179421678  0          19953293   3137
        ARP tbl         579874     0          42409      0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     98532      0          6954       0
        VPN IPSEC upd   257947     0          32209      0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0

The failover status under normal conditions:


# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 10:30:02 EDT Jul 30 2010
        This host: Primary - Active
                Active time: 19893087 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (X.X.X.X): Normal
                  Interface outside (X.X.X.X): Normal
                  Interface 1 (X.X.X.X): Normal (Not-Monitored)
                  Interface 2 (X.X.X.X): Normal (Not-Monitored)
                  Interface 3 (X.X.X.X): Normal (Not-Monitored)
                  Interface 4 (X.X.X.X): Normal (Not-Monitored)
                  Interface 5 (X.X.X.X): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
                  IPS, 6.0(6)E3, Up
        Other host: Secondary - Standby Ready
                Active time: 785557 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (X.X.X.X): Normal
                  Interface outside (X.X.X.X): Normal
                  Interface 1 (X.X.X.X): Normal (Not-Monitored)
                  Interface 2 (X.X.X.X): Normal (Not-Monitored)
                  Interface 3 (X.X.X.X): Normal (Not-Monitored)
                  Interface 4 (X.X.X.X): Normal (Not-Monitored)
                  Interface 5 (X.X.X.X): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
                  IPS, 6.0(6)E3, Up
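The two artefacts quoted above (the %ASA-1-104001 "Service card in other unit has failed" syslog messages and the slot 1 "Unresponsive/Up" status in `show failover`) are exactly what a monitoring job should be watching for, so that a once-or-twice-a-day flap is alerted on rather than discovered after the fact. The script below is an added example written for this page; it is not code from the thread or from Cisco. It assumes the syslog collector prefixes each line with a "Mon DD HH:MM:SS" timestamp (the thread's lines have none), and it treats any service-module status other than Up/Up (or "Up Sys" for the chassis) as unhealthy, which is a simplification chosen here. The sample syslog lines and the `show failover` excerpt are constructed, modelled on the output in the question.

```python
"""Count ASA failover switch events per day and flag unhealthy service modules.

Added example for this thread (not Cisco code).  Input formats are modelled on
the %ASA-1-104001 messages and the `show failover` output quoted above.
"""
import re
from collections import Counter

# Constructed sample syslog lines.  Assumption: the collector prepends a
# "Mon DD HH:MM:SS" timestamp; the thread's own lines carry no timestamp.
SAMPLE_SYSLOG = """\
Jul 30 10:30:02 %ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed.
Jul 30 10:30:02 %ASA-1-103005: (Secondary) Other firewall reporting failure.
Jul 30 10:30:03 %ASA-1-105003: (Secondary) Monitoring on interface inside waiting
Jul 30 10:30:12 %ASA-1-105004: (Secondary) Monitoring on interface inside normal
Jul 30 18:05:44 %ASA-1-104001: (Primary) Switching to ACTIVE - Service card in other unit has failed.
Jul 31 09:12:10 %ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed.
Jul 31 09:12:10 %ASA-1-103005: (Secondary) Other firewall reporting failure.
"""

# Constructed excerpt of `show failover` with the secondary's SSM unresponsive.
SAMPLE_SHOW_FAILOVER = """\
        This host: Primary - Active
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
                  IPS, 6.0(6)E3, Up
        Other host: Secondary - Failed
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Unresponsive/Up)
                  IPS, 6.0(6)E3, Not Applicable
"""

# %ASA-1-104001 is the "Switching to ACTIVE" message; its trailing text is the reason.
SWITCH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) %ASA-1-104001: \((?P<unit>\w+)\) "
    r"Switching to ACTIVE - (?P<reason>.*)$"
)
# "This host: Primary - Active" / "Other host: Secondary - Failed"
HOST_RE = re.compile(r"^\s*(?:This|Other) host: (?P<host>\w+) - (?P<state>.+?)\s*$")
# "slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Unresponsive/Up)"
# The rev field nests parentheses, so match it lazily up to ") status (".
SLOT_RE = re.compile(
    r"^\s*slot (?P<slot>\d+): (?P<card>\S+) hw/sw rev \(.*?\) status \((?P<status>[^)]+)\)"
)

HEALTHY_STATUS_PARTS = ("Up", "Up Sys")  # assumption: everything else is alert-worthy


def parse_switch_events(syslog_text):
    """Return one dict per %ASA-1-104001 line: day, unit that went ACTIVE, reason."""
    events = []
    for line in syslog_text.splitlines():
        m = SWITCH_RE.match(line)
        if m:
            events.append({
                "day": m.group("ts").rsplit(" ", 1)[0],  # "Jul 30 10:30:02" -> "Jul 30"
                "unit": m.group("unit"),
                "reason": m.group("reason"),
            })
    return events


def failovers_per_day(events):
    """Map each day to the number of ACTIVE switches seen on it."""
    return dict(Counter(e["day"] for e in events))


def days_over_threshold(events, max_per_day=1):
    """Days on which the pair switched ACTIVE more often than max_per_day."""
    return [d for d, n in failovers_per_day(events).items() if n > max_per_day]


def flag_unhealthy_modules(show_failover_text):
    """Walk `show failover` output and report (host, slot, card, status) for
    any slot whose status is not entirely Up, e.g. 'Unresponsive/Up'."""
    flagged = []
    host = None
    for line in show_failover_text.splitlines():
        h = HOST_RE.match(line)
        if h:
            host = h.group("host")  # remember which unit the following slots belong to
            continue
        s = SLOT_RE.match(line)
        if s and not all(p in HEALTHY_STATUS_PARTS for p in s.group("status").split("/")):
            flagged.append((host, int(s.group("slot")), s.group("card"), s.group("status")))
    return flagged


if __name__ == "__main__":
    ev = parse_switch_events(SAMPLE_SYSLOG)
    print("switch events per day:", failovers_per_day(ev))
    print("days over threshold:", days_over_threshold(ev))
    for host, slot, card, status in flag_unhealthy_modules(SAMPLE_SHOW_FAILOVER):
        print(f"ALERT: {host} slot {slot} ({card}) status {status}")
```

Run against a real syslog feed, `days_over_threshold` gives the evidence for a ticket ("two service-card failovers on Jul 30"), and `flag_unhealthy_modules` run on a periodic `show failover` capture catches the module going Unresponsive even between failovers, which is useful when deciding whether a reseat or a code upgrade actually fixed anything.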

Correct Answer
Nagaraja Thanthry Thu, 08/05/2010 - 21:03
User Badges: Cisco Employee

Hello,


If the firewall sees that the IPS module is not responding, as per the failover configuration, it will fail over to the secondary device. This is a normal process. One thing you could do is reseat the card and see if that helps. Also, I noticed that the software on the card is not the latest. You could try upgrading the software and see if that helps.


Regards,


NT

shriprasad.rai Thu, 08/05/2010 - 21:18

Hi Nagaraja,


We are observing intermittent response to the IPS module. Once or twice a day the IPS module is showing the error. The rest of the time it is functioning properly.


Regards

Shri

Nagaraja Thanthry Thu, 08/05/2010 - 21:32
User Badges: Cisco Employee

Hello,


Have you tried to reseat the card? Also, have you considered upgrading the code on the card?


Regards,


NT

shriprasad.rai Sat, 08/07/2010 - 02:06

Hi Nagaraja,


Will follow your advice. It might take some time for us to get it done. Thanks!


Regards

Shri

shriprasad.rai Mon, 08/30/2010 - 02:31

Hi Nagaraja,


Thanks for your inputs. The issue was resolved after reseating the card.


Regards

Shri
