I have two ASA5540s in HA, in Active/Standby mode. When I first started configuring the firewalls I had them connected to a Cat2950. The lights on the interfaces were Green/Green. Yesterday we moved them to their final resting place; I have them connecting to a Cat6k. Now the interfaces are showing Green/Amber. Why? When I do a "show int" I see no errors on the ASA or Cat6k. I am also using the same cables I was using when I had the ASA connected to the Cat2950, so I know the cables are good.
Yes - Here is the output from the ASA:
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
MAC address 0018.195b.e98b, MTU 1500
IP address x.x.18.251, subnet mask 255.255.255.224
18511 packets input, 2198179 bytes, 0 no buffer
Received 2336 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
17587 packets output, 2756204 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (0/0) software (0/0)
output queue (curr/max blocks): hardware (0/5) software (0/0)
Traffic Statistics for "inside":
18376 packets input, 1852509 bytes
17467 packets output, 2419064 bytes
1597 packets dropped
1 minute input rate 0 pkts/sec, 31 bytes/sec
1 minute output rate 0 pkts/sec, 327 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 35 bytes/sec
5 minute output rate 0 pkts/sec, 329 bytes/sec
5 minute drop rate, 0 pkts/sec
The amber light suggests different speed and duplex settings on the "firewall and cat's interface".
Please make sure that they have the same speed and duplex settings. You can configure the speed and duplex manually on the firewall and Cat6k, or you can simply select "auto" for auto negotiation.
Here is the show int from the Cat6k -
GigabitEthernet1/1 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address )
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
input flow-control is off, output flow-control is off
Clock mode is auto
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:52, output hang never
Last clearing of "show interface" counters 4w2d
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
22422 packets input, 5288318 bytes, 0 no buffer
Received 50 broadcasts (1 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
120698 packets output, 12227112 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
As you can see, I have set each side to be 1000/Full. What really confuses me is I do not have this issue when connecting to a low-end switch like a Cat2950, but I do when I connect to a high-end switch like the Cat6k. I get the amber light no matter how I configure the ports.
TAC have thoroughly tested this issue and we have the following result:
In 7.2 versions the active LED is no longer showing the activity of the device but its current failover state, meaning the current active device's LED is green and the standby's LED will be amber. So it isn't showing any problems.
Is the active device's LED amber?
Check this :-
Yes, both ASAs' SFP Link LEDs are amber. I say that because the link you sent me identifies that status light as the SFP Link LED. The switch I am connecting to for failover only supports 100/Full and my inside / outside are running at 1000/Full. Could that be the reason?
I should also point out I have seen this exact issue at two other sites. And at both sites I am connecting to a Cat6k, just like I am here.
Yup... I think this is the problem. Please set the firewall to 100 Mbps/full duplex and that should resolve this.
At 1000 Mbps you would see an amber light... you change it to 100 Mbps and it will turn green.
Is the colour of the light the only issue bothering you?
What problems are you experiencing other than the colour thing? This would help us to narrow down the issue.
Ahh, ok. That makes sense. I was told by Cisco TAC that the amber light meant I had an issue with a cable or something. I am experiencing no issues. I didn't realize the amber light meant I was connected at 1000 Mbps. Thank you for this answer.
I have the same problem too.
We have 2 ASA 5540s (Active/Standby) and one Catalyst 3750 that the ASAs are connected to. In the normal situation everything is good, but when the Active ASA fails and the secondary becomes Active, the switchport connected to the Secondary ASA becomes Amber/Green and the speed becomes slow, with 30% packet loss.
I also checked the connectivity and changed the switchport, but no success.
I'd appreciate any help.
You might need to check the duplex and speed setting as well, between the secondary ASA and the switch it is connected to.
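An added example, not part of the thread: the speed/duplex check suggested above can be done from the two "show interface" outputs instead of from LED colour, by comparing the negotiated values and the counters that a duplex mismatch typically raises (late collisions on the half-duplex side, CRC errors and runts on the full-duplex side). The ASA sample lines are abridged from the output posted above; the IOS "Full-duplex, 1000Mb/s" line is an assumed sample, since the posted Cat6k output does not include it.

```python
import re

# Constructed samples: ASA lines abridged from the thread; the IOS
# "Full-duplex, 1000Mb/s" line is assumed (the posted output omits it).
ASA_OUT = """Interface GigabitEthernet0/1 "inside", is up, line protocol is up
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Received 2336 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions
0 late collisions, 0 deferred"""
IOS_OUT = """GigabitEthernet1/1 is up, line protocol is up (connected)
Full-duplex, 1000Mb/s
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 babbles, 0 late collision, 0 deferred"""

def parse(text):
    """Extract operational duplex, speed (Mbps) and mismatch-related counters."""
    m = re.search(r"(full|half)-duplex[^,\n]*,\s*(\d+)\s*Mb", text, re.I)
    info = {"duplex": m.group(1).lower() if m else None,
            "speed": int(m.group(2)) if m else None}
    for name, pat in (("crc", r"(\d+) CRC"), ("runts", r"(\d+) runts"),
                      ("late_collisions", r"(\d+) late collisions?")):
        c = re.search(pat, text)
        info[name] = int(c.group(1)) if c else 0
    return info

def compare(a, b):
    """Return a list of findings; an empty list means the link looks consistent."""
    if None in (a["speed"], a["duplex"], b["speed"], b["duplex"]):
        return ["speed/duplex line not found on one side"]
    findings = []
    if a["speed"] != b["speed"]:
        findings.append(f"speed differs: {a['speed']} vs {b['speed']} Mbps")
    if a["duplex"] != b["duplex"]:
        findings.append(f"duplex differs: {a['duplex']} vs {b['duplex']}")
    for side, d in (("A", a), ("B", b)):
        bad = {k: d[k] for k in ("crc", "runts", "late_collisions") if d[k]}
        if bad:
            findings.append(f"side {side} error counters: {bad}")
    return findings

if __name__ == "__main__":
    # Side A is the ASA, side B is the switch.
    print(compare(parse(ASA_OUT), parse(IOS_OUT)) or "no mismatch indicators")
```

With the counters posted in the thread (all zero, 1000/Full on the ASA), this reports no mismatch indicators.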