
ASA 5510 - active/passive setup - active starts/persists dropping VPN/SSH connections until reload

justin.au
Level 1

Hey guys,

We have 2 Cisco 5510s set up in active/passive firewall mode, with both firewalls running ASA version 8.2(2).

I've reviewed the syslogs and from one incident this morning the active/primary started giving 211001: Memory allocation Error, which soon after we noticed that the VPN clients couldn't connect (appeared like an incorrect password) and the SSH client could connect, although this has been happening for the last two weeks and sometimes the connection gets dropped after entering the correct password. The ASDM https address was also non-responsive, as if the unit stopped listening.

We've logged into the standby unit and forced the failover which solved our problems and was relatively seamless.

After switching over we continually get errors in the syslog of 210005: LU allocate connection failed for roughly 2 hours from the former active unit, which is now standby. We're able to use ASDM, but when we try to save the running config to flash we again get 210005: LU allocate connection failed from the standby unit until we reload it.

I've seen that this message can occur and has been rectified twice by bug fixes CSCte80027 / CSCsb98925 in new versions of the ASA, but unfortunately since our hardware provider has stuffed up our support contract with Cisco we're unable to see what the symptoms of these bugs are.

I would really appreciate if someone could tell me some information related to this, or the bug fixes, I have checked the available memory and it seems ok, so does the memory, cpu, and threats.

Regards,

Justin

3 Replies

mvsheik123
Level 7

Hello,

You are correct about the bug info. Below are the fixed versions (downgrade/upgrade, excluding 8.3 and up):

8.2(2.6) 

8.0(5.11)

8.2(4)

8.2(2.160)

8.2(2.99)

hth

MS

Hi mvsheik123,

I would like to confirm this now, and I'm not sure of the upgrade path. Do I have to wait to get the binary for the new ASA after our supplier organises our support contract? Is it ok to load the ROM on to the backup and failover to it so we can do the primary?

This is a live ISP system so I don't want to play around with it. I'm fine with performing the upgrade, but we've been running this ASA version for 18+ months and we just want to ensure we're heading in the correct direction.

Regards,

Justin.

Hi Justin,

If you have a version readily available without this bug, you can proceed with the upgrade/downgrade. Personally, I prefer to go to any fixed version above the current version (upgrade). I recently did an upgrade on an Active/Standby pair and it went smoothly with no service disruption. It is always better to have a maintenance window. Refer to the link below for the zero-downtime upgrade:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b20f35.shtml#zerotime

hth

MS
