Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
298
Views
0
Helpful
2
Replies

ASA 5520s failing over when they shouldn't

jimgrumbles
Level 1
Level 1

‎10-10-2008 04:51 AM - edited ‎03-11-2019 06:55 AM

Twice in the past two weeks my ASA 5520s in an Active/Standby setup have failed over when it appears there should have been no reason to.

I think this is is 3 or 4 times total they've done it since I implemented them. After the first false failover maybe about 6 months ago I increase all the poll and holdtime timeouts.

Here is a snippet from "show failover":

Failover On

Failover unit Primary

Failover LAN Interface: ASA-failover GigabitEthernet0/3 (up)

Unit Poll frequency 15 seconds, holdtime 45 seconds

Interface Poll frequency 15 seconds, holdtime 75 seconds

Interface Policy 1

Monitored Interfaces 3 of 250 maximum

failover replication http

Version: Ours 7.2(3), Mate 7.2(3)

My settings seems pretty lax and hopefully I am translating them right.

The secondary unit will poll the primary unit every 15 seconds and if no response is received in 45 seconds (3 tries) it will failover.

The secondary unit will poll the primary unit's interfaces every 15 seconds and if just one of them doesn't respond within 75 seconds (5 tries), then it fails over.

I know these may seem lax for some of your standards but if the internet goes out here for a minute it's no big deal.

The problem I have is that when they do failover maybe about 2 or 3 of the 35 site to site VPN tunnels we have up won't make the transition properly. The only fix I've found is to issue the "failover active" command on the primary ASA to make it the active one again.

The failover connection is via a crossover cable on Gi 0/3 on both devices so I don't think it could be something related to the switch that interfaces Gi 0/0-0/2 run to would it?

My only other guess is just to upgrade the software to version 8.

Thanks for any help.

Labels:
0 Helpful
2 Replies 2

Matthew Warrick
Level 1
Level 1

‎10-10-2008 05:24 AM

I'd upgrade to 7.2(4) at least since (3) is vulnerable to some security issues IIRC.

Jumping to 8.0(4) will really just trade one set of issues with another unless you have a specific reason to run it.

FWIW, I have about 40 PIX/ASAs that I maintain and they all randomly fail over from time to time for seemingly no particular reason.

0 Helpful

robertson.michael
Level 3
Level 3

‎10-11-2008 08:02 AM

Hi Jim,

Take a look at the output of 'show failover history' and any syslogs you have from the time of the failover. These should give you an idea of why the failover occurred and a place to start troubleshooting the issue.

-Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card