10-26-2014 03:16 AM - edited 03-11-2019 09:59 PM
Hi,
We have a pair of 5585-X running 9.1.x with multiple contexts and IPS SSP60 modules on both ASAs. Currently only two contexts are created and both are in failover group 1. While doing failover tests we noticed that once the secondary ASA is active and the IPS is rebooted there is a considerable number of packets lost (around 25-30 packets within 2-3 minutes), and services behind the DC, including voice, get disconnected at this time.
However, this does not happen in the following situations, apart from some 3-4 packets lost:
- when the primary ASA is active and the IPS is rebooted
- when the complete primary ASA (box) is reloaded while it is active
- when the complete secondary ASA (box) is reloaded while it is active
Both IPS configurations are the same, except that we noticed some iplogs were present on IPS2 (secondary ASA IPS) but not on the primary ASA IPS (IPS1), as follows:
xxx-DC-IPS2# iplog-status brief
Log ID VS IP Address1 Status Event ID Start Date
6 vs0 10.10.42.50 completed 6822861942520 2014/10/24
7 vs0 10.10.10.165 completed 6822861942520 2014/10/24
8 vs0 10.10.42.50 completed 6822861942520 2014/10/24
9 vs0 10.10.36.63 completed 6822861942525 2014/10/24
10 vs0 10.10.36.63 completed 6822861942525 2014/10/24
11 vs0 10.10.42.50 completed 6822861942539 2014/10/24
12 vs0 10.10.10.165 completed 6822861942539 2014/10/24
13 vs0 10.10.42.50 completed 6822861942539 2014/10/24
14 vs0 10.10.36.63 completed 6822861942544 2014/10/24
15 vs0 10.10.36.63 completed 6822861942544 2014/10/24
16 vs0 10.10.42.50 completed 6822861942561 2014/10/24
xxx-DC-IPS1# iplog-status
No IP logs available
xxx-DC-IPS1#
Can someone advise what the issue could be to get more packet loss only when IPS2 is rebooted (once the secondary ASA is active)?
Thanks in advance.
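As an added example (not part of the original post), a small Python parser for the `iplog-status brief` output quoted above: it extracts the log entries and reports which logged IPs and event IDs exist on only one of the two IPS modules. The two output samples are constructed from the post, and the row layout assumed is the space-separated column format shown there.

```python
import re
from collections import defaultdict
# Constructed sample input: the `iplog-status brief` output quoted in the post.
IPS2_OUTPUT = """xxx-DC-IPS2# iplog-status brief
Log ID VS IP Address1 Status Event ID Start Date
6 vs0 10.10.42.50 completed 6822861942520 2014/10/24
7 vs0 10.10.10.165 completed 6822861942520 2014/10/24
8 vs0 10.10.42.50 completed 6822861942520 2014/10/24
9 vs0 10.10.36.63 completed 6822861942525 2014/10/24
10 vs0 10.10.36.63 completed 6822861942525 2014/10/24
11 vs0 10.10.42.50 completed 6822861942539 2014/10/24
12 vs0 10.10.10.165 completed 6822861942539 2014/10/24
13 vs0 10.10.42.50 completed 6822861942539 2014/10/24
14 vs0 10.10.36.63 completed 6822861942544 2014/10/24
15 vs0 10.10.36.63 completed 6822861942544 2014/10/24
16 vs0 10.10.42.50 completed 6822861942561 2014/10/24
"""
IPS1_OUTPUT = """xxx-DC-IPS1# iplog-status
No IP logs available
xxx-DC-IPS1#
"""

# One data row: log id, virtual sensor, IP, status, event id, start date.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)\s+(\d{4}/\d{2}/\d{2})$")

def parse_iplog_status(text):
    """Parse iplog-status output; prompts, the header and 'No IP logs available' are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            log_id, vs, ip, status, event_id, date = m.groups()
            entries.append({"log_id": int(log_id), "vs": vs, "ip": ip,
                            "status": status, "event_id": int(event_id), "date": date})
    return entries

def compare_modules(primary_text, secondary_text):
    """Report which logged IPs / event IDs exist on only one of the two IPS modules."""
    def index(text):
        idx = defaultdict(set)
        for e in parse_iplog_status(text):
            idx[e["ip"]].add(e["event_id"])
        return idx
    p, s = index(primary_text), index(secondary_text)
    return {
        "only_on_primary": sorted(set(p) - set(s)),
        "only_on_secondary": sorted(set(s) - set(p)),
        "events_by_ip_secondary": {ip: sorted(ids) for ip, ids in sorted(s.items())},
    }
```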
10-27-2014 05:33 AM
Hi,
I think when the Secondary is Active and you reload the IPS on it, the failover should happen and the traffic should transition from the Primary Unit.
Did you verify the switch port configuration as port fast? Try to give some more information on the setup and exactly where you see these packets being dropped.
Thanks and Regards,
Vibhor Amrodia
10-27-2014 06:48 AM
Hi Vibhor,
Yes, once the secondary is active and the IPS on it is reloaded, it fails over to the primary (which becomes active). Our issue lies there: it took around 2-3 minutes to pass traffic through the primary, and there were some 20-25 packets lost until then, which is really a considerable amount.
This is an IPS module on an ASA5585X and has no physical port connectivity; however, the other connections to the firewall are verified and correct.
There was no time to troubleshoot further as we had to revert back because of some service disruptions (especially voice).
Is there any troubleshooting method at this time, or is this normal behavior?
thanks
10-27-2014 05:30 PM
Hi,
So, you are using the IPS in Inline Mode? Also, is it fail-open?
Thanks and Regards,
Vibhor Amrodia
10-27-2014 10:10 PM
Hi Vibhor,
Thanks for your reply. The IPS module is kept in promiscuous mode temporarily to monitor the traffic; later it will be changed to inline, and it is fail-open.
Regards,
10-27-2014 10:25 PM
Hi,
If it is in Promiscuous mode, I don't think the IPS should be causing these delays.
I would check the Switch and the type of traffic which is showing the issue.
Thanks and Regards,
Vibhor Amrodia
10-27-2014 11:29 PM
Hi,
We verified the switch config and it has no issue. This happens only when the secondary box IPS is reloaded; however, when we force failover active to the primary from the secondary box, or when the secondary is completely rebooted, this delay or packet loss is not seen.
regards,