ASA Active/Active failover with IPS module in multi-context senario

pemasirid
Level 1

Hi,

We have a pair of 5585-X running 9.1.x with multiple contexts and IPS SSP60 modules on both ASAs. Currently only two contexts are created and both are in failover group 1. While doing failover tests we noticed that once the secondary ASA is active and the IPS is rebooted there is a considerable amount of packet loss (around 25-30 packets within 2-3 minutes) and services behind the DC, including voice, get disconnected at this time.

However, it does not happen in the following situations, apart from some 3-4 packets lost:

- when the primary ASA is active and the IPS is rebooted

- when the complete primary ASA (box) is reloaded while it is active

- when the complete secondary ASA (box) is reloaded while it is active


Both IPS modules have the same configuration, except that we noticed some iplogs in IPS2 (secondary ASA IPS) that are not in the primary ASA IPS (IPS1), as follows:

xxx-DC-IPS2# iplog-status brief 
Log ID   VS    IP Address1    Status      Event ID        Start Date   
6        vs0   10.10.42.50    completed   6822861942520   2014/10/24   
7        vs0   10.10.10.165   completed   6822861942520   2014/10/24   
8        vs0   10.10.42.50    completed   6822861942520   2014/10/24   
9        vs0   10.10.36.63    completed   6822861942525   2014/10/24   
10       vs0   10.10.36.63    completed   6822861942525   2014/10/24   
11       vs0   10.10.42.50    completed   6822861942539   2014/10/24   
12       vs0   10.10.10.165   completed   6822861942539   2014/10/24   
13       vs0   10.10.42.50    completed   6822861942539   2014/10/24   
14       vs0   10.10.36.63    completed   6822861942544   2014/10/24   
15       vs0   10.10.36.63    completed   6822861942544   2014/10/24   
16       vs0   10.10.42.50    completed   6822861942561   2014/10/24  


xxx-DC-IPS1# iplog-status 
No IP logs available
xxx-DC-IPS1# 

Can someone advise what the issue could be that causes more packet loss only when IPS2 is rebooted (once the secondary ASA is active)?


Thanks in advance.

 

6 Replies

Vibhor Amrodia
Cisco Employee

Hi,

I think when the Secondary is Active and you reload the IPS on it, the failover should happen and the traffic should transition from the Primary Unit.

Did you verify the switch port configuration as PortFast? Try to give some more information on the setup and exactly where you see these packets being dropped.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Yes, once the secondary is active and the IPS on it is reloaded, it fails over to the primary (which becomes active). Our issue lies there: it took around 2-3 minutes to pass traffic through the primary and there were some 20-25 packets lost until then, which is really a considerable amount.

This is an IPS module on an ASA 5585-X and has no physical port connectivity; however, the other connections to the firewall are verified and correct.

There was no time to troubleshoot further as we had to revert back due to some service disruptions (especially voice).

Is there any troubleshooting method at this time, or is this normal behavior?

 

thanks

 

Hi,

So, you are using the IPS in Inline Mode? Also, is it fail-open?

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

 

Thanks for your reply. The IPS module is kept in promiscuous mode temporarily to monitor the traffic; later it will be changed to inline, and it is fail-open.


Regards, 
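The mode and fail-open setting Vibhor asks about are set per context in the ASA service policy, while the failover-group membership is set in the system context. The fragment below is an added, constructed example (not configuration from this thread or from Cisco documentation for this specific setup); class and context names are assumed, and it only illustrates where the two settings live, not the cause of the packet loss described above.

```text
! --- system execution space (multi-context mode) ---
failover group 1
 primary
 preempt
context ctx1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctx1.cfg
 join-failover-group 1          ! both contexts in group 1, as in the thread
context ctx2
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url disk0:/ctx2.cfg
 join-failover-group 1

! --- inside each context: send matched traffic to the IPS SSP ---
class-map IPS-TRAFFIC
 match any
policy-map global_policy
 class IPS-TRAFFIC
  ! promiscuous = copy of traffic, ASA forwards regardless of IPS state
  ! fail-open  = keep forwarding if the module is down or rebooting
  ips promiscuous fail-open
  ! the weaker availability setting would be: ips inline fail-close
service-policy global_policy global
```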

Hi,

If it is in Promiscuous mode, I don't think the IPS should be causing these delays.

I would check the Switch and the type of traffic which is showing the issue.

Thanks and Regards,

Vibhor Amrodia

Hi,

We verified the switch config and it has no issue. This happens only when the secondary box's IPS is reloaded; however, when we force failover from the secondary box to the primary, or when the secondary is completely rebooted, this delay or packet loss is not seen.

 

regards,

 
