Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA Failover trouble

We have a Pair of ASA-5585 System configured as an Active/Standby pair.

Every hour the system fails to to the current standby node. This has been an ongoing issue.

here is a sample of that we are seeing at the time of the failover on the log.

Mar 21 2014 10:12:58: %ASA-1-103001: (Secondary) No response from other firewall (reason code = 4).
Mar 21 2014 10:12:58: %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=20,my=Standby Ready,peer=Failed.
Mar 21 2014 10:12:58: %ASA-6-720028: (VPN-Secondary) HA status callback: Peer state Failed.
Mar 21 2014 10:12:58: %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=0,my=Standby Ready,peer=Failed.
Mar 21 2014 10:12:58: %ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
Mar 21 2014 10:12:58: %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=402,op=0,my=Standby Ready,peer=Failed.
Mar 21 2014 10:12:58: %ASA-6-720025: (VPN-Secondary) HA status callback: Data channel is down.
Mar 21 2014 10:12:58: %ASA-6-315011: SSH session from 153.90.168.22 on interface management for user "admin" disconnected by SSH server, reason: "Terminated by operator" (0x35) 
Mar 21 2014 10:12:58: %ASA-6-315011: SSH session from 153.90.168.22 on interface management for user "admin" disconnected by SSH server, reason: "Terminated by operator" (0x35) 
Mar 21 2014 10:12:58: %ASA-5-611103: User logged out: Uname: admin
Mar 21 2014 10:12:58: %ASA-5-611103: User logged out: Uname: admin
Mar 21 2014 10:12:58: %ASA-1-104001: (Secondary) Switching to ACTIVE - HELLO not heard from mate.
Mar 21 2014 10:12:58: %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=200,op=4,my=Just Active,peer=Failed.
Mar 21 2014 10:12:58: %ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_active_fast.
Mar 21 2014 10:12:58: %ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_active_fast.
Mar 21 2014 10:12:58: %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=0,my=Active Drain,peer=Failed.
Mar 21 2014 10:12:58: %ASA-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
Mar 21 2014 10:12:58: %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=402,op=0,my=Active Drain,peer=Failed.
Mar 21 2014 10:12:58: %ASA-6-720025: (VPN-Secondary) HA status callback: Data channel is down.
Mar 21 2014 10:12:58: %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=201,op=4,my=Active Drain,peer=Failed.
Mar 21 2014 10:12:58: %ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_active_drain.
Mar 21 2014 10:12:58: %ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_active_drain.
Mar 21 2014 10:12:58: %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=202,op=4,my=Active Applying Config,peer=Failed.
Mar 21 2014 10:12:58: %ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_active_pre_config.
Mar 21 2014 10:12:58: %ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_active_pre_config.
Mar 21 2014 10:12:58: %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=203,op=4,my=Active Config Applied,peer=Failed.
Mar 21 2014 10:12:58: %ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_active_post_config.
Mar 21 2014 10:12:58: %ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_active_post_config.
Mar 21 2014 10:12:58: %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=204,op=4,my=Active,peer=Failed.
Mar 21 2014 10:12:58: %ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_active.
Mar 21 2014 10:12:58: %ASA-6-720039: (VPN-Secondary) VPN failover client is transitioning to active state
Mar 21 2014 10:12:58: %ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_active.
Mar 21 2014 10:12:58: %ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=130,my=Active,peer=Failed.
Mar 21 2014 10:12:58: %ASA-6-720027: (VPN-Secondary) HA status callback: My state Active.

  • Firewalling
2 REPLIES

Can you post your failover

Can you post your failover config from both devices? How are the ASA failover interfaces cabled?

New Member

Here is the fail-over config

Here is the fail-over config on the active ASA
the links for management on the systems are through a pair of 2960 switches that are port channeled together and is separate data centers.
also both ASAs are connected to a pair of Nexus 7k core switches to make up the core of our network.

"failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/0
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key *****
failover replication http
failover link state GigabitEthernet0/1
failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover interface ip state 169.254.255.5 255.255.255.252 standby 169.254.255.6"

 

this is the config from the Standby node.

"failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/0
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key *****
failover replication http
failover link state GigabitEthernet0/1
failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover interface ip state 169.254.255.5 255.255.255.252 standby 169.254.255.6"

 

thank you

245
Views
0
Helpful
2
Replies
This widget could not be displayed.