ASA Failover Uptime Issue

Hi All

Good day. We're using two 5525 ASAs configured as a failover pair; currently the secondary is the Active firewall while the primary is in standby mode (Active/Standby). The Active time on the primary is XXXX sec while on the secondary it is 0 sec, which seems strange.

 

This host: Secondary - Active

Active time: 1303441 (sec)

 

Other host: Primary - Standby Ready
Active time: 0 (sec)

 

I guess the Active time should keep updating for both the primary and secondary ASAs. Can someone please advise whether this is normal behaviour?

 

Thanks,

Sri

 

 

9 Replies

Hello,

This is pretty much correct.

 

Active time: 1303441 (sec)

 Other host: Primary - Standby Ready
Active time: 0 (sec)

Active time only increments on the Active firewall, as we don't have a "standby time". Take a look at this real output:

 

LAB_ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.0(5), Mate 7.2(2)
Last Failover at: 13:21:42 UTC May 4 2007
This host: Primary - Active
Active time: 616 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
slot 1: empty
Interface Outside (123.123.123.123): Link Down (Waiting)
Interface DMZ1 (192.168.1.1): Link Down (Waiting)
Interface DMZ2 (192.168.2.1): Link Down (Waiting)
Interface Inside (172.16.1.1): Link Down (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
slot 1: empty
Interface Outside (123.123.123.124): Link Down (Waiting)
Interface DMZ1 (192.168.1.254): Link Down (Waiting)
Interface DMZ2 (192.168.2.254): Link Down (Waiting)
Interface Inside (172.16.1.254): Link Down (Waiting)

 

Hi, thanks for your reply. We've configured the same kind of setup for another customer, where the Active time keeps incrementing for both firewalls (Active/Standby model config).

 

Firewall/act/pri# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN-Failover Redundant4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.6(2), Mate 9.6(2)
This host: Primary - Active
Active time: 3129148 (sec)
Other host: Secondary - Standby Ready
Active time: 5587451 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.6(2)) status (Up Sys)

 

From the above output, we see that the Active time keeps incrementing for both firewalls, which is not happening for the firewalls mentioned earlier. Please advise.

 

Thanks

Sri

We can agree here that this is not expected. This can be a bug. Have you tried forcing a failover and seeing if one of these timers stops counting?

Hi, we did a forced failover two weeks back for the firewalls (Active time: XXXX for primary and 0 sec for secondary), not for this one where the Active time keeps incrementing, which made us look into it. Below are the logs for your reference.

 

Firewall/act/sec# sh failover history

==========================================================================
From State                 To State                   Reason
==========================================================================
20:11:34 WST Jun 8 2017
Just Active                Active Drain               Other unit wants me Active
20:11:34 WST Jun 8 2017
Active Drain               Active Applying Config     Other unit wants me Active
20:11:34 WST Jun 8 2017
Active Applying Config     Active Config Applied      Other unit wants me Active
20:11:34 WST Jun 8 2017
Active Config Applied      Active                     Other unit wants me Active
20:32:50 WST Jun 8 2017
Active                     Standby Ready              Other unit wants me Standby
11:59:08 WST Jun 24 2017
Standby Ready              Just Active                HELLO not heard from mate
11:59:08 WST Jun 24 2017
Just Active                Active Drain               HELLO not heard from mate
11:59:08 WST Jun 24 2017
Active Drain               Active Applying Config     HELLO not heard from mate
11:59:08 WST Jun 24 2017
Active Applying Config     Active Config Applied      HELLO not heard from mate
11:59:08 WST Jun 24 2017
Active Config Applied      Active                     HELLO not heard from mate
12:05:31 WST Jun 24 2017
Active                     Cold Standby               Failover state check
12:05:32 WST Jun 24 2017
Cold Standby               Sync Config                Failover state check
12:05:40 WST Jun 24 2017
Sync Config                Sync File System           Failover state check
12:05:40 WST Jun 24 2017
Sync File System           Bulk Sync                  Failover state check
12:05:53 WST Jun 24 2017
Bulk Sync                  Standby Ready              Failover state check
11:06:54 WST Aug 25 2017
Standby Ready              Just Active                HELLO not heard from mate
11:06:54 WST Aug 25 2017
Just Active                Active Drain               HELLO not heard from mate
11:06:54 WST Aug 25 2017
Active Drain               Active Applying Config     HELLO not heard from mate
11:06:54 WST Aug 25 2017
Active Applying Config     Active Config Applied      HELLO not heard from mate
11:06:54 WST Aug 25 2017
Active Config Applied      Active                     HELLO not heard from mate
==========================================================================

Firewall/act/sec# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Standby Ready  Comm Failure             11:06:54 WST Aug 25 2017

====Configuration State===
    Sync Done
    Sync Done - STANDBY
====Communication State===
    Mac set

 

Look at your logs for failover events. Your ASAs seem to keep failing over again and again. A long time ago I observed a similar behavior with misconfigured speed/duplex settings on one of the outside switches.

Hi, thanks for your reply. I'm not sure how to confirm whether the ASA keeps failing over. Could you please advise me? Also, I'll check the speed/duplex settings on the switches as well.

 

FYI: we did a forced failover two weeks back for the firewalls (Active time: XXXX for primary and 0 sec for secondary), not for the one where the Active time keeps incrementing, which made us look into it. Below are the logs for your reference.

 

Firewall/act/sec# sh failover history

==========================================================================
From State                 To State                   Reason
==========================================================================
20:11:34 WST Jun 8 2017
Just Active                Active Drain               Other unit wants me Active
20:11:34 WST Jun 8 2017
Active Drain               Active Applying Config     Other unit wants me Active
20:11:34 WST Jun 8 2017
Active Applying Config     Active Config Applied      Other unit wants me Active
20:11:34 WST Jun 8 2017
Active Config Applied      Active                     Other unit wants me Active
20:32:50 WST Jun 8 2017
Active                     Standby Ready              Other unit wants me Standby
11:59:08 WST Jun 24 2017
Standby Ready              Just Active                HELLO not heard from mate
11:59:08 WST Jun 24 2017
Just Active                Active Drain               HELLO not heard from mate
11:59:08 WST Jun 24 2017
Active Drain               Active Applying Config     HELLO not heard from mate
11:59:08 WST Jun 24 2017
Active Applying Config     Active Config Applied      HELLO not heard from mate
11:59:08 WST Jun 24 2017
Active Config Applied      Active                     HELLO not heard from mate
12:05:31 WST Jun 24 2017
Active                     Cold Standby               Failover state check
12:05:32 WST Jun 24 2017
Cold Standby               Sync Config                Failover state check
12:05:40 WST Jun 24 2017
Sync Config                Sync File System           Failover state check
12:05:40 WST Jun 24 2017
Sync File System           Bulk Sync                  Failover state check
12:05:53 WST Jun 24 2017
Bulk Sync                  Standby Ready              Failover state check
11:06:54 WST Aug 25 2017
Standby Ready              Just Active                HELLO not heard from mate
11:06:54 WST Aug 25 2017
Just Active                Active Drain               HELLO not heard from mate
11:06:54 WST Aug 25 2017
Active Drain               Active Applying Config     HELLO not heard from mate
11:06:54 WST Aug 25 2017
Active Applying Config     Active Config Applied      HELLO not heard from mate
11:06:54 WST Aug 25 2017
Active Config Applied      Active                     HELLO not heard from mate
==========================================================================

Firewall/act/sec# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Standby Ready  Comm Failure             11:06:54 WST Aug 25 2017

====Configuration State===
    Sync Done
    Sync Done - STANDBY
====Communication State===
    Mac set

 

The output that you posted shows only 3 events (June 8 at 20:11, June 24 at 11:59, and Aug 25 at 11:06). This hardly qualifies as frequent failover.

 

I agree with others who have responded saying that this seems more like normal behavior than like a problem. I have seen multiple situations where both of the ASAs will show non-zero results in active seconds. As far as I have been able to track these, they result when one ASA was primary, it failed over and the other ASA became primary, at least for a while. I note that in your results the number of active seconds was different for the ASAs in the failover pair. If both ASAs were incrementing the active seconds then I would expect the output to be the same for both ASAs. If you really want to test this then I suggest that you get the output from both ASAs, wait 10 minutes, then get the output again. If both ASAs are incrementing then both ASAs should report results that are larger by 600. I suspect that you will find that one ASA is 600 larger and the other ASA is reporting the same number of active seconds.

 

HTH

 

Rick

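Rick's two checks above, the 10-minute comparison of "Active time" and the count of takeover events in "show failover history", as an added example that is not from the thread or from Cisco: a small Python script that parses two constructed "show failover" snapshots taken 600 s apart and an abridged, constructed history in the same format the posts quote, reporting which unit's counter moved and when each unit went Active.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples in the format quoted in the thread (not real device captures):
# two 'show failover' snapshots 600 s apart and an abridged 'show failover history'.
SNAP_T0 = """This host: Secondary - Active
Active time: 1303441 (sec)
Other host: Primary - Standby Ready
Active time: 0 (sec)
"""
SNAP_T1 = SNAP_T0.replace("1303441", "1304041")  # only the Active unit's counter moved
HISTORY = """20:11:34 WST Jun 8 2017
Just Active        Active Drain       Other unit wants me Active
20:32:50 WST Jun 8 2017
Active             Standby Ready      Other unit wants me Standby
11:59:08 WST Jun 24 2017
Just Active        Active Drain       HELLO not heard from mate
11:06:54 WST Aug 25 2017
Just Active        Active Drain       HELLO not heard from mate
"""

HOST_RE = re.compile(r"^(?:This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
ACTIVE_RE = re.compile(r"^Active time:\s*(\d+)\s*\(sec\)")
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2} \S+ \w+ \d{1,2} \d{4}$")
WENT_ACTIVE_RE = re.compile(r"^Just Active\s+Active Drain\s+(.+)$")

def parse_active_time(output: str) -> Dict[str, Tuple[str, int]]:
    """Map unit role (Primary/Secondary) -> (failover state, Active time in seconds)."""
    result, unit = {}, None
    for line in map(str.strip, output.splitlines()):
        if m := HOST_RE.match(line):
            unit = (m.group(1), m.group(2))          # role, state; counter follows
        elif (m := ACTIVE_RE.match(line)) and unit:
            result[unit[0]] = (unit[1], int(m.group(1)))
            unit = None
    return result

def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """Growth of each unit's Active time between two snapshots (Rick's 10-minute test)."""
    b, a = parse_active_time(before), parse_active_time(after)
    return {u: a[u][1] - b[u][1] for u in b if u in a}

def activations(history: str) -> List[Tuple[str, str]]:
    """(timestamp, reason) per takeover: 'Just Active -> Active Drain' occurs once each."""
    events, stamp = [], ""
    for line in map(str.strip, history.splitlines()):
        if TS_RE.match(line):
            stamp = line                             # timestamp precedes its transition
        elif m := WENT_ACTIVE_RE.match(line):
            events.append((stamp, m.group(1).strip()))
    return events
```

With the constructed input, counter_deltas reports 600 for the Secondary and 0 for the Primary, and activations lists the three takeovers Rick counted.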

Hi Rick, It's useful. Thanks for your prompt response.

You are welcome. I am glad that my suggestions were helpful. Thank you for marking this discussion as solved. This will help other readers in the forum to identify discussions that have helpful information.

 

HTH

 

Rick
