08-05-2010 06:56 PM - edited 03-11-2019 11:21 AM
Hi All,
I have two ASAs configured in Active/Standby failover mode. I am observing frequent failovers (once or twice a day) of the ASA after the IPS installation. The logs below were captured when the issue was observed:
%ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed.
%ASA-1-103005: (Secondary) Other firewall reporting failure.
%ASA-1-105003: (Secondary) Monitoring on interface inside waiting
%ASA-1-105003: (Secondary) Monitoring on interface Management waiting
%ASA-1-105003: (Secondary) Monitoring on interface outside waiting
%ASA-1-105004: (Secondary) Monitoring on interface outside normal
%ASA-1-105004: (Secondary) Monitoring on interface inside normal
%ASA-1-105004: (Secondary) Monitoring on interface Management normal
%ASA-1-104001: (Primary) Switching to ACTIVE - Service card in other unit has failed.
%ASA-1-105003: (Primary) Monitoring on interface inside waiting
# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 10:30:02 EDT Jul 30 2010
This host: Primary - Active
Active time: 19892950 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (X.X.X.X): Normal (Waiting)
Interface outside (X.X.X.X): Normal (Waiting)
Interface 1 (X.X.X.X): Normal (Not-Monitored)
Interface 2 (X.X.X.X): Normal (Not-Monitored)
Interface 3 (X.X.X.X): Normal (Not-Monitored)
Interface 4(X.X.X.X): Normal (Not-Monitored)
Interface 5 (X.X.X.X): Normal (Waiting)
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
IPS, 6.0(6)E3, Up
Other host: Secondary - Failed
Active time: 785557 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (X.X.X.X): Normal (Waiting)
Interface outside (X.X.X.X): Normal (Waiting)
Interface 1 (X.X.X.X): Normal (Not-Monitored)
Interface 2 (X.X.X.X): Normal (Not-Monitored)
Interface 3 (X.X.X.X): Normal (Not-Monitored)
Interface 4 (X.X.X.X): Normal (Not-Monitored)
Interface 5 (X.X.X.X): Normal (Waiting)
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Unresponsive/Up)
IPS, 6.0(6)E3, Not Applicable
Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/2 (up)
Stateful Obj xmit xerr rcv rerr
General 2030603195 0 82242427 4944
sys cmd 2756890 0 2756889 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1847488044 0 59450555 1807
UDP conn 179421678 0 19953293 3137
ARP tbl 579874 0 42409 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 98532 0 6954 0
VPN IPSEC upd 257947 0 32209 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
The failover status under normal conditions
# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 10:30:02 EDT Jul 30 2010
This host: Primary - Active
Active time: 19893087 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (X.X.X.X): Normal
Interface outside (X.X.X.X): Normal
Interface 1 (X.X.X.X): Normal (Not-Monitored)
Interface 2 (X.X.X.X): Normal (Not-Monitored)
Interface 3 (X.X.X.X): Normal (Not-Monitored)
Interface 4 (X.X.X.X): Normal (Not-Monitored)
Interface 5 (X.X.X.X): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
IPS, 6.0(6)E3, Up
Other host: Secondary - Standby Ready
Active time: 785557 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface inside (X.X.X.X): Normal
Interface outside (X.X.X.X): Normal
Interface 1 (X.X.X.X): Normal (Not-Monitored)
Interface 2 (X.X.X.X): Normal (Not-Monitored)
Interface 3 (X.X.X.X): Normal (Not-Monitored)
Interface 4 (X.X.X.X): Normal (Not-Monitored)
Interface 5 (X.X.X.X): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
IPS, 6.0(6)E3, Up
08-05-2010 09:03 PM
Hello,
If the firewall sees that the IPS module is not responding, as per the failover configuration, it will fail over to the secondary device. This is the normal process. One thing you could do is reseat the card and see if that helps. Also, I noticed that the software on the card is not the latest. You could try upgrading the software and see if that helps.
Regards,
NT
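The check described in the reply above, as an added example that is not part of the original thread: it parses `show failover` output and the 104001 syslog messages to show which unit's service card triggered the switchover. The sample text is trimmed from the output quoted in the question; treating `Up/Up` as the only healthy slot 1 status is an assumption based on the "normal conditions" output there, and the function names are hypothetical.

```python
import re

# Sample input trimmed from the output and logs quoted in the question above.
SHOW_FAILOVER = """\
This host: Primary - Active
  slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
  slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
Other host: Secondary - Failed
  slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
  slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Unresponsive/Up)
"""
SYSLOG = """\
%ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed.
%ASA-1-103005: (Secondary) Other firewall reporting failure.
%ASA-1-105003: (Secondary) Monitoring on interface inside waiting
%ASA-1-104001: (Primary) Switching to ACTIVE - Service card in other unit has failed.
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
SLOT_RE = re.compile(r"^\s*slot (\d+):\s*(\S+).*status \(([^)]*)\)\s*$")
SWITCH_RE = re.compile(r"%ASA-1-104001: \((\w+)\) Switching to ACTIVE - (.+?)\.?\s*$")

def parse_show_failover(text):
    """Return {unit: {"state": str, "slots": {slot_no: (model, status)}}}."""
    units, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = units.setdefault(m.group(2), {"state": m.group(3), "slots": {}})
        elif current is not None and (m := SLOT_RE.match(line)):
            current["slots"][int(m.group(1))] = (m.group(2), m.group(3))
    return units

def unhealthy_service_cards(units):
    """Units whose slot 1 (service module) status is anything but Up/Up (assumed healthy value)."""
    return {unit: data["slots"][1][1] for unit, data in units.items()
            if 1 in data["slots"] and data["slots"][1][1] != "Up/Up"}

def switchover_reasons(syslog):
    """List (unit that became active, stated reason) taken from 104001 messages."""
    return [m.groups() for line in syslog.splitlines() if (m := SWITCH_RE.search(line))]

if __name__ == "__main__":
    print(unhealthy_service_cards(parse_show_failover(SHOW_FAILOVER)))
    print(switchover_reasons(SYSLOG))
```

Counting the 104001 entries per day alongside the slot 1 status gives a quick way to confirm whether each switchover lines up with the module going unresponsive.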
08-05-2010 09:18 PM
Hi Nagaraja,
We are observing intermittent response to the IPS module. Once or twice a day the IPS module is showing the error. The rest of the time it is functioning properly.
Regards
Shri
08-05-2010 09:32 PM
Hello,
Have you tried to reseat the card? Also, have you considered upgrading the code on the card?
Regards,
NT
08-07-2010 02:06 AM
Hi Nagaraja,
Will follow your advice. It might take some time for us to get it done. Thanks!
Regards
Shri
08-30-2010 02:31 AM
Hi Nagaraja,
Thanks for your inputs. The issue was resolved after reseating the card.
Regards
Shri