Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1537
Views
0
Helpful
5
Replies

ASA Frequent Failover post IPS installation

Go to solution
shriprasad.rai
Level 1
Level 1

‎08-05-2010 06:56 PM - edited ‎03-11-2019 11:21 AM

Hi All,


I have two ASA's configured on Active/ Standby failover mode. I am observing frequent failover (once or twice in a day) of ASA post IPS installation. The below logs were captured when the issue was observed


%ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed.
%ASA-1-103005: (Secondary) Other firewall reporting failure.
%ASA-1-105003: (Secondary) Monitoring on interface inside waiting
%ASA-1-105003: (Secondary) Monitoring on interface Management waiting
%ASA-1-105003: (Secondary) Monitoring on interface outside waiting
%ASA-1-105004: (Secondary) Monitoring on interface outside normal
%ASA-1-105004: (Secondary) Monitoring on interface inside normal
%ASA-1-105004: (Secondary) Monitoring on interface Management normal
%ASA-1-104001: (Primary) Switching to ACTIVE - Service card in other unit has failed.
%ASA-1-105003: (Primary) Monitoring on interface inside waiting


             

# sh failover      

Failover On

Failover unit Primary

Failover LAN Interface: failover GigabitEthernet0/2 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 3 of 250 maximum

Version: Ours 8.2(1), Mate 8.2(1)

Last Failover at: 10:30:02 EDT Jul 30 2010

        This host: Primary - Active

                Active time: 19892950 (sec)

                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)

                  Interface inside (X.X.X.X): Normal (Waiting)

                  Interface outside (X.X.X.X): Normal (Waiting)

                  Interface 1 (X.X.X.X): Normal (Not-Monitored)

                  Interface 2 (X.X.X.X): Normal (Not-Monitored)

                  Interface 3 (X.X.X.X): Normal (Not-Monitored)

                  Interface 4(X.X.X.X): Normal (Not-Monitored)

                  Interface 5 (X.X.X.X): Normal (Waiting)

                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)

                  IPS, 6.0(6)E3, Up

        Other host: Secondary - Failed

                Active time: 785557 (sec)

                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)

                  Interface inside (X.X.X.X): Normal (Waiting)

                  Interface outside (X.X.X.X): Normal (Waiting)

                  Interface 1 (X.X.X.X): Normal (Not-Monitored)

                  Interface 2 (X.X.X.X): Normal (Not-Monitored)

                  Interface 3 (X.X.X.X): Normal (Not-Monitored)

                  Interface 4 (X.X.X.X): Normal (Not-Monitored)

                  Interface 5 (X.X.X.X): Normal (Waiting)

                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Unresponsive/Up)

                  IPS, 6.0(6)E3, Not Applicable


Stateful Failover Logical Update Statistics

        Link : failover GigabitEthernet0/2 (up)

        Stateful Obj    xmit       xerr       rcv        rerr    

        General         2030603195 0          82242427   4944    

        sys cmd         2756890    0          2756889    0       

        up time         0          0          0          0       

        RPC services    0          0          0          0       

        TCP conn        1847488044 0          59450555   1807    

        UDP conn        179421678  0          19953293   3137    

        ARP tbl         579874     0          42409      0       

        Xlate_Timeout   0          0          0          0       

        VPN IKE upd     98532      0          6954       0       

        VPN IPSEC upd   257947     0          32209      0       

        VPN CTCP upd    0          0          0          0       

        VPN SDI upd     0          0          0          0


The failover status under normal conditions


# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 10:30:02 EDT Jul 30 2010
        This host: Primary - Active
                Active time: 19893087 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (X.X.X.X): Normal
                  Interface outside (X.X.X.X): Normal
                  Interface 1 (X.X.X.X): Normal (Not-Monitored)
                  Interface 2 (X.X.X.X): Normal (Not-Monitored)
                  Interface 3 (X.X.X.X): Normal (Not-Monitored)
                  Interface 4 (X.X.X.X): Normal (Not-Monitored)
                  Interface 5 (X.X.X.X): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
                  IPS, 6.0(6)E3, Up
        Other host: Secondary - Standby Ready
                Active time: 785557 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface inside (X.X.X.X): Normal
                  Interface outside (X.X.X.X): Normal
                  Interface 1 (X.X.X.X): Normal (Not-Monitored)
                  Interface 2 (X.X.X.X): Normal (Not-Monitored)
                  Interface 3 (X.X.X.X): Normal (Not-Monitored)
                  Interface 4 (X.X.X.X): Normal (Not-Monitored)
                  Interface 5 (X.X.X.X): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
                  IPS, 6.0(6)E3, Up

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-05-2010 09:03 PM

Hello,

If the firewall sees that the IPS module is not responding, as per the failover configuration, it will failover to the secondary device. This is normal process. One thing you could do is reseat the card and see if that helps. Also, I noticed that the software on the card is not the latest. You could try upgrading the software and see if that helps.

Regards,

NT

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-05-2010 09:03 PM

Hello,

If the firewall sees that the IPS module is not responding, as per the failover configuration, it will failover to the secondary device. This is normal process. One thing you could do is reseat the card and see if that helps. Also, I noticed that the software on the card is not the latest. You could try upgrading the software and see if that helps.

Regards,

NT

0 Helpful

Go to solution
shriprasad.rai
Level 1
Level 1
In response to Nagaraja Thanthry

‎08-05-2010 09:18 PM

Hi Nagaraja,

We are observing intermittent response to the IPS module. Once or twice a day the IPS module is showing the error. The rest of the time it is functioning properly.

Regards

Shri

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to shriprasad.rai

‎08-05-2010 09:32 PM

Hello,

Have you tried to reseat the card? Also, have you considered upgrading the code on the card?

Regards,

NT

0 Helpful

Go to solution
shriprasad.rai
Level 1
Level 1
In response to Nagaraja Thanthry

‎08-07-2010 02:06 AM

Hi Nagaraja,

Will follow your advice. It might take sometime for us to get it done. Thanks!

Regards

Shri

0 Helpful

Go to solution
shriprasad.rai
Level 1
Level 1
In response to shriprasad.rai

‎08-30-2010 02:31 AM

Hi Nagaraja,

Thanks for your inputs. The issue was resolved after reseating the card.

Regards

Shri

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card