04-01-2010 11:07 AM - edited 03-11-2019 10:28 AM
Hi,
I have a pair of ASA 5540s running 8.0(4) 32.
A particular interface on the secondary node is shown as Normal (Waiting). I cannot ping the primary node via this interface or vice versa. Each node has the partner node's arp entry for this same interface. Both nodes can ping local network devices on this interface's network. The interface itself on the secondary node is shown as Up, 100mb, full duplex. I do see an occasional Interface Reset on this particular interface.
This interface pair are on the same vlan and portfast is enabled.
Thank you in advance for your insight.
P
04-01-2010 11:22 AM
pbrjones1 wrote:
Hi,
I have a pair of ASA 5540s running 8.0(4) 32.
A particular interface on the secondary node is shown as Normal (Waiting). I cannot ping the primary node via this interface or vice versa. Each node has the partner node's arp entry for this same interface. Both nodes can ping local network devices on this interface's network. The interface itself on the secondary node is shown as Up, 100mb, full duplex. I do see an occasional Interface Reset on this particular interface.
This interface pair are on the same vlan and portfast is enabled.
Thank you in advance for your insight.
P
Are the 2 ASAs connected to 2 separate switches and if so are the switches connected via a L2 trunk. If so is that vlan allowed across the trunk ?
Jon
04-01-2010 11:52 AM
Hi Jon,
There are a total of 4 switches between this interface port pair. According to the switch team all switches are correctly communicating the FW interfaces at layer 2. Note, none of the other HA interface pairs have any problems communicating with one another. They are all Normal status. I believe the switch team checked the trunk and did not find any errors.
Thanks,
P
04-01-2010 12:03 PM
pbrjones1 wrote:
Hi Jon,
There are a total of 4 switches between this interface port pair. According to the switch team all switches are correctly communicating the FW interfaces at layer 2. Note, none of the other HA interface pairs have any problems communicating with one another. They are all Normal status. I believe the switch team checked the trunk and did not find any errors.
Thanks,
P
Sorry to be asking basic questions - are the subnet masks set the same for the 2 interfaces ?
Jon
04-01-2010 12:09 PM
Jon,
No problem at all.
The subnets are the same for the pair of interfaces: /23.
P
04-01-2010 12:17 PM
Okay, can the standby firewall ping a local device on that vlan that is connected to the switch that the active firewall is on ?
Jon
04-01-2010 12:50 PM
Hi
Both Primary and Secondary can ping a variety of ip addresses on the same subnet the problem interface belongs to. If a ping is not allowed the device at least appears in the arp table after the ping attempt.
P
04-01-2010 01:04 PM
pbrjones1 wrote:
Hi
Both Primary and Secondary can ping a variety of ip addresses on the same subnet the problem interface belongs to. If a ping is not allowed the device at least appears in the arp table after the ping attempt.
P
I understand that but if the secondary can ping an IP on the switch attached to the active then we know for a fact there is a working L2 path for that vlan across all the switches.
Apologies if you have already confirmed this.
Jon
04-01-2010 01:11 PM
Reaching out to the applicable teams to test this.
Thanks.
P
04-03-2010 03:12 PM
Is this in routed or transparent mode? I have not tested it in routed mode.
http://tools.cisco.com/Support/BugToolKit/
you can go to the above link login with your CCO ID and then key in this defect ID
CSCte79575 ASA: TFW sh fail output shows Normal(waiting) when Sec unit is act
-KS
04-06-2010 09:05 AM
Jon
The secondary was able to ping addresses of devices connected to the switch that is also connected to the primary firewall.
Kusankar,
There is a SSM-4GE card in play. The firmware of the FW is 8.0(4)32 and I see that the bug references 8.2(2). I see the Normal (Waiting) occurring for just one of the interfaces, and this is occurring only on the Secondary node which is currently in standby mode. I do not know if this status remains when the Secondary node is in active mode.
P
04-06-2010 12:51 PM
Kusankar,
As an add-on to my prior post. The one node interface pair involved with this Normal (Waiting) status (showing only the secondary node), cannot ping each other.
I have done captures of the ping tests and can see the pings leaving the applicable interface but the pings never reach the other node's interface. I have tested this from Secondary to Primary and vice versa.
Thanks,
P
04-06-2010 12:55 PM
I recreated a scenario with the SSM-4GE card and filed that defect. I tested it with 7.2.4 8.0.4 as well and saw the same issue.
I am sure you are running into the same defect. I have modified the release note to indicate the codes that showed the behavior.
I guess routed mode shows the same issue as well.
I am still waiting on the defect to be resolved. In the meanwhile you can try the work around that I listed in that bug release notes.
-KS
04-06-2010 01:00 PM
Might be a new bug.
Also, the ASA links need to be part of the same broadcast domain; you need to make sure the vlan is trunked between switches and make sure spanning-tree portfast is enabled on the ports. Make sure there is no STP loop happening!
04-14-2010 08:02 AM
Requesting a new switchport be configured for this problem interface. Will update the results.
Thanks,
P