
New Member

ASA in HA, one interface is Normal (Waiting)

Hi,

I have a pair of ASA 5540s running 8.0(4) 32.

A particular interface on the secondary node is shown as Normal (Waiting). I cannot ping the primary node via this interface or vice versa. Each node has the partner node's ARP entry for this same interface. Both nodes can ping local network devices on this interface's network. The interface itself on the secondary node is shown as Up, 100mb, full duplex. I do see an occasional Interface Reset on this particular interface.

This interface pair is on the same VLAN and portfast is enabled.

Thank you in advance for your insight.

P

16 REPLIES
Hall of Fame Super Blue

Re: ASA in HA, one interface is Normal (Waiting)

pbrjones1 wrote:

Hi,

I have a pair of ASA 5540s running 8.0(4) 32.

A particular interface on the secondary node is shown as Normal (Waiting). I cannot ping the primary node via this interface or vice versa. Each node has the partner node's ARP entry for this same interface. Both nodes can ping local network devices on this interface's network. The interface itself on the secondary node is shown as Up, 100mb, full duplex. I do see an occasional Interface Reset on this particular interface.

This interface pair is on the same VLAN and portfast is enabled.

Thank you in advance for your insight.

P

Are the 2 ASAs connected to 2 separate switches and if so are the switches connected via a L2 trunk. If so is that vlan allowed across the trunk ?

Jon

New Member

Re: ASA in HA, one interface is Normal (Waiting)

Hi Jon,

There are a total of 4 switches between this interface port pair. According to the switch team, all switches are correctly communicating the FW interfaces at layer 2. Note, none of the other HA interface pairs have any problems communicating with one another. They are all Normal status. I believe the switch team checked the trunk and did not find any errors.

Thanks,

P

Hall of Fame Super Blue

Re: ASA in HA, one interface is Normal (Waiting)

pbrjones1 wrote:

Hi Jon,

There are a total of 4 switches between this interface port pair. According to the switch team, all switches are correctly communicating the FW interfaces at layer 2. Note, none of the other HA interface pairs have any problems communicating with one another. They are all Normal status. I believe the switch team checked the trunk and did not find any errors.

Thanks,

P

Sorry to be asking basic questions - are the subnet masks set the same for the 2 interfaces ?

Jon

New Member

Re: ASA in HA, one interface is Normal (Waiting)

Jon,

No problem at all.

The subnets are the same for the pair of interfaces: /23.

P

Hall of Fame Super Blue

Re: ASA in HA, one interface is Normal (Waiting)

Okay, can the standby firewall ping a local device on that vlan that is connected to the switch that the active firewall is on ?

Jon

New Member

Re: ASA in HA, one interface is Normal (Waiting)

Hi

Both Primary and Secondary can ping a variety of IP addresses on the same subnet the problem interface belongs to. If a ping is not allowed, the device at least appears in the ARP table after the ping attempt.

P

Hall of Fame Super Blue

Re: ASA in HA, one interface is Normal (Waiting)

pbrjones1 wrote:

Hi

Both Primary and Secondary can ping a variety of IP addresses on the same subnet the problem interface belongs to. If a ping is not allowed, the device at least appears in the ARP table after the ping attempt.

P

I understand that but if the secondary can ping an IP on the switch attached to the active then we know for a fact there is a working L2 path for that vlan across all the switches.

Apologies if you have already confirmed this.

Jon

New Member

Re: ASA in HA, one interface is Normal (Waiting)

Reaching out to the applicable teams to test this.

Thanks.

P

Cisco Employee

Re: ASA in HA, one interface is Normal (Waiting)

Is this in routed or transparent mode? I have not tested it in routed mode.

http://tools.cisco.com/Support/BugToolKit/

You can go to the above link, log in with your CCO ID and then key in this defect ID:

CSCte79575 ASA: TFW sh fail output shows Normal(waiting) when Sec unit is act

-KS

New Member

Re: ASA in HA, one interface is Normal (Waiting)

Jon

The secondary was able to ping addresses of devices connected to the switch that is also connected to the primary firewall.

Kusankar,

There is a SSM-4GE card in play. The firmware of the FW is 8.0(4)32, and I see that the bug references 8.2(2). I see the Normal (Waiting) occurring for just one of the interfaces, and this is occurring only on the Secondary node, which is currently in standby mode. I do not know if this status remains when the Secondary node is in active mode.

P

New Member

Re: ASA in HA, one interface is Normal (Waiting)

Kusankar,

As an add-on to my prior post. The one node interface pair involved with this Normal (Waiting) status (showing only on the secondary node) cannot ping each other.

I have done captures of the ping tests and can see the pings leaving the applicable interface, but the pings never reach the other node's interface. I have tested this from Secondary to Primary and vice versa.

Thanks,

P

Cisco Employee

Re: ASA in HA, one interface is Normal (Waiting)

I recreated a scenario with the SSM-4GE card and filed that defect. I tested it with 7.2.4 and 8.0.4 as well and saw the same issue.

I am sure you are running into the same defect. I have modified the release note to indicate the codes that showed the behavior.

I guess routed mode shows the same issue as well.

I am still waiting on the defect to be resolved. In the meanwhile you can try the workaround that I listed in that bug's release notes.

-KS

Re: ASA in HA, one interface is Normal (Waiting)

Might be a new bug.

Also, ASA links need to be part of the same broadcast domain: you need to make sure the VLAN is trunked between switches and make sure spanning-tree portfast is enabled on the ports. Make sure there is no STP loop happening!

New Member

Re: ASA in HA, one interface is Normal (Waiting)

Requesting a new switchport be configured for this problem interface. Will update with the results.

Thanks,

P

New Member

Re: ASA in HA, one interface is Normal (Waiting)

Still waiting on coordination between switch team and Cisco engineer regarding possible switch issues.

Creation of a new switchport did not resolve the issue.

P

New Member

Re: ASA in HA, one interface is Normal (Waiting)

Resolution.

There was a route on the FW for the network that the problem interface was connected to. Once we removed the route for this directly connected network, the applicable interface on the primary and secondary node could communicate just fine.
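The root cause above (a static route covering a directly connected subnet) is easy to miss by eye in a long configuration. The following is an added example, not from the thread or from Cisco, that lints an ASA running-config for exactly that condition: it parses the `ip address ... standby` lines under each `nameif` and every `route` statement, and flags any route whose destination falls inside a connected subnet. The sample configuration embedded in it is constructed for illustration.

```python
import re
from ipaddress import IPv4Network

# Constructed sample ASA config (not from the thread). The outside
# interface is a /23 like the poster's; the first "route dmz" line
# duplicates the dmz interface's own connected subnet and should be flagged.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.1 255.255.254.0 standby 192.0.2.2
!
interface GigabitEthernet1/0
 nameif dmz
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
!
route dmz 198.51.100.0 255.255.255.0 198.51.100.254 1
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
route dmz 10.50.0.0 255.255.0.0 198.51.100.254 1
"""


def parse_interfaces(config):
    """Return {nameif: IPv4Network} for every interface carrying an IP address."""
    nets, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new interface block, forget the previous nameif
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            nameif = m.group(1)
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and nameif:
            nets[nameif] = IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets


def parse_routes(config):
    """Return (egress_nameif, IPv4Network, next_hop) for each 'route' line."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            dest = IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            routes.append((m.group(1), dest, m.group(4)))
    return routes


def find_shadowing_routes(config):
    """Static routes whose destination lies inside a directly connected subnet.
    A default route (0.0.0.0/0) is never flagged; equal subnets are."""
    nets = parse_interfaces(config)
    return [(ifname, str(dest), nameif)
            for ifname, dest, _ in parse_routes(config)
            for nameif, net in nets.items() if dest.subnet_of(net)]
```

Run it against a saved `show running-config` and remove or correct any flagged route before investigating the switch path.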
