ASA5510 - Frequent loss on various interfaces [asa821-11-k8.bin]
I've a test pair of ASA 5510 firewalls that run across sites in an active standby configuration both running asa821-11-k8.bin.
However I've noticed that at random times every few days the following messages appear in the log of the primary unit suggesting it has lost its IP connection on that particular interface to the secondary unit and it returns within the same second.
Of the various interfaces on this device it does appear to only affect two of them as shown below.
The interface traffic levels are fine and the layer two path is consistent and stable with no corresponding log entries present on the secondary unit.
Jan 14 2010 08:52:21 : %ASA-1-105005: (Primary) Lost Failover communications with mate on interface Test
Jan 14 2010 08:52:21 : %ASA-1-105008: (Primary) Testing Interface Test
Jan 14 2010 08:52:21 : %ASA-1-105009: (Primary) Testing on interface Test Passed
Jan 15 2010 05:20:32 : %ASA-1-105005: (Primary) Lost Failover communications with mate on interface Inside
Jan 15 2010 05:20:32 : %ASA-1-105008: (Primary) Testing Interface Inside
Jan 15 2010 05:20:32 : %ASA-1-105009: (Primary) Testing on interface Inside Passed
Traffic flows appear not to be disrupted but has anyone else experienced this and if so what was the resolution to remove these messages?
Re: ASA5510 - Frequent loss on various interfaces [asa821-11-k8.
Could you please paste show failover and show interface output here?
In a failover pair, there are some standard tests, which are done to check the failover pair health. By default, interface health check for both active and standby units is enabled and that is the reason you get such logs in your firewall. As long as the ifc pass the test (they are passing traffic normally), there is nothing to worry about.
show int E0/1
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
    Input flow control is unsupported, output flow control is unsupported
    Available but not configured via nameif
    MAC address 001d.7066.859b, MTU not set
    IP address unassigned
    116509693 packets input, 91809388395 bytes, 0 no buffer
    Received 15523894 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    107126525 packets output, 53659297026 bytes, 0 underruns
    0 pause output, 0 resume output
    0 output errors, 0 collisions, 3 interface resets
    0 late collisions, 0 deferred
    1 input reset drops, 0 output reset drops, 0 tx hangs
    input queue (blocks free curr/low): hardware (255/236)
    output queue (blocks free curr/low): hardware (255/105)

show int e0/1.512
Interface Ethernet0/1.512 "xx", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    VLAN identifier 512
    Description: xx
    MAC address 001d.7066.859b, MTU 1500
    IP address 10.123.221.1, subnet mask 255.255.255.0
  Traffic Statistics for "xx":
    59467758 packets input, 46681561868 bytes
    43694808 packets output, 24148878068 bytes
    12169985 packets dropped

show int e0/1.647
Interface Ethernet0/1.647 "yy", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    VLAN identifier 647
    Description: yy
    MAC address 001d.7066.859b, MTU 1500
    IP address 10.111.222.1, subnet mask 255.255.255.0
  Traffic Statistics for "yy":
    24885558 packets input, 20957775471 bytes
    31997238 packets output, 9210514868 bytes
    1731 packets dropped
======================================================
sh failover
======================================================
Failover On
Failover unit Primary
Failover LAN Interface: Stateful Ethernet0/3 (up)
Unit Poll frequency 10 seconds, holdtime 30 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.2(1)11, Mate 8.2(1)11
Last Failover at: 15:15:56 UTC Nov 16 2009
  This host: Primary - Active
    Active time: 7017525 (sec)
    slot 0: ASA5510 hw/sw rev (2.0/8.2(1)11) status (Up Sys)
      Interface 11(18.104.22.168): Normal
      Interface xx ( 10.123.221.1): Normal
      Interface yy (10.111.222.1): Normal
      Interface 22 (22.214.171.124): Normal (Not-Monitored)
    slot 1: empty
  Other host: Secondary - Standby Ready
    Active time: 144528 (sec)
    slot 0: ASA5510 hw/sw rev (2.0/8.2(1)11) status (Up Sys)
      Interface 11 (126.96.36.199): Normal
      Interface xx( 10.123.221.2): Normal
      Interface yy (10.111.222.2): Normal
      Interface 22 (188.8.131.52): Normal (Not-Monitored)
    slot 1: empty
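An added example, not part of any post in this thread: one way to separate the self-clearing 105005/105009 pairs shown in the first post from losses that deserve a closer look, by pairing each "Lost Failover communications" message with the next test result for the same interface. The "Outside" lines are constructed sample data, and the 5-second recovery threshold is an assumption taken from the interface poll frequency in the posted `sh failover` output.

```python
import re
from datetime import datetime

# The "Test" and "Inside" events are the log lines from the post; the
# "Outside" event is constructed to show a test that does not pass.
SAMPLE_LOG = """\
Jan 14 2010 08:52:21 : %ASA-1-105005: (Primary) Lost Failover communications with mate on interface Test
Jan 14 2010 08:52:21 : %ASA-1-105008: (Primary) Testing Interface Test
Jan 14 2010 08:52:21 : %ASA-1-105009: (Primary) Testing on interface Test Passed
Jan 15 2010 05:20:32 : %ASA-1-105005: (Primary) Lost Failover communications with mate on interface Inside
Jan 15 2010 05:20:32 : %ASA-1-105008: (Primary) Testing Interface Inside
Jan 15 2010 05:20:32 : %ASA-1-105009: (Primary) Testing on interface Inside Passed
Jan 16 2010 11:02:10 : %ASA-1-105005: (Primary) Lost Failover communications with mate on interface Outside
Jan 16 2010 11:02:10 : %ASA-1-105008: (Primary) Testing Interface Outside
Jan 16 2010 11:02:14 : %ASA-1-105009: (Primary) Testing on interface Outside Failed
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) : %ASA-1-(?P<id>10500[589]): "
    r"\((?P<unit>\w+)\) (?P<msg>.*)$")
LOST = re.compile(r"mate on interface (\S+)$")
RESULT = re.compile(r"Testing on interface (\S+) (Passed|Failed)$")

def classify(log_text, max_recovery_s=5):
    """Pair each 105005 with the next 105009 for the same unit and interface."""
    pending = {}   # (unit, interface) -> timestamp of the 105005
    events = []    # (interface, lost_at, seconds_to_result, verdict)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if m["id"] == "105005" and (lost := LOST.search(m["msg"])):
            pending[(m["unit"], lost[1])] = ts
        elif m["id"] == "105009" and (res := RESULT.search(m["msg"])):
            start = pending.pop((m["unit"], res[1]), None)
            if start is None:
                continue  # test result without a preceding loss message
            secs = (ts - start).total_seconds()
            ok = res[2] == "Passed" and secs <= max_recovery_s
            events.append((res[1], start.isoformat(), secs,
                           "transient" if ok else "investigate"))
    # A loss that never got a test result is also flagged.
    events += [(i, t.isoformat(), None, "investigate") for (_, i), t in pending.items()]
    return events

if __name__ == "__main__":
    for event in classify(SAMPLE_LOG):
        print(event)
```

Counting "transient" verdicts per interface over a few weeks shows whether the messages cluster on particular interfaces, as the original post reports for Test and Inside.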