Cisco Support Community

Failover link in a C65K VSS with ASA-SM


Just experienced a combined TCP flood/UDP flood attack, which caused both ASAs to go active :-(


01:56:05 ASA-SM1 : %ASA-1-105043: (Primary) Failover interface failed

01:56:09 ASA-SM1 : %ASA-1-105042: (Primary) Failover interface OK

01:56:32 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 3).

01:56:47 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).

The standby ASA said 'failover off', but a reload of the standby fixed the dual active problem:

ASA-SM1# sh failo

Failover Off

Failover unit Secondary

Failover LAN Interface: folink Vlan998 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1


ASA-SM1# sh failo state

                    State          Last Failure Reason      Date/Time

This host  -   Secondary

                     Disabled       None

Other host -   Primary

                    Not Detected   Comm Failure      01:55:59

'Service-policy in' on the uplink interface (was 512/10 before):

embryonic-conn-max 256 per-client-embryonic-max 5


1. Possible causes for the comm failure (memory exhaustion?) Any good commands for checking?

2. The failover link:
In an ASA appliance setup it is recommended to establish a dedicated physical failover link between the ASAs. What about ASA-SM in a VSS setup - does it make sense to establish, for example, a physical 1G link for failover, and if yes: won't there be a loop issue with this and the fo VLAN on the VSL link?

3. What is "interface policy 1" in the 'sh failo' command output?
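
Added example, not part of the original post: a small Python check that flags the syslog sequence shown above, where a failover interface failure (105043) is followed shortly by "No response from other firewall" (103001) on the same host, the pattern that preceded the dual-active state here. The 60-second correlation window and the function names are assumptions made for this sketch; the log lines are the ones quoted in the post.

```python
import re
# Syslog lines copied from the post above.
SAMPLE = """\
01:56:05 ASA-SM1 : %ASA-1-105043: (Primary) Failover interface failed
01:56:09 ASA-SM1 : %ASA-1-105042: (Primary) Failover interface OK
01:56:32 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 3).
01:56:47 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+(\S+)\s*:\s*%ASA-\d-(\d{6}):\s*\((\w+)\)\s*(.*)$")
REASON = re.compile(r"reason code = (\d+)")

def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            h, mi, s, host, msg_id, unit, msg = m.groups()
            events.append({"t": int(h) * 3600 + int(mi) * 60 + int(s), "clock": f"{h}:{mi}:{s}",
                           "host": host, "id": msg_id, "unit": unit, "msg": msg})
    return events

def find_peer_loss(events, window=60):
    """Group 103001 events that follow a 105043 on the same host within
    `window` seconds (assumed value). One alert per link-failure episode."""
    open_alerts, alerts = {}, []
    for ev in events:
        host = ev["host"]
        if ev["id"] == "105043":
            open_alerts[host] = {"host": host, "unit": ev["unit"], "start": ev["t"],
                                 "link_failed_at": ev["clock"], "link_ok_seen": False,
                                 "reason_codes": []}
            continue
        alert = open_alerts.get(host)
        # Timestamps carry no date, so the difference is wrapped at midnight.
        if alert is None or (ev["t"] - alert["start"]) % 86400 > window:
            continue
        if ev["id"] == "105042":
            alert["link_ok_seen"] = True  # link reported OK again after the failure
        elif ev["id"] == "103001":
            code = REASON.search(ev["msg"])
            alert["reason_codes"].append(int(code.group(1)) if code else None)
            if len(alert["reason_codes"]) == 1:
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    print(find_peer_loss(parse(SAMPLE)))
```

On the quoted lines this yields one alert for ASA-SM1 with reason codes 3 and 4, and it records that the failover interface had already been reported OK again before the peer stopped answering.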


