Solved: Rebooting the standby ASA

mahesh18 · ‎02-01-2014

Hi Everyone,

If ASA is in active / standby failover.

And for some reason if you need to reboot standby ASA is it good practice just to reboot standby?

If standby is rebooted should it syn all the config over failover link from active ASA?

Regards

Mahesh

Marius Gunnerud · ‎02-01-2014

To reload the standby unit, on the primary unit issue the command failover reload-standby

Once the standby unit is back online a full running config synch will take place from the active ASA to the standby ASA.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Jon Marshall · ‎02-01-2014

Mahesh

This can happen sometimes when the standby firewall does not accept one or more of the commands in the configuration coming from the active firewall.

Have there been any configuration changes made to the active firewall recently ?

Is that all you see in the log or do you see the standby complaining about certain lines in the configuration ?

Jon

View solution in original post

Julio Carvajal · ‎02-01-2014

Hello Mahesh,

Okey but do you see any logs in the console session?

Did you really console in to the box to see all the logs?

console logging 7

It's because I have seen this behavior before and on all the cases I worked I saw a configuration command not properly written

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Marius Gunnerud · ‎02-02-2014

Which ASA model are you using for both of the ASAs?

Is this the first time you are trying to setup Active/Standby failover for these two units? If not is this the first time you are seeing this type of issue?

What ASA version are the ASAs running?

As Julio has mentioned, this is most likely the cause of the standby not accepting one or more of the configurations the Active unit is trying to sync across.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎02-05-2014

What you could try doing is remove the failover configuration from the standby unit, make a copy of the Active ASA config (copy paste into notepad) and then copy the configuration to the standby unit approx. 10 lines at a time and see where the configuration is failing to be accepted. Just remember to add the failover commands last.

Are both ASA's running the same version?

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎02-01-2014

To reload the standby unit, on the primary unit issue the command failover reload-standby

Once the standby unit is back online a full running config synch will take place from the active ASA to the standby ASA.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-01-2014

Hi Marius,

We did the reboot of standby ASA and log shows

(Secondary) Beginning configuration replication: Receiving from mate.

******REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE,
TO PREVENT THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION,
THE STANDBY UNIT WILL NOW REBOOT*******

So now ASA is in booting loop and it boots up gives the above message and again reboot.

Can you tell why this is happening?

For now we have turned off standby asa.

Regards

MAhesh

Jon Marshall · ‎02-01-2014

Mahesh

This can happen sometimes when the standby firewall does not accept one or more of the commands in the configuration coming from the active firewall.

Have there been any configuration changes made to the active firewall recently ?

Is that all you see in the log or do you see the standby complaining about certain lines in the configuration ?

Jon

mahesh18 · ‎02-01-2014

Hi John,

Thats all we see in logs from standby ASA.

Its not complaining about any lines in the config.

Standby ASA boots up fine when it is not connected to Active ASA.

As soon as we connect the standby to active ASA it gives above log message and reboot also then active ASA is not

reachable over the network.

Currently standby ASA is powered down.

About recent changes to ASA i am checking on that.

Regards

MAhesh

Julio Carvajal · ‎02-01-2014

Hello Mahesh,

You sure that is the only log you see when the issue arises?? Get a console connection to the firewall and make sure you are logging everything.

The mismatch configuration should be shown to you by the ASA.

As soon as you see the lines posted back to us and we will analize them.

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mahesh18 · ‎02-01-2014

Hi Julio,

After above logs it shows

%ASA-1-105020: (Secondary) Incomplete/slow config replication

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** failover reset
Process shutdown finished
Rebooting.....

Booting system, please wait...

That was happening again and again.

Currently standby ASA is powered off .

There were no errors for config changes in the logs of standby ASA.

Regards

MAhesh

Julio Carvajal · ‎02-01-2014

Hello,

Okey and what about on the Active firewall at the time of the issue?

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mahesh18 · ‎02-01-2014

Hi Julio,

Active ASA had following symptons during that time

1>not assigning DHCP IP to users.

2>

sh run on Active ASA

it gives error

ERROR: Command Ignored, Configuration in progress...

Regards

MAhesh

Julio Carvajal · ‎02-01-2014

Hello Mahesh,

Okey but do you see any logs in the console session?

Did you really console in to the box to see all the logs?

console logging 7

It's because I have seen this behavior before and on all the cases I worked I saw a configuration command not properly written

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Marius Gunnerud · ‎02-02-2014

Which ASA model are you using for both of the ASAs?

Is this the first time you are trying to setup Active/Standby failover for these two units? If not is this the first time you are seeing this type of issue?

What ASA version are the ASAs running?

As Julio has mentioned, this is most likely the cause of the standby not accepting one or more of the configurations the Active unit is trying to sync across.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-05-2014

Hi MArius,

Active/standby failover was working fine from last few years.

This issue occur first time.

Model is ASA5520.

Version is 8.0(5)28.

Regards

MAhesh

Marius Gunnerud · ‎02-05-2014

What you could try doing is remove the failover configuration from the standby unit, make a copy of the Active ASA config (copy paste into notepad) and then copy the configuration to the standby unit approx. 10 lines at a time and see where the configuration is failing to be accepted. Just remember to add the failover commands last.

Are both ASA's running the same version?

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-06-2014

Hi Marius,

YEs both ASA have same version.

Seems we will add only failover cable from active to standby first and see how it behaves.

Regards

MAhesh

mahesh18 · ‎02-07-2014

Hi Marius,

I added the standby firewall with failovcer cable first and it worked fine.

After that i added all the other cables.

All is good now.