New Member

Will ASA-SSM-20 reload affect ASA failover?

I have 2 ASA 5520s with an ASA-SSM-20 installed in each. The ASA-SSM-20 in the primary ASA is not working correctly:

Error: Cannot communicate with mainApp (getVersion). Please contact your system administrator.

Would you like to run cidDump?[no]:

I would like to reload the module, but I don't know if that will cause the whole ASA to failover. The ASAs are running 7.2(3).

Any thoughts?

16 REPLIES
New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

Hi,

The ASA failover monitors the internal interface between the ASA and the SSM; therefore, if you reboot the SSM, the firewall will fail over to the other firewall.

Hope that helps!

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

Hello-

I ran into this an hour ago. Setting up the AIP-SSM module on the Primary, it called for a reboot. Soon I had several folks at my desk because some users in the field had their sessions dropped.

Syslog on Primary shows we'd switch to the Failover ASA:

1 Mar 11 2008 15:01:23 104002 (Primary) Switching to STNDBY - Other unit wants me Standby. Secondary unit switch reason: Service card in other unit has failed.

Is there a way to remove the IPS module from failover monitoring? It does not show up in the list of monitored interface choices.

I can't take the risk of disconnecting users if I have to make an IPS change and reboot the AIP-SSM module.

Thanks,

-Roy-
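Added example (not part of the original thread): a small Python parser that pulls failover switch events out of log lines in the layout Roy quoted and flags the ones attributed to a service card failure, so SSM reloads can be correlated with failovers. The field layout is inferred from that single quoted line, every sample line except the first is constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Layout inferred from the line quoted in the post:
# severity, date, time, message ID, (unit), text.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>[A-Z][a-z]{2} +\d{1,2} +\d{4} +\d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+\((?P<unit>Primary|Secondary)\)\s+(?P<text>.*)$")
SWITCH_RE = re.compile(r"Switching to (?P<state>ACTIVE|STNDBY) - (?P<cause>.*)$")
REASON_RE = re.compile(r"switch reason:\s*(?P<reason>.+?)\.?$", re.IGNORECASE)
FAILOVER_IDS = {"104001", "104002"}  # "Switching to ACTIVE" / "Switching to STNDBY"

# First line is the one from the post; the rest are constructed for illustration.
SAMPLE = [
    "1 Mar 11 2008 15:01:23 104002 (Primary) Switching to STNDBY - Other unit wants me "
    "Standby. Secondary unit switch reason: Service card in other unit has failed.",
    "1 Mar 11 2008 15:01:23 104001 (Secondary) Switching to ACTIVE - "
    "Service card in other unit has failed.",
    "6 Mar 11 2008 15:02:10 302013 Built outbound TCP connection (constructed filler)",
    "1 Mar 14 2008 02:00:05 104002 (Primary) Switching to STNDBY - Set by the config command.",
]

def parse_failover_events(lines):
    """Return one dict per failover switch message found in `lines`."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["msgid"] not in FAILOVER_IDS:
            continue  # not a failover switch message in the expected layout
        sw = SWITCH_RE.search(m["text"])
        if not sw:
            continue
        # Prefer the explicit "switch reason:" clause; otherwise use the whole cause.
        reason = REASON_RE.search(sw["cause"])
        text = reason["reason"] if reason else sw["cause"].rstrip(".")
        events.append({
            "time": datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S"),
            "unit": m["unit"], "new_state": sw["state"], "reason": text,
            "service_card": "service card" in text.lower(),
        })
    return events

def service_card_failovers(lines):
    """Switch events attributed to a service card (SSM) failure."""
    return [e for e in parse_failover_events(lines) if e["service_card"]]

if __name__ == "__main__":
    for e in service_card_failovers(SAMPLE):
        print(e["time"], e["unit"], "->", e["new_state"], "|", e["reason"])
```
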

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

Roy,

Are you not doing stateful failover on your firewall pair?

This configuration option allows for the synchronizing of session information, which means that in the event of a failover your client sessions through the firewall are not lost!

Have a look here for more info:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

Thanks Brett.

We are using stateful failover. Not all sessions get dropped, just enough Telnet and application interface links that we start getting calls and people show up at my door. This is on a new ASA5520 that normally runs <5% CPU utilization. I just checked that the failover link is set to 1000FULL, so there should not be any delay updating state information.

Am I missing something in the config?

Portcullis# sho run failover
failover
failover lan unit primary
failover lan interface heartbeat GigabitEthernet0/2
failover polltime unit 3 holdtime 9
failover replication http
failover link heartbeat GigabitEthernet0/2
failover interface ip heartbeat 172.31.0.201 255.255.255.0 standby 172.31.0.202

Portcullis# sho run interface g0/2
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
 speed 1000
 duplex full
Portcullis#

-Roy-

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

Hi Roy,

You are missing a command!

failover link state GigabitEthernet0/2

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

But I do have

failover link heartbeat GigabitEthernet0/2

'state' in your previous message is the interface name.

From the docs:

failover link if_name phy_if

Our interface was named 'heartbeat' by a long forgotten consultant.

-Roy-

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

You are absolutely correct!

You have stateful failover configured correctly, strange though as you should not have ANY dropped sessions at all!

Do you have an IPS module in your ASA, or an inline IPS in the path?

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

Brett-

I have matching AIP-SSM-20 modules in the Primary and Secondary ASA units.

-Roy-

Cisco Employee

Re: Will ASA-SSM-20 reload affect ASA failover?

AIP-SSM-20 modules don't sync their configs or connections at the time of failover.

Moreover, reloading the SSM module will not cause failover of the ASA.

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

I would like to believe the SSM didn't cause the failover, but the syslog message in my initial message seems to say otherwise.

Syslog on Primary shows we'd switch to the Failover ASA:

1 Mar 11 2008 15:01:23 104002 (Primary) Switching to STNDBY - Other unit wants me Standby. Secondary unit switch reason: Service card in other unit has failed.

-Roy-

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

abinjola,

You are correct about the state information and config sync between the modules.

However I disagree that the rebooting of a module will not cause a failover. I have seen this occur personally on numerous occasions.

Cisco Employee

Re: Will ASA-SSM-20 reload affect ASA failover?

If you disable the backplane for failover monitoring, the reload of the SSM would not affect the ASA failover.

Requester, what exactly are you looking for?

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

Try this one too

My advice is to disable the AIP-SSM-20 for the time being and check, or open it in fail-open mode.

Because the syslog has shown the link state sync message, there might be a problem with the AIP-SSM.

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

Abinjola-

How do you disable the backplane from failover monitoring? It does show up as being monitored by 'show failover', but I don't see how to remove it from being monitored like the selected interfaces.

-Roy-

New Member

Re: Will ASA-SSM-20 reload affect ASA failover?

Thanks to all for your responses. I finally asked TAC and found the following:

-----------

[Failover on SSM reboot] is by design. There is a bug filed as an Enhancement request:

CSCse47023 ASA: Failover occurs when SSM module is updated. The request is to allow this to be a configurable option so that failover will not occur if the AIP-SSM is rebooted.

There are currently 2 workarounds:

1. Disable failover on the ASA prior to the SSM upgrade. Or,

2. Temporarily disable IPS policy on ASA by removing "ips" command under policy-map, and re-enable it after SSM upgrade.

I prefer option #2 rather than disabling failover on the ASA.

-----------

-Roy-
