Solved

ASA Failover abnormal behaviour

Posted on 2010-09-08
Last Modified: 2012-06-27
Hi,

My ASA goes on failover every day at 5-6ish.

I haven't seen any errors on the interconnection ports. I finally turned off the passive ASA and I still got the same failover this morning. Is that a normal behaviour?

ASA-VV# show fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet1/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 100%
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate Unknown
Last Failover at: 05:36:32 CEDT Sep 8 2010
        This host: Primary - Active
                Active time: 15201 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface management (172.10.5.252): Normal (Not-Monitored)
                  Interface VMF_1001-U-INTERNET (178.251.16.40): Normal (Waiting)
                  Interface T2_INTERCO (172.32.4.254): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: empty
                  Interface management (0.0.0.0): Unknown (Not-Monitored)
                  Interface VMF_1001-U-INTERNET (0.0.0.0): Unknown (Waiting)
                  Interface T2_INTERCO (0.0.0.0): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : Failover GigabitEthernet1/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         0          0          0          0        
        sys cmd         0          0          0          0        
        up time         0          0          0          0        
        RPC services    0          0          0          0        
        TCP conn        0          0          0          0        
        UDP conn        0          0          0          0        
        ARP tbl         0          0          0          0        
        Xlate_Timeout   0          0          0          0        
        VPN IKE upd     0          0          0          0        
        VPN IPSEC upd   0          0          0          0        
        VPN CTCP upd    0          0          0          0        
        VPN SDI upd     0          0          0          0        
        VPN DHCP upd    0          0          0          0        
        SIP Session     0          0          0          0        

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
ASA-VV#

ASA-VV# show fail his
==========================================================================
From State                 To State                   Reason
==========================================================================
05:35:47 CEDT Sep 8 2010
Not Detected               Negotiation                No Error

05:36:32 CEDT Sep 8 2010
Negotiation                Just Active                No Active unit found

05:36:32 CEDT Sep 8 2010
Just Active                Active Drain               No Active unit found

05:36:32 CEDT Sep 8 2010
Active Drain               Active Applying Config     No Active unit found

05:36:32 CEDT Sep 8 2010
Active Applying Config     Active Config Applied      No Active unit found

05:36:32 CEDT Sep 8 2010
Active Config Applied      Active                     No Active unit found

==========================================================================
ASA-VV#

Thank you
Question by:cheops01
11 Comments
 

Author Comment

by:cheops01
This is the fail state which is in a normal state because I turned off the secondary ASA.

ASA-VV# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Comm Failure             05:36:51 CEDT Sep 8 2010

====Configuration State===
====Communication State===

ASA-VV#
 
LVL 13

Expert Comment

by:3nerds
Cheops01,

You are currently monitoring the following ports:

 Interface VMF_1001-U-INTERNET (178.251.16.40): Normal (Waiting)
 Interface T2_INTERCO (172.32.4.254): Normal (Waiting)

They are in a waiting state because they cannot communicate with the secondary device. But unless you remove them from being monitored, they can still fail. Something as simple as a short down from your ISP can cause your device to see a failure and flop over to the secondary unit. To test further, remove the most likely culprit from being monitored (VMF_1001-U-INTERNET) and let it run. If it runs correctly, then you know that the internet is going up and down.

Regards,

3nerds
 

Author Comment

by:cheops01
I connected this morning through SSH. I canceled the authentication and lost access to the management. Lost the tunnels as well. I then checked the failover history and this is the buffer:

From State                 To State                   Reason
==========================================================================
10:06:59 CEDT Sep 9 2010
Not Detected               Negotiation                No Error

10:07:44 CEDT Sep 9 2010
Negotiation                Just Active                No Active unit found

10:07:44 CEDT Sep 9 2010
Just Active                Active Drain               No Active unit found

10:07:44 CEDT Sep 9 2010
Active Drain               Active Applying Config     No Active unit found

10:07:44 CEDT Sep 9 2010
Active Applying Config     Active Config Applied      No Active unit found

10:07:44 CEDT Sep 9 2010
Active Config Applied      Active                     No Active unit found

10:14:05 CEDT Sep 9 2010
Active                     Disabled                   Set by the config command


Then at 10:14, I accessed it again and turned off the failover until I can troubleshoot the problem. I don't see any input/output errors nor any up/down links on the ASA intercos.


Thanks
 
LVL 13

Expert Comment

by:3nerds
A config would be helpful.

Regards,

3nerds
 

Author Comment

by:cheops01
Here is the configuration.

Note: I isolated the 5550. I turned off the failover. It keeps rebooting more or less every 4 hours. I changed the ASA with the same configuration yesterday - same mishaps.  I included a jpeg. You will see the red lines indicate a reboot of the platform.



: Saved
: Written by Administrator at 11:47:05.209 CEDT Fri Sep 10 2010
!
ASA Version 8.2(1)
!
hostname ASA-VPN
domain-name default.domain.invalid
enable password czn4HPAhrG7bVPkm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.33.24.252 RemoteHost_Intrum
name 192.168.93.206 RemoteHost_IVRA10
name 192.168.196.103 RemoteHost_IVRA11
name 192.168.196.105 RemoteHost_IVRA12
name 192.168.93.217 RemoteHost_IVRA13
name 192.168.77.15 RemoteHost_TV2
name 192.168.188.29 RemoteHost_IVRA3
name 192.168.189.102 RemoteHost_IVRA4
name 172.16.197.107 RemoteHost_IVRA5
name 192.168.95.66 RemoteHost_IVRA6
name 192.168.93.207 RemoteHost_IVRA7
name 172.16.61.136 RemoteHost_IVRA8
name 192.168.188.30 RemoteHost_IVRA9
name 10.0.0.0 RemoteNet_Interact
name 192.168.1.0 RemoteNet_Lalpack
name 10.29.2.0 RemoteNet_Soreco
name 10.150.26.64 RemoteNet_Paco
name 10.92.254.0 RemoteNet_Tackti
name 10.99.8.44 RemoteHost_IVRA1
name 172.32.2.150 TV2virgin
name 192.168.79.110 test_pc-TV2
name 172.20.229.0 RemoteNet_Sears
name 195.81.2.29 RemoteHost_Intrum1
name 172.20.1.0 Remote_Net_Astor1
name 172.20.3.0 Remote_Net_Astor2
name 192.168.196.104 Remote_Host_CFT
name 172.20.13.0 NAT_RemoteNet_Astor1
name 172.20.14.0 NAT_RemoteNet_Astor2
name 172.22.24.32 RemoteHost_AH_Simpsons1
name 172.22.24.33 RemoteHost_AH_Simpsons2
name 172.20.1.96 NAT_RemoteHost_Simpsonse1
name 172.20.1.97 NAT_RemoteHost_Simpsonse2
name 172.20.1.98 NAT_RemoteHost_Simpsonse3
name 193.12.60.0 AH_IP_ToAstor
name 192.168.85.0 AH_456-OFFICE-SERV
name 192.168.196.96 AH_455-PROD-SERV
name 192.168.198.80 AH_887-SegmentBlue description AH_SegmentBlue
name 192.168.95.28 AH_EUTV2DBB
name 192.168.67.160 AH_EUIVRALAB_09
name 193.12.93.148 AH_FRMOBCOMMANDES
name 192.168.93.243 AH_FRTV2CC3MOB
name 192.168.93.201 AH_FRTV2DB1
name 193.12.60.248 AH_MinisterDev
name 192.168.93.237 AH_RDBMS
name 172.16.33.81 AH_DITO
name 172.16.33.82 AH_EDISON
name 172.16.241.7 AH_EIFFEL
name 172.168.95.32 AH_EUTV2DBD
name 172.16.241.8 AH_KEPLER
name 172.16.60.77 AH_LOGON
name 172.168.188.29 AH_LUAHLUCFRUD
name 172.16.33.80 AH_NOTES
name 172.16.33.0 AH_AZUKNotes1
name 172.16.241.0 AH_AZUKNotes2
name 193.12.60.77 AH_AZUKNotes3
name 10.99.8.0 AH_FTPTRANSIT
name 192.168.189.96 AH_167-IVR
name 172.16.16.0 AH_SCANNING_IVR_MAINTENANCE
!
interface GigabitEthernet0/0
 description DATA
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 speed 100
 duplex full
 nameif MGMAH
 security-level 100
 ip address 172.30.99.100 255.255.255.248
 management-only
!
interface Management0/0
 speed 100
 duplex full
 nameif MGMT
 security-level 100
 ip address 172.30.5.252 255.255.255.0
!
interface GigabitEthernet1/0
 description LAN/STATE Failover Interface
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif AHR_1001-U-INTERNET
 security-level 0
 allow-ssc-mgmt
 ip address 178.251.16.40 255.255.255.192
 ospf cost 10
 ospf authentication-key AHR#OsPf
 ospf authentication
!
interface RedundanAH
 member-interface GigabitEthernet1/2
 member-interface GigabitEthernet1/3
 no nameif
 security-level 90
 allow-ssc-mgmt
 no ip address
!
interface RedundanAH.2100
 vlan 2100
 nameif AH_INTERCO
 security-level 90
 ip address 172.32.1.254 255.255.255.0
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network Partner_Sears
 network-object RemoteNet_Sears 255.255.255.0
object-group network Partner_INTERACT
 network-object RemoteNet_Interact 255.255.255.0
object-group network Partner_INTRUM
 network-object host RemoteHost_Intrum
object-group network Partner_Lalpack
 network-object RemoteNet_Lalpack 255.255.255.0
object-group network Partner_SORECO
 network-object RemoteNet_Soreco 255.255.255.0
object-group network Partner_Paco
 network-object RemoteNet_Paco 255.255.255.224
object-group network Partner_Tackti
 network-object RemoteNet_Tackti 255.255.255.0
object-group network Partner_TV2AB
 network-object host RemoteHost_IVRA5
 network-object host RemoteHost_IVRA8
 network-object host RemoteHost_IVRA3
 network-object host RemoteHost_IVRA9
 network-object host RemoteHost_IVRA4
 network-object host RemoteHost_IVRA11
 network-object host RemoteHost_IVRA12
 network-object host RemoteHost_TV2
 network-object AH_456-OFFICE-SERV 255.255.255.0
 network-object host RemoteHost_IVRA10
 network-object host RemoteHost_IVRA7
 network-object host RemoteHost_IVRA13
 network-object host RemoteHost_IVRA6
 network-object host RemoteHost_IVRA1
 network-object host AH_EIFFEL
 network-object host AH_KEPLER
 network-object host AH_NOTES
 network-object host AH_DITO
 network-object host AH_EDISON
 network-object host AH_LOGON
 network-object host AH_LUAHLUCFRUD
 network-object host AH_EUTV2DBD
 network-object 172.32.1.0 255.255.255.0
 network-object host AH_EUIVRALAB_09
 network-object host AH_FRTV2DB1
 network-object host AH_RDBMS
 network-object host AH_FRTV2CC3MOB
 network-object host AH_EUTV2DBB
 network-object AH_IP_ToAstor 255.255.255.0
 network-object host AH_MinisterDev
 network-object host AH_FRMOBCOMMANDES
 network-object AH_SCANNING_IVR_MAINTENANCE 255.255.255.128
 network-object 10.143.52.0 255.255.255.0
 network-object 10.30.60.0 255.255.255.0
 network-object AH_FTPTRANSIT 255.255.255.0
 network-object AH_AZUKNotes2 255.255.255.0
 network-object AH_AZUKNotes1 255.255.255.0
 network-object host AH_AZUKNotes3
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
 network-object host RemoteHost_IVRA8
 network-object host RemoteHost_IVRA9
 network-object host RemoteHost_TV2
 network-object AH_456-OFFICE-SERV 255.255.255.0
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_2
 network-object host RemoteHost_IVRA8
 network-object host RemoteHost_IVRA9
 network-object host RemoteHost_TV2
 network-object host RemoteHost_IVRA10
 network-object host RemoteHost_IVRA13
 network-object host RemoteHost_IVRA1
 network-object host RemoteHost_IVRA3
 network-object host RemoteHost_IVRA6
 network-object AH_IP_ToAstor 255.255.255.0
 network-object 172.16.32.0 255.255.240.0
 network-object 172.19.16.0 255.255.252.0
 network-object 172.19.92.0 255.255.252.0
 network-object 172.16.196.0 255.255.252.0
 network-object 192.168.92.0 255.255.252.0
 network-object RemoteNet_Paco 255.255.255.224
 network-object AH_AZUKNotes2 255.255.255.0
 network-object AH_AZUKNotes1 255.255.255.0
 network-object host AH_AZUKNotes3
 network-object AH_FTPTRANSIT 255.255.255.0
 network-object 192.168.67.0 255.255.255.0
 network-object 172.16.224.0 255.255.255.0
 network-object 172.24.251.0 255.255.255.0
 network-object host RemoteHost_IVRA5
 network-object host RemoteHost_IVRA7
 network-object AH_SCANNING_IVR_MAINTENANCE 255.255.255.128
 network-object 10.143.52.0 255.255.255.0
 network-object 192.168.102.0 255.255.255.0
 network-object 192.168.196.128 255.255.255.128
 network-object 192.168.197.64 255.255.255.224
 network-object 192.168.101.0 255.255.255.0
 network-object 172.16.219.0 255.255.255.0
 network-object 10.30.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object host RemoteHost_Intrum
 network-object RemoteNet_Sears 255.255.255.0
 network-object RemoteNet_Soreco 255.255.255.0
 network-object host RemoteHost_Intrum1
 group-object Partner_Lalpack
 network-object Remote_Net_Astor1 255.255.255.0
 network-object Remote_Net_Astor2 255.255.255.0
 network-object RemoteNet_Tackti 255.255.255.0
 network-object host RemoteHost_AH_Simpsons1
 network-object host RemoteHost_AH_Simpsons2
 network-object AH_456-OFFICE-SERV 255.255.255.0
 network-object AH_455-PROD-SERV 255.255.255.224
 network-object AH_887-SegmentBlue 255.255.255.240
 network-object AH_167-IVR 255.255.255.240
 group-object Partner_INTERACT
 network-object RemoteNet_Paco 255.255.255.224
object-group service intrum_1570 tcp
 port-object eq 1570
object-group service intrum_3389 tcp
 port-object eq 3389
object-group service DM_INLINE_SERVICE_4
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_4
 network-object host RemoteHost_IVRA10
 network-object host RemoteHost_IVRA13
object-group network DM_INLINE_NETWORK_5
 network-object host RemoteHost_IVRA10
 network-object host RemoteHost_IVRA13
object-group service DM_INLINE_SERVICE_6
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_7
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_10
 service-object ip
 service-object icmp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_11
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_8
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_9
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_11
 network-object NAT_RemoteNet_Astor1 255.255.255.0
 network-object NAT_RemoteNet_Astor2 255.255.255.0
 network-object Remote_Net_Astor1 255.255.255.0
 network-object Remote_Net_Astor2 255.255.255.0
object-group network DM_INLINE_NETWORK_12
 network-object Remote_Net_Astor1 255.255.255.0
 network-object Remote_Net_Astor2 255.255.255.0
 network-object NAT_RemoteNet_Astor1 255.255.255.0
 network-object NAT_RemoteNet_Astor2 255.255.255.0
object-group service DM_INLINE_SERVICE_12
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_13
 service-object ip
 service-object icmp echo-reply
 service-object icmp echo
object-group service DM_INLINE_SERVICE_15
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_16
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group network Partner_SimpsonsE
 network-object host NAT_RemoteHost_Simpsonse1
 network-object host NAT_RemoteHost_Simpsonse2
 network-object host NAT_RemoteHost_Simpsonse3
object-group network DM_INLINE_NETWORK_6
 network-object host RemoteHost_AH_Simpsons1
 network-object host RemoteHost_AH_Simpsons2
object-group network DM_INLINE_NETWORK_7
 network-object host RemoteHost_AH_Simpsons1
 network-object host RemoteHost_AH_Simpsons2
object-group network DM_INLINE_NETWORK_8
 network-object host RemoteHost_AH_Simpsons1
 network-object host RemoteHost_AH_Simpsons2
object-group network DM_INLINE_NETWORK_9
 network-object AH_455-PROD-SERV 255.255.255.224
 network-object AH_456-OFFICE-SERV 255.255.255.0
 network-object AH_887-SegmentBlue 255.255.255.240
 network-object AH_167-IVR 255.255.255.240
object-group network DM_INLINE_NETWORK_10
 network-object AH_455-PROD-SERV 255.255.255.224
 network-object AH_456-OFFICE-SERV 255.255.255.0
object-group network DM_INLINE_NETWORK_13
 network-object AH_455-PROD-SERV 255.255.255.224
 network-object AH_456-OFFICE-SERV 255.255.255.0
 network-object AH_887-SegmentBlue 255.255.255.240
 network-object AH_167-IVR 255.255.255.240
object-group service DM_INLINE_SERVICE_14
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_17
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_15
 network-object AH_AZUKNotes2 255.255.255.0
 network-object AH_AZUKNotes1 255.255.255.0
 network-object host AH_AZUKNotes3
 network-object AH_FTPTRANSIT 255.255.255.0
 network-object host 172.16.197.19
 network-object host 172.16.32.14
 network-object host 172.16.224.36
 network-object 192.168.93.0 255.255.255.0
 network-object host AH_EUIVRALAB_09
 network-object host 193.12.60.104
 network-object 10.30.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_14
 network-object host RemoteHost_IVRA5
 network-object host RemoteHost_IVRA8
 network-object host RemoteHost_IVRA3
 network-object host RemoteHost_IVRA4
 network-object host RemoteHost_IVRA7
 network-object host RemoteHost_IVRA6
object-group service DM_INLINE_SERVICE_18
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_19
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_16
 network-object host RemoteHost_IVRA5
 network-object host RemoteHost_IVRA8
 network-object host RemoteHost_IVRA3
 network-object host RemoteHost_IVRA4
 network-object host RemoteHost_IVRA7
 network-object host RemoteHost_IVRA6
object-group service DM_INLINE_SERVICE_20
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_17
 network-object 10.30.60.0 255.255.255.0
 network-object host RemoteHost_IVRA5
 network-object host 172.16.224.53
 network-object host 172.16.60.10
 network-object host 172.16.60.11
 network-object RemoteNet_Paco 255.255.255.224
object-group network DM_INLINE_NETWORK_18
 network-object host RemoteHost_IVRA5
 network-object host 172.16.224.53
 network-object host 172.16.60.10
 network-object host 172.16.60.11
 network-object 10.143.52.0 255.255.255.0
object-group service DM_INLINE_SERVICE_21
 service-object ip
 service-object icmp echo
object-group service DM_INLINE_SERVICE_22
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_23
 service-object ip
 service-object icmp echo
 service-object icmp echo-reply
access-list AHR_1001-U-INTERNET_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_2
access-list AH_INTERCO_nat0_outbound extended permit ip RemoteNet_Sears 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list AH_INTERCO_nat0_outbound extended permit ip object-group Partner_INTERACT object-group DM_INLINE_NETWORK_16
access-list AH_INTERCO_nat0_outbound extended permit ip host RemoteHost_Intrum1 object-group DM_INLINE_NETWORK_5
access-list AH_INTERCO_nat0_outbound extended permit ip RemoteNet_Soreco 255.255.255.0 host RemoteHost_IVRA10
access-list AH_INTERCO_nat0_outbound extended permit ip object-group Partner_Tackti object-group Partner_TV2AB
access-list AH_INTERCO_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_6 host RemoteHost_IVRA6
access-list AH_INTERCO_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_10 object-group Partner_TV2AB
access-list AH_INTERCO_nat0_outbound extended permit ip host AH_167-IVR object-group Partner_TV2AB
access-list AH_INTERCO_nat0_outbound extended permit ip RemoteNet_Paco 255.255.255.224 10.143.52.0 255.255.255.0
access-list TEST_INTER_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list TEST_INTER_nat0_outbound extended permit ip host TV2virgin host test_pc-TV2
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_2 RemoteNet_Sears 255.255.255.0 object-group Partner_TV2AB
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_5 host RemoteHost_Intrum1 object-group DM_INLINE_NETWORK_4
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_6 RemoteNet_Soreco 255.255.255.0 host RemoteHost_IVRA10
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_10 object-group Partner_Tackti object-group Partner_TV2AB
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_11 object-group Partner_Lalpack object-group Partner_TV2AB
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_12 object-group DM_INLINE_NETWORK_11 AH_IP_ToAstor 255.255.255.0
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_15 object-group DM_INLINE_NETWORK_7 host RemoteHost_IVRA6
access-list AH_INTERCO_access_in remark AH_Ouverture sur 3 LocalNets
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_17 object-group DM_INLINE_NETWORK_9 any
access-list AH_INTERCO_access_in remark AH_Ouverture sur RemoteNet
access-list AH_INTERCO_access_in extended permit ip any RemoteNet_Paco 255.255.255.224
access-list AH_INTERCO_access_in remark AH_Ouverture sur RemoteNet
access-list AH_INTERCO_access_in extended permit ip any object-group DM_INLINE_NETWORK_15
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_18 object-group Partner_INTERACT object-group DM_INLINE_NETWORK_14
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_22 RemoteNet_Paco 255.255.255.224 object-group DM_INLINE_NETWORK_18
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group Partner_TV2AB RemoteNet_Sears 255.255.255.0
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_4 object-group Partner_TV2AB host RemoteHost_Intrum1
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group Partner_TV2AB RemoteNet_Soreco 255.255.255.0
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group Partner_TV2AB object-group Partner_Tackti
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_9 object-group Partner_TV2AB object-group Partner_Lalpack
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_23 object-group Partner_TV2AB 172.31.0.0 255.255.0.0
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_19 object-group Partner_TV2AB object-group Partner_INTERACT
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_13 AH_IP_ToAstor 255.255.255.0 object-group DM_INLINE_NETWORK_12
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_16 host RemoteHost_IVRA6 object-group DM_INLINE_NETWORK_8
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_14 any object-group DM_INLINE_NETWORK_13
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_20 object-group Partner_TV2AB AH_167-IVR 255.255.255.240
access-list AHR_1001-U-INTERNET_access_in extended permit ip object-group DM_INLINE_NETWORK_17 10.143.52.0 255.255.255.0
access-list AHR_1001-U-INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_21 10.143.52.0 255.255.255.0 RemoteNet_Paco 255.255.255.224
access-list AH_INTERCO_nat_static extended permit ip NAT_RemoteNet_Astor1 255.255.255.0 object-group Partner_TV2AB
access-list NDM extended permit ip 172.31.0.0 255.255.0.0 host 172.32.1.254
pager lines 24
logging enable
logging standby
logging trap debugging
logging asdm informational
logging host MGMT 172.31.12.22
mtu MGMAH 1500
mtu MGMT 1500
mtu AHR_1001-U-INTERNET 1500
mtu AH_INTERCO 1500
no failover
failover lan unit primary
failover lan interface Failover GigabitEthernet1/0
failover interface-policy 100%
failover key *****
failover replication http
failover link Failover GigabitEthernet1/0
failover interface ip Failover 172.30.93.3 255.255.255.0 standby 172.30.93.4
no monitor-interface AHR_1001-U-INTERNET
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (AHR_1001-U-INTERNET) 2 192.168.85.100 netmask 255.0.0.0
global (AH_INTERCO) 1 172.30.110.2 netmask 255.255.255.255
nat (AH_INTERCO) 0 access-list AH_INTERCO_nat0_outbound
static (AH_INTERCO,AHR_1001-U-INTERNET) Remote_Net_Astor1  access-list AH_INTERCO_nat_static
access-group AHR_1001-U-INTERNET_access_in in interface AHR_1001-U-INTERNET
access-group AH_INTERCO_access_in in interface AH_INTERCO
!
router ospf 1
 log-adj-changes
!
router ospf 110
 network 178.251.16.0 255.255.255.192 area 0
 area 0 authentication
 log-adj-changes
!
route AH_INTERCO RemoteNet_Interact 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteNet_Soreco 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteHost_Intrum 255.255.255.255 172.32.1.253 1
route AH_INTERCO RemoteNet_Tackti 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteNet_Paco 255.255.255.224 172.32.1.253 1
route AH_INTERCO Remote_Net_Astor1 255.255.255.0 172.32.1.253 1
route AH_INTERCO Remote_Net_Astor2 255.255.255.0 172.32.1.253 1
route AH_INTERCO NAT_RemoteNet_Astor1 255.255.255.0 172.32.1.253 1
route AH_INTERCO NAT_RemoteNet_Astor2 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteNet_Sears 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteHost_AH_Simpsons1 255.255.255.255 172.32.1.253 1
route AH_INTERCO RemoteHost_AH_Simpsons2 255.255.255.255 172.32.1.253 1
route MGMT 172.31.0.0 255.255.0.0 172.30.5.254 2
route AH_INTERCO RemoteNet_Lalpack 255.255.255.0 172.32.1.253 1
route AH_INTERCO AH_456-OFFICE-SERV 255.255.255.0 172.32.1.253 1
route AH_INTERCO AH_167-IVR 255.255.255.240 172.32.1.253 1
route AH_INTERCO AH_455-PROD-SERV 255.255.255.224 172.32.1.253 1
route AH_INTERCO AH_887-SegmentBlue 255.255.255.240 172.32.1.253 1
route AH_INTERCO RemoteHost_Intrum1 255.255.255.255 172.32.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.30.0.0 255.255.0.0 MGMAH
http 172.30.0.0 255.255.0.0 MGMT
http 172.31.0.0 255.255.0.0 MGMAH
http 172.31.0.0 255.255.0.0 MGMT
snmp-server host MGMT 172.31.12.17 community ******
no snmp-server location
no snmp-server contact
snmp-server community ******
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map AHR_1001-U-INTERNET_map 1 match address AHR_1001-U-INTERNET_1_cryptomap
crypto map AHR_1001-U-INTERNET_map 1 set peer 90.132.11.4
crypto map AHR_1001-U-INTERNET_map 1 set transform-set ESP-3DES-MD5
crypto map AHR_1001-U-INTERNET_map interface AHR_1001-U-INTERNET
crypto isakmp enable AHR_1001-U-INTERNET
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.30.0.0 255.255.0.0 MGMAH
ssh 172.31.0.0 255.255.0.0 MGMAH
ssh 172.31.0.0 255.255.0.0 MGMT
ssh 172.30.0.0 255.255.0.0 MGMT
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.32.1.253 source AH_INTERCO
webvpn
group-policy Policy_TV2AB internal
group-policy Policy_TV2AB attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
username Administrator password ZUlb3Nc9fYOvZKpq encrypted privilege 15
tunnel-group 90.132.11.4 type ipsec-l2l
tunnel-group 90.132.11.4 general-attributes
 default-group-policy Policy_TV2AB
tunnel-group 90.132.11.4 ipsec-attributes
 pre-shared-key ***
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f30ec8150415b2507035939b0e6abf72
: end

Data.jpg
 

Author Comment

by:cheops01
The line you see in red on the graph - it means, the ASA was unavailable (it rebooted).
 
LVL 13

Accepted Solution

by:
3nerds earned 500 total points
Wow, that is a lot of named objects!

You said that the ASA is now rebooting every 4 hours. I would normally tell you to contact TAC, as it sounds like a defective device, but if I am reading your message correctly you have replaced the ASA and it is doing the same thing?

Can you confirm that I am understanding what you have done so far correctly?


Regards,

3nerds
 

Author Comment

by:cheops01
Indeed, I swapped the ASA yesterday. I kept the same configuration that I injected in the standalone ASA 5500.

We've passed the 4-hour reboot time - hurray - It might be an IOS bug; otherwise I'm out of solutions.

I included one more graph here. (I'm in the Paris time zone).

Thank you
Graph2.jpg
 
LVL 13

Assisted Solution

by:3nerds
3nerds earned 500 total points
The only thing remotely like this I have heard of before was a logging issue where a customer had the logging levels set too high and it was overloading the device and causing it to reboot every couple of hours. I see you have trap set to debug, but with the size of the device you are working with I would find it odd if that were a problem. At this point I would be reaching out to TAC, as I agree it could be a code problem.

Good luck,

3nerds
 

Author Comment

by:cheops01
It turned out:
I got a message from a TAC I opened up:


I understand that you are crashing and have decoded the crash and I could find the problem that you are facing now. The bug ID that you are facing now is CSCta02170.
 

Author Closing Comment

by:cheops01
Thank you
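
Added example (not part of the original thread, and not Cisco code): a small Python parser for the two `show failover history` buffers cheops01 posted above. It separates a unit that starts from `Not Detected` and goes Active with no peer from a change made by an operator. Reading that start as a boot is an assumption taken from this thread, where the pattern coincided with the reboots TAC later tied to CSCta02170; the function names are hypothetical.

```python
import re
from datetime import datetime

# The two history buffers from this thread (Sep 8 and Sep 9 captures).
HISTORY = """\
From State                 To State                   Reason
==========================================================================
05:35:47 CEDT Sep 8 2010
Not Detected               Negotiation                No Error
05:36:32 CEDT Sep 8 2010
Negotiation                Just Active                No Active unit found
05:36:32 CEDT Sep 8 2010
Just Active                Active Drain               No Active unit found
05:36:32 CEDT Sep 8 2010
Active Drain               Active Applying Config     No Active unit found
05:36:32 CEDT Sep 8 2010
Active Applying Config     Active Config Applied      No Active unit found
05:36:32 CEDT Sep 8 2010
Active Config Applied      Active                     No Active unit found
==========================================================================
From State                 To State                   Reason
==========================================================================
10:06:59 CEDT Sep 9 2010
Not Detected               Negotiation                No Error
10:07:44 CEDT Sep 9 2010
Negotiation                Just Active                No Active unit found
10:07:44 CEDT Sep 9 2010
Just Active                Active Drain               No Active unit found
10:07:44 CEDT Sep 9 2010
Active Drain               Active Applying Config     No Active unit found
10:07:44 CEDT Sep 9 2010
Active Applying Config     Active Config Applied      No Active unit found
10:07:44 CEDT Sep 9 2010
Active Config Applied      Active                     No Active unit found
10:14:05 CEDT Sep 9 2010
Active                     Disabled                   Set by the config command
"""

# Timestamp line as printed in the thread, e.g. "05:35:47 CEDT Sep 8 2010".
# The timezone token is skipped; all times are treated as device-local.
TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) \S+ (\w{3}) (\d{1,2}) (\d{4})$")


def parse_history(text):
    """Return (timestamp, from_state, to_state, reason) tuples."""
    rows, stamp = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            clock, mon, day, year = m.groups()
            stamp = datetime.strptime(
                f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y"
            )
            continue
        # Columns are separated by runs of two or more spaces; a transition
        # row is only accepted directly after a timestamp line, which skips
        # the "From State / To State / Reason" header and the "====" rules.
        cols = re.split(r"\s{2,}", line)
        if stamp is not None and len(cols) == 3:
            rows.append((stamp, *cols))
            stamp = None
    return rows


def cold_starts(rows):
    """Episodes where the unit came up from 'Not Detected' and went Active alone.

    Assumption taken from this thread: such an episode is the unit booting,
    not a takeover from a running peer.
    """
    found, start = [], None
    for ts, frm, to, reason in rows:
        if frm == "Not Detected" and to == "Negotiation":
            start = ts
        elif start and to == "Active" and reason == "No Active unit found":
            found.append({
                "booted": start,
                "active": ts,
                "seconds_to_active": int((ts - start).total_seconds()),
            })
            start = None
    return found


def operator_actions(rows):
    """Transitions the ASA attributes to a configuration command."""
    return [r for r in rows if r[3].startswith("Set by the config command")]


if __name__ == "__main__":
    parsed = parse_history(HISTORY)
    for ep in cold_starts(parsed):
        print(f"cold start at {ep['booted']}, Active after "
              f"{ep['seconds_to_active']}s with no peer found")
    for ts, frm, to, reason in operator_actions(parsed):
        print(f"operator change at {ts}: {frm} -> {to} ({reason})")
```

Correlating the cold-start timestamps with syslog or SNMP `coldstart` traps (both enabled in the posted configuration) is what distinguishes a crash loop from a genuine failover event.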