Support Engineer
asked on
ASA 5520 problem with Failover in Active/Standby
The active ASA failed unknowingly; in this process the ASAs did not fail over correctly. Attached are the show techs from both Active and Standby. Below is an error log.
ERROR: You have attempted to configure LAN failover, but do not have the complete
minimal configuration commands setup.
TRY THIS: Verify the following configuration commands:
'failover'
'failover lan enable'
'failover lan interface'
'failover lan unit primary' (for the primary unit only)
We are also not monitoring IMPORTANT interfaces.
Last Failover at: 03:42:11 EST May 4 2016
This host: Primary - Active
Active time: 3459 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.3(1)) status (Up Sys)
Interface management (10.42.198.66): Normal
Interface fulltrust (10.42.186.201): Normal (Not-Monitored)
Interface totrust (10.42.185.130): Normal (Not-Monitored)
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
pfwthm1-primary.log
pfwthm1-standby.log
Also there are some configuration mismatch errors being observed.
Probably provide a sanitized running config on your ASA; a show failover and failover history would probably help as well.
For the failover configuration and monitoring, you will need these commands:
failover
failover lan unit primary <-- this would depend if primary or standby unit
failover lan interface failover GigabitEthernetx/x <-- your chosen failover interface
failover key <failover key>
failover interface ip failover 10.x.x.1 255.255.255.252 standby 10.x.x.2 <-- your failover subnet
!
monitor-interface <interfaces you want to monitor>
ASKER
********************** From the Primary **********************
------------------ show failover ------------------
Failover On
Failover unit Primary
Failover LAN Interface: state GigabitEthernet0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 160 maximum
Version: Ours 8.3(1), Mate 8.3(1)
Last Failover at: 03:42:11 EST May 4 2016
This host: Primary - Active
Active time: 1468 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.3(1)) status (Up Sys)
Interface management (10.42.198.66): Normal
Interface fulltrust (10.42.186.201): Normal (Not-Monitored)
Interface totrust (10.42.185.130): Normal (Not-Monitored)
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Standby Ready
Active time: 12616 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.3(1)) status (Up Sys)
Interface management (10.42.198.65): Normal
Interface fulltrust (10.42.186.200): Normal (Not-Monitored)
Interface totrust (10.42.185.129): Normal (Not-Monitored)
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : state GigabitEthernet0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 3031 0 3712 0
sys cmd 1850 0 1850 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 599 0 14 0
UDP conn 582 0 1828 0
ARP tbl 0 0 20 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 12 17595
Xmit Q: 0 1 4501
------------------ show failover history ------------------
========================== ========== ========== ========== ========== ========
From State To State Reason
========================== ========== ========== ========== ========== ========
00:14:37 EST May 4 2016
Not Detected Negotiation No Error
00:15:09 EST May 4 2016
Negotiation Cold Standby Detected an Active mate
00:15:11 EST May 4 2016
Cold Standby Sync Config Detected an Active mate
00:15:23 EST May 4 2016
Sync Config Sync File System Detected an Active mate
00:15:23 EST May 4 2016
Sync File System Bulk Sync Detected an Active mate
00:15:38 EST May 4 2016
Bulk Sync Standby Ready Detected an Active mate
03:42:11 EST May 4 2016
Standby Ready Just Active Set by the config command
03:42:11 EST May 4 2016
Just Active Active Drain Set by the config command
03:42:11 EST May 4 2016
Active Drain Active Applying Config Set by the config command
03:42:11 EST May 4 2016
Active Applying Config Active Config Applied Set by the config command
03:42:11 EST May 4 2016
Active Config Applied Active Set by the config command
========================== ========== ========== ========== ========== ========
********************** From the Standby **********************
------------------ show failover ------------------
Failover On
Failover unit Secondary
Failover LAN Interface: state GigabitEthernet0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 160 maximum
Version: Ours 8.3(1), Mate 8.3(1)
Last Failover at: 03:19:35 EST May 4 2016
This host: Secondary - Standby Ready
Active time: 12616 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.3(1)) status (Up Sys)
Interface management (10.42.198.65): Normal
Interface fulltrust (10.42.186.200): Normal (Not-Monitored)
Interface totrust (10.42.185.129): Normal (Not-Monitored)
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Primary - Active
Active time: 1495 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.3(1)) status (Up Sys)
Interface management (10.42.198.66): Normal
Interface fulltrust (10.42.186.201): Normal (Not-Monitored)
Interface totrust (10.42.185.130): Normal (Not-Monitored)
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : state GigabitEthernet0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 17983451 0 98000151 55
sys cmd 17978423 0 17978422 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 52 0 50617869 0
UDP conn 4956 0 29300286 0
ARP tbl 20 0 103574 55
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 232880786
Xmit Q: 0 1485 17997334
------------------ show failover history ------------------
========================== ========== ========== ========== ========== ========
From State To State Reason
========================== ========== ========== ========== ========== ========
12:08:12 EST Apr 7 2016
Cold Standby Sync Config Configuration mismatch
12:08:23 EST Apr 7 2016
Sync Config Sync File System Configuration mismatch
12:08:23 EST Apr 7 2016
Sync File System Bulk Sync Configuration mismatch
12:08:38 EST Apr 7 2016
Bulk Sync Standby Ready Configuration mismatch
12:23:07 EST Apr 7 2016
Standby Ready Cold Standby Configuration mismatch
12:23:09 EST Apr 7 2016
Cold Standby Sync Config Configuration mismatch
12:23:21 EST Apr 7 2016
Sync Config Sync File System Configuration mismatch
12:23:21 EST Apr 7 2016
Sync File System Bulk Sync Configuration mismatch
12:23:33 EST Apr 7 2016
Bulk Sync Standby Ready Configuration mismatch
06:35:35 EST Apr 18 2016
Standby Ready Cold Standby Configuration mismatch
06:35:37 EST Apr 18 2016
Cold Standby Sync Config Configuration mismatch
06:35:48 EST Apr 18 2016
Sync Config Sync File System Configuration mismatch
06:35:48 EST Apr 18 2016
Sync File System Bulk Sync Configuration mismatch
06:36:03 EST Apr 18 2016
Bulk Sync Standby Ready Configuration mismatch
23:49:43 EST May 3 2016
Standby Ready Just Active HELLO not heard from mate
23:49:43 EST May 3 2016
Just Active Active Drain HELLO not heard from mate
23:49:43 EST May 3 2016
Active Drain Active Applying Config HELLO not heard from mate
23:49:43 EST May 3 2016
Active Applying Config Active Config Applied HELLO not heard from mate
23:49:43 EST May 3 2016
Active Config Applied Active HELLO not heard from mate
03:19:35 EST May 4 2016
Active Standby Ready Other unit wants me Standby
========================== ========== ========== ========== ========== ========
show-run--Primary-.txt
show-run--standby-.txt
Hi there,
I will get back to you by 23:00 IST
I would advise you to remove the speed/duplex settings on the failover interface. Check if the failover cable is good, as it seems you are losing communications between both firewalls. The reason you are not monitoring other interfaces is because you did not add them in the configuration.
monitor-interface fulltrust
should do the trick
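An added example, not part of the original answer: a small Python check that reads saved `show failover` and `show failover history` text, lists the local interfaces reported as Not-Monitored as `monitor-interface` lines, and tallies the failover reasons. The function names are hypothetical, the sample is an excerpt of the standby output posted in this thread, and the reason list covers only the strings seen here.

```python
import re
from collections import Counter

# Excerpt of the standby unit's output as posted in this thread.
SAMPLE = """\
This host: Secondary - Standby Ready
Interface management (10.42.198.65): Normal
Interface fulltrust (10.42.186.200): Normal (Not-Monitored)
Interface totrust (10.42.185.129): Normal (Not-Monitored)
Other host: Primary - Active
Interface fulltrust (10.42.186.201): Normal (Not-Monitored)
06:36:03 EST Apr 18 2016
Bulk Sync Standby Ready Configuration mismatch
23:49:43 EST May 3 2016
Standby Ready Just Active HELLO not heard from mate
03:19:35 EST May 4 2016
Active Standby Ready Other unit wants me Standby
"""

IFACE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?)(\s+\(Not-Monitored\))?\s*$")
STAMP = re.compile(r"^\d\d:\d\d:\d\d \S+ \w{3} \d{1,2} \d{4}$")
# Assumption: only the reason strings that appear in this thread; extend as needed.
REASONS = ("Configuration mismatch", "HELLO not heard from mate",
           "Other unit wants me Standby", "Set by the config command",
           "Detected an Active mate", "No Error")

def unmonitored(text):
    """Names of interfaces under 'This host' that failover is not monitoring."""
    names, local = [], False
    for line in text.splitlines():
        head = line.lstrip()
        if head.startswith(("This host:", "Other host:")):
            local = head.startswith("This host:")
        m = IFACE.match(line)
        if m and local and m.group(4):
            names.append(m.group(1))
    return names

def history(text):
    """(timestamp, reason) pairs; the reason is the known suffix of the row after each timestamp."""
    lines = [l.strip() for l in text.splitlines()]
    out = []
    for stamp, row in zip(lines, lines[1:]):
        if STAMP.match(stamp):
            out.append((stamp, next((r for r in REASONS if row.endswith(r)), "unknown")))
    return out

def report(text):
    """Suggested monitor-interface lines plus a tally of state-change reasons."""
    return {"monitor_cmds": [f"monitor-interface {n}" for n in unmonitored(text)],
            "reasons": Counter(r for _, r in history(text))}
```

A "HELLO not heard from mate" entry points at the failover link itself, which is why it is worth separating from the "Configuration mismatch" entries when reading a long history.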
ASKER
Going to try the recommended steps and will post back. Thanks!
Kindly share the HA related config of both the firewalls.