ASA Failover messages

I'm having trouble finding definitions for "show failover history" responses. Phrases like the following:
Just Active
and
Active Drain
Any ideas?

Hi Jim,
Thanks for your post trying to find the documentation that shows definitions of ASA failover messages.
The responses can be found in Table 26-4 of the Cisco Security Appliance Command Reference, Version 7.2.
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s3_72.html#wp1285887
Thanks,
Janel Kratky

Similar Messages

  • CSM error message on ASA Failover interface

    Hello
    We use CSM 4.4 to manage our ASA firewalls.                   
    One of them is a failover pair. CSM now always creates a warning message when approving an activity, stating:
    FWSVC Access Rules Warnings ->  The following interfaces GigabitEthernet0/3,management, are not bound to any Access Rules and remain wide open for traffic to lower security level interfaces
    Is there a way to suppress those messages?
    Or is it required to configure an access-list to the lan-based failover interface?
    Thanks
    Patrick

    Hi Bro
    Yes, there is a way to suppress these error messages by issuing the command "no logging message " in that particular context, but I wouldn't advise doing so.
    Perhaps this could indicate a legitimate error on your part. If you could paste the show run output here, that would be great. We could advise you accordingly.
    Regards,
    Ram

  • ASA failover: secondary ASA disabled failover on its own

    Hi all
    I have a failover pair of ASA 5520 (Software Version 8.2(4)4)
    located in two different data centers.
    Because of a network issue the layer 2 connection between both locations has been interrupted for a couple of seconds and the ASAs went into split-brain as one would expect them to do.
    The thing is that after approx. 1 minute the secondary ASA switched off its failover configuration (i.e. "show run" gives "no failover") without anybody telling it to do so. Here is the "show failover history" of the device:
    07:57:34 MESZ Aug 15 2011
    Standby Ready              Just Active                HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Just Active                Active Drain               HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Drain               Active Applying Config     HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Applying Config     Active Config Applied      HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Config Applied      Active                     HELLO not heard from mate
    07:58:03 MESZ Aug 15 2011
    Active                     Cold Standby               Failover state check
    07:58:18 MESZ Aug 15 2011
    Cold Standby               Disabled                   HA state progression failed
    At this point failover was switched off completely and the split-brain remained even after the layer-2-connection has been reestablished.
    This is no good.:( I have searched for "HA state progression failed" without any useful result/explanation.
    Why did the device switch off failover on its own and how can we assure that it won't do this again?
    Best regards,
    Grischa

    Yes, only thing I needed to do was issuing "failover" on the secondary. It detected its active mate and went properly into standby:
    09:16:18 MESZ Aug 15 2011
    Disabled                   Negotiation                Set by the config command
    09:16:19 MESZ Aug 15 2011
    Negotiation                Cold Standby               Detected an Active mate
    09:16:21 MESZ Aug 15 2011
    Cold Standby               Sync Config                Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Sync Config                Sync File System           Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Sync File System           Bulk Sync                  Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Bulk Sync                  Standby Ready              Detected an Active mate
    I guess we will go the TAC way if we encounter this situation a second time. This time we will be warned and know where to look.
    Is there really no documentation available of the "HA state progression failed" message? What does it mean and how is it triggered usually?
    Regards,
    Grischa

  • ASA Failover based on IP SLA

    Hello.
    I have a scenario with 2 Distribution Switches (DS1 and DS2), then 2 Filtering Devices in transparent mode, and then 2 ASA Firewalls in active-standby mode, connected in the following way.
    DS1--> FD1 -->ASA1 
    DS2--> FD2 -->ASA2
    How can we configure failover to occur if the connectivity between DS1 and FD1 is down (while the ASA1 to Filtering Device 1 link status is still up)? Is it possible with IP SLA?
    Regards
    Rahul

    If the interface is logically down then the ASA will perform a series of connectivity tests to determine if the link really is down.  If the ASA determines that the link is down then a failover will occur.
    Interface Monitoring
    You can monitor up to 250 interfaces divided between all contexts. You should monitor important interfaces, for example, you might configure one context to monitor a shared interface (because the interface is shared, all contexts benefit from the monitoring).
    When a unit does not receive hello messages on a monitored interface for half of the configured hold time, it runs the following tests:
    1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the interface is operational, then the security appliance performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) unit has failed. At the start of each test, each unit clears its received packet count for its interfaces. At the conclusion of each test, each unit looks to see if it has received any traffic. If it has, the interface is considered operational. If one unit receives traffic for a test and the other unit does not, the unit that received no traffic is considered failed. If neither unit has received traffic, then the next test is used.
    2. Network Activity test—A received network activity test. The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.
    3. ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time, the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.
    4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.
    If all network tests fail for an interface, but this interface on the other unit continues to successfully pass traffic, then the interface is considered to be failed. If the threshold for failed interfaces is met, then a failover occurs. If the other unit interface also fails all the network tests, then both interfaces go into the "Unknown" state and do not count towards the failover limit.
    An interface becomes operational again if it receives any traffic. A failed security appliance returns to standby mode if the interface failure threshold is no longer met.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/failover.html#wp1042489
    Please remember to select a correct answer and rate helpful posts

  • ASA Failover when Firewalls are at different sites - help

    I am implementing a solution for a customer whereby they have two Cisco ASA 5520X firewalls. They wish for the firewalls to be in an Active-Standby state.
    This not only means that if one firewall dies, the other will take over. It also means that any configuration changes made on the primary are copied to the backup.
    The only catch is, both firewalls are at different sites. There is no layer 2 WAN link running between the sites. They are separated by both the internet cloud on one side and their internal company MPLS cloud on the other.
    The diagram, that I have taken from my GNS3 simulation and modified slightly, shows the setup. All of the IP addresses (and AS numbers) are made up. Any reflection on real world IPs is unintentional and just a coincidence.
    The diagram is probably too overcrowded with IP information than is needed in this question - but the basic idea is the following:
    1. Under normal conditions traffic will flow to the internet from the remote MPLS site and leave via the firewall (PAT) at site1 - however note the public range of 23.23.23.0/24 is configured at both Site-1 and Site-2 - so at the moment the internet cloud is preferring Site-1 to reach that range.
    2. If the internet link from INT-PRI at Site-1 fails, remote MPLS traffic destined for the internet will be forwarded out to the internet at Site-2.
    3. If the two MPLS links to Site-1 fail, INT-PRI will stop advertising the public range to the internet PE routers and traffic from the remote MPLS router destined for the internet will go out via Site-2.
    I have the tracking and dynamic routing failover setup between the sites all configured and worked out (I can provide the details of how INT-PRI tracks a sponge address in the MPLS cloud to determine whether or not it advertises the public range to the internet etc etc if you want, but on this question I want to focus on the firewalls).
    Currently the customer has resigned to having to do manual copying between the firewalls every time a change is made (i.e. there is no dynamic failover configured and the Site-2 firewall is just a clone that is kept up to date by their change management team).
    Is there a smart way to set up an Active-Standby configuration between these distant sites? Or at the very least dynamically copy the configuration to the backup every time a change is made? My first thought would be some kind of EEM or TCL script but I'm not that experienced with either. Alternatively, if there is a smart way to get the two firewalls talking over Layer 2 it might be a better way forward.
    Thanks in advance. Apologies for this question being too wordy.

    You could use Ethernet over MPLS (EoMPLS) or Virtual Private LAN Service (VPLS), though if I remember correctly this is limited to certain platforms and IOS versions.
    Here is a design guide you could have a read through on the options
    http://www.cisco.com/c/en/us/products/collateral/data-center-virtualization/data-center-interconnect/white_paper_c11_493718.html#wp9000079
    EoMPLS configuration guide:
    http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/Configuration/Guide/config_guide/eompls.html
    VPLS configuration guide:
    http://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_5/configuration/guide/cpt95_configuration/cpt95_configuration_chapter_011000.html
    Please remember to rate and select a correct answer

  • ASA failover with 1 AIP SSM in Active/Standby?

    I have a customer with two ASAs; in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob

    The only connection to the SSM that can be done internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.
    This is very useful when you manage your SSM directly through the CLI.
    However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.
    All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.
    All web connections must be made to the External Management interface of the SSM.
    If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.
    That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.
    But it does still require that wire connected to the external port of the SSM.

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    Can I add a single AIP-SSM on a Cisco ASA in failover active / standby mode?

    No, both units need the same hardware, that includes the installed modules.

  • PIX/ASA Failover conditions

    I have an ASA cluster in active/standby mode with a LAN cable connected for stateful failover. I want to know about the conditions under which the box fails over to the other. One parameter should be the hello timers going between the failover interfaces.
    Does this failover happen when the inside or outside interface of the primary ASA goes down?

    What type of Firewall is it? What version?
    For PIX 7.2 for example I would look at the configuration guide
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html
    In particular look at the section entitled "Failover Actions" for active/standby. There is a nice table of failover conditions there.
    Similar for other PIX/FWSM/ASA

  • ASA failover is not replicating configuration

    Hi:
    I discovered an issue with my Cisco ASA 5550: looking at the VLANs that I have configured, some VLANs on the standby device had no IP address configured. Checking the configuration of the failover I don't see anything wrong, so I don't know if maybe I'm missing something. Can you help me please, and if you need more information about my configuration let me know.
    Regards.

    There will only be a standby IP address assigned if the active configuration specifies one in the interface configuration section. It's optional whether or not to use standby IP addresses.

  • ASA has messages log in denied from CSM to ASA

    Hi Everyone,
    Since I added the ASA to CSM 4.3 our syslog server always sees the message
    : Login denied from x.x.x.x/56432 to inside y.y.y.y/https.or user ""
    where x is the CSM server IP
    and y is the firewall interface IP.
    And just a few secs after this message I can see the CSM has successfully logged in to the Cisco ASA.
    Need to know why I get this message with a blank username
    Regards
    Mahesjh
    Message was edited by: mahesh parmar

    Hi Marvin,
    I checked under Configuration Manager, right click on the firewall in question and choose Device Properties, Credentials.
    Under Primary Credentials the username, password and enable password are the same.
    Also below that under
    HTTP Credentials
    "Use Primary Credentials" is checked.
    Do I have to configure Credentials under the Policies window, Platform, Credentials also?
    Regards
    MAhesh

  • ASAs failover pair which design is the best

    Guys
    I am designing the firewall solution. I have 2 ASAs with 2 Switches. Please see the diagrams design1 and design2. Let me know your thoughts. Design 1 uses a stacking cable with 2 switches but in the diagram it is represented as one due to lack of diagram availability. Design 2 uses 2 switches connected separately. What are the advantages of one over the other?
    Thanks in advance.

    By all means you can use a switch to interconnect both ASAs, and it does not achieve anything different from using a cross-over cable for the purpose of deploying stateful failover.
    I have deployed at least 15 stateful failover ASAs over the course of a 14 year network career just by using a cross-over cable. If you weigh the pros and cons of using a switch vs the cross-over cable, I would say the cross-over cable has more pros than cons, and this is my take.
    Nothing against Cisco, but sometimes a Cisco recommendation also comes with a sales and marketing strategy.
    "Each interface should connect to a switch port so that the link status is always up"
    So does the cross-over cable, and there is an additional point of failure with a switch coming in between the ASA and a switch that is sending stateful sync data to the standby ASA.
    Thanks   

  • Will ASA-SSM-20 reload affect ASA failover?

    I have 2 ASA 5520s with an ASA-SSM-20 installed in each. The ASA-SSM-20 in the primary ASA is not working correctly:
    Error: Cannot communicate with mainApp (getVersion). Please contact your system administrator.
    Would you like to run cidDump?[no]:
    I would like to reload the module, but I don't know if that will cause the whole ASA to failover. The ASAs are running 7.2(3).
    Any thoughts?

    Thanks Brett.
    We are using stateful failover. Not all sessions get dropped, just enough Telnet and application interface links that we start getting calls and people show up at my door. This is on a new ASA5520 that normally runs <5% CPU utilization. I just checked: the failover link is set to 1000FULL so there should not be any delay updating state information.
    Am I missing something in the config?
    Portcullis# sho run failover
    failover
    failover lan unit primary
    failover lan interface heartbeat GigabitEthernet0/2
    failover polltime unit 3 holdtime 9
    failover replication http
    failover link heartbeat GigabitEthernet0/2
    failover interface ip heartbeat 172.31.0.201 255.255.255.0 standby 172.31.0.202
    Portcullis# sho run interface g0/2
    interface GigabitEthernet0/2
    description LAN/STATE Failover Interface
    speed 1000
    duplex full
    Portcullis#
    -Roy-

  • CISCO ASA Failover

    Can anyone tell me which protocol is used for failover in ASA & how it works?

    ASAs use keepalive packets between each other that are sent over the failover link. By using the keepalive packets, the standby ASA monitors the health status of the Active ASA. If the standby ASA stops receiving keepalive packets from the active ASA it will send out 3 test packets out the monitored interfaces. That is to say it will send test packets out the actual interfaces that will trigger a failover if one of them fails. If the standby ASA still does not receive a reply from the active ASA it will now assume that the active ASA is dead and will take over the role of active ASA.
    The failover link is also used to replicate the configuration between the active and standby ASAs.
    The state link is used to replicate the state table and other relevant active connection information.
    Please remember to rate and select a correct answer

  • ASA Failover pair Active/Standby

    Hi,
    Two days ago I had a problem with the secondary unit in the ASA HA. The problem was because the CX module failed in the secondary unit (service module failed), showing the standby unit failed in the "show fail" output.
    I just reloaded the CX module in the secondary unit and then it was working fine.
    Now the same problem is occurring on the Active unit. Kindly find the show fail output below. We are running ASA 5.1(5) on the ASA and the 9.3.2.1 system image on the CX module.
    SOC-FW# sh fail
    Failover On
    Failover unit Secondary
    Failover LAN Interface: fail-1 GigabitEthernet0/4 (up)
    Unit Poll frequency 1 seconds, holdtime 6 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 114 maximum
    Version: Ours 9.1(5), Mate 9.1(5)
    Last Failover at: 03:54:49 IST Mar 28 2015
            This host: Secondary - Active
                    Active time: 206373 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
                      Interface OUTSIDE (112.133.222.218): Normal (Monitored)
                      Interface INSIDE (10.0.60.1): Normal (Monitored)
                      Interface DMZ_1 (10.0.40.1): Normal (Monitored)
                      Interface DMZ_2 (10.0.50.1): Normal (Monitored)
                      Interface management (172.16.10.49): Normal (Not-Monitored)
                    slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Up)
                      ASA CX, 9.3.2.1, Up
            Other host: Primary - Failed
                    Active time: 326213 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
                      Interface OUTSIDE (112.133.222.219): Normal (Monitored)
                      Interface INSIDE (10.0.60.2): Normal (Monitored)
                      Interface DMZ_1 (10.0.40.2): Normal (Monitored)
                      Interface DMZ_2 (10.0.50.2): Normal (Monitored)
                      Interface management (172.16.10.50): Normal (Not-Monitored)
                    slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Down)
                      ASA CX, 9.3.2.1, Up
    Kindly help if anybody has the solution.
    Thanks in advance.
    Thanks and regards,
    Ashok Kumar S.

    Hi,
    Thank you for opening a separate thread. This seems to be an issue with the DATA plane going down on the CX module and causing the fail-over event.
    Were there any configuration / updates etc. done on the CX which caused this?
    I think this might require some diagnostics log analysis on the CX and so I would request you to open a Cisco TAC case.
    If you want you can send the diagnostics from the CX to my email address and I can check the issue if possible. ([email protected])
    Thanks and Regards,
    Vibhor Amrodia

  • ASA failover link over the etherchannel connected switches

    Hello,
    We have two ASA firewalls located in different locations.
    Firewalls are in Active/Standby modes.
    Failover links of firewalls are connected to two different switches.
    These switches are connected to each other with two dark fibers aggregated to Etherchannel (source-mac address mode)
    When one of the fiber links fails and then is immediately connected again, the secondary ASA goes to the Active state and then to the Standby state again.
    Please see the output below.
    The holddown timer is set to 15 seconds.
    What could be the cause of this state change?
    ciscoasa# sh failover history 
    ==========================================================================
    From State                 To State                   Reason
    ==========================================================================
    22:54:20 GET Apr 4 2014
    Standby Ready              Just Active                HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Just Active                Active Drain               HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Active Drain               Active Applying Config     HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Active Applying Config     Active Config Applied      HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Active Config Applied      Active                     HELLO not heard from mate
    22:54:42 GET Apr 4 2014
    Active                     Cold Standby               Failover state check
    22:54:43 GET Apr 4 2014
    Cold Standby               Sync Config                Failover state check
    22:55:36 GET Apr 4 2014
    Sync Config                Sync File System           Failover state check
    22:55:36 GET Apr 4 2014
    Sync File System           Bulk Sync                  Failover state check
    22:55:51 GET Apr 4 2014
    Bulk Sync                  Standby Ready              Failover state check

    Maybe spanning tree recalculation.  I know you said there was an etherchannel but I would make sure it is built properly.  Also run "Show spanning-tree detail" on the switches after you unplug/replug and check when the last topology change was.
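A small parser for the "show failover history" output posted in this thread and in the "secondary ASA disabled failover on its own" thread above, as an added Python example (not Cisco code and not anything posted by the participants). It reads the two-line records (a timestamp line, then From State / To State / Reason separated by runs of two or more spaces), then runs two checks a defender would want when reviewing such histories: how long a unit stayed on the active side before returning to Standby Ready (the flap in this thread), and whether the unit ever entered Disabled for a reason other than an operator command (the "HA state progression failed" case). The sample histories are copied from the two threads, the second one abbreviated to its last three records; the timezone token is kept as text and not interpreted.

```python
"""Parser and checks for 'show failover history' output (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (\w{3} \d{1,2} \d{4})$")


@dataclass
class Transition:
    when: datetime
    tz: str          # zone token exactly as printed (GET, MESZ); not interpreted
    from_state: str
    to_state: str
    reason: str


def parse_failover_history(text: str) -> List[Transition]:
    """Turn raw CLI output into Transition records."""
    records: List[Transition] = []
    pending: Optional[Tuple[datetime, str]] = None   # timestamp awaiting its state line
    for raw in text.splitlines():
        line = raw.strip()
        # skip blanks, the ==== rulers, the column header and any prompt echo
        if not line or line.startswith("=") or line.startswith("From State") or "#" in line:
            continue
        m = TS_RE.match(line)
        if m:
            when = datetime.strptime(f"{m.group(1)} {m.group(3)}", "%H:%M:%S %b %d %Y")
            pending = (when, m.group(2))
            continue
        fields = re.split(r"\s{2,}", line)   # states contain single spaces, columns 2+
        if pending is None or len(fields) != 3:
            raise ValueError(f"unexpected line in failover history: {raw!r}")
        records.append(Transition(pending[0], pending[1], *fields))
        pending = None
    return records


def failover_self_disabled(records: List[Transition]) -> List[Transition]:
    """Transitions into Disabled not caused by an operator command."""
    return [t for t in records
            if t.to_state == "Disabled" and "config command" not in t.reason]


def active_flaps(records: List[Transition]) -> List[timedelta]:
    """Time spent away from Standby Ready each time the unit left it and came back."""
    spans: List[timedelta] = []
    left_standby: Optional[datetime] = None
    for t in records:
        if t.from_state == "Standby Ready" and left_standby is None:
            left_standby = t.when
        elif t.to_state == "Standby Ready" and left_standby is not None:
            spans.append(t.when - left_standby)
            left_standby = None
    return spans


# Sample 1: the history posted in this thread.
FLAP_HISTORY = """ciscoasa# sh failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
22:54:20 GET Apr 4 2014
Standby Ready              Just Active                HELLO not heard from mate
22:54:20 GET Apr 4 2014
Just Active                Active Drain               HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Drain               Active Applying Config     HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Applying Config     Active Config Applied      HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Config Applied      Active                     HELLO not heard from mate
22:54:42 GET Apr 4 2014
Active                     Cold Standby               Failover state check
22:54:43 GET Apr 4 2014
Cold Standby               Sync Config                Failover state check
22:55:36 GET Apr 4 2014
Sync Config                Sync File System           Failover state check
22:55:36 GET Apr 4 2014
Sync File System           Bulk Sync                  Failover state check
22:55:51 GET Apr 4 2014
Bulk Sync                  Standby Ready              Failover state check
"""

# Sample 2: last three records of the history in the "disabled failover on its own" thread.
DISABLED_HISTORY = """07:57:34 MESZ Aug 15 2011
Active Config Applied      Active                     HELLO not heard from mate
07:58:03 MESZ Aug 15 2011
Active                     Cold Standby               Failover state check
07:58:18 MESZ Aug 15 2011
Cold Standby               Disabled                   HA state progression failed
"""

if __name__ == "__main__":
    for name, text in (("flap", FLAP_HISTORY), ("disabled", DISABLED_HISTORY)):
        recs = parse_failover_history(text)
        print(name, len(recs), "transitions;",
              "flaps (s):", [s.total_seconds() for s in active_flaps(recs)],
              "self-disabled:", [t.reason for t in failover_self_disabled(recs)])
```

On the first sample the unit is reported as having left Standby Ready for 91 seconds, which matches the flap the poster describes; on the second the check returns the Cold Standby to Disabled transition with reason "HA state progression failed", which is the event worth alerting on, since from that point the unit no longer participates in failover until someone re-enters the failover command.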
