
ASA 5545X OSPF Failover Issue

sandersjames
Level 1

Hi all, this is my first post since I didn’t have to ask for help before.

I'm experiencing something weird with the new ASA 5545X. Here's the setup before I start. I have two switches and two ASAs in active/standby as connected below. These devices are running OSPF 128 in one area (Area 0). I'm pinging from both laptops to each other both ways. The ASA has the latest "8.6.1-5" image. I've configured the firewall failover polltime to 1s with holdtime of 4s. Pings both ways OK.

                   <LAPTOP>   IP:10.112.132.10/24
                       |  [ACCESS PORT VLAN10] 
                 /  <SWITCH>  \ [SVI VLAN10: IP:10.112.132.1/24]
              /                  \ [SVI VLAN20: IP:10.113.128.11/28]
     .12   /   [ACCESS PORT VLAN20] \ .13
<ASA-ACTIVE> --- FOVER LINK --- <ASA-STANDBY>
     .4    \   [ACCESS PORT VLAN30] / .5
              \                 / [SVI VLAN30: IP:10.113.130.2/27]
                 \  <SWITCH>  / [SVI VLAN40: IP:10.113.130.17/27]
                       | [ACCESS PORT VLAN40]
                   <LAPTOP> IP: 10.113.130.20/27

I fail the primary firewall (ASA-ACTIVE). I get a 4-second ping loss, which is expected (holdtime); however, after 10 seconds of pings I get another outage which lasts anywhere between 5 and 15 seconds. I've done a fair amount of debugging and I did notice that the second outage occurs when the OSPF neighbor goes from "loading" to "full". This doesn't make any sense because the routing table is fully populated when going to “full”.

When performing a manual fail back (type failover active on ASA-ACTIVE), pings go on for approximately 10 seconds and then there is an outage of between 5 and 15 seconds. Again, this outage occurs when the OSPF neighbor goes from "loading" to "full".

I've tried debugging on the switches and found nothing. Could it be some LS updates going around causing OSPF to converge? I'm stuck and was hoping someone out there may know the cause before I log a TAC.

Thanks in advance.

James.

3 Replies

sandersjames
Level 1

No replies? I guess the information I supplied was too confusing. Here's a cut down version...

We have purchased a number of ASA5545-X with image asa861-5-smp-k8.bin. We’ve paired ASA5545-X in an active/standby configuration running OSPF using area 0 on both inside and outside interfaces.

When manually failing the active unit (command: failover active), we are seeing traffic (ICMP) being blocked through the ASA after OSPF adjacencies are restored (loading to full state). This outage varies from 5 to 15 seconds. I’m not able to identify the cause of this outage.

This also occurs when you perform a power down of the active ASA which occurs after the initial outage until the ASA failover hold time expires.

Ping to the inside and outside interfaces does not drop during this outage. The ASA is causing this outage and I need an explanation as to why it’s happening. This may not be OSPF related.

Hello James,

So just to understand,

As soon as failover happens, traffic through the box fails for 15 seconds. Please advise if that is correct.

Also, does this happen only to ICMP traffic?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

When you perform "no failover active" on the active ASA, the ping continues without any interruptions (during switching from Active to Standby) for approximately 8 to 10 seconds. At that point OSPF went from loading to full, and after this we have a 5 to 15 second outage (no fixed time).

The interesting thing is that when using static instead of OSPF we do not experience any of this 5 to 15 second outage.

I’m guessing it’s something to do with OSPF, perhaps an LS update, but this should have occurred during OSPF adjacency, and this outage starts after OSPF adjacency has gone to full.

BTW: I'm only using ICMP to test the convergence times.
