Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2705
Views
5
Helpful
3
Replies

Cisco ASA connection table in ACTIVE/STBY scenerio

CCOCNSC21
Level 1
Level 1

‎08-05-2018 10:35 PM - edited ‎02-21-2020 08:03 AM

Hi All,

 

Recently during IOS upgrade in Cisco ASA pair (active/stby), users experienced partial outage after I failed over the traffic to secondary ASA, while upgrading the primary. Basically connection table didnt get replicated completly. So how to check whether the connection table get fully converged after the upgrade ?

 

 


I failed the traffic to secondary from ACTIVE unit using "no failover active" after saw following message and thought connection table get  replicated as well. But it wasnt.

************WARNING****WARNING****WARNING********************************
Beginning configuration replication: Sending to mate.
ASA/act#
ASA/act# End Configuration Replication to mate, peer taking too long to move to

standby state.

 

 

ASA/act# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Standby Ready  Comm Failure             22:20:57 EST Jul 30 2018

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

2 people had this problem
0 Helpful
3 Replies 3

johnlloyd_13
Level 9
Level 9

‎08-06-2018 01:08 AM

hi,

you can issue a show conn to view state table on the ASA.

it's also wise to perform an ASA code upgrade in a maintenance window so end users are informed and covered for any disruptions.

also try to use the failover replication http command.

Jason Gervia
Cisco Employee
Cisco Employee

‎08-06-2018 01:07 PM

Do you have the output from a 'show run failover' command?

0 Helpful

CCOCNSC21
Level 1
Level 1
In response to Jason Gervia

‎08-06-2018 05:21 PM

ASA/act# sh running-config failover
failover
failover lan unit secondary
failover lan interface failover Vlan604
failover polltime unit msec 200 holdtime msec 800
failover polltime interface 1 holdtime 5
failover replication http
failover link statelink Vlan605
failover interface ip failover X.X.90.65 255.255.255.252 standby X.X.90.66
failover interface ip statelink X.X.90.5 255.255.255.252 standby X.X.90.6
ASA/act#

 

 

ASA/stby# sh running-config failover
failover
failover lan unit primary
failover lan interface failover Vlan604
failover polltime unit msec 200 holdtime msec 800
failover polltime interface 1 holdtime 5
failover replication http
failover link statelink Vlan605
failover interface ip failover X.X.90.65 255.255.255.252 standby X.X.90.66
failover interface ip statelink X.X.90.5 255.255.255.252 standby X.X.90.6
ASA/act#

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card