Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2075
Views
0
Helpful
3
Replies

asa 5525 failover issue

mickyq
Level 1
Level 1

‎06-30-2015 05:17 AM - edited ‎03-11-2019 11:12 PM

Hi

I am using a pair of 5525's with ver 9.1 ios.

The failover secondary unit goes into standby briefly then fails.

any help would be appreciated.

config:

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover link failover GigabitEthernet0/7
failover interface ip failover 1.1.1.1 255.255.255.0 standby 1.1.1.2

 

 

buffer log:

.%ASA-7-720042: (VPN-Secondary) Receiving Delete RAMFS message delete path /sessions/20480@1435494958/MISC from active unit

.%ASA-7-720042: (VPN-Secondary) Receiving Delete RAMFS message delete path /sessions/20480@1435494958/user:ssltest from active unit

.%ASA-1-104004: (Secondary) Switching to OK.

.%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=104,op=2,my=Standby Ready,peer=Active.

.%ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_standby_ready.

.%ASA-6-720040: (VPN-Secondary) VPN failover client is transitioning to standby state

.%ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=2, func=vpnfo_fsm_standby_ready.

.%ASA-7-720042: (VPN-Secondary) Receiving Command Link Bulk Sync message (Command 6) from active unit

.%ASA-7-720042: (VPN-Secondary) Receiving Sync Self-Signed Cert message (Interface outside) from active unit

.%ASA-7-720042: (VPN-Secondary) Receiving Sync Self-Signed Cert message (Interface inside) from active unit

.%ASA-7-720042: (VPN-Secondary) Receiving Sync Self-Signed Cert message (Interface management) from active unit

.%ASA-7-720042: (VPN-Secondary) Receiving WebVPN SYNC CSD XML Data message src flash:/sdesktop/data.xml, dst cache:/sdesktop/data.xml from active unit

.%ASA-7-720042: (VPN-Secondary) Receiving Trustpool certs message CLEAN from active unit

.%ASA-7-720042: (VPN-Secondary) Receiving Command Link Bulk Sync message (Command 7) from active unit

.%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_STANDBY_READY, my state Standby Ready, peer state Active.

.%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=80,my=Standby Ready,peer=Active.

.%ASA-6-720027: (VPN-Secondary) HA status callback: My state Standby Ready.

.%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Standby Ready, peer state Active.

.%ASA-1-105004: (Secondary) Monitoring on interface outside normal

.%ASA-1-105004: (Secondary) Monitoring on interface inside normal

.%ASA-1-105004: (Secondary) Monitoring on interface dmz1 normal

.%ASA-1-105004: (Secondary) Monitoring on interface dmz2 normal

.%ASA-1-105004: (Secondary) Monitoring on interface dmz3 normal

.%ASA-1-105004: (Secondary) Monitoring on interface dmz4 normal

.%ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=52,op=23,my=Failed,peer=Active.

.%ASA-7-720048: (VPN-Secondary) FSM action trace begin: state=, last event=, func=vpnfo_fsm_fail.

.%ASA-7-720049: (VPN-Secondary) FSM action trace end: state=, last event=, return=0, func=vpnfo_fsm_fail.

.%ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_FAILED, my state Failed, peer state Active.

.%ASA-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=405,op=20,my=Failed,peer=Active.

.%ASA-6-720027: (VPN-Secondary) HA status callback: My state Failed.

.%ASA-6-721002: (WebVPN-Secondary) HA status change: event HA_STATUS_MY_STATE, my state Failed, peer state Active.

Labels:
0 Helpful
3 Replies 3

Vibhor Amrodia
Cisco Employee
Cisco Employee

‎06-30-2015 06:07 PM

Hi,

Can you post the output of :-

show failover history

show failover state

from both the ASA units.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

mickyq
Level 1
Level 1
In response to Vibhor Amrodia

‎07-01-2015 07:57 AM

Hi Vibhor

primary history

From State                 To State                   Reason
==========================================================================
13:57:28 UTC May 26 2015
Not Detected               Negotiation                No Error

13:58:14 UTC May 26 2015
Negotiation                Just Active                No Active unit found

13:58:14 UTC May 26 2015
Just Active                Active Drain               No Active unit found

13:58:14 UTC May 26 2015
Active Drain               Active Applying Config     No Active unit found

13:58:14 UTC May 26 2015
Active Applying Config     Active Config Applied      No Active unit found

13:58:14 UTC May 26 2015
Active Config Applied      Active                     No Active unit found

12:18:53 UTC Jun 28 2015
Active                     Disabled                   Set by the config command

12:19:11 UTC Jun 28 2015
Disabled                   Negotiation                Set by the config command

12:19:13 UTC Jun 28 2015
Negotiation                Just Active                No Active unit found

12:19:13 UTC Jun 28 2015
Just Active                Active Drain               No Active unit found

12:19:13 UTC Jun 28 2015
Active Drain               Active Applying Config     No Active unit found

12:19:13 UTC Jun 28 2015
Active Applying Config     Active Config Applied      No Active unit found

12:19:13 UTC Jun 28 2015
Active Config Applied      Active                     No Active unit found

 

 

secondary history

From State                 To State                   Reason
==========================================================================
04:13:47 UTC Jun 28 2015
Not Detected               Negotiation                No Error

04:13:53 UTC Jun 28 2015
Negotiation                Cold Standby               Detected an Active mate

04:13:54 UTC Jun 28 2015
Cold Standby               Sync Config                Detected an Active mate

12:13:10 UTC Jun 28 2015
Sync Config                Sync File System           Detected an Active mate

12:13:10 UTC Jun 28 2015
Sync File System           Bulk Sync                  Detected an Active mate

12:13:24 UTC Jun 28 2015
Bulk Sync                  Standby Ready              Detected an Active mate

12:13:34 UTC Jun 28 2015
Standby Ready              Failed                     Interface check

12:18:53 UTC Jun 28 2015
Failed                     Disabled                   Set by the config command

12:19:13 UTC Jun 28 2015
Disabled                   Negotiation                Set by the config command

12:19:15 UTC Jun 28 2015
Negotiation                Cold Standby               Detected an Active mate

12:19:16 UTC Jun 28 2015
Cold Standby               Sync Config                Detected an Active mate

12:19:30 UTC Jun 28 2015
Sync Config                Sync File System           Detected an Active mate

12:19:30 UTC Jun 28 2015
Sync File System           Bulk Sync                  Detected an Active mate

12:19:43 UTC Jun 28 2015
Bulk Sync                  Standby Ready              Detected an Active mate

12:19:52 UTC Jun 28 2015
Standby Ready              Failed                     Interface check

11:50:59 UTC Jun 30 2015
Failed                     Standby Ready              Failover state check

11:51:10 UTC Jun 30 2015
Standby Ready              Failed                     Interface check

 

primary failover state


               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Ifc Failure              11:51:10 UTC Jun 30 2015
                              management: No Link

====Configuration State===
        Sync Done
====Communication State===
        Mac set

 

 

secondary failover state


               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Failed         Ifc Failure              11:51:10 UTC Jun 30 2015
                              management: No Link
Other host -   Primary
               Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

 

thanks

 

0 Helpful

mickyq
Level 1
Level 1

‎07-13-2015 07:54 AM

Hi

I found the problem. the managment interface on the secondary firewall wasnt connected so the interface was down.

thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card