ASA Failover Failed - ASA "crashed"

Eric Snijders · ‎12-03-2017

Today we experienced something weird. We have 2 ASA5515's in failover state. Checking the logs, every failover check was fine until the secondary reported "Ifc Faillure". After that our Active unit also became "unresponsive"from the network (both units were responsive with console cable but there was no time to troubleshoot right that time) and we had to reload both units to get everything back up.The Active unit is up and running and the Secondary is up and "Standby Ready".

Reloading the units also seemed to have "wiped" the show failover history. How can i investigate what happened now? We're having serious doubts about the failover now.

johnlloyd_13 · ‎12-03-2017

hi,

it's generally a good idea to retrieve logs and show command output before reloading the box.

you can use the show crashinfo command and open a TAC case. TAC can debug and have to tools to know what went wrong on your ASA pair.

Eric Snijders · ‎12-04-2017

Thank you for the information. Too bad there is no crashinfo since the units didn't completely crash. The problems we saw was:

- Secondary Unit reporting "(Secondary) Failover interface failed"

- 8 Seconds later Primary Unit reporting "(Primary) Failover interface failed"

The strange thing is that i wasn't able to SSH into any of the 2 ASA's, but both ASA's were still logging to our LogServer. There were also other signs of netwerk issue's.

Besided saving the logs before reloading next time, is there any other useful things i could check?

Rahul Govindan · ‎12-04-2017

Are the 2 ASA's connected directly to each other via the failover link (i.e.; not through a switch)? It may be possible that both the ASA's became active at the same time if the failover interface became down on both sides. That's why any traffic destined to the active or standby unit fails. Syslog from the ASA's is one way in the other direction, so wont be affected.