ASA Failover Troubleshooting On 7.x and 8

This document provides guidance on troubleshooting ASA failover issues in Cisco ASA versions 7.x and 8.x. It lists common error messages related to failover link issues, configuration problems, and possible upgrade issues. It then provides recommendations for resolving failover issues, such as checking network cables, switch port settings, and using the "show fail" command to check the failover state and monitoring links.

Uploaded by Akash Thakur

12/19/2017 ASA failover troubleshooting on 7.x and 8.x - from blog post Cisco (DataTravelers BLOG)


Cisco - ASA failover troubleshooting on 7.x and 8.x




Cisco ASA failover can fail in complicated ways, and if you have had to troubleshoot these
issues, they are known to be cumbersome. This document is somewhat of a living testament to
my experience with these issues, and I will be quickly transforming it into a resource for people
who find themselves in similar situations.

Errors related to Layer 1-3 issues on failover link:
%ASA-1-101001: (Primary) Failover cable OK.
%ASA-1-101002: (Primary) Bad failover cable.
%ASA-1-101003: (Primary) Failover cable not connected (this unit).
%ASA-1-101004: (Primary) Failover cable not connected (other unit).
%ASA-1-101005: (Primary) Error reading failover cable status.
%ASA-1-102001: (Primary) Power failure/System reload other side.
%ASA-1-103001: (Primary) No response from other firewall (reason code = code).
%ASA-1-103003: (Primary) Other firewall network interface interface_number failed.
%ASA-1-105011: (Primary) Failover cable communication failure
%ASA-1-105006: (Primary) Link status 'Up' on interface interface_name.
%ASA-1-105007: (Primary) Link status 'Down' on interface interface_name.
%ASA-1-105032: LAN Failover interface is down

Issues typical to configuration problems:
%ASA-1-105040: (Primary) Mate failover version is not compatible.
%ASA-1-105039: (Primary) Unable to verify the Interface count with mate. Failover may be disabled in mate.
%ASA-1-105038: (Primary) Interface count mismatch

Possible upgrade issues:
%ASA-1-105037: The primary and standby units are switching back and forth as the active unit.
%ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed (IDS/SSM Modules)

Remediation:
1. Check the network cables connected to the interface in the waiting/failed state and, if
possible, replace them. Always start with layer 1 and 2 connectivity for these types of issues and
confirm the ports are negotiating, linked and communicating.
2. If there is a switch connected between the two units, verify that the networks connected to
the interface in the waiting/failed state function correctly.
3. Check the switch port connected to the interface in the waiting/failed state and, if
possible, use another FE port on the switch.
4. Check that you have enabled PortFast and disabled both trunking and channeling on the
switch ports that are connected to the interface. The port needs to be an access port.
5. Check the output of “sh fail” for a failed device state and information on the monitoring links.

infolab-external/act# sh fail ?

  descriptor  Show failover interface descriptors. Two numbers are shown for
              each interface. When exchanging information regarding a
              particular interface, this unit uses the first number in message
              it sends to its peer. And it expects the second number in
              messages it receives from its peer. For trouble shooting, collec
              the show output from both units and verify that the numbers
              match.
  exec        Show failover command execution information
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers

infolab-external/act# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: sync Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(4)5, Mate 8.4(4)5
Last Failover at: 14:25:46 UTC Jul 23 2013
        This host: Primary - Active
                Active time: 23200414 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(4)5) status (Up Sys)
                  Interface outside (140.0.0.0): Normal (Monitored)
                  Interface inside (10.0.0.0): Normal (Monitored)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(7)E4) status (Up/Up)
                  IPS, 7.1(7)E4, Up
        Other host: Secondary - Standby Ready
                Active time: 2996 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(4)5) status (Up Sys)
                  Interface outside (140.0.0.0): Normal (Monitored)
                  Interface inside (10.0.0.0): Normal (Monitored)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(7)E4) status (Up/Up)
                  IPS, 7.1(7)E4, Up

Stateful Failover Logical Update Statistics
        Link : sync Ethernet0/3 (up)
        Stateful Obj    xmit        xerr   rcv       rerr
        General         378041693   0      3144312   4
        sys cmd         3093847     0      3093847   0
        up time         0           0      0         0
        RPC services    0           0      0         0
        TCP conn        331924094   0      43279     4
        UDP conn        42327883    0      7117      0
        ARP tbl         574857      0      51        0
        Xlate_Timeout   0           0      0         0
        IPv6 ND tbl     0           0      0         0
        VPN IKEv1 SA    8599        0      0         0
        VPN IKEv1 P2    104162      0      17        0
        VPN IKEv2 SA    0           0      0         0
        VPN IKEv2 P2    0           0      0         0
        VPN CTCP upd    0           0      0         0
        VPN SDI upd     0           0      0         0
        VPN DHCP upd    0           0      0         0
        SIP Session     640         0      0         0
        Route Session   0           0      0         0
        User-Identity   7611        0      1         0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       17      3156810
        Xmit Q:         0       1473    454653330
infolab-external/act#
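
One way to automate the step 5 check over saved "sh fail" output, as an added example that is not part of the original post: the function name check_failover, the sample text (constructed in the format shown above, with faults introduced) and the choice of "Active" and "Standby Ready" as the only healthy unit states are assumptions.

```python
import re

# Constructed sample in the format of the "sh fail" output above, altered
# so that there is something to report (not captured from a real device).
SAMPLE = """\
Failover LAN Interface: sync Ethernet0/3 (up)
Version: Ours 8.4(4)5, Mate 8.4(4)3
This host: Primary - Active
  Interface outside (140.0.0.0): Normal (Monitored)
  Interface inside (10.0.0.0): Normal (Monitored)
Other host: Secondary - Failed
  Interface outside (140.0.0.0): Normal (Monitored)
  Interface inside (10.0.0.0): No Link (Monitored)
Link : sync Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 378041693 0 3144312 4
TCP conn 331924094 0 43279 4
UDP conn 42327883 0 7117 0
"""

def check_failover(text):
    """Return a list of findings from 'show failover' text."""
    findings, host, in_stats = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Failover LAN Interface: (\S+) (\S+) \((.+)\)", line):
            if m[3] != "up":
                findings.append(f"failover link {m[2]} is {m[3]}")
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            if m[1] != m[2]:
                findings.append(f"version mismatch: ours {m[1]}, mate {m[2]}")
        elif m := re.match(r"(This|Other) host: (\S+) - (.+)", line):
            host = f"{m[1]} host ({m[2]})"
            # Assumption: any state other than these two deserves a look.
            if m[3] not in ("Active", "Standby Ready"):
                findings.append(f"{host} state is {m[3]}")
        elif m := re.match(r"Interface (\S+) \(([\d.]+)\): (.+?) \((.+)\)$", line):
            if m[3] != "Normal":
                findings.append(f"{host} interface {m[1]} is {m[3]}")
        elif line.startswith("Stateful Obj"):
            in_stats = True  # counter rows follow this header
        elif in_stats and (m := re.match(r"(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$", line)):
            if int(m[3]) or int(m[5]):  # non-zero transmit or receive errors
                findings.append(f"{m[1]}: xerr={m[3]} rerr={m[5]}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_failover(SAMPLE)))
```

Run against output collected from both units, the same function makes it easy to compare what each side reports about its mate.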

Take notice of the output from “sh fail hist” and the reasons provided by this output.
infolab-external/act# sh fail hist
==========================================================================
From State                 To State                   Reason
==========================================================================
13:04:46 UTC Oct 29 2012
Not Detected               Negotiation                No Error
13:05:32 UTC Oct 29 2012
Negotiation                Just Active                No Active unit found
13:05:32 UTC Oct 29 2012
Just Active                Active Drain               No Active unit found
13:05:32 UTC Oct 29 2012
Active Drain               Active Applying Config     No Active unit found
13:05:32 UTC Oct 29 2012
Active Applying Config     Active Config Applied      No Active unit found
13:05:32 UTC Oct 29 2012
Active Config Applied      Active                     No Active unit found
13:35:51 UTC Jul 23 2013
Active                     Standby Ready              Other unit wants me Stan
13:35:52 UTC Jul 23 2013
Standby Ready              Failed                     Detect service card fail
13:43:52 UTC Jul 23 2013
Failed                     Standby Ready              My service card is as go
14:25:46 UTC Jul 23 2013
Standby Ready              Just Active                Service card in other un
14:25:46 UTC Jul 23 2013
Just Active                Active Drain               Service card in other un
14:25:46 UTC Jul 23 2013
Active Drain               Active Applying Config     Service card in other un
14:25:46 UTC Jul 23 2013
Active Applying Config     Active Config Applied      Service card in other un
14:25:46 UTC Jul 23 2013
Active Config Applied      Active                     Service card in other un
==========================================================================
infolab-external/act#

Consider running a debug to generate more specific logs:

hyat1hcnmfmfw02/act# debug fover ?

  cable     Failover LAN status
  cmd-exec  Failover EXEC command execution
  fail      Failover internal exception
  fmsg      Failover message
  ifc       Network interface status trace
  open      Failover device open
  rx        Failover Message receive
  rxdmp     Failover recv message dump (serial console only)
  rxip      IP network failover packet recv
  switch    Failover Switching status
  sync      Failover config/command replication
  tx        Failover Message xmit
  txdmp     Failover xmit message dump (serial console only)
  txip      IP network failover packet xmit
  verify    Failover message verify

Note that this pair of devices includes SSM modules. In the case of a card goi
