[c-nsp] ASA 5510 Configuration Replication Failure

Ryan West rwest at zyedge.com
Thu Jun 11 17:16:48 EDT 2009


Have you tried a crossover?  Can you post 'show run failover' ?  A console on the standby firewall might reveal something during the replication process too.

-ryan

-----Original Message-----
From: Jeff Wojciechowski [mailto:Jeff.Wojciechowski at midlandpaper.com] 
Sent: Thursday, June 11, 2009 3:16 PM
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: RE: ASA 5510 Configuration Replication Failure

Ryan,

Thx for the heads up on the 8.0(3) bugs.

I blew away the configs on the secondary unit - upgraded to 8.0(4) on both units, re synched and the synch interface goes line protocol down and got this:

OUTPUT FROM SECONDARY:
______________________

        Detected an Active mate
 Beginning configuration replication from mate.
Failover LAN Failed

        Switching to Active

VaultASA(config-if)# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet0/3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 14:05:04 CDT Jun 11 2009
        This host: Secondary - Active
                Active time: 53 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface outside (172.20.50.16): Normal (Waiting)
                  Interface inside (172.20.40.16): Normal (Waiting)
                slot 1: empty
        Other host: Primary - Failed
                Active time: 204 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Unknown/Unknown)
                  Interface outside (172.20.50.17): Unknown (Waiting)
                  Interface inside (172.20.40.17): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/3 (Failed)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Sh Fail on Primary (after failure):
___________________________________

VaultASA# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 14:01:27 CDT Jun 11 2009
        This host: Primary - Active
                Active time: 387 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface outside (172.20.50.16): Normal (Waiting)
                  Interface inside (172.20.40.16): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Unknown/Unknown)
                  Interface outside (172.20.50.17): Unknown (Waiting)
                  Interface inside (172.20.40.17): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/3 (Failed)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0


To answer your question - the failover interfaces are connected directly using a straight thru cable - the interfaces come 'up' long enough to synch and then immediately go down after a synch. And yes we tried different cable(s) on the synch interface :o)


Thanks,

-Jeff


-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com] 
Sent: Thursday, June 11, 2009 1:16 PM
To: Jeff Wojciechowski; cisco-nsp at puck.nether.net
Subject: RE: ASA 5510 Configuration Replication Failure

Jeff,

It's hard to tell exactly what happened based on your post, can you do a 'show failover'?  When the ASA's are paired, you should only need to do a wr to save config on both.  Try erasing the config on the backup ASA, regenerate your RSA key with your new hostname (on the primary), re-enter the failover commands (on the standby) and see if it sync's up again.  You should consider moving away from 8.0(3), there a number of publicized security risks with it.  The interim releases should have much fewer bugs as well.

As for the failover interface, are you using a crossover or does it connect to a switch?

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wojciechowski
Sent: Thursday, June 11, 2009 12:38 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA 5510 Configuration Replication Failure

Dearest List:

We are building a new active/standby ASA cluster with 5510's and the initial config synch went just fine.

However, when we changed the hostname on the primary unit and did a 'write standby' I got the following:

VaultASA(config)# wr stan
Building configuration...
[OK]
VaultASA(config)# Beginning configuration replication: Sending to mate.
Failover LAN Failed
Configuration Replication Failure
sh ver

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(5)

Another interesting point about this is that both units show the synch interface (E0/3 on both units in our case) show line protocol down.

VaultASA(config)# sh int e0/3
Interface Ethernet0/3 "failover", is down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Full-Duplex, 100 Mbps
        Description: LAN/STATE Failover Interface
        MAC address 0024.14d3.7b37, MTU 1500
        IP address x.x.x.x, subnet mask 255.255.255.0
        558 packets input, 49468 bytes, 0 no buffer
        Received 3 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        499 packets output, 71296 bytes, 0 underruns
        0 output errors, 0 collisions, 9 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/25) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "failover":
        558 packets input, 39264 bytes
        502 packets output, 59800 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
VaultASA(config)#

Ideas?

Thanks in advance.

Jeff
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/




More information about the cisco-nsp mailing list