[c-nsp] ASA5585-X IPS Upgrade causes ASA failover

Antonio Soares amsoares at netcabo.pt
Tue Jan 22 06:21:08 EST 2013


TAC tells me that it is related to this bug:

+++++++++++++++++++++++++++++++
CSCud41702 Bug Details 

IPS: After IPS config change, a false failover occurs with the ASA 

Symptom:

Immediately after an IPS config change, an ASA failover occurs with the
following messages:

Nov 14 23:01:41 10.30.91.76 ASA-1-505013 ASA5585-SSP-IPS40 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
Nov 14 23:01:45 10.30.91.76 ASA-1-505015 ASA5585-SSP-IPS40 Module in slot 1, application up "IPS", version "7.1(6)E4" Normal Operation
Nov 14 23:01:45 10.30.91.76 ASA-1-323006 ASA5585-SSP-IPS40 Module in slot 1 experienced a data channel communication failure, data channel is DOWN.

Conditions:
ASA-IPS pair in failover running code versions 8.4(4)1 and 7.1(6)E4,
respectively

Workaround:
None
+++++++++++++++++++++++++++++++

Fixed-In: Release-Pending


Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
Sent: Friday, January 18, 2013 19:23
To: 'Pete Lumbis'
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

Just found that even with a basic configuration change like enabling a
signature, I have a failover... Is this normal ?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
Sent: Friday, November 9, 2012 23:56
To: 'Pete Lumbis'
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

Thanks, it seems to be another enhancement that won't see the light of day...
Found in 8.0.3... Code that is almost 5 years old...


Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net



-----Original Message-----
From: Pete Lumbis [mailto:alumbis at gmail.com]
Sent: Friday, November 9, 2012 22:06
To: Antonio Soares
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

CSCsm81086 - Allow user to exclude the status of the SSM or SSP from
failover checks

Still in the New state :(

On Fri, Nov 9, 2012 at 3:08 PM, Antonio Soares <amsoares at netcabo.pt> wrote:
> Hello group,
>
> I had a bad surprise today, I was updating the IPS software of two
> ASA5585-SSP-IPS10 modules and found that it caused the Failover of the
> parent ASA5585-SSP-10. It seems this is the normal behavior
> (https://supportforums.cisco.com/thread/2035549) but I was not
> expecting this at all. I'm not using any of the SSP-IPS10 interfaces,
> thus there is no monitoring on those interfaces, so why the hell is it
> like this? I knew that the IPS upgrade would cause the module
> reload but taking into account what I mentioned, it caught me
> completely by surprise. This should not be a big problem but since I
> have OSPF running on the ASAs, Failover is something that breaks a lot
> of things. No NSF support... :(
>
> Does anyone know if it is possible to disable this behavior, I mean, the
> implicit monitoring of the IPS module? This is what failover history
> shows me:
>
> 18:36:55 WEST Nov 9 2012
> Standby Ready              Just Active                Service card in other unit has failed
> 18:36:55 WEST Nov 9 2012
> Just Active                Active Drain               Service card in other unit has failed
> 18:36:55 WEST Nov 9 2012
> Active Drain               Active Applying Config     Service card in other unit has failed
> 18:36:55 WEST Nov 9 2012
> Active Applying Config     Active Config Applied      Service card in other unit has failed
> 18:36:55 WEST Nov 9 2012
> Active Config Applied      Active                     Service card in other unit has failed
>
> Is this really the expected behavior ? I'm still trying to find where 
> this is documented.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
> http://www.ccie18473.net
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
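
Added example, not part of the original thread and not Cisco code: a log check that flags the message sequence quoted in the CSCud41702 bug details, where a 505013 "Config Change" reload of the IPS module is followed shortly by a 323006 data channel DOWN on the same host. The 30-second window, the year, the function name and the fourth sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed correlation window; tune per site
YEAR = 2012                     # syslog timestamps carry no year (assumed)

LINE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                  r'ASA-\d-(?P<id>\d{6}) (?P<msg>.*)$')

# Lines 1-3: the messages quoted in the bug details, re-joined.
# Line 4: constructed, a data channel failure with no preceding reload.
SAMPLE = [
    'Nov 14 23:01:41 10.30.91.76 ASA-1-505013 ASA5585-SSP-IPS40 Module in '
    'slot 1, application reloading "IPS", version "7.1(6)E4" Config Change',
    'Nov 14 23:01:45 10.30.91.76 ASA-1-505015 ASA5585-SSP-IPS40 Module in '
    'slot 1, application up "IPS", version "7.1(6)E4" Normal Operation',
    'Nov 14 23:01:45 10.30.91.76 ASA-1-323006 ASA5585-SSP-IPS40 Module in '
    'slot 1 experienced a data channel communication failure, '
    'data channel is DOWN.',
    'Nov 15 02:10:00 10.30.91.77 ASA-1-323006 ASA5585-SSP-IPS40 Module in '
    'slot 1 experienced a data channel communication failure, '
    'data channel is DOWN.',
]


def find_config_change_channel_drops(lines, window=WINDOW):
    """Return (host, reload_time, down_time) for every 323006 data channel
    failure seen within `window` after a 505013 'Config Change' reload."""
    last_reload = {}  # host -> time of most recent config-change reload
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an ASA message in the format shown on the page
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        host, msg_id, msg = m["host"], m["id"], m["msg"]
        if msg_id == "505013" and "Config Change" in msg:
            last_reload[host] = ts
        elif msg_id == "323006" and "data channel is DOWN" in msg:
            start = last_reload.get(host)
            if start is not None and timedelta(0) <= ts - start <= window:
                hits.append((host, start, ts))
    return hits


if __name__ == "__main__":
    for host, reload_ts, down_ts in find_config_change_channel_drops(SAMPLE):
        print(f"{host}: data channel DOWN {(down_ts - reload_ts).seconds}s "
              f"after IPS config-change reload at {reload_ts:%b %d %H:%M:%S}")
```

A 323006 with no recent config-change reload on the same host, like the constructed fourth line, is not flagged and should be treated as a possible genuine module fault.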
