Unwanted ASA Failover Due To SFR Error


Scenario
Make: Cisco
Model: Cisco 5500-x Series Firewall with FirePower
Mode: CLI [Command Line Interface]
Description: Cisco ASA in failover mode is triggering unwanted automatic failover events due to false SFR errors.

Step1: Check SFR Module status in failover mode. This step checks whether the SFR module on both firewall units is up and connected.

edledge-asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FO GigabitEthernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 310 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.13(1)10, Mate 9.13(1)10
Serial Number: Ours JAD23XXXXXX, Mate JAD23XXXXXX
Last Failover at: 13:02:21 PHST Jul 11 2020
This host: Primary - Active
Active time: 7877453 (sec)
slot 1: ASA5508 hw/sw rev (3.3/9.13(1)10) status (Up Sys)
Interface wan (103.1.2.2): Normal (Waiting)
Interface wan1 (211.5.6.2): Normal (Not-Monitored)
Interface SD-WAN (192.0.2.25): Normal (Waiting)
Interface Management (10.6.117.1): Normal (Not-Monitored)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Not-Monitored)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 1: ASA5508 hw/sw rev (3.3/9.13(1)10) status (Up Sys)
Interface outside (0.0.0.0): Normal (Waiting)
Interface outside1 (0.0.0.0): Normal (Not-Monitored)
Interface SD-WAN (0.0.0.0): Normal (Waiting)
Interface Management (10.6.117.2): Normal (Not-Monitored)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Not-Monitored)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Not-Monitored)

Stateful Failover Logical Update Statistics
Link : Stateful_FO GigabitEthernet1/5 (up)
Stateful Obj xmit xerr rcv rerr
General 307151681 0 1218038 1113
sys cmd 1050750 0 1050749 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 131047508 0 91773 599
UDP conn 130308241 0 58539 511
ARP tbl 38316258 0 14642 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 6420815 0 2331 0
VPN IKEv2 P2 8107 0 2 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Route Session 1 0 1 3
Router ID 0 0 0 0
User-Identity 1 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 58 9119985
Xmit Q: 0 132 356504303
edledge-asa#

Step2: Check the SFR policy map. This step verifies which failure mode (fail-open or fail-close) is configured for traffic if the SFR card fails.

edledge-asa# show service-policy sfr

Global policy:
Service-policy: global-policy
Class-map: SFR
SFR: card status Up, mode fail-open
packet input 119820096, packet output 119849191, drop 0, reset-drop 0

There are two possible outcomes if the SFR module fails to work: either traffic stops completely or traffic bypasses the SFR module. We can choose and configure either behaviour as per our requirement. Both options are described below.

mode fail-open – If the SFR card fails, traffic is not blocked or stopped; it bypasses the module.

mode fail-close – If the SFR card fails, all traffic through the SFR class is blocked or stopped.

Step3: Check the global policy to ensure “SFR fail-open” is enabled so that traffic can still flow if the module fails.

edledge-asa# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global-policy
class SFR
sfr fail-open
class NetFlow
flow-export event-type all destination 10.10.1.10
class global-class
inspect pptp

Step4: Check whether the SFR (service module) is being monitored by failover.

edledge-asa# sh run all monitor-interface
monitor-interface wan
no monitor-interface wan1
monitor-interface SD-WAN
no monitor-interface Management
monitor-interface service-module

In the above step, the output of “sh run all monitor-interface” shows that monitoring of the service module is enabled, so a false SFR error is treated as a unit health failure and triggers failover. To disable monitoring of the service module, follow step 5.

Step5: Disable SFR module monitoring.

edledge-asa# conf t
edledge-asa(config)# no monitor-interface service-module

Step6: Check and confirm the Module monitoring status.

edledge-asa# sh run all monitor-interface
monitor-interface outside
no monitor-interface outside1
monitor-interface SD-WAN
no monitor-interface Management
no monitor-interface service-module

Re-Enable Monitoring: If you want to re-enable the monitoring of the service module, follow step 7.

Step7: Re-enable the SFR Module monitoring.

edledge-asa# conf t
edledge-asa(config)# monitor-interface service-module
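As an added check (not from the original article), the following Python script parses the three outputs used in Steps 1, 2 and 4 and reports whether the service module is still monitored for failover and what happens to traffic if the card fails; the sample outputs are constructed from the ones shown above.

```python
import re

# Constructed samples, modelled on the CLI output in the steps above
# (not captured from a real device).
FAILOVER_OUT = """\
This host: Primary - Active
slot 1: ASA5508 hw/sw rev (3.3/9.13(1)10) status (Up Sys)
slot 2: SFR5508 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Not-Monitored)
"""
POLICY_OUT = "Class-map: SFR\nSFR: card status Up, mode fail-open\n"
MONITOR_BEFORE = "monitor-interface wan\nno monitor-interface wan1\nmonitor-interface service-module\n"
MONITOR_AFTER = "monitor-interface wan\nno monitor-interface wan1\nno monitor-interface service-module\n"


def service_module_monitored(monitor_cfg):
    """True if 'show run all monitor-interface' enables service-module monitoring.
    Exact-line match, so 'no monitor-interface service-module' is not mistaken for enabled."""
    return any(l.strip() == "monitor-interface service-module" for l in monitor_cfg.splitlines())

def sfr_policy(policy_out):
    """Return (card status, fail mode) from 'show service-policy sfr'."""
    m = re.search(r"SFR: card status (\S+), mode (fail-(?:open|close))", policy_out)
    return (m.group(1), m.group(2)) if m else (None, None)

def sfr_slot_status(failover_out):
    """Return the SFR slot status string from 'show failover', e.g. 'Up/Up'."""
    m = re.search(r"slot \d+: SFR\S* .*?status \(([^)]+)\)", failover_out)
    return m.group(1) if m else None

def assess(failover_out, policy_out, monitor_cfg):
    """List the failover-related risks the outputs reveal; [] means none."""
    findings = []
    status, mode = sfr_policy(policy_out)
    if service_module_monitored(monitor_cfg):
        findings.append("service-module monitored: an SFR error triggers a unit failover")
    if mode == "fail-close":
        findings.append("sfr fail-close: a module failure stops all traffic in class SFR")
    slot = sfr_slot_status(failover_out)
    if slot is not None and slot != "Up/Up":
        findings.append(f"SFR slot status is {slot}, not Up/Up")
    if status not in (None, "Up"):
        findings.append(f"SFR card status is {status}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before step 5", MONITOR_BEFORE), ("after step 5", MONITOR_AFTER)):
        print(label, assess(FAILOVER_OUT, POLICY_OUT, cfg) or ["no failover risk from SFR"])
```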

If the issue is still not resolved, contact Cisco TAC for further troubleshooting, or try re-imaging the ASA SFR module to see if that helps. Note that once the ASA SFR module is re-imaged you may need to activate the ASA FirePOWER license again.

Source : Knowledge Base, Lab, Cisco

EA00030
