Cisco :: ASA 5520 - LU Allocate Xlate Failed / Failover Unit Reloads
Mar 24, 2010
We just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007:
LU allocate x late failed, errors prior to the reload. These units had just had their OS upgraded to fix a DOS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS.Two units in failover.
Cisco Adaptive Security Appliance Software Version 8.0(5)9 Device Manager Version 6.0(2). Compiled on Mon 01-Feb-10 10:36 by buildersSystem image file is
"disk0:/asa805-9-k8.bin"Config file at boot was "startup-config"
CP-ASA up 17 days 21 hoursfailover cluster up 17 days 22 hours
[code]....
View 1 Replies
ADVERTISEMENT
Oct 10, 2011
we have two ASA 5520, on the failover unit is showing LU allocate xlate failed. We read on [URL] that it could be a memory problem , but have cheked it and we have 85% of memory free on both nodes. We also can see all xlate on failover unit.
We have forced failover this evenig and we can´t stablish outbound connexions by outside interface, we think xlates or nat cant work properly.
View 5 Replies
View Related
Sep 13, 2011
I got an asa5510. After problems with ipsec connections the log said :
LU allocate xlate failed this error repeats every minute. At the cisco site i found the following :
explantion : stateful failover failed to allocate a translation (xlate) slot record recommended Action : check the available memory by using the show memory command to make sure that the security appliance had free memory in the system. If no memory is available, add more memory
But when i do there is free memory. (about 54%)
What can i do to fix this ?
View 2 Replies
View Related
Oct 9, 2012
I am currently getting a strange error when trying to use and crypto services on our ASA 5520 (8.0.3)Initially I observed that a connected VPN had dropped.Then when I attempted to use ASDM or SSH I was blocked.
In the end I opened telnet as a test and this was successful. Syslog also shows that traffic is passing as normal.The only obvious error I can see when observing various debug traces is this;
FW02# CTM: rsa session with no priority allocated @ 0xCF1FBBA0
CTM: Session 0xCF1FBBA0 uses a nlite (Nitrox Lite) as its hardware engine
CTM: rsa context allocated for session 0xCF1FBBA0
CTM: rsa session with no priority allocated @ 0xCE7A5EA8
[code]....
View 5 Replies
View Related
May 12, 2011
What process I need to follow to rebuild my failover unit? I've had to turn it off because it seems that both the primary and secondary were thinking they should both be the active unit. I'm not sure why. But in turning off the failover, I had internet access again. So I think I want to rebuild the secondary unit's configuration. Do I need to turn off failover from the primary unit first? Disconnect the secondary unit, console into it and remove the configuration (command to remove from flash?)? Rebuild the interfaces..all interfaces or just STATE between the units? Just trying to get a list of the process
View 1 Replies
View Related
Jan 2, 2012
So i setup a failover active / passive with 2 ASA5520's
Primary asa has 750 Anyconnect vpn licensing and the secondary asa has 2 Anyconnect licenses
I haven't setup the second asa with the new 750 licenses i purchased but when i do a show version it shows that the failover licensed features shows 750...
Does this mean i do not have to install the secondary anyconnect licenses on the standby ASA unit?
output of secondary asa
:
Licensed features for this platform:Maximum Physical Interfaces : Unlimited perpetualMaximum VLANs : 150 perpetualInside Hosts : Unlimited perpetualFailover : Active/Active
[Code]......
View 1 Replies
View Related
Apr 10, 2012
i just received a RMA for failed ASA 5520 that was acting as secondary unit in multicontext configuration. What would be correct procedure to install it back in production? Do i need to restore backed up config of the fallen unit or is it just enough to enable multimode and connect to existing (primary) unit? Any good link for documentation that deal with this issues.
View 5 Replies
View Related
Mar 14, 2013
I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization into ACS 5.1, however command authorization is failing when I try to execute a command on the standby from the active unit...
failover exec standby dir disk0:/
Fallback authorization. Username 'adminuser' not in LOCAL database Command authorization failed
I don't even see the authentication attempt going into ACS.
View 2 Replies
View Related
Jun 7, 2011
We saw this syslog on ASA5585 with version 8.4(1). I have two HA firewall pairs (contains 4 ASA5585, active/standby), and I saw this message on the standby ones.
Jun 7 07:36:26 10.99.96.32 last message repeated 4 times
Jun 7 07:36:26 10.99.96.32 :Jun 07 07:36:26 HKST: %ASA-ha-3-210005: LU allocate connection failed
[Code]....
View 4 Replies
View Related
Feb 17, 2013
Customer is running ASA 5550 with software 8.2.5 version.
They continously get the below messages
%ASA-3-210005: LU allocate connection failed
%ASA-3-210007: LU allocate xlate failed
I have already searched in the forums and also BUG toolkit, These issue has either been resolved in prior relases or in 8.4 .x train. I didnt find any bug which says that it has been found in 8.2.5 release.
I have also run "show conn count" and "show xlate count" I see these is difference in count output.
From Standby
COGINBLRMBPB1INTF1# show conn count
6097 in use, 17220 most used
COGINBLRMBPB1INTF1# sh xlate count
[Code].....
View 2 Replies
View Related
Oct 10, 2012
I have the ASA5520, everyday I have a lot of connections through my ASA5520. But buffer in ASA5520 to save connections is limited. Now, I want my ASA can auto save the conn detail and Xlate to my Syslog server, how can i do that?
View 3 Replies
View Related
Jun 11, 2009
we are running two failover pairs of asa (5510, 5505) in two different locations in active/standby configurations.Is it possible to access the inside ip of the standby unit via vpn terminated by the active unit? It's only for monitoring.With our configuration here it is not.Is that possible in general?
View 6 Replies
View Related
Nov 20, 2011
I have a single production 5510 with 2 contexts. Now I want to integrate the secondary failover unit. My question is: How much configuration needs to be done on the secondary firewall? How much of the configuration will be sync'd from the primary to the secondary when the secondary is connected?
For example, do I need to add the following on the secondary or will it be sync'd from the primary?
admin-context NAME
context NAME
allocate-interface Ethernet0/0.14
[Code].....
View 3 Replies
View Related
Sep 7, 2011
I have an issue bringing up my RMA'd primary ASA unit.
So what happened so far:
1. primary unit failed
2. secondary took over and is now secondary - active (as per sh fail)
2. requested RMA at Cisco
3. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary
4. issued wr erase and reloaded
5. copied the following commands to the new (RMA) primary unit:
failover lan unit primary
failover lan interface Failover Ethernet3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
int eth3
no shut
failover
wr mem
6. installed primary unit into rack
7. plugged-in all cables (network, failover, console and power)
8. fired up the primary unit
9. expected that the unit shows:
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
10. but nothing happened on primary unit
What is a valid and viable approach in replacing a failed primary unit? Is there a missing step that hinders me to successfully replicate the secondary - active config to the primary - standby unit.
I was not able to find anything related to ASA55xx primary unit replacement with a clear guideline or step by step instructions.
View 10 Replies
View Related
Nov 11, 2012
I restored the HA pair back to Active/Standby.
1 remaining issue.
I have 3 IPsec Site-to_SIte tunnels.
I noticed that when the NEW UNIT becomes ACTIVE that I am unable to pass traffic over the VPN tunnels.When I failback I am able to pass traffic.
View 7 Replies
View Related
May 7, 2013
When I try to put my ASAs in active/standby config here is the error I get.Warning: Failover message decryption failure. Pleas make sure both units have the same failover shared key and crypto license or the system is out of memory.
View 1 Replies
View Related
Jun 20, 2011
Currently we have one ISP1 and all traffic goes to this way. Suppose our isp1 goes down, our outside user cant get the server. All servers are nated to this ISP1.We planned to purchase a another ISP2. Shall we Configure same inside server to map this ISP2? so that one primary ISP1 goes down it will take place the outside trafficISP2.
View 1 Replies
View Related
Jul 19, 2011
Is it possible to setup 2 x Cisco ASA 5520 that are in an Active/Standby failover using sla monitoring?
For example ASA1 outside interface connects to an upstream switch and you setup sla monitor with icmp echo to ping that switch. The switch goes down and you need the other ASA2 to become the Active ASA. Can the sla monitor be automatically integrated with the failover commands for this to happen?
View 5 Replies
View Related
Aug 24, 2011
I'd like to configure HA between an ISP router and a firewall ASA like shown in the document. I was thinking about HSRP but can I use HSRP between a router and a firewall?Another information.I have 1 asa 5520 on my site connected to an ISP 1, and a second asa 5520 at a second ISP's datacenter. My aim is that if the 2nd ISP is not available, all trafic go through the asa on site and to the first ISP.
View 4 Replies
View Related
Apr 17, 2011
I am having ASA 5520 with active/standby configured. Around 2 days ago, the ASA stopped responding & all of my websites stopped working. when i checked the failover status it said that failover is off. I had to manually turn the failover to start my traffic flow.During this time my secondary ASA was not responding. After some time, the primary stopped responding & secondary became active......to solve this i had to make the secondary unit as failover unit primary & the primary unit as failover unit secondary. i did get a log on ASA :-
“(Primary) Disabling Failover” with error message no.105001 which states the below:-
Error Message %PIX|ASA-1-105001: (Primary) Disabling failover.
Explanation In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed).(Primary) can also be listed as (Secondary) for the secondary unit.
View 1 Replies
View Related
Nov 24, 2011
I have 2 ASA5520's in failover pair.After failing over I cannot run ADSM on the secondary (now active device), I get "unable to launch device manager from [primary address]"
I can ASDM to the primary device (now marked as "standby ready") on the failover address. I can SSH to it also.I CANNOT ASDM to the secondary device (now marked as "active") on the primary address. I CAN SSH to it.
When I run "sh asdm image" I get valid output (asdm image disk0:/asdm-645.bin) on both.However when I run "sh ver" on each it appears ASDM is not running on the secondary device :
Cisco Adaptive Security Appliance Software Version xxxx [only]
Compared with :
Cisco Adaptive Security Appliance Software Version xxxx
Device Manager Version 6.4(5)
It appears as though ASDM is only running on the primary device (regardless of the fact it is now in standby mode). Is this normal?
I am having to run in a failover condition due to a intermittent hardware fault on the primary unit but require access to the ASDM for monitoring/diag purposes during this condition.
View 2 Replies
View Related
Apr 1, 2008
I currently have a set of firewalls in active standby configuration running an ospf process injecting a default route into the rest of my network.I noticed when i was testing the failover that the asa's do not actually pass the route tables on failover, thus forcing the need to wait for routes to converge and for the default route to be advertised back into the network. This of course is not acceptable.
Is there a way around this or do I have to setup static default routes on every device in my network. I am trying to avoid setting up default routes on all of the devices because due to the setup of my network I have equal cost links configured in the event of hardware or link failure. So the devices then see an advertised default route from multiple paths.
View 4 Replies
View Related
Dec 5, 2011
I have 2 dual ASA 5520 devices running VPN at two geographically different locations. What is the best way to do failover between the two remote locations?i.e. can Cisco GSS / Cisco CSM/ACE be used and if so how would this work.
View 3 Replies
View Related
Sep 27, 2012
Cisco still doesn't provide failover (active/standby) between two different types of ASA, right?
[URL]
"The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM"
View 1 Replies
View Related
Jul 25, 2011
We have two asa5520 configured as primary and standby unit in fail over configuration, and all is working properly. Is it possible, with this configuration (fail over), to configure vpn load balancing/clustering?
View 7 Replies
View Related
Oct 31, 2012
i am trying to setup a failover pair on Cisco asa 5520 - need a state full failover. Do i need two ports dedicated to obtain the above - one for LAN based failover and one for state full fail over ? also do i need a switch in between to connect them ?
View 11 Replies
View Related
Jan 25, 2012
I have 2 Cisco 5520 ASAs and was configured for Fail over. Unfortunately our Primary ASA went down and Secondary becomes Active and network admin made lots of changes on Secondary Active ASA. What is the best practice to rejoin Primary as standby or active without loosing the existing configuration on Secondary Active ?
View 6 Replies
View Related
Apr 15, 2013
I have a running ASA5520 in my network and recently we plan to add a failover pair as a standby unit for the running asa. Both of the ASA have the same specs and software. the only thing that the soon to be secondary ASA does not have is the AnyConnect Essential license. is it still possible for the unit to be the standby unit?
below is the license capture from both of the unit.
Running ASA:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
[Code].....
View 3 Replies
View Related
Jun 3, 2013
According to the link here:[URL]Starting with Version 8.3(1), it no longer needs to install identical licenses. Typically, we only buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active.So I wanna know if there's some additional configuration to synchronize the licenses such as SSL VPN or Context between the primary one and the second one? Or they can just synchronize by default as soon as I finish the failover configuration and when the primary one gets down, the second one will take over the role including licenses automatically?
View 4 Replies
View Related
Mar 20, 2012
We have recently got 2 of our Cisco ASA 5520 firewalls through RMA. These are supposed to run in a Active/Active Failover Pair. There was only 1 RMA request that was opened for both the firewalls. We have received only 1 Activation key for this RMA request for both the firewalls. Just want to check with you if this Activation key will work on both firewalls or do we need a get a seperate one for the other box.
View 1 Replies
View Related
Sep 19, 2012
Recently, I unable to configure the failover on bridge group in transparent mode . I have five interfaces .out of this only 3 is showing in the show run config . Whether I can config failover on on of the data interfaces.
I have the ASA 5520 with the version ASA Version 7.2(4) <context>
View 3 Replies
View Related
Dec 3, 2012
I have a problem with my asa phone proxy. i have two ASA 5520 in HA. I have 10 phone register with ASA active primary. if i execute the command show phone-proxy secure-session. i can see the phone session on the ASA.
if i perform the same command on the passive ASA i can't see the session replicated from the active member.
If i switch the cluster the phone enter in a registrating loop and can't connect to the ASA now active.
If i switch back immediately (the session are still present on the first asa) the phone register again and all works
the ASA have version 8.4(5)
the phone are a 7921g
is normal that the skinny don't start again and re-register the phone on the ASA that became active after failover?
View 1 Replies
View Related
Oct 29, 2012
I made an ASDM upgrade for one of my two CISCO ASA 5520. If I copy a file to the primary ASA's flash, is there any command I can run on the primary ASA to copy a file to the secondary ASA?
View 1 Replies
View Related