Tag: ASA

How check what have caused failover on PIX or ASA

The failover is determined by execution of the following command

pix# show failover state

State Last Failure Reason Date/Time
This host - Primary
Active Ifc Failure 13:23:27 MET Aug 17 2012
Other host - Secondary
Standby Ready Ifc Failure 08:23:57 MET Aug 14 2012

====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set

You should observe FW log to check the reason of failover. Failover can be casued by User changes, software bugs and so on.

egrep '(\(Primary\)|User|Traceback)' pix.log

Otherwise, you can inverts search by excluding other info

egrep -v '(Built|Teardown|Deny|UDP|No tr|URL|No rou|TCP|ICMP|icmp|FTP|ARP)' pix.log

September 13, 2012 Comments (0)

ICMP permitting ACL

object-group icmp-type functional_ICMP
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo-reply
icmp-object source-quench
icmp-object parameter-problem

Unreachable, time-exceeded – routing problem,
echo-reply – all OK
parameter-problem, source-quench – MTU Path discovery features

August 14, 2012 Comments (1)