Friday, August 2, 2024

Cisco Firepower FX-OS show tech-support

We've encountered an outage in our Cisco FPR 2100 High Availability (HA) pair running ASA OS. The Primary ASA firewall crashed or auto-reloaded and didn't fail over properly to the Secondary ASA firewall. I also had to reload the Secondary ASA firewall in order for HA to synchronize.

In addition to the usual show tech-support output from the ASA CLI, Cisco TAC will ask for the show tech-support fprm detail output (a GZ archive file), which is generated from the FX-OS CLI. Having it ready saves troubleshooting time and allows TAC to investigate further using their internal database.

Based on the FX-OS show tech, the auto reload was due to a memory bug, CSCwk27830. TAC recommended performing an ASA OS upgrade to the known fixed release.

Threadname: **lina**
Rip: ****
Version: **9.xx**
Hardware: **FPR-21xx**
0x00000000019862b8 : ikev2_copy_ike_policy+216 at ikev2/granite/ikev2/core/policy/ikev2_policy.c:1677
0x00000000019c1144 : ikev2_initiate_sa+476 at ikev2/granite/ikev2/core/ikev2_sa_management.c:132
0x00000000018e300c : asa_connect_continue+136 at ikev2/ikev2_asa_connect.c:663
0x000000000193f214 : asa_spi_mgt_callback+1060 at ikev2/ikev2_spi_mgt.c:666
0x000000000193dcc0 : ikev2_pitcher+328 at ikev2/ikev2_pitcher.c:880
0x000000000193a768 : IKEv2ProcessMsg+140 at ikev2/ikev2_daemon.c:548
0x000000000193c9c4 : Ikev2Daemon+1452 at ikev2/ikev2_daemon.c:343


ciscoasa/pri/act/admin# connect fxos admin
Configuring session.
Connecting to FXOS.
Connected to FXOS. Escape character sequence is 'CTRL-^X'.

NOTICE: You have connected to the FXOS CLI with admin privileges.
Config commands and commit-buffer are not supported in appliance mode.

Certain components of this software are licensed under the "GNU General Public
License, version 3" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, Version 3", available here: See User Manual (''Licensing'') for


firepower-2100# connect
  asa         Connect to ASA Application CLI
  local-mgmt  Connect to Local Management CLI

firepower-2120# connect local-mgmt
Warning: network service is not available when entering 'connect local-mgmt'
firepower-2120(local-mgmt)# show  
  active-connections     Show active TCP/IP connections
  cli                    CLI Information
  clock                  Clock
  consent-token          consent token
  debug                  Debugging functions
  env                    Show environmental monitoring data
  failsafe-params        Show the failsafe mode configuration
  file                   File Commands
  fxos-mode              Fxos-mode
  lacp                   LACP command
  mgmt-ip-debug          IP Debug Info
  npu-accel              Show NPU accelerator data
  ntp                    NTP Status
  open-network-ports     Show open network ports
  pktmgr                 pktmgr command
  platform-sw-processes  Show the state of platform software processes
  pmon                   Pmon
  portchannel            portchannel command
  portmanager            portmanager command
  processes              Processes
  running-config         Running-config
  software               Software
  sshkey                 Sshkey
  tech-support           Tech Support
  version                System version

firepower-2100(local-mgmt)# show tech-support
  fprm  FPRM

firepower-2100(local-mgmt)# show tech-support fprm
  >       Redirect it to a file
  >>      Redirect it to a file in append mode
  brief   Brief
  detail  Detail
  |       Pipe command output to filter

firepower-2120(local-mgmt)# show tech-support fprm detail

The show tech output is saved in the ASA flash (disk0:). It can be transferred to your PC via ASDM and then uploaded to the Cisco Support Case portal.

ciscoasa/pri/act/admin# changeto system
ciscoasa/pri/act# show flash
--#--  --length--  -----date/time------  path
44053  98          Apr 06 2023 07:50:39  log
134673345  4096        Jun 26 2023 05:19:00  log/from_tmp
134673346  145713      Jul 31 2024 17:26:02  log/from_tmp/asa-appagent.log
134673347  0           Jul 22 2024 16:46:23  log/from_tmp/asa-fxos_xml.log


134217933  17421854    Jul 30 2024 05:41:58  fxos/20240730054152_firepower-2100_FPRM.tar.gz


21475885056 bytes total (20623392768 bytes free)
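
When several FPRM bundles have accumulated in flash, it helps to confirm which archive was generated after the crash before uploading it to the case. The following Python sketch is an added example, not part of the original post or any Cisco tooling: it parses saved show flash output and picks the newest FPRM archive. It assumes the leading digits of the file name are a YYYYMMDDhhmmss timestamp (inferred from the listing above), and the function names and the second archive entry in the sample are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample modeled on the 'show flash' listing above; the
# Jun 11 archive entry is invented for this example.
SAMPLE_SHOW_FLASH = """\
--#--  --length--  -----date/time------  path
44053  98          Apr 06 2023 07:50:39  log
134673346  145713      Jul 31 2024 17:26:02  log/from_tmp/asa-appagent.log
134217930  16900112    Jun 11 2024 22:03:10  fxos/20240611220301_firepower-2100_FPRM.tar.gz
134217933  17421854    Jul 30 2024 05:41:58  fxos/20240730054152_firepower-2100_FPRM.tar.gz

21475885056 bytes total (20623392768 bytes free)
"""

ENTRY = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<length>\d+)\s+"
    r"(?P<date>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<path>\S+)\s*$"
)
# Assumption: file name is <YYYYMMDDhhmmss>_<hostname>_FPRM.tar.gz
FPRM = re.compile(r"^fxos/(?P<stamp>\d{14})_(?P<host>.+)_FPRM\.tar\.gz$")


def parse_flash(text):
    """Return one dict per file entry in 'show flash' output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, blank line, or the 'bytes total' summary
        entries.append({
            "length": int(m["length"]),
            "modified": datetime.strptime(m["date"], "%b %d %Y %H:%M:%S"),
            "path": m["path"],
        })
    return entries


def latest_fprm_bundle(text, not_before=None):
    """Newest FPRM archive, optionally only those started at/after not_before."""
    bundles = []
    for e in parse_flash(text):
        m = FPRM.match(e["path"])
        if not m or e["length"] == 0:
            continue  # not a bundle, or an empty file not worth uploading
        started = datetime.strptime(m["stamp"], "%Y%m%d%H%M%S")
        if not_before is None or started >= not_before:
            bundles.append({**e, "started": started, "host": m["host"]})
    return max(bundles, key=lambda b: b["started"], default=None)
```

Passing the crash time as not_before returns None when no bundle post-dates the event, which is the cue to run show tech-support fprm detail again before opening the case.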
