Cisco ASA 5500-X Series Next-Generation Firewalls

ASA FAQ: Why does the "show failover history" command indicate a configuration mismatch?

Document ID: 117906

Updated: Jul 28, 2014

Contributed by Haitham Jaradat and Magnus Mortensen, Cisco TAC Engineers.

Introduction

This document describes why the output of the show failover history command sometimes shows that the Adaptive Security Appliance (ASA) standby firewall transitioned from a "Standby Ready" state into a "Cold Standby" state due to a "Configuration Mismatch".

Why does the "show failover history" command indicate a configuration mismatch?

An ASA active/standby failover configuration allows a standby ASA to take over the functionality of a failed active ASA. Failover functionality requires that the active and standby appliance configurations remain synchronized. The output of the show failover history command sometimes shows that the standby firewall transitioned from a "Standby Ready" state into a "Cold Standby" state due to a "Configuration Mismatch".

ASA/stb# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
16:01:05 CET Sep 23 2013
Standby Ready              Cold Standby               Configuration mismatch
16:01:07 CET Sep 23 2013
Cold Standby               Sync Config                Configuration mismatch
16:01:31 CET Sep 23 2013
Sync Config                Sync File System           Configuration mismatch
16:01:31 CET Sep 23 2013
Sync File System           Bulk Sync                  Configuration mismatch
16:01:47 CET Sep 23 2013
Bulk Sync                  Standby Ready              Configuration mismatch

The transition from "Standby Ready" to "Cold Standby" on the standby ASA occurs when a user enters the write standby command on the active firewall. This command is sometimes mistakenly used in order to save the configuration on the standby unit. However, the write standby command forces a complete resynchronization of the configuration from the active firewall to the standby firewall and should not be used during normal ASA operation.

If you want to save the standby ASA in-service configuration to flash, enter the write mem command on the active unit. This command is synchronized between both units and writes the configuration to flash on both the active and standby firewalls.

Note: Per the ASA online documentation, the write standby command replicates the configuration to the in-service configuration of the peer unit; it does not save the configuration to the startup configuration. In order to save the configuration changes to the startup configuration, enter the copy running-config startup-config command on the active unit. The command will be replicated to the standby peer unit and the configuration saved to the startup configuration.
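
The following is an added example, not Cisco code: a Python sketch that parses saved show failover history output, flags the "Standby Ready" to "Cold Standby" transition that this document attributes to write standby, and reports how long the standby unit took to return to "Standby Ready". The function names are hypothetical, and the state list covers only the states shown in the output above.

```python
import re
from datetime import datetime

# States seen in the output quoted on this page; extend the tuple for others.
STATES = ("Standby Ready", "Cold Standby", "Sync Config", "Sync File System", "Bulk Sync")
STAMP = re.compile(r"^(\d\d:\d\d:\d\d) \S+ (\w{3} \d{1,2} \d{4})$")
ROW = re.compile(r"^({0}) ({0}) (.+)$".format("|".join(STATES)))
DROP = ("Standby Ready", "Cold Standby", "Configuration mismatch")

# Constructed sample: the history rows from this page, pasted as flat text.
SAMPLE = """\
From State To State Reason
16:01:05 CET Sep 23 2013
Standby Ready Cold Standby Configuration mismatch
16:01:07 CET Sep 23 2013
Cold Standby Sync Config Configuration mismatch
16:01:31 CET Sep 23 2013
Sync Config Sync File System Configuration mismatch
16:01:31 CET Sep 23 2013
Sync File System Bulk Sync Configuration mismatch
16:01:47 CET Sep 23 2013
Bulk Sync Standby Ready Configuration mismatch
"""

def parse_history(output):
    """Return (datetime, from_state, to_state, reason) for each transition."""
    rows, when = [], None
    for line in output.splitlines():
        line = " ".join(line.split())  # collapse column padding
        stamp, row = STAMP.match(line), ROW.match(line)
        if stamp:  # the time zone token is dropped; only differences are used
            when = datetime.strptime(" ".join(stamp.groups()), "%H:%M:%S %b %d %Y")
        elif row and when:
            rows.append((when,) + row.groups())
    return rows

def forced_resyncs(rows):
    """(start, seconds until Standby Ready again) for each mismatch drop."""
    out, start = [], None
    for when, src, dst, reason in rows:
        if (src, dst, reason) == DROP:
            start = when
        elif dst == "Standby Ready" and start:
            out.append((start, int((when - start).total_seconds())))
            start = None
    return out
```

On the sample, forced_resyncs(parse_history(SAMPLE)) reports one drop that starts at 16:01:05 and ends 42 seconds later.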
