To display information about the failover status of a high-availability unit, use the show failover command.
show failover
[
group
num
|
history
[
details
]
|
interface
|
state
|
trace
[
options
]
|
app-sync stats
|
statistics
[
all
|
unit
|
np-clients
|
|
cp-clients
|
bulk-sync
[
all
|
control-plane
|
data-plane
] |
interface
[
all
] ]
|
details
|
config-sync errors
[
all
|
current
]
|
config-sync stats
[
all
|
current
]
]
Syntax Description
group
num
|
Displays the running state of the specified failover group.
|
history [ details]
|
Displays failover history. This includes past failover state changes and the reasons for the state changes. This information
helps with troubleshooting.
Add the details keyword to display failover history from the peer unit. This includes failover state changes and the reason for the state
change, for the peer unit.
Note that the history information is cleared when the device is rebooted.
|
interface
|
Displays failover and stateful link information.
|
state
|
Displays the failover state of both the failover units. The information displayed includes the primary or secondary status
of the unit, the Active or Standby status of the unit, and the last reported reason for failover. The fail reason remains in the output even when the reason
for failure is cleared.
|
trace
[options ]
|
(Optional) Shows the failover event trace. Options include the failover event trace levels from 1 to 5:
-
critical
: Filters failover critical event trace (level = 1).
-
debugging : Filters failover debugging trace (debug level = 5).
-
error : Filters failover internal exception (level = 2).
-
informational : Filters failover informational trace (level = 4).
-
warning : Filters failover warnings (level = 3).
|
statistics[ all| events| unit| np-clients| cp-clients| bulk-sync[ all| control-plane| data-plane]
|
Displays local device events, transmit, and receive packet counts of failover interface and bulk-sync time duration.
-
np-clients —displays the HA data-path client's packet's statistics.
-
cp-clients —displays the HA control plane client's packet's statistics.
-
bulk-sync —displays the sync time for the HA data-plane clients, control-plane clients, or both.
-
events —displays the local failures notified by App agent—HA LAN link uptime, Supervisor's heartbeat failures, Snort crashes, and
Disk full issues.
-
all —displays the consolidated failover statistics for interface, np-client, cp-client, and bulk-sync.
|
app-sync stats |
Displays the failover app-sync statistics information.
|
details
|
Displays the failover details of the pairs in a high-availability pair.
|
config-sync
|
-
errors : Display the details of synchronization errors while replicating the configuration changes from the active unit. Add the
all keyword to get the cumulative results for all the configuration synchronizations from the time of deployment. Add the current keyword to get the result for the current configuration synchronization.
-
stats: Display the statistics about configuration synchronization, including size of the configuration, count of the configuration
commands, and duration of the synchronization. Add the all keyword to get the cumulative results for all the configuration synchronizations from the time of deployment. Add the current keyword to get the result for the current configuration synchronization.
|
Command History
Release
|
Modification
|
6.1
|
This command was introduced.
|
6.2.3
|
The history details keyword was added.
|
6.4
|
The following object static counts were added:
-
Rule DB B-Sync
-
Rule DB P-Sync
-
Rule DB Delete
|
7.0
|
The details keyword was added.
|
7.4.1
|
The config-sync error, config-sync stats , statistics all,statistics events,statistics np-clients,statistics cp-clients, and statistics bulk-sync , keywords were added.
The app-sync stats keyword was enhanced to display the failover app-sync statistics information. |
Usage Guidelines
The show failover command displays the dynamic failover information, interface status, and Stateful Failover statistics.
If both IPv4 and IPv6 addresses are configured on an interface, both addresses appear in the output. Because an interface
can have more than one IPv6 address configured on it, only the link-local address is displayed. If there is no IPv4 address
configured on the interface, the IPv4 address in the output appears as 0.0.0.0. If there is no IPv6 address configured on
an interface, the address is simply omitted from the output.
The Stateful Failover Logical Update Statistics output appears only when Stateful Failover is enabled. The “xerr” and “rerr”
values do not indicate errors in failover, but rather the number of packet transmit or receive errors.
In the show failover command output, the stateful failover fields have the following values:
If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address, and monitoring of the interfaces remain in a “waiting” state. You must set a
failover IP address for failover to work.
The following table describes the interface states for failover.
Table 8. Failover Interface States
State
|
Description
|
Normal
|
The interface is up and receiving hello packets from the corresponding interface on the peer unit.
|
Normal (Waiting)
|
The interface is up but has not yet received a hello packet from the corresponding interface on the peer unit. Verify that
a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.
You can also see this state when the failover interface goes down.
|
Normal (Not-Monitored)
|
The interface is up but is not monitored by the failover process. The failure of an interface that is not monitored does not
trigger failover.
|
No Link
|
The physical link is down.
|
No Link (Waiting)
|
The physical link is down and the interface has not yet received a hello packet from the corresponding interface on the peer
unit. After restoring the link, verify that a standby IP address has been configured for the interface and that there is connectivity
between the two interfaces.
|
No Link (Not-Monitored)
|
The physical link is down but is not monitored by the failover process. The failure of an interface that is not monitored
does not trigger failover.
|
Link Down
|
The physical link is up, but the interface is administratively down.
|
Link Down (Waiting)
|
The physical link is up, but the interface is administratively down and the interface has not yet received a hello packet
from the corresponding interface on the peer unit. After bringing the interface up, verify that a standby IP address has been
configured for the interface and that there is connectivity between the two interfaces.
|
Link Down (Not-Monitored)
|
The physical link is up, but the interface is administratively down but is not monitored by the failover process. The failure
of an interface that is not monitored does not trigger failover.
|
Testing
|
The interface is in testing mode due to missed hello packets from the corresponding interface on the peer unit.
|
Failed
|
Interface testing has failed and the interface is marked as failed. If the interface failure causes the failover criteria
to be met, then the interface failure causes a failover to the secondary unit or failover group.
|
Examples
The following is a sample output from the show failover command for active-standby failover:
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Failover On
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.7(0)74, Mate 9.7(0)74
Serial Number: Ours 9A41CKDXQJU, Mate 9A3MFP0H1CP
Last Failover at: 19:23:17 UTC Oct 26 2016
This host: Primary - Active
Active time: 589 (sec)
slot 0: empty
Interface diagnostic (0.0.0.0): Normal (Waiting)
Interface outside (192.168.77.1): Normal (Waiting)
Interface inside (192.168.87.1): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface diagnostic (0.0.0.0): Normal (Waiting)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/2 (up)
Stateful Obj xmit xerr rcv rerr
General 45 0 44 0
sys cmd 44 0 44 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 1 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Rule DB B-Sync 0 0 1 0
Rule DB P-Sync 5 0 1 0
Rule DB Delete 12 0 5 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 10 44
Xmit Q: 0 11 238
The following is a sample output from the show failover state command for an active-standby setup:
> show failover state
State Last Failure Reason Date/Time
This host - Primary
Negotiation Backplane Failure 15:44:56 UTC Jun 20 2016
Other host - Secondary
Not Detected Comm Failure 15:36:30 UTC Jun 20 2016
====Configuration State===
Sync Done
====Communication State===
Mac set
The following table describes the output of the show failover state command.
Table 9. show failover state Field Descriptions
Field
|
Description
|
Configuration State
|
Displays the state of configuration synchronization.
The following are possible configuration states for the standby unit:
-
Config Syncing - STANDBY : Set while the synchronized configuration is being executed.
-
Interface Config Syncing - STANDBY
-
Sync Done - STANDBY : Set when the standby unit has completed a configuration synchronization from the active unit.
The following are possible configuration states for the active unit:
-
Config Syncing : Set on the active unit when it is performing a configuration synchronization to the standby unit.
-
Interface Config Syncing
-
Sync Done : Set when the active unit has completed a successful configuration synchronization to the standby unit.
-
Ready for Config Sync : Set on the active unit when the standby unit signals that it is ready to receive a configuration synchronization.
|
Communication State
|
Displays the status of the MAC address synchronization.
-
Mac set : The MAC addresses have been synchronized from the peer unit to this unit.
-
Updated Mac : Used when a MAC address is updated and needs to be synchronized to the other unit. Also used during the transition period
where the unit is updating the local MAC addresses synchronized from the peer unit.
|
Date/Time
|
Displays a date and timestamp for the failure.
|
Last Failure Reason
|
Displays the reason for the last reported failure. This information is not cleared, even if the failure condition is cleared.
This information changes only when a failover occurs.
The following are possible fail reasons:
|
State
|
Displays the Primary or Secondary and Active or Standby status for the unit.
|
This host/Other host
|
This host indicates information for the device upon which the command was executed. Other host indicates information for the
other device in the failover pair.
|
The following is a sample output from the show failover history command on the primary unit:
> show failover history
==========================================================================
From State To State Reason
==========================================================================
14:29:59 UTC Nov 11 2017
Not Detected Negotiation No Error
14:30:36 UTC Nov 11 2017
Negotiation Cold Standby Detected an Active mate
14:30:38 UTC Nov 11 2017
Cold Standby Sync Config Detected an Active mate
14:30:47 UTC Nov 11 2017
Sync Config Sync File System Detected an Active mate
14:30:47 UTC Nov 11 2017
Sync File System Bulk Sync Detected an Active mate
14:31:00 UTC Nov 11 2017
Bulk Sync Standby Ready Detected an Active mate
14:31:39 UTC Nov 11 2017
Standby Ready Failed Interface check
This host:1
single_vf: OUTSIDE
Other host:0
14:31:46 UTC Nov 11 2017
Failed Standby Ready Interface check
This host:0
Other host:0
14:33:36 UTC Nov 11 2017
Standby Ready Just Active HELLO not heard from mate
14:33:36 UTC Nov 11 2017
Just Active Active Drain HELLO not heard from mate
14:33:36 UTC Nov 11 2017
Active Drain Active Applying Config HELLO not heard from mate
14:33:36 UTC Nov 11 2017
Active Applying Config Active Config Applied HELLO not heard from mate
14:33:36 UTC Nov 11 2017
Active Config Applied Active HELLO not heard from mate
==========================================================================
The following is a sample output from the show failover history command on the secondary unit:
> show failover history
==========================================================================
From State To State Reason
==========================================================================
17:17:29 UTC Nov 10 2017
Not Detected Negotiation No Error
17:18:06 UTC Nov 10 2017
Negotiation Cold Standby Detected an Active mate
17:18:08 UTC Nov 10 2017
Cold Standby Sync Config Detected an Active mate
17:18:17 UTC Nov 10 2017
Sync Config Sync File System Detected an Active mate
17:18:17 UTC Nov 10 2017
Sync File System Bulk Sync Detected an Active mate
17:18:30 UTC Nov 10 2017
Bulk Sync Standby Ready Detected an Active mate
17:19:09 UTC Nov 10 2017
Standby Ready Failed Interface check
This host:1
single_vf: OUTSIDE
Other host:0
17:19:21 UTC Nov 10 2017
Failed Standby Ready Interface check
This host:0
Other host:0
==========================================================================
Each entry provides the time and date the state change occurred, the beginning state, the resulting state, and the reason
for the state change. The newest entries are located at the bottom of the display. Older entries appear at the top. A maximum
of 60 entries can be displayed. Once the maximum number of entries has been reached, the oldest entries are removed from the
top of the output as new entries are added to the bottom.
The failure reasons include details that help in troubleshooting. These include interface check, failover state check, state
progression failure and service module failure.
The following is a sample output from the show failover history details command:
>show failover history details
==========================================================================
From State To State Reason
==========================================================================
09:58:07 UTC Jan 18 2017
Not Detected Negotiation No Error
09:58:10 UTC Jan 18 2017
Negotiation Just Active No Active unit found
09:58:10 UTC Jan 18 2017
Just Active Active Drain No Active unit found
09:58:10 UTC Jan 18 2017
Active Drain Active Applying Config No Active unit found
09:58:10 UTC Jan 18 2017
Active Applying Config Active Config Applied No Active unit found
09:58:10 UTC Jan 18 2017
Active Config Applied Active No Active unit found
==========================================================================
PEER History Collected at 09:58:54 UTC Jan 18 2017
=======================PEER-HISTORY=========================================
From State To State Reason
=========================PEER-HISTORY=======================================
09:57:46 UTC Jan 18 2017
Not Detected Negotiation No Error
09:58:19 UTC Jan 18 2017
Negotiation Cold Standby Detected an Active mate
09:58:21 UTC Jan 18 2017
Cold Standby Sync Config Detected an Active mate
09:58:29 UTC Jan 18 2017
Sync Config Sync File System Detected an Active mate
09:58:29 UTC Jan 18 2017
Sync File System Bulk Sync Detected an Active mate
09:58:42 UTC Jan 18 2017
Bulk Sync Standby Ready Detected an Active mate
=========================PEER-HISTORY=====================================
The show failover history details command requests the peer's failover history and prints the unit failover history along with the peer's latest failover history.
If the peer does not respond within one second it displays the last collected failover history information.
The following table shows the failover states. There are two types of states—stable and transient. Stable states are states
that the unit can remain in until some occurrence, such as a failure, causes a state change. A transient state is a state
that the unit passes through while reaching a stable state.
Table 10. Failover States
States
|
Description
|
Disabled
|
Failover is disabled. This is a stable state.
|
Failed
|
The unit is in the failed state. This is a stable state.
|
Negotiation
|
The unit establishes the connection with peer and negotiates with peer to determine software version compatibility and Active/Standby
role. Depending upon the role that is negotiated, the unit will go through the Standby Unit States or the Active Unit States
or enter the failed state. This is a transient state.
|
Not Detected
|
The ASA cannot detect the presence of a peer. This can happen when the ASA boots up with failover enabled but the peer is
not present or is powered down.
|
Standby Unit States
|
Cold Standby
|
The unit waits for the peer to reach the Active state. When the peer unit reaches the Active state, this unit progresses to
the Standby Config state. This is a transient state.
|
Sync Config
|
The unit requests the running configuration from the peer unit. If an error occurs during the configuration synchronization,
the unit returns to the Initialization state. This is a transient state.
|
Sync File System
|
The unit synchronizes the file system with the peer unit. This is a transient state.
|
Bulk Sync
|
The unit receives state information from the peer. This state only occurs when Stateful Failover is enabled. This is a transient
state.
|
Standby Ready
|
The unit is ready to take over if the active unit fails. This is a stable state.
|
Active Unit States
|
Just Active
|
The first state the unit enters when becoming the active unit. During this state a message is sent to the peer alerting the
peer that the unit is becoming active and the IP and MAC addresses are set for the interfaces. This is a transient state.
|
Active Drain
|
Queues messages from the peer are discarded. This is a transient state.
|
Active Applying Config
|
The unit is applying the system configuration. This is a transient state.
|
Active Config Applied
|
The unit has finished applying the system configuration. This is a transient state.
|
Active
|
The unit is active and processing traffic. This is a stable state.
|
Each state change is followed by a reason for the state change. The reason typically remains the same as the unit progresses
through the transient states to the stable state. The following are the possible state change reasons:
-
No Error
-
Set by the CI config cmd
-
Failover state check
-
Failover interface become OK
-
HELLO not heard from mate
-
Other unit has different software version
-
Other unit operating mode is different
-
Other unit license is different
-
Other unit chassis configuration is different
-
Other unit card configuration is different
-
Other unit want me Active
-
Other unit want me Standby
-
Other unit reports that I am failed
-
Other unit reports that it is failed
-
Configuration mismatch
-
Detected an Active mate
-
No Active unit found
-
Configuration synchronization done
-
Recovered from communication failure
-
Other unit has different set of vlans configured
-
Unable to verify vlan configuration
-
Incomplete configuration synchronization
-
Configuration synchronization failed
-
Interface check
-
My communication failed
-
ACK not received for failover message
-
Other unit got stuck in learn state after sync
-
No power detected from peer
-
No failover cable
-
HA state progression failed
-
Detect service card failure
-
Service card in other unit has failed
-
My service card is as good as peer
-
LAN Interface become un-configured
-
Peer unit just reloaded
-
Switch from Serial Cable to LAN-Based fover
-
Unable to verify state of config sync
-
Auto-update request
-
Unknown reason
The following is a sample output from the show failover interface command. The device has an IPv6 address configured on the failover interface:
> show failover interface
interface folink GigabitEthernet0/2
System IP Address: 2001:a0a:b00::a0a:b70/64
My IP Address : 2001:a0a:b00::a0a:b70
Other IP Address : 2001:a0a:b00::a0a:b71
Examples
The following is a sample output from the show failover details command from peer device on a high-availability pair:
> show failover details
Failover On
Failover unit Secondary
Failover LAN Interface: HA-LINK GigabitEthernet0/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
1 Hold Interval Success: 12 Failure: 0
2 Hold Interval Success: 15 Failure: 0
3 Hold Interval Success: 15 Failure: 0
4 Hold Interval Success: 15 Failure: 0
5 Hold Interval Success: 15 Failure: 0
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 311 maximum
Interface: management
1 Hold Success: 0 Failure: 0
2 Hold Success: 0 Failure: 0
3 Hold Success: 0 Failure: 0
4 Hold Success: 0 Failure: 0
5 Hold Success: 0 Failure: 0
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 99.16(2)10, Mate 99.16(2)10
Serial Number: Ours 9A7WJNE35T5, Mate 9A3497TXPU6
Last Failover at: 06:56:25 UTC Jan 25 2021
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASAv hw/sw rev (/99.16(2)10) status (Up Sys)
Interface management (203.0.113.130/fe80::250:56ff:feb7:4927): Unknown (Waiting)
slot 1: snort rev (1.0) status (up)
snort poll success:2877 miss:0
slot 2: diskstatus rev (1.0) status (up)
disk poll success:2877 miss:0
Other host: Primary - Active
Active time: 2910 (sec)
Interface management (203.0.113.130): Unknown (Waiting)
slot 1: snort rev (1.0) status (up)
peer snort poll success:2877 miss:0
slot 2: diskstatus rev (1.0) status (up)
peer disk poll success:2877 miss:0
Stateful Failover Logical Update Statistics
Link : HA-LINK GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 379 0 380 0
sys cmd 379 0 379 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
The following is a sample failover warnings output from the show failover trace command:
> show failover trace warning
Warning:Output can be huge. Displaying in pager mode
Oct 14 UTC 20:56:56.345 [CABLE] [ERROR]fover: peer rcvd down ifcs info
Oct 14 UTC 20:56:56.345 [CABLE] [ERROR]fover: peer has 1 down ifcs
Oct 14 UTC 20:56:56.345 [CABLE] [ERROR]fover: peer rcvd down ifcs info
Oct 14 UTC 20:56:56.345 [CABLE] [ERROR]fover: peer has 1 down ifcs
Oct 14 UTC 20:56:56.345 [CABLE] [ERROR]fover: peer rcvd down ifcs info
The following is sample failover output from the show failover statistics command for Versions prior to 7.2.x:
ciscoftd(config)# show failover statistics
tx:121456
rx:121306
The following is sample failover output from the show failover statistics command for Version 7.2.x or later:
ciscoftd(config)# show failover statistics
tx:3396
rx:3296
Unknown version count for Fover ctl client: 0
Unknown reason count for peer's switch reason: 0
fover cd log create failed: 0
-
The tx and rx counters includes all the failover control packets, which are sent or received over the failover LAN interface.
-
The "Unknown version count for Fover ctl client" counter is incremented when the failover control packets has version as 0 in the received packets.
-
The "Unknown reason count for peer's switch reason" counter is incremented if the received HA switchover reason from peer unit is out of the locally known reason list.
-
The “fover cd log create failed” is set to 1 if the fover cd log file handle was not created.
The following is a sample output from the show failover config-sync errors command from the active device on a high-availability pair:
config)# show failover config-sync errors all
config failure details: time, return value, replication type, config
Mar 17 03:44:47.398 -3 CONFIG_SYNC name-server 10.1.1.208
Mar 17 04:31:32.868 -3 CONFIG_SYNC name-server 10.1.1.208
The following is a sample output from the show failover config-sync stats command from the standby device on a high-availability pair:
show failover config-sync stats current
Current HA state : Standby Ready
Config sync skipped : FALSE
FREP count : 7
FREP_CMD count : 0
FREP_CMD_STBY count : 0
FREP_ACL count : 0
FREP size(bytes) : 7580
FREP duration(ms) : 1070
Worst case FREP time(ms) : 30
Clear config duration(ms) : 840
Config apply duration(ms) : 1880
Config tmatch duration(ms) : 1710
Config latency info:
1 second - 10 seconds
No observed executions > 1 second
10 seconds - 20 seconds
No observed executions > 10 seconds
Above 20 seconds
No observed executions > 20 seconds
FREP
is the entire configuration that the active unit sends to the joining unit while forming a failover pair. FREP_CMD
, FREP_CMD_STBY
, and FREP_ACL
are the commands that the active unit sends to the standby unit while performing a configuration synchronization. Worst Case FREP time
is the highest time take between two full configuration synchronizations.
The following is sample failover output from the show failover statistics all command:
ciscoftd(config)# show failover statistics all
show failover statistics unit
-----------------------------
Unit Poll frequency 2 seconds, holdtime 10 seconds
Failover unit health statistics set size 10
1 Hold Interval Success: 3 Failure: 0
2 Hold Interval Success: 5 Failure: 0
3 Hold Interval Success: 5 Failure: 0
4 Hold Interval Success: 5 Failure: 0
5 Hold Interval Success: 5 Failure: 0
show failover statistics interface all
--------------------------------------
Interface Poll frequency 2 seconds, holdtime 10 seconds
Interface Policy 1
Monitored Interfaces 3 of 1285 maximum
Health statistics monitored interfaces 3
Failover interface health statistics set size 10
Interface: outside
1 Hold Success: 0 Failure: 0
2 Hold Success: 0 Failure: 0
3 Hold Success: 0 Failure: 0
4 Hold Success: 0 Failure: 0
5 Hold Success: 0 Failure: 0
Interface: inside
1 Hold Success: 0 Failure: 0
2 Hold Success: 0 Failure: 0
3 Hold Success: 0 Failure: 0
4 Hold Success: 0 Failure: 0
5 Hold Success: 0 Failure: 0
Interface: diagnostic
1 Hold Success: 0 Failure: 0
2 Hold Success: 0 Failure: 0
3 Hold Success: 0 Failure: 0
4 Hold Success: 0 Failure: 0
5 Hold Success: 0 Failure: 0
show failover statistics np-clients
-----------------------------------
Abbreviations:
BLErr - Buffer lock error, HIErr - HA Interface error, PI - Peer incompatible
PSErr - Packet size error, IPkt - Invalid pkt, CPkt - Corrupted pkt
BErr - Buffer error, MDErr - Msg descriptor error, MxBErr - Multiplexer buffer error
MxBDErr - Multiplexer buffer descriptor error
HA DP Clients Statistics
TX Statistics
-----------------------------------------------------------------------------------------------------------------
Client Name Tx In Tx Out BLErr HIErr PI
-----------------------------------------------------------------------------------------------------------------
SNP HA private client 0 0 0 0 0
Soft NP flow stateful failover 0 0 0 0 0
Soft NP SVC stateful failover 0 0 0 0 0
SIP inspection engine 0 0 0 0 0
SCTP inspection engine 0 0 0 0 0
Soft NP NLP HA client 16 16 0 0 0
ODNS inspection engine 0 0 0 0 0
DNS BRANCH/SNOOPING module 0 0 0 0 0
ARP DP module 0 0 0 0 0
TFW DP module 0 0 0 0 0
SNP HA Heartbeat client 1130 1130 0 0 0
ZTNA DP module 0 0 0 0 0
Unknown client 0 0 0 0 0
RX Statistics
-----------------------------------------------------------------------------------------------------------------
Client Name Rx In Rx Out PSErr IPkt CPkt PI
-----------------------------------------------------------------------------------------------------------------
SNP HA private client 0 0 0 0 0 0
Soft NP flow stateful failover 0 0 0 0 0 0
Soft NP SVC stateful failover 0 0 0 0 0 0
SIP inspection engine 0 0 0 0 0 0
SCTP inspection engine 0 0 0 0 0 0
Soft NP NLP HA client 1 1 0 0 0 0
ODNS inspection engine 0 0 0 0 0 0
DNS BRANCH/SNOOPING module 0 0 0 0 0 0
ARP DP module 0 0 0 0 0 0
TFW DP module 0 0 0 0 0 0
SNP HA Heartbeat client 1121 1121 0 0 0 0
ZTNA DP module 0 0 0 0 0 0
Unknown client 0 0 0 0 0 0
Buffer Failure Statistics
-----------------------------------------------------------------------------------------------------------------
Client Name BErr MDErr MxBErr MxBDErr
-----------------------------------------------------------------------------------------------------------------
SNP HA private client 0 0 0 0
Soft NP flow stateful failover 0 0 0 0
Soft NP SVC stateful failover 0 0 0 0
SIP inspection engine 0 0 0 0
SCTP inspection engine 0 0 0 0
Soft NP NLP HA client 0 0 0 0
ODNS inspection engine 0 0 0 0
DNS BRANCH/SNOOPING module 0 0 0 0
ARP DP module 0 0 0 0
TFW DP module 0 0 0 0
SNP HA Heartbeat client 0 0 0 0
ZTNA DP module 0 0 0 0
Unknown client 0 0 0 0
-----------------------------------------------------------------------------------------------------------------
show failover statistics bulk-sync
-----------------------------------
For session 0, NP Client Bulk Sync stats
===================================================================================================================
Client Name Status Start Time End Time Time Taken
===================================================================================================================
Soft NP flow stateful failover Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
Soft NP SVC stateful failover Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
SCTP inspection engine Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
DNS BRANCH/SNOOPING module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
ARP DP module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
TFW DP module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
ZTNA DP module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
===================================================================================================================
For session 0, CP Client Bulk Sync stats
===================================================================================================================
Client Name Status Start Time End Time Time Taken
===================================================================================================================
HA Internal Control Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
Failover Control Module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
Legacy LU support Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
vpnfo Done 06:44:50 UTC Feb 10 2023 06:45:00 UTC Feb 10 2023 00:00:10
vpnfo Done 06:44:50 UTC Feb 10 2023 06:45:00 UTC Feb 10 2023 00:00:10
SIP inspection engine Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
NetFlow Module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
HA Shared License Client Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
Route HA engine Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
CTS Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
CTS SXP Module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
IPv6 Route HA engine Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
Service Tag Switching Module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
CFG_HIST HA Client Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
SCTP inspection engine Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
KCD Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
HA CD Proxy Client Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
DHCPv6 HA engine Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
Attribute Module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
ODNS inspection engine Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
Ruld ID DB Client Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
DNS branch HA CP client Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
DNS_TRUSTED_SOURCE module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
Threat-Detection Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
ZTNA HA Module Done 06:44:50 UTC Feb 10 2023 06:44:50 UTC Feb 10 2023 00:00:00
===================================================================================================================
The following is a sample output (only non-zero rows) from the show failover statistics cp-clients command:
show failover statistics cp-clients
Abbreviations:
TxIn - Pkt rcvd at HA from client, TxOut - Pkt sent from HA to Interface
BErr - Buffer alloc failure, MDErr - Msg desc alloc failure, AckRcvd - Ack rcvd
ReTx - Retransmit pkts, NoSvc - HA service is down, PIErr - Client is incompatible
EncErr - Error in encrypting pkt, RepCfg - Replace cfg enabled
RxIn - Pkt rcvd from Interface to HA, RxOut - Pkt sent from HA to client
MDErr - Msg desc alloc failure, AckSent - Ack sent, NMsgCb - No Msg callback for client
InVcid - Invalid vcid rcvd, PIErr - Client is incompatible, InvPkt - Invalid pkt rcvd,
HA CP Clients Statistics
TX Statistics
-----------------------------------------------------------------------------------------------------------------
Client Name TxIn TxOut BErr MDErr AckRcvd ReTx NoSvc PIErr EncErr RepCfg
-----------------------------------------------------------------------------------------------------------------
Legacy LU Support 478 478 0 0 0 0 0 0 0 0
vpnfo 2 2 0 0 2 0 0 0 0 0
HA CD Proxy Client 17 17 0 0 17 0 0 0 0 0
-----------------------------------------------------------------------------------------------------------------
Total Aggressive Ack rcvd : 0
RX Statistics
-----------------------------------------------------------------------------------------------------------------
Client Name RxIn RxOut MDErr AckSent NMsgCb InVcid PIErr InvPkt
-----------------------------------------------------------------------------------------------------------------
Legacy LU Support 478 478 0 0 0 0 0 0
vpnfo 1960 1960 0 12 0 0 0 0
CTS 1 1 0 1 0 0 0 0
CFG_HIST HA Client 12 12 0 12 0 0 0 0
HA CD Proxy Client 10 10 0 10 0 0 0 0
ZTNA HA Module 1 1 0 1 0 0 0 0
-----------------------------------------------------------------------------------------------------------------
Total Aggressive Ack sent : 0
Total Invalid pkts rcvd : 0
Total unknown client pkts rcvd : 0
Failover cumulative packet statistics
-------------------------------------
tx:854
rx:786
The following is a sample output (only non-zero rows) from the show failover statistics np-clients command:
show failover statistics np-clients
Abbreviations:
BLErr - Buffer lock error, HIErr - HA Interface error, PI - Peer incompatible
PSErr - Packet size error, IPkt - Invalid pkt, CPkt - Corrupted pkt
BErr - Buffer error, MDErr - Msg descriptor error, MxBErr - Multiplexer buffer error
MxBDErr - Multiplexer buffer descriptor error
HA DP Clients Statistics
TX Statistics
-------------------------------------------------------------------------------------------
Client Name Tx In Tx Out BLErr HIErr PI
-------------------------------------------------------------------------------------------
Soft NP flow stateful failover 1420091 1420091 0 0 0
Soft NP NLP HA client 45131 45131 0 0 0
Soft NP NLP HA client current 45129 45129 0 0 0
SNP HA Heartbeat Client 4240 4240 0 0 0
--------------------------------------------------------------------------------------------
RX Statistics
---------------------------------------------------------------------------------------------
Client Name Rx In Rx Out PSErr IPkt CPkt PI
---------------------------------------------------------------------------------------------
Soft NP NLP HA client 7943 7943 0 0 0 0
Soft NP NLP HA client current 7943 7943 0 0 0 0
SNP HA Heartbeat client 4185 4185 0 0 0 0
---------------------------------------------------------------------------------------------
Buffer Failure Statistics
---------------------------------------------------------------------------------------------
Client Name BErr MDErr MxBErr MxBDErr
---------------------------------------------------------------------------------------------
Soft NP NLP HA is the HA client.
Soft NP NLP HA Current shows the counters for app sync in the current session:
The following is a sample output from the show failover statistics events command that shows the failover events statistics information:
show failover statistics events
Info: App agent is initialized at 18:57:51 UTC May 23 2023
Info: App agent interfaces are synced at 19:01:06 UTC May 23 2023
==========================================================================
MIO Events Table | Time | blade_id | chassis_id|
==========================================================================
MIO heartbeat recovered| 18:57:57 UTC May 23 2023| 1 | 0 |
MIO heartbeat failure | 19:01:06 UTC May 23 2023| 1 | 0 |
==========================================================================
======================================================================
Snort/Disk Events Table | Time | Status |
======================================================================
NGFW-1.0-diskstatus-1.0 | 18:57:32 UTC May 23 2023| Initializing|
NGFW-1.0-snort-1.0 | 18:57:32 UTC May 23 2023| Initializing|
NGFW-1.0-diskstatus-1.0 | 18:57:33 UTC May 23 2023| UP |
NGFW-1.0-snort-1.0 | 18:57:33 UTC May 23 2023| UP |
======================================================================
The following is a sample output from the show failover app-sync stats command:
show failover app-sync stats
==============================
App-Sync statistics
==============================
16:50:29 UTC Oct 16 2023
This host:
HA role: Secondary
HA state: Standby Ready
==============================
App-Sync Transport Tx count: 17
App-Sync Transport Tx error: 0
App-Sync Immediate Tx count: 17
App-Sync Immediate Tx error: 0
App-Sync Rx count: 10
App-Sync Rx error: 0
==============================