KB ID 0001027 Dtd 31/01/15
I had an ASA Active/Standby problem last week, each time I tried to make the primary firewall active, it would fail straight straight back. A look on the ASA told me the problem was one of the clients DMZ connections, (it was stuck in a ‘waiting’ state). A no monitor-interface DMZ command let me bring the primary ASA up active, but I had to visit the site to investigate the problem.
The firewall showed that its interface was up/up, the other end of the cable (a Cisco 3560-X) said;
GigabitEthernet0/23 is up, line protocol is down (monitoring) Hardware is Gigabit Ethernet, address is 5087.89ed.4917 (bia 5087.89ed.4917) Description: Uplink-To-Firewall MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output 1d01h, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 3000 bits/sec, 2 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected
I thought only I had ever worked on this switch, so I was confused, why could I not bring the interface up? The switch could not ping the firewall and vice versa.
Every Google I did for people with a similar problem said, ‘This port is part of a SPAN config’, but as far as I knew only I had ever configured this switch and I certainly never enabled SPAN, and if i had, it would not have been on the firewall uplink port! But just to be on the safe side I did a ‘show monitor session all’ and guess what? Someone had, so let’s turn it off;
DMZ-Switch(config)#no monitor session all
Related Articles, References, Credits, or External Links