I've been running asa984-25 for a while. I've had some minor issues that I've been keeping an eye on, such as random VPN disconnections that I attributed to brief loss of internet service. Actually, the ASA 5515-X HA pair that I have seems to have a problem. When looking at "show fail" output, there are messages being dropped between the HA pair, while nothing has changed except code upgrades.
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet0/1 (up)
Stateful Obj      xmit        xerr    rcv       rerr
General           13076790    0       65410     18019
sys cmd           20892       0       20892     0
up time           0           0       0         0
RPC services      0           0       0         0
TCP conn          2579048     0       7300      426    ->>>>>>>>>>>>>>>>>
UDP conn          10371792    0       36767     17566  ->>>>>>>>>>>>>
ARP tbl           47062       0       206       0
Xlate_Timeout     0           0       0         0
IPv6 ND tbl       0           0       0         0
VPN IKEv1 SA      11          0       1         0
VPN IKEv1 P2      11          0       1         0
VPN IKEv2 SA      55364       0       170       0
VPN IKEv2 P2      548         0       13        0
VPN CTCP upd      0           0       0         0
VPN SDI upd       0           0       0         0
VPN DHCP upd      0           0       0         0
SIP Session       868         0       12        0
SIP Tx            217         0       10        0
SIP Pinhole       217         0       10        0
Route Session     759         0       27        27     ->>>>>>>>>>>>>>>
Router ID         1           0       1         0
User-Identity     0           0       0         0
CTS SGTNAME       0           0       0         0
CTS PAC           0           0       0         0
TrustSec-SXP      0           0       0         0
IPv6 Route        0           0       0         0
STS Table         0           0       0         0
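The rows the poster marked with arrows are the ones whose rerr (receive error) counter is non-zero. Eyeballing that table each time is error-prone, so here is an added example (not the poster's code and not a Cisco tool) that parses the stateful update statistics block of `show failover` and flags object types with error counters, so the check can be run from a monitoring job instead of by hand. The sample input is transcribed from the output above; the `min_ratio` threshold and the report wording are assumptions of this script. It also checks that the General row equals the sum of the other rows, which holds for every column in the posted output.

```python
"""Flag error counters in Cisco ASA 'show failover' stateful update statistics.

Added example for this thread; not the poster's code and not a Cisco tool.
Sample text transcribed from the posted output; min_ratio is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed from the posted table (a few of the poster's '->>>' marks kept
# to show the parser tolerates them).
SAMPLE_SHOW_FAILOVER = """\
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet0/1 (up)
Stateful Obj xmit xerr rcv rerr
General 13076790 0 65410 18019
sys cmd 20892 0 20892 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 2579048 0 7300 426 ->>>>>>>>>>>>>>>>>
UDP conn 10371792 0 36767 17566 ->>>>>>>>>>>>>
ARP tbl 47062 0 206 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 11 0 1 0
VPN IKEv1 P2 11 0 1 0
VPN IKEv2 SA 55364 0 170 0
VPN IKEv2 P2 548 0 13 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 868 0 12 0
SIP Tx 217 0 10 0
SIP Pinhole 217 0 10 0
Route Session 759 0 27 27 ->>>>>>>>>>>>>>>
Router ID 1 0 1 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
"""

# One data row: object name (may contain spaces), then xmit xerr rcv rerr,
# optionally followed by a hand-drawn marker such as '->>>>'.
ROW_RE = re.compile(
    r"^(?P<obj>\S.*?)\s+(?P<xmit>\d+)\s+(?P<xerr>\d+)\s+(?P<rcv>\d+)\s+(?P<rerr>\d+)"
    r"(?:\s+->*)?\s*$"
)


@dataclass
class StatRow:
    obj: str
    xmit: int
    xerr: int
    rcv: int
    rerr: int

    @property
    def rerr_ratio(self) -> float:
        """Fraction of received updates that errored (0.0 when nothing was received)."""
        return self.rerr / self.rcv if self.rcv else 0.0


def parse_failover_stats(text: str) -> List[StatRow]:
    """Return the data rows; title, link and column-header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(StatRow(m["obj"].strip(), int(m["xmit"]), int(m["xerr"]),
                                int(m["rcv"]), int(m["rerr"])))
    return rows


def flag_errors(rows: List[StatRow], min_ratio: float = 0.0) -> List[StatRow]:
    """Rows (excluding the General total) with any error counter and rerr ratio >= min_ratio."""
    return [r for r in rows if r.obj != "General"
            and (r.xerr > 0 or r.rerr > 0) and r.rerr_ratio >= min_ratio]


def general_matches_sum(rows: List[StatRow]) -> bool:
    """Sanity check: the General row should be the column-wise sum of the other rows."""
    general = next(r for r in rows if r.obj == "General")
    others = [r for r in rows if r.obj != "General"]
    return all(getattr(general, f) == sum(getattr(r, f) for r in others)
               for f in ("xmit", "xerr", "rcv", "rerr"))


def report(text: str, min_ratio: float = 0.0) -> List[str]:
    rows = parse_failover_stats(text)
    lines = [f"{r.obj}: xerr={r.xerr} rerr={r.rerr} of rcv={r.rcv} ({r.rerr_ratio:.1%})"
             for r in flag_errors(rows, min_ratio)]
    if not general_matches_sum(rows):
        lines.append("WARNING: General row does not equal the sum of the other rows")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SHOW_FAILOVER)))
```

On the posted output this reports TCP conn (426 of 7300 received updates errored), UDP conn (17566 of 36767, nearly half) and Route Session (27 of 27, every received update), which matches the rows the poster marked. Feeding it the output of `show failover` on a schedule and alerting when a previously clean row starts accumulating rerr is a cheap way to notice this kind of HA degradation before users report VPN drops.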
I don't have access to ASA code at the moment either :twitch:
Given the constantly-arriving slew of Cisco security advisories, my first go-to is "upgrade?" Is that a possibility?
Looking to replace them in the near future. I think the only way to get the code is with smartnet which is lacking.
We use 5515x for VPN as well. I am showing a similar output. I don't have any failures on Route Session. I don't have any issues with VPN. Can regularly stay connected all day. If you don't have Smartnet you should be able to get an upgraded firmware if you can identify a security bug that is present in your current version. My understanding is you can open a request with Cisco, and they will give you a link to download the fixed release without Smartnet. I have not had to do it, but it might be worth a try.
-Otanx