Cisco Bug: CSCta10530 - ASA - management sockets are not functional after failover via vpn

Last Modified

Nov 08, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases


Description (partial)

We noticed strange behavior of the management interface after failover.
Apparently some sockets are closed or not functional after failing from one unit to the other. 

The symptoms are, for example, that ssh does not work any more, or http does not work.

In the logs we see connection closed due to SYN timeout:
ASA# sh log | i
Jun 08 2009 11:50:17: %ASA-6-302013: Built inbound TCP connection 41844293 for inside: ( to identity: ( (useri)

ASA# sh log | i

ASA# sh log | i
Jun 08 2009 11:50:26: %ASA-6-302014: Teardown TCP connection 41843606 for inside: to identity: duration 0:00:30 bytes 0 SYN Timeout (useri)
You can verify the status of the socket via show asp table socket.

For example before failover we see the following:

TCP       03cef8c4     *               LISTEN
TCP       03cf045c     *               LISTEN

Here the https socket on the management interface is not listening although the correct statement is there:
ASA# sh run http
http server enable 10443
http inside
http mgmt
After failover:
DUNASA1/pri/act# sh asp t so
Protocol  Socket    Local Address               Foreign Address         State
SSL       064d2624  *               LISTEN
TCP       0bb0405c     *               LISTEN

Here the https is now open but the ssh is closed.
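The two checks described above (SYN-timeout teardowns toward the identity interface in the syslog, and the LISTEN entries in show asp table socket before and after failover) can be automated so that a failover event is followed by a quick management-plane health check. The following Python is an added example, not Cisco code and not part of the bug record; the syslog lines and socket tables are constructed to mirror the shapes shown in the description, with RFC 5737 placeholder addresses standing in for the addresses that were stripped from the page, and the http server default of 443 when no port is given is an assumption about the ASA configuration syntax.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# --- Symptom 1: management-plane connections torn down with "SYN Timeout" -----
#
# %ASA-6-302014 is logged when a TCP connection is torn down. A teardown whose
# destination interface is "identity" (the ASA itself) with reason "SYN Timeout"
# and 0 bytes means a client sent SYNs to a service on the box (ssh, https, ...)
# and never got a SYN/ACK, which is what the bug description shows after failover.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>\w+):(?P<src>\S+) to (?P<dst_if>\w+):(?P<dst>\S+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+?)"
    r"(?: \([^)]*\))?\s*$"          # optional trailing "(username)"
)

# Constructed sample syslog (addresses are placeholders, not from the bug page).
SAMPLE_SYSLOG = """\
Jun 08 2009 11:50:17: %ASA-6-302013: Built inbound TCP connection 41844293 for inside:192.0.2.10/51234 (192.0.2.10/51234) to identity:198.51.100.1/22 (198.51.100.1/22) (useri)
Jun 08 2009 11:50:26: %ASA-6-302014: Teardown TCP connection 41843606 for inside:192.0.2.10/51234 to identity:198.51.100.1/22 duration 0:00:30 bytes 0 SYN Timeout (useri)
Jun 08 2009 11:51:02: %ASA-6-302014: Teardown TCP connection 41843700 for inside:192.0.2.11/40000 to outside:203.0.113.5/443 duration 0:00:30 bytes 0 SYN Timeout
Jun 08 2009 11:52:10: %ASA-6-302014: Teardown TCP connection 41843801 for inside:192.0.2.12/40001 to identity:198.51.100.1/22 duration 0:01:10 bytes 5120 TCP FINs
"""


def management_syn_timeouts(syslog: str) -> List[Dict[str, str]]:
    """Return every 302014 teardown toward 'identity' whose reason is 'SYN Timeout'.
    Transit traffic (other destination interfaces) and normal FIN closes are ignored."""
    hits = []
    for line in syslog.splitlines():
        m = TEARDOWN_RE.search(line)
        if m and m.group("dst_if") == "identity" and m.group("reason") == "SYN Timeout":
            hits.append(m.groupdict())
    return hits


# --- Symptom 2: configured services with no LISTEN socket ---------------------

HTTP_PORT_RE = re.compile(r"^http server enable(?: (\d+))?\s*$", re.M)


def https_listener_port(show_run_http: str) -> Optional[int]:
    """Port the ASDM/https server should listen on, from 'show run http'.
    Assumes port 443 when 'http server enable' carries no port argument."""
    m = HTTP_PORT_RE.search(show_run_http)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) else 443


def listening_sockets(show_asp_table_socket: str) -> Set[Tuple[str, int]]:
    """Parse 'show asp table socket' into {(protocol, local_port)} for LISTEN rows.
    Header, blank and non-LISTEN rows are skipped."""
    listeners = set()
    for line in show_asp_table_socket.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Protocol" or parts[-1] != "LISTEN":
            continue
        proto, local = parts[0], parts[2]
        _host, sep, port = local.rpartition(":")
        if sep and port.isdigit():
            listeners.add((proto, int(port)))
    return listeners


def missing_listeners(show_asp_table_socket: str,
                      expected: Set[Tuple[str, int]]) -> Set[Tuple[str, int]]:
    """Configured services that currently have no LISTEN socket."""
    return expected - listening_sockets(show_asp_table_socket)


def failover_report(before: str, after: str,
                    expected: Set[Tuple[str, int]]) -> Dict[str, Set[Tuple[str, int]]]:
    """Diff the socket table across a failover and flag what is still missing."""
    b, a = listening_sockets(before), listening_sockets(after)
    return {"lost": b - a, "gained": a - b, "missing_after": expected - a}


# Constructed socket tables modelled on the description: socket ids are the ones
# shown on the page, addresses are placeholders. Before failover https (SSL) is
# not listening; after failover https is up but ssh (TCP/22) is gone.
SHOW_RUN_HTTP = "http server enable 10443\nhttp inside\nhttp mgmt\n"
BEFORE_FAILOVER = """\
Protocol  Socket    Local Address               Foreign Address         State
TCP       03cef8c4  198.51.100.1:22             0.0.0.0:*               LISTEN
TCP       03cf045c  198.51.100.1:23             0.0.0.0:*               LISTEN
"""
AFTER_FAILOVER = """\
Protocol  Socket    Local Address               Foreign Address         State
SSL       064d2624  198.51.100.1:10443          0.0.0.0:*               LISTEN
TCP       0bb0405c  198.51.100.1:23             0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    expected = {("TCP", 22), ("SSL", https_listener_port(SHOW_RUN_HTTP))}
    for hit in management_syn_timeouts(SAMPLE_SYSLOG):
        print(f"management SYN timeout: conn {hit['conn']} {hit['src']} -> {hit['dst']}")
    print("before failover, missing:", missing_listeners(BEFORE_FAILOVER, expected))
    print("after failover:", failover_report(BEFORE_FAILOVER, AFTER_FAILOVER, expected))
```

The expected set is built from the device's own configuration rather than hard-coded, so the same check works on a unit where ASDM runs on 443 or where ssh is not enabled at all; run it against the active unit's output immediately after a failover and alert on any non-empty missing_after set, since a management service that is configured but not listening is exactly the state this bug leaves behind.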

not clear yet.