Cisco Bug: CSCvv99256 - Large object-group config with increased control point CPU usage can lead to config sync failure

Last Modified

Oct 08, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(2.9)

Description (partial)

Symptom:
A standby ASA/FTD trying to join a failover/HA setup might reboot during the initial configuration sync with a message like the following:

*** REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE, TO PREVENT THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION, THE STANDBY UNIT WILL NOW REBOOT ***

This happens within a minute of the unit trying to sync the configuration.

Conditions:
A relatively large object-group and access-list configuration, along with slightly elevated control point CPU usage on the Active firewall. The control point CPU usage can be confirmed using the "show cpu detailed" command; during the sync, the Active firewall will show it as 100%, as below:

Current control point elapsed versus the maximum control point elapsed for:
5 seconds = 100.0%; 1 minute: 8.0%; 5 minutes: 1.7%
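
One way to check saved captures for both signatures in this bug description (an added example, not Cisco code). The function names, the 95% cutoff, the idle sample and the line wrap in the standby capture are assumptions made for illustration; the banner and CPU lines are the ones quoted above.

```python
import re

# Start of the reboot banner as quoted in the bug description.
REBOOT_BANNER = "REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE"

# Control point summary lines as quoted in the bug description.
CP_RE = re.compile(
    r"Current control point elapsed versus the maximum control point elapsed for:\s*"
    r"5 seconds\s*=\s*([\d.]+)%;\s*1 minute:\s*([\d.]+)%;\s*5 minutes:\s*([\d.]+)%")

# Text from this page; the wrap inside the banner is constructed.
ACTIVE_DURING_SYNC = """Current control point elapsed versus the maximum control point elapsed for:
5 seconds = 100.0%; 1 minute: 8.0%; 5 minutes: 1.7%"""
STANDBY_CONSOLE = """*** REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS
INCOMPLETE, TO PREVENT THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL
CONFIGURATION, THE STANDBY UNIT WILL NOW REBOOT ***"""
# Constructed sample: same layout, low control point usage.
ACTIVE_IDLE = """Current control point elapsed versus the maximum control point elapsed for:
5 seconds = 3.0%; 1 minute: 2.5%; 5 minutes: 1.7%"""


def control_point_usage(show_cpu_detailed):
    """Return (5 s, 1 min, 5 min) control point percentages, or None if absent."""
    m = CP_RE.search(show_cpu_detailed)
    return tuple(float(v) for v in m.groups()) if m else None


def standby_rebooted(console_text):
    """True if the banner is present, even when the capture wrapped it."""
    return REBOOT_BANNER in " ".join(console_text.split())


def matches_bug_signature(active_cpu, standby_console, threshold=95.0):
    """Both symptoms present: banner on standby, 5 s control point CPU >= threshold.

    threshold is an assumed cutoff; the bug description only shows 100%.
    """
    usage = control_point_usage(active_cpu)
    return (usage is not None and usage[0] >= threshold
            and standby_rebooted(standby_console))


if __name__ == "__main__":
    print(control_point_usage(ACTIVE_DURING_SYNC))
    print(matches_bug_signature(ACTIVE_DURING_SYNC, STANDBY_CONSOLE))
    print(matches_bug_signature(ACTIVE_IDLE, STANDBY_CONSOLE))
```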