ASA FAQ: Why does the "show failover history" command indicate a configuration mismatch?

Available Languages

Download Options

  • PDF     (6.5 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (73.9 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (72.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 28, 2014
Document ID:117906

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes why a show failover history command ouput sometimes shows that the Adaptive Security Appliance (ASA) standby firewall transitioned from a "Standby Ready" state into a "Cold Standby" state due to a "Configuration Mismatch".

Why does the "show failover history" command indicate a configuration mismatch?

An ASA active/standby failover configuration allows a standby ASA to take over the functionality of an active failed ASA. Failover functionality requires that the active and standby appliance configurations remain synchronized. A show failover history command ouput sometimes shows that the standby firewall transitioned from a "Standby Ready" state into a "Cold Standby" state due to a "Configuration Mismatch".

ASA/stb# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
16:01:05 CET Sep 23 2013
Standby Ready              Cold Standby               Configuration mismatch
16:01:07 CET Sep 23 2013
Cold Standby               Sync Config                Configuration mismatch
16:01:31 CET Sep 23 2013
Sync Config                Sync File System           Configuration mismatch
16:01:31 CET Sep 23 2013
Sync File System           Bulk Sync                  Configuration mismatch
16:01:47 CET Sep 23 2013
Bulk Sync                  Standby Ready              Configuration mismatch

The transition from "Standby Ready" to "Cold Standby" on the standby ASA is caused when a user enters a write standby command from the active firewall. This command is sometimes mistakenly used in order to save the configuration on the standby unit. However, the write standby command forces a complete resynchronization of the configuration from the active firewall to the standby firewall and should not be used during normal ASA operation.

If you want to save the standby ASA in-service configuration to flash, enter the write mem command on the active unit. This command is synchronized between both units and writes the configuration to flash on both the active and standby firewalls.

Note: Per the ASA online documentation, the write standby command replicates the configuration to the in-service configuration of the peer unit; it does not save the configuration to the startup configuration. In order to save the configuration changes to the startup configuration, enter the copy running-config startup-config command on the active unit. The command will be replicated to the standby peer unit and the configuration saved to the startup configuration.

Related Information

Revision History

Revision Publish Date Comments
1.0
28-Jul-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Haitham Jaradat and Magnus Mortensen
    Cisco TAC Engineers.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products