Access asa in standby

Hi,
Is there a way to access the ASA in a failover pair that is in standby mode from the primary ASA?
I.e. I am logged into the primary ASA via command line and was hoping to access the other ASA from here.
Thank you.

You can apply commands and see its outputs, but you won't be logged into the other unit from the active one.
To do that, there is a command:
"Failover mate exec "
I.e
Failover mate exec show version
For this to work, the failover link should be up.

Similar Messages

  • Cisco ASA Active standby failover problem

    We have configured ASA Active/Standby failover with ASA5505s. When the primary unit is powered off, the secondary unit becomes active. When the primary unit is powered on, the primary unit becomes active again. I think for an Active/Standby setup there is no preemption. The real issue is that when the primary ASA becomes active after power on, all the external connectivity goes down. Please see the config below,
    ASA01# show run
    ASA01# show running-config 
    : Saved
    ASA Version 8.2(5) 
    hostname ASA01
    enable password PVSASRJovmamnVkD encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.1 MPLS_Router description MPLS_Router 
    name 192.168.2.1 SCADA_Router description SCADA_Router
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
     switchport access vlan 2
    interface Ethernet0/3
    interface Ethernet0/4
     switchport access vlan 3
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9 
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9 
    interface Vlan3
     description LAN Failover Interface
    ftp mode passive
    clock timezone AST 3
    access-list inside_access_in extended permit icmp any any 
    access-list inside_access_in extended permit ip any any 
    access-list inside_access_in extended permit ip any host MPLS_Router 
    access-list outside_access_in extended permit icmp any any 
    access-list outside_access_in extended permit ip any any 
    access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER Vlan3
    failover key *****
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route-map Route_Out permit 1
     match ip address inside_access_in outside_access_in
     match interface inside
    route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    http authentication-certificate inside
    http authentication-certificate outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password eY/fQXw7Ure8Qrz7 encrypted
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
    : end

    I suggest removing the failover configuration on both units, re-adding it, and then testing.
    Primary
    failover lan interface FAILOVER Vlan3
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    failover lan unit primary
    failover key KEY
    failover
    Secondary
    failover lan interface FAILOVER Vlan3
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    failover lan unit secondary
    failover key KEY
    failover
    Please remember to select a correct answer and rate helpful posts

  • Why can't I access ASA 8.4 through ASDM from the outside interface???

    Hi all,
    Please help me, why can't I access the ASA's ASDM from the outside interface?
    My public IP on outside is:
    x.x.55.34
    I changed the port of ASDM to 65000 because I have port forwarding,
    I tried to connect to my IP through ASDM by:
    x.x.55.34
    x.x.55.34:65000
    but no luck,
    it succeeds if I try to connect locally.
    Here is my sh run command:
    ====================================================
    ASA5505#
    ASA5505# sh run
    : Saved
    ASA Version 8.4(2)
    hostname ASA5505
    enable password qsddsEGCCSH encrypted
    passwd 2KFsdsdbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 2
    interface Vlan1
    nameif ins
    security-level 100
    ip address 10.66.12.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 50
    ip address x.x.55.34 255.255.255.248
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-0.0.0.0
    host 0.0.0.0
    object network localsubnet
    subnet 10.66.12.0 255.255.255.0
    description localsubnet
    object network HTTP-Host
    host 10.66.12.249
    description web server
    object network HTTPS-HOST
    host 10.66.12.249
    description Https
    object network RDP-Host
    host 10.66.12.122
    description RDP host
    object network citrix-host
    host 10.66.12.249
    description citrix
    object service rdp
    service tcp destination eq 3389
    object service https
    service tcp destination eq https
    object service citrix
    service tcp destination eq 2598
    object service http
    service tcp destination eq www
    object network RDP1
    host 10.66.12.249
    object network HTTPS-Host
    host 10.66.12.249
    object network CITRIX-Host
    host 10.66.12.249
    object-group network RDP-REDIRECT
    object-group network HTTP-REDIRECT
    object-group network HTTPS-REDIRECT
    object-group network CITRIX-ICA-HDX-REDIRECTION
    object-group network CITRIX-ICA-SESSION-RELIABILITY-REDIRECTION
    object-group service CITRIX-ICA-HDX
    object-group service CITRIX-SR
    object-group service RDP
    object-group network MY-insideNET
    network-object 10.66.12.0 255.255.255.0
    access-list outside_in extended permit tcp any host 10.66.12.249 eq www
    access-list outside_in extended permit tcp any host 10.66.12.249 eq https
    access-list outside_in extended permit tcp any host 10.66.12.249 eq 2598
    access-list outside_in extended permit tcp any host 10.66.12.122 eq 3389
    access-list outside_in extended permit tcp any host 10.66.12.249 eq citrix-ica
    access-list outside_in extended permit tcp any host x.x.55.34 eq 65000
    access-list outside_in extended permit tcp any host x.x.55.34 eq https
    access-list outside_in extended permit ip any any
    pager lines 24
    mtu ins 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    object network localsubnet
    nat (ins,outside) dynamic interface
    object network HTTP-Host
    nat (ins,outside) static interface service tcp www www
    object network RDP-Host
    nat (ins,outside) static interface service tcp 3389 3389
    object network HTTPS-Host
    nat (ins,outside) static interface service tcp https https
    object network CITRIX-Host
    nat (ins,outside) static interface service tcp citrix-ica citrix-ica
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 62.109.55.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable 65000
    http 10.66.12.0 255.255.255.0 ins
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      quit
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access outside
    dhcpd address 10.66.12.160-10.66.12.180 ins
    dhcpd dns 212.112.166.22 212.112.166.18 interface ins
    dhcpd enable ins
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username test password P4ttSdddd3SV8TYp encrypted privilege 15
    username ADMIN password 5dddd3ThngqY encrypted privilege 15
    username drvirus password p03BtCddddryePSDf encrypted privilege 15
    username cisco password edssdsdOAQcNEL encrypted privilege 15
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    For access over VPN you need:
    management-access inside
    and don't forget:
    ssh inside
    http inside
    I'm guessing you forgot to grant ASDM (http/https) access to the IP addresses used by the VPN?  Can you SSH?  If not, that is your problem to solve first.
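An added example (not from the thread, and not Cisco's code) that audits the management-plane lines the reply above turns on: it parses the `http`/`ssh`/`telnet` source restrictions, `management-access` and `aaa authentication ... console` from an ASA config and reports the exposed ones. The sample config is constructed to mirror the shape of the posted one, and the severity rules are this example's own assumptions.

```python
"""Audit management-plane exposure in a Cisco ASA running-config.

Looks at the lines the reply above turns on: `http`, `ssh` and `telnet`
source restrictions, `management-access`, and whether HTTP/SSH sessions
are authenticated with `aaa authentication ... console`.
Severity rules are this example's own assumptions, not Cisco guidance.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample that mirrors the shape of the posted config
# (interface names and addresses are illustrative, not a real device).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif ins
 security-level 100
interface Vlan2
 nameif outside
 security-level 50
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 65000
http 10.66.12.0 255.255.255.0 ins
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access outside
"""

# http|ssh|telnet <source-ip> <mask> <nameif>
ACCESS_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def interface_security_levels(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level (lower = less trusted)."""
    levels: Dict[str, int] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels


def audit_management_access(config: str) -> List[Dict[str, str]]:
    """Return findings as dicts with keys severity, line and reason."""
    findings: List[Dict[str, str]] = []
    levels = interface_security_levels(config)
    lowest = min(levels.values()) if levels else 0

    def add(severity: str, line: str, reason: str) -> None:
        findings.append({"severity": severity, "line": line, "reason": reason})

    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proto, ip, mask, iface = m.groups()
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        # An unknown nameif is treated as untrusted (same as the lowest level).
        untrusted = levels.get(iface, lowest) <= lowest
        if proto == "telnet":
            add("high", line, "telnet is cleartext; use ssh instead")
        if net.prefixlen == 0:
            add("high" if untrusted else "medium", line,
                f"{proto} management open to any source on {iface}")

    m = re.search(r"^management-access\s+(\S+)", config, re.M)
    if m and levels.get(m.group(1), lowest) <= lowest:
        add("medium", m.group(0),
            "management-access on the least-trusted interface; the reply "
            "above puts it on inside for VPN management")

    if re.search(r"^http server enable", config, re.M) and \
            "aaa authentication http console" not in config:
        add("high", "http server enable", "ASDM/HTTP sessions not tied to AAA")
    if re.search(r"^ssh \d", config, re.M) and \
            "aaa authentication ssh console" not in config:
        add("high", "ssh <net> <iface>", "SSH sessions not tied to AAA")
    return findings


if __name__ == "__main__":
    for f in audit_management_access(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['line']}: {f['reason']}")
```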

  • ASA Active/Standby mode and Hello messages

    Hi Everyone,
    On the ASA in Active/Standby mode I know that, say, the inside or any other interface of the active and standby ASA should connect to the same switch and VLAN.
    When we assign, say, an IP address to the inside interface of both ASAs like
    ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2 255.255.255.0
    I need to know whether these inside interfaces talk to each other or not.
    Do they send hello messages?
    Thanks
    Mahesh

    Hi Mahesh,
    The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.
    The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.
    By default all Physical interfaces are automatically monitored. To my understanding Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.
    You would use the command
    monitor-interface
    Check the Command Reference section for this
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112
    I would also suggest reading the following section of the Configuration Guide
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010
    It has information on the Unit and Interface health monitoring of the Failover pair.
    If you want to debug Failover activity you could use the command
    debug fover
    It has multiple additional parameters after that command
    Here is the Command Reference section for the debug command
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011
    You can even attach a computer on the switch between the ASAs and capture the packets between them and you can see the Failover messages etc from the ASAs
    - Jouni

  • Best practice for ASA Active/Standby failover

    Hi,
    I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
    Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy?  Thanks in advance!

    Hi Vibhor,
    I test ping from R1 to R2 and ping drops when I shut down either the inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show failover' and 'show run',
    ASSA1# conf t
    ASSA1(config)# int g1
    ASSA1(config-if)# shut
    ASSA1(config-if)# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 60 maximum
    Version: Ours 8.4(2), Mate 8.4(2)
    Last Failover at: 14:20:00 SGT Nov 18 2014
            This host: Primary - Active
                    Active time: 7862 (sec)
                      Interface outside (100.100.100.1): Normal (Monitored)
                      Interface inside (192.168.1.1): Link Down (Monitored)
                      Interface mgmt (10.101.50.100): Normal (Waiting)
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                      Interface outside (100.100.100.2): Normal (Monitored)
                      Interface inside (192.168.1.2): Link Down (Monitored)
                      Interface mgmt (0.0.0.0): Normal (Waiting)
    Stateful Failover Logical Update Statistics
            Link : FAILOVER GigabitEthernet2 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         1053       0          1045       0
            sys cmd         1045       0          1045       0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          0          0
            UDP conn        0          0          0          0
            ARP tbl         2          0          0          0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKEv1 SA    0          0          0          0
            VPN IKEv1 P2    0          0          0          0
            VPN IKEv2 SA    0          0          0          0
            VPN IKEv2 P2    0          0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Route Session   5          0          0          0
            User-Identity   1          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       9       1045
            Xmit Q:         0       30      10226
    ASSA1(config-if)#
    ASSA1# sh run
    : Saved
    ASA Version 8.4(2)
    hostname ASSA1
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
     ospf message-digest-key 20 md5 *****
     ospf authentication message-digest
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
     ospf message-digest-key 20 md5 *****
     ospf authentication message-digest
    interface GigabitEthernet2
     description LAN/STATE Failover Interface
    interface GigabitEthernet3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet4
     nameif mgmt
     security-level 0
     ip address 10.101.50.100 255.255.255.0
    interface GigabitEthernet5
     shutdown
     no nameif
     no security-level
     no ip address
    ftp mode passive
    clock timezone SGT 8
    access-list OUTSIDE_ACCESS_IN extended permit icmp any any
    pager lines 24
    logging timestamp
    logging console debugging
    logging monitor debugging
    mtu outside 1500
    mtu inside 1500
    mtu mgmt 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER GigabitEthernet2
    failover link FAILOVER GigabitEthernet2
    failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715-100.bin
    no asdm history enable
    arp timeout 14400
    access-group OUTSIDE_ACCESS_IN in interface outside
    router ospf 10
     network 100.100.100.0 255.255.255.0 area 1
     network 192.168.1.0 255.255.255.0 area 0
     area 0 authentication message-digest
     area 1 authentication message-digest
     log-adj-changes
     default-information originate always
    route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.101.50.0 255.255.255.0 mgmt
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.101.50.0 255.255.255.0 mgmt
    ssh timeout 5
    console timeout 0
    tls-proxy maximum-session 10000
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
    : end
    ASSA1#
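An added example (not from either post, nor Cisco's code) that parses `show failover` output like the one above and applies the interface-policy rule behind Jouni's interface-monitoring explanation in the earlier thread: a monitored-interface failure on the active unit only produces a switchover when the standby has fewer failed monitored interfaces, which is my reading of the documented triggering rules and explains why shutting g1 here left traffic dropping rather than moving to ASA2. The sample output is constructed to match the posted one.

```python
"""Parse `show failover` output and decide whether the interface policy
would trigger a switchover.  The sample is constructed to match the
shape of the output posted above; the decision rule is this example's
reading of the documented ASA failover triggering behaviour.
"""
import re
from typing import Dict, List

SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
        This host: Primary - Active
                Active time: 7862 (sec)
                  Interface outside (100.100.100.1): Normal (Monitored)
                  Interface inside (192.168.1.1): Link Down (Monitored)
                  Interface mgmt (10.101.50.100): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (100.100.100.2): Normal (Monitored)
                  Interface inside (192.168.1.2): Link Down (Monitored)
                  Interface mgmt (0.0.0.0): Normal (Waiting)
"""

HOST_RE = re.compile(r"^(This host|Other host):\s+(\S+)\s+-\s+(.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]*)\):\s+(.+?)\s+\((\S+)\)$")
POLICY_RE = re.compile(r"^Interface Policy (\d+)(%?)$")


def parse_show_failover(text: str) -> Dict:
    """Extract the interface policy and each unit's per-interface state."""
    result: Dict = {"policy": 1, "policy_is_percent": False, "hosts": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            result["policy"] = int(m.group(1))
            result["policy_is_percent"] = m.group(2) == "%"
            continue
        m = HOST_RE.match(line)
        if m:
            current = {"unit": m.group(2), "state": m.group(3).strip(), "interfaces": {}}
            result["hosts"][m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, state, mode = m.groups()
            current["interfaces"][name] = {"ip": ip, "state": state, "mode": mode}
    return result


def failed_monitored(host: Dict) -> List[str]:
    """Monitored interfaces that are not Normal; 'Waiting' ones are not counted."""
    return sorted(n for n, i in host["interfaces"].items()
                  if i["mode"] == "Monitored" and i["state"] != "Normal")


def threshold(result: Dict, host: Dict) -> int:
    """Number of failed interfaces that meets the policy (count or percent)."""
    if not result["policy_is_percent"]:
        return result["policy"]
    monitored = sum(1 for i in host["interfaces"].values() if i["mode"] == "Monitored")
    return max(1, -(-monitored * result["policy"] // 100))  # ceiling division


def switchover_expected(result: Dict) -> Dict:
    """Apply the policy to both units and explain the outcome."""
    hosts = list(result["hosts"].values())
    active = next((h for h in hosts if h["state"].startswith("Active")), None)
    standby = next((h for h in hosts if h["state"].startswith("Standby")), None)
    if active is None or standby is None:
        return {"expected": False, "reason": "no Active/Standby pair found in output"}
    a_failed, s_failed = failed_monitored(active), failed_monitored(standby)
    meets = len(a_failed) >= threshold(result, active)
    # Assumption: the standby only takes over if it is healthier than the active.
    expected = meets and len(s_failed) < len(a_failed)
    if not meets:
        reason = "active unit is below the interface policy threshold"
    elif not expected:
        reason = f"both units see failures {a_failed} / {s_failed}; no switchover"
    else:
        reason = f"active failed {a_failed}, standby healthier; switchover expected"
    return {"expected": expected, "active_failed": a_failed,
            "standby_failed": s_failed, "reason": reason}


if __name__ == "__main__":
    print(switchover_expected(parse_show_failover(SAMPLE_SHOW_FAILOVER)))
```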

  • No Internet Access ASA 5510 with Site to Site VPN

    I have inherited an ASA5510.
    We have configured a site-to-site VPN between it and a Juniper SRX550. The site-to-site VPN works fine but users behind the ASA cannot see the Internet. I'm pretty sure I'm missing something. Any help would be greatly appreciated.
    Thanks
    Here is the config
    : Saved
    ASA Version 9.0(4)
    hostname ciscoasa
    enable password m.EmhnDT1BILmiAY encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool RA_VPN_Hosts 10.10.1.200-10.10.1.225 mask 255.255.255.0
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address 209.112.49.2 255.255.255.192
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    nameif DMZ
    security-level 50
    ip address 10.10.11.1 255.255.255.0
    interface Ethernet0/3
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    boot system disk0:/asa904-k8.bin
    ftp mode passive
    clock timezone GMT 0
    object network obj-10.10.11.0
    subnet 10.10.11.0 255.255.255.0
    object network obj-10.10.1.0
    subnet 10.10.1.0 255.255.255.0
    object network NETWORK_OBJ_10.10.1.192_26
    subnet 10.10.1.192 255.255.255.192
    object network NETWORK_OBJ_10.10.1.0_24
    subnet 10.10.1.0 255.255.255.0
    object network NETWORK_OBJ_10.10.10.0_24
    subnet 10.10.10.0 255.255.255.0
    access-list Split_Tunnel_list standard permit 10.10.1.0 255.255.255.0
    access-list Split_Tunnel_list standard permit 10.10.10.0 255.255.255.0
    access-list Outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
    access-list Outside_cryptomap extended permit ip object obj-10.10.1.0 10.10.10.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit ip any any4
    access-list Outside_access_in extended permit ip any any
    access-list global_access extended permit ip any any
    access-list s2s extended permit ip object NETWORK_OBJ_10.10.10.0_24 any
    access-list s2s extended permit ip 10.10.1.0 255.255.255.0 10.10.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu Outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-731-101.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,Outside) source static obj-10.10.1.0 obj-10.10.1.0 destination static NETWORK_OBJ_10.10.1.192_26 NETWORK_OBJ_10.10.1.192_26 no-proxy-arp route-lookup
    object network obj-10.10.1.0
    nat (any,Outside) dynamic interface
    access-group Outside_access_in in interface Outside
    access-group inside_access_in in interface inside
    access-group global_access global
    route Outside 0.0.0.0 0.0.0.0 209.112.49.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.10.1.0 255.255.255.0 inside
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    sysopt connection preserve-vpn-flows
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 1 match address Outside_cryptomap
    crypto map Outside_map 1 set pfs group1
    crypto map Outside_map 1 set peer 209.171.34.91
    crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map Outside_map 1 set ikev2 pre-shared-key *****
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Outside_map interface Outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable Outside
    crypto ikev1 enable Outside
    crypto ikev1 ipsec-over-tcp port 10000
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 10.10.10.0 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy DfltGrpPolicy attributes
    vpn-filter value Outside_cryptomap
    group-policy RA_VPN internal
    group-policy RA_VPN attributes
    dns-server value 10.10.1.5 10.10.1.6
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split_Tunnel_list
    default-domain value carepath.com
    group-policy GroupPolicy_209.171.34.91 internal
    group-policy GroupPolicy_209.171.34.91 attributes
    vpn-filter value s2s
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    username cpadmin password SuNpolqZO8KYoffw encrypted privilege 15
    username cpadmin attributes
    vpn-group-policy RA_VPN
    username steve password zKezdIDBYe0zxG6W encrypted privilege 15
    username steve attributes
    vpn-group-policy RA_VPN
    username Forrestj password VhlOu4i/.IyOOTmy encrypted privilege 15
    username Forrestj attributes
    vpn-group-policy RA_VPN
    username janarthan password n32zoOqGRkFKGlJB encrypted privilege 15
    username janarthan attributes
    vpn-group-policy RA_VPN
    username Mckyedo password CcFuHnol1NALuUZs encrypted privilege 15
    username Mckyedo attributes
    vpn-group-policy RA_VPN
    tunnel-group RA_VPN type remote-access
    tunnel-group RA_VPN general-attributes
    address-pool RA_VPN_Hosts
    default-group-policy RA_VPN
    tunnel-group RA_VPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 209.171.34.91 type ipsec-l2l
    tunnel-group 209.171.34.91 general-attributes
    default-group-policy GroupPolicy_209.171.34.91
    tunnel-group 209.171.34.91 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f49e465720761f4829d125b81e4bdc1f
    : end
    asdm image disk0:/asdm-731-101.bin
    no asdm history enable
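The running-config above still carries DES, 3DES and MD5 transform sets, IKE policies down to single DES, and `set pfs group1`. The following is an added example (not from the thread) of a small audit script that walks such a config and lists every weak setting; SAMPLE_CONFIG is a constructed excerpt of the posted config.

```python
"""Audit IKE/IPsec crypto settings in a Cisco ASA running-config.

Added example, not part of the forum post: walks the crypto ikev1/ikev2 policy,
ipsec-proposal, transform-set and `set pfs` lines of a config like the one above
and flags settings that still allow DES, 3DES, MD5 or DH groups 1, 2 or 5.
SAMPLE_CONFIG is a constructed excerpt of the posted running-config.
"""
import re

# Algorithms and DH groups that current guidance treats as weak or deprecated.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
# Sub-commands that can appear under a policy or ipsec-proposal block.
POLICY_KEYS = {"authentication", "encryption", "hash", "integrity", "group", "prf", "lifetime"}

SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto map Outside_map 1 set pfs group1
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
"""

BLOCK_RE = re.compile(r"crypto (ikev[12] policy \d+|ipsec ikev2 ipsec-proposal \S+)")
TRANSFORM_RE = re.compile(r"crypto ipsec ikev1 transform-set (\S+) esp-(\S+) esp-(\w+)-hmac")
PFS_RE = re.compile(r"crypto (?:dynamic-map|map) (\S+ \d+) set pfs group(\d+)")


def audit_asa_crypto(config: str) -> list:
    """Return one human-readable finding per weak setting, in config order."""
    findings = []
    block = None  # name of the policy/proposal block we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BLOCK_RE.fullmatch(line)
        if m:
            block = m.group(1).replace("ipsec ikev2 ", "")
            continue
        # ipsec-proposal sub-commands read "protocol esp ..."; drop that prefix so
        # they share the checks below with ikev1/ikev2 policy sub-commands.
        if line.startswith("protocol esp "):
            line = line[len("protocol esp "):]
        key, _, rest = line.partition(" ")
        values = rest.split()
        if block and key in POLICY_KEYS:
            if key == "encryption":
                weak = [v for v in values if v in WEAK_ENCRYPTION]
                if weak:
                    findings.append(f"{block}: encryption {' '.join(weak)}")
            elif key in ("hash", "integrity", "prf") and WEAK_HASH & set(values):
                findings.append(f"{block}: {key} {rest}")
            elif key == "group":
                weak = [g for g in values if g in WEAK_DH_GROUPS]
                if weak:
                    findings.append(f"{block}: DH group(s) {' '.join(weak)}")
            continue
        block = None  # any other line ends the current block
        m = TRANSFORM_RE.fullmatch(line)
        if m:
            name, enc, auth = m.groups()
            if enc in WEAK_ENCRYPTION:
                findings.append(f"transform-set {name}: encryption {enc}")
            if auth in WEAK_HASH:
                findings.append(f"transform-set {name}: hash {auth}")
            continue
        m = PFS_RE.fullmatch(line)
        if m and m.group(2) in WEAK_DH_GROUPS:
            findings.append(f"map {m.group(1)}: PFS group {m.group(2)}")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_crypto(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` and prune the flagged transform sets, proposals and policies; the peer only needs one matching proposal, so the remaining AES/SHA entries keep the tunnels working.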

    Please fix your ACL, please remove the first line and change the second line.
    no access-list Outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
    access-list Outside_cryptomap extended permit ip object obj-10.10.1.0 10.10.1.192 255.255.255.192
    Thirdly add this static route.
    route Outside 10.10.1.192 255.255.255.192 209.112.49.1
    Fourth, please remove these lines as well.
    tunnel-group 209.171.34.91 general-attributes
     no default-group-policy GroupPolicy_209.171.34.91
    no group-policy GroupPolicy_209.171.34.91 internal
    no group-policy GroupPolicy_209.171.34.91 attributes
    no vpn-filter value s2s
    no vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    and these as well.
    Fifth, you don't need them; remove this ACL.
    no access-list s2s extended permit ip object NETWORK_OBJ_10.10.10.0_24 any
    no access-list s2s extended permit ip 10.10.1.0 255.255.255.0 10.10.10.0 255.255.255.0
    Hope this helps.
    Thanks,
    Rizwan Rafeek

  • ASM Direct file access (for creating standby database in Standard Edition)

    Hi all,
    Just really looking for any opinions, experience etc. that people may have about this.
    My company are looking to set up a RAC system. They have also asked me to think about creating a standby database for disaster recovery. The first problem they give me here is that they only pay for Standard Edition of Oracle, therefore Dataguard is not an option.
    I know that one can setup "manual" standby databases with Standard Edition, automating the shipping of archive logs with hand-written scripts etc. However, as the primary here is RAC, and will be using ASM on the shared storage, I'm not sure that this would be possible (and I'm even less sure that it would be desirable!). I say this because I don't know of a way to access (using only the O/S and/or Oracle) the database files stored in ASM, and even if there was a way, I can't imagine it being a good idea..
    Anybody know of a way to tackle it, or care to contribute anything to this? As I say, my opinion is that even if it is possible to get to those files within ASM and hence manipulate them, I'd be worried that it wouldn't be such a good idea. But I'm willing to bet I'm not the first to have thought about it...
    Regards,
    Ados
    Edit 1:
    Sorry, I should state that in principle, the basic environment is:
    Windows 2003 Server
    Oracle 10g R2
    I didn't state that originally though, as I'd be keen to hear from anyone who may have attempted this on any O/S and Oracle version.
    Edited by: Ados on 16-sep-2009 9:32
    Edit 2:
    I also realise we could put the archive logs on the local nodes.. but to reinforce the point, I'm talking about having them on the shared storage where - in theory - the management is easier and more effective.
    Edited by: Ados on 16-sep-2009 9:35

    For anyone interested..
    I guess it would be done using RMAN (in fact, I'm sure of it...) in which case, I feel a lot more comfortable doing it!!
    For example:
    backup as copy archivelog ALL to destination 'c:\temp\';
    This way, it shouldn't matter if the arch logs are stored using ASM, we can now get them and "see" them.. and hence "manipulate" them (pass them on to a standby DB, for example).
    I'm just waiting to get my hands on a Standard Edition installation where I can test all this.. To try it all out (with 2-node RAC, and a standby server) I don't think I'll get a chance, so still interested in opinions, or if anyone's actually done this.
    Regards,
    Ados

  • Step to prep CSC SSM on ASA Active/Standby mode

    Hi all, 
    I am trying to setup Active/Standby HA mode for my site.
    Currently the site is installed with one ASA firewall unit with a CSC-SSM module; the second unit is a new unit ready to be set up.
    My question:
    01. My concern is the second unit's CSC-SSM: what is the proper procedure or steps needed to prep it?
    Does the CSC-SSM need to be prepped before the ASAs are in HA mode, or will the configuration auto-propagate when both units are in HA mode?
    What else needs to be considered? Do I need to set up a different IP for the CSC-SSM management interface?
    Thanks
    Noel

    Hello Yong,
    Configuration related to the CSC or SSM modules will never get propagated, so you will basically need to configure it manually.
    Also, it's not as if failover will fail when the config on both modules is different, but of course you want to have the same one.
    IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other does not.
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Avoid read-only access at physical standby

    Hi!
    DB=11.2.0.2
    When I start the standby with
    SQL> startup
    the db is open read-only.
    Is there a way to configure the db so that the startup command only mounts the db and starts redo apply?
    This is the config:
    DGMGRL> show configuration verbose;
    Configuration - w
    Protection Mode: MaxPerformance
    Databases:
    w_01 - Primary database
    w_02 - (*) Physical standby database
    (*) Fast-Start Failover target
    Properties:
    FastStartFailoverThreshold = '30'
    OperationTimeout = '30'
    FastStartFailoverLagLimit = '30'
    CommunicationTimeout = '180'
    FastStartFailoverAutoReinstate = 'TRUE'
    FastStartFailoverPmyShutdown = 'TRUE'
    BystandersFollowRoleChange = 'ALL'
    Fast-Start Failover: ENABLED
    Threshold: 30 seconds
    Target: w_02
    Observer: ora
    Lag Limit: 30 seconds
    Shutdown Primary: TRUE
    Auto-reinstate: TRUE
    Configuration Status:
    SUCCESS
    DGMGRL> show database w_02
    Database - w_02
    Role: PHYSICAL STANDBY
    Intended State: APPLY-ON
    Transport Lag: 0 seconds
    Apply Lag: 0 seconds
    Real Time Query: OFF
    Instance(s):
    w
    Database Status:
    SUCCESS
    br
    Daniel

    If Data Guard is set up correctly the application is not losing data; you cannot read from it, but it will apply logs:
    Ex.
    /home/oracle:STANDBY >sqlplus "/ as sysdba"
    SQL> select * from BIGSHOW.CUSTOMER;
    select * from BIGSHOW.CUSTOMER
    ERROR at line 1:
    ORA-01219: database not open: queries allowed on fixed tables/views only
    So even as the SYS user I cannot read from my test user's tables.
    ORA-01219 is expected when the standby is in this state.
    You can open READ ONLY if you have Active Data Guard, but generally that will cost you extra.
    Or, you can do this to check your data:
    To open a standby database for read-only access when it is currently performing managed recovery:
    Cancel log apply services:
    SQL> ALTER DATABASE RECOVER MANAGED STANDBY DATABASE CANCEL;
    Open the database for read-only access:
    SQL> ALTER DATABASE OPEN READ ONLY;
    At some point you have to start the recovery again; you probably don't have an issue.
    If you want more peace of mind on this you have to set up a test Data Guard system and bang on it.
    Best Regards
    mseberg

  • Can not access ASAs inside interface via VPN tunnels

    Hi there,
    I have a funny problem.
    I built a hub-and-spoke VPN, with RAS client VPN access for the central location.
    All tunnels and the RAS VPN access are working fine.
    I use the tunnels for Voip, terminal server access and a few other services.
    The only problem I have is that I cannot access the inside IP address of any of my ASAs, neither via tunnels nor via RAS VPN access. No telnet access and no ping reaches the inside interfaces.
    No problem when I connect to the interface via a host inside the network.
    All telnet statements in the config end with the INSIDE command.
    On most of the ASAs the 8.2 IOS is running; on one or two ASAs, the 8.0(4).
    For the RAS client access I use the Cisco 5.1 VPN client.
    Does anybody have any suggestions?
    Regards
    Marcel

    Marcel,
    Simply add, on the ASAs you want to administer through the tunnels:
    management-access
    http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
    for asa5505
    management-access inside
    for all others if you have management interface management0/0 defined then:
    management-access management
    Then you may need to allow the source; for example, if the RA VPN pool network is 10.20.20.0/24, then you tell the ASA that this network can administer the ASA and point access to inside, but it sounds like you have this part already.
    telnet 10.20.20.0 255.255.255.0 inside
    http 10.20.20.0 255.255.255.0 inside
    Same principle for L2L VPNs.
    Regards

  • ASA actice/standby with subinterface

    I am trying to configure active/standby with an ASA5520, Version 8.0(2). In the configuration guide I read:
    The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3.
    But when I try to do this, I get an error message:
    ERROR: Can not configure failover interface on a shared physical interface
    What is going wrong?

    If I recall correctly from my ASA setup (about 14 months ago, so I could be mistaken), we tried setting our failover interface on a sub-interface and it didn't work. I then took a look at some Cisco documentation and they suggest that you use a dedicated interface for failover (that is what we did). We have 1 interface for failover, 1 for DMZ, 1 for Outside and 1 for Inside, and everything is functioning correctly. I am trying to find the link I used from Cisco when researching this, but I am fairly sure that was what I came up with.
    Hope this helps
    Chris

  • Accessing a file in a standby ASA5510

    Hi all,
    I have a file, a .txt of a backup configuration, that I need to access inside the standby ASA... Is there any way that I can access the file, besides doing the failover on the active so that the passive becomes active?
    Thank you

    You can login to the standby ASA through the standby-IP and access the file there.

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    This topic has been beat to death, but I did not see a real answer. Here is the configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1, Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not.
    The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike

  • Active/standby at standby ASA fail

    Hi Dears.
    ASA1 is active and the second ASA is in standby mode, but after 1 minute the second ASA is failed.
    Is this config causing this problem?
    1. I want to know: in failover of ASA 5520,
    can we use the management interface as a failover pair?
    interface Management0/0
    no nameif
    no security-level
    no ip address
    interface Management0/0.901
    vlan 901
    nameif DMZ2
    security-level 51
    ip address 10.0.91.1 255.255.255.0 standby 10.0.91.2 interface Management0/0
    no nameif
    no security-level
    no ip address
    2. Can I do this configuration in failover?
    interface Ethernet0/2
    nameif inside
    security-level 100
    ip address 192.168.10.156 255.255.255.0 standby 192.168.10.157
    interface Ethernet0/2.903
    vlan 903
    nameif inside2
    security-level 75
    ip address 10.0.93.1 255.255.255.0 standby 10.0.93.2 interface Ethernet0/2

    Hello,
    1. You can use the management interface for failover, though it is not recommended.
    Also, failover can't be configured on shared physical interfaces.
    You can do it with subinterfaces, but on a dedicated physical interface.
    For you to use this you need the command:
    no management-only
    to set it up as a normal interface and set up the failover link/state on it.
    2. The primary unit will replicate the configuration to the secondary unit; all changes should be made on the primary unit.
    Every change you make on the secondary will not replicate to the primary, and every time you save the configuration on the primary it will replicate to the secondary.
    This being said,
    interface Ethernet0/2.903
    vlan 903
    nameif inside2
    security-level 75
    ip address 10.0.93.1 255.255.255.0 standby 10.0.93.2 interface Ethernet0/2
    this will replicate to secondary and create:
    interface Ethernet0/2.903
    vlan 903
    nameif inside2
    security-level 75
    and will only take:
    ip address 10.0.93.1 255.255.255.0 standby 10.0.93.2 not the part
    interface Ethernet0/2.
    Let me know if you have any other questions.
    Regards.

  • ASA interface name and nameif are different

    Hi Everyone,
    On one of the ASAs I have this config, say:
    interface BCISCO
    nameif CISCO
    ip address 192.168.x.x 255.255.0.0 standby IP 192.168.x.x
    I need to understand why the interface name and nameif are different here.
    Also, when I try to access the ASA by ASDM from the internal network, the log shows
    built inbound TCP connection for ASA interface.
    So I need to know: whenever we access the ASA from the internal network, will it say inbound connection?
    Or are there some criteria that tell when a connection is inbound to the ASA?
    Thanks
    Mahesh

    Hi Jouni,
    Yes, it is in context mode.
    72           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-302013: Built inbound TCP connection 11283929 for Net:192.168.100.17/62287 (192.168.100.17/62287) to identity:192.168.100.12/443 (192.168.100.12/443)
    71           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62286 to 192.168.100.12/443 flags FIN ACK  on interface Net
    70           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-302014: Teardown TCP connection 11283774 for Net:192.168.100.17/62286 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
    69           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-605005: Login permitted from 192.168.100.17/62286 to Net:192.168.100.12/https for user "cisco"
    68           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-302013: Built inbound TCP connection 11283774 for Net:192.168.100.17/62286 (192.168.100.17/62286) to identity:192.168.100.12/443 (192.168.100.12/443)
    67           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62285 to 192.168.100.12/443 flags FIN ACK  on interface Net
    66           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-302014: Teardown TCP connection 11283684 for Net:192.168.100.17/62285 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
    65           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62285 to Net:192.168.100.12/https for user "cisco"
    64           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-606001: ASDM session number 0 from 192.168.100.17 started
    63           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62284 to Net:192.168.100.12/https for user "cisco"
    62           2013/04/17 10:10:52.733 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283684 for Net:192.168.100.17/62285 (192.168.100.17/62285) to identity:192.168.100.12/443 (192.168.100.12/443)
    61           2013/04/17 10:10:52.718 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283681 for Net:192.168.100.17/62284 (192.168.100.17/62284) to identity:192.168.100.12/443 (192.168.100.12/443)
    60           2013/04/17 10:10:52.515 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62283 to 192.168.100.12/443 flags FIN ACK  on interface Net
    59           2013/04/17 10:10:52.515 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-302014: Teardown TCP connection 11283636 for Net:192.168.100.17/62283 to identity:192.168.100.12/443 duration 0:00:02 bytes 806 TCP Reset-O
    58           2013/04/17 10:10:52.515 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62283 to Net:192.168.100.12/https for user "cisco"
    57           2013/04/17 10:10:52.358 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-606003: ASDM logging session number 0 from 192.168.100.17 started
    56           2013/04/17 10:10:52.358 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62282 to Net:192.168.100.12/https for user "cisco"
    55           2013/04/17 10:10:50.374 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283636 for Net:192.168.100.17/62283 (192.168.100.17/62283) to identity:192.168.100.12/443 (192.168.100.12/443)
    54           2013/04/17 10:10:50.140 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283629 for Net:192.168.100.17/62282 (192.168.100.17/62282) to identity:192.168.100.12/443 (192.168.100.12/443)
    53           2013/04/17 10:10:50.108 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62281 to 192.168.100.12/443 flags FIN ACK  on interface Net
    52           2013/04/17 10:10:50.108 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-302014: Teardown TCP connection 11283529 for Net:192.168.100.17/62281 to identity:192.168.100.12/443 duration 0:00:02 bytes 3107 TCP Reset-O
    51           2013/04/17 10:10:49.937 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-605005: Login permitted from 192.168.100.17/62281 to Net:192.168.100.12/https for user "cisco"
    50           2013/04/17 10:10:47.640 MST     192.168.100.12  Apr 17 2013 17:10:46: %ASA-6-302013: Built inbound TCP connection 11283529 for Net:192.168.100.17/62281 (192.168.100.17/62281) to identity:192.168.100.12/443 (192.168.100.12/443)
    Where interface Net is the ASA interface with IP 192.168.100.12
    192.168.100.17 is my PC's IP.
    This is the log while I access the ASA by HTTPS.
    Can you please tell me why the logs have repeated entries? For example,
    "ASDM logging session started" appears 2 times.
    Thanks
    Mahesh
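The log above is an ASDM session polling the ASA's own HTTPS service: each short-lived connection is built, used for one login, torn down, and then a late FIN/ACK from the same client port shows up as "Deny TCP (no connection)". The following is an added example (not from the thread) that parses these message types and correlates them per connection; SAMPLE_LOG is constructed from the posted lines.

```python
"""Correlate Cisco ASA syslog messages for management access to the box.

Added example, not from the forum thread: parses the %ASA-6-302013/302014
(Built/Teardown), 605005 (Login permitted), 106015 (Deny, no connection) and
606xxx (ASDM session) messages shown above, pairs Built with Teardown by
connection id, and classifies a "Deny TCP (no connection)" as a late FIN/ACK
when its source port belongs to a connection already torn down. SAMPLE_LOG is
constructed from the posted lines; the ASDM log-viewer prefix is ignored.
"""
import re

SAMPLE_LOG = """\
50 2013/04/17 10:10:47.640 MST 192.168.100.12 Apr 17 2013 17:10:46: %ASA-6-302013: Built inbound TCP connection 11283529 for Net:192.168.100.17/62281 (192.168.100.17/62281) to identity:192.168.100.12/443 (192.168.100.12/443)
51 2013/04/17 10:10:49.937 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-605005: Login permitted from 192.168.100.17/62281 to Net:192.168.100.12/https for user "cisco"
52 2013/04/17 10:10:50.108 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-302014: Teardown TCP connection 11283529 for Net:192.168.100.17/62281 to identity:192.168.100.12/443 duration 0:00:02 bytes 3107 TCP Reset-O
53 2013/04/17 10:10:50.108 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62281 to 192.168.100.12/443 flags FIN ACK  on interface Net
54 2013/04/17 10:10:50.140 MST 192.168.100.12 Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283629 for Net:192.168.100.17/62282 (192.168.100.17/62282) to identity:192.168.100.12/443 (192.168.100.12/443)
56 2013/04/17 10:10:52.358 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62282 to Net:192.168.100.12/https for user "cisco"
57 2013/04/17 10:10:52.358 MST 192.168.100.12 Apr 17 2013 17:10:51: %ASA-6-606003: ASDM logging session number 0 from 192.168.100.17 started
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<cid>\d+) "
    r"for (?P<sif>[^:]+):(?P<sip>[^/\s]+)/(?P<sport>\d+) \(\S+\) "
    r"to (?P<dif>[^:]+):(?P<dip>[^/\s]+)/(?P<dport>\d+)")
TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<cid>\d+) "
    r"for (?P<sif>[^:]+):(?P<sip>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:]+):(?P<dip>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?")
LOGIN_RE = re.compile(
    r'Login permitted from (?P<sip>[^/\s]+)/(?P<sport>\d+) '
    r'to (?P<dif>[^:]+):(?P<dip>[^/\s]+)/(?P<svc>\S+) for user "(?P<user>[^"]+)"')
DENY_RE = re.compile(
    r"Deny (?P<proto>TCP|UDP) \(no connection\) from (?P<sip>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dip>[^/\s]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)")
ASDM_RE = re.compile(r"ASDM (?:logging )?session number (?P<num>\d+) from (?P<sip>\S+) started")
CONN_FIELDS = ("src", "dst", "direction", "to_the_box", "duration", "bytes", "reason")


def duration_seconds(hms: str) -> int:
    """Convert the 'H:MM:SS' duration of a Teardown message to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def correlate(log: str) -> dict:
    """Build a per-connection view of management access from raw syslog lines."""
    conns: dict = {}
    report = {"connections": conns, "logins": [], "asdm_sessions": [],
              "late_segments": [], "unexplained_denies": []}
    torn_down = set()  # (src_ip, src_port) of connections already closed
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msgid, text = m.group("msgid"), m.group("text")
        if msgid == "302013" and (b := BUILT_RE.match(text)):
            c = conns.setdefault(b["cid"], dict.fromkeys(CONN_FIELDS))
            c.update(src=f'{b["sip"]}/{b["sport"]}', dst=f'{b["dip"]}/{b["dport"]}',
                     direction=b["dir"],
                     # "identity" is the ASA's own interface address: to-the-box traffic
                     to_the_box=(b["dif"] == "identity"))
        elif msgid == "302014" and (t := TEARDOWN_RE.match(text)):
            c = conns.setdefault(t["cid"], dict.fromkeys(CONN_FIELDS))
            c.update(duration=duration_seconds(t["dur"]), bytes=int(t["bytes"]),
                     reason=t["reason"])
            torn_down.add((t["sip"], t["sport"]))
        elif msgid == "605005" and (lg := LOGIN_RE.match(text)):
            report["logins"].append({"user": lg["user"], "src": f'{lg["sip"]}/{lg["sport"]}',
                                     "service": lg["svc"]})
        elif msgid == "106015" and (d := DENY_RE.match(text)):
            # A FIN/ACK from a source port whose connection was just torn down is
            # the peer closing late, not a new access attempt.
            bucket = "late_segments" if (d["sip"], d["sport"]) in torn_down else "unexplained_denies"
            report[bucket].append({"src": f'{d["sip"]}/{d["sport"]}', "flags": d["flags"]})
        elif msgid in ("606001", "606003") and (a := ASDM_RE.match(text)):
            report["asdm_sessions"].append(
                {"type": "logging" if msgid == "606003" else "asdm", "src": a["sip"]})
    return report


def open_connections(report: dict) -> list:
    """Connection ids that were built but never torn down in the log window."""
    return [cid for cid, c in report["connections"].items() if c["duration"] is None]


if __name__ == "__main__":
    r = correlate(SAMPLE_LOG)
    for cid, c in r["connections"].items():
        print(cid, c)
    print("logins:", r["logins"], "late FIN/ACK:", len(r["late_segments"]),
          "still open:", open_connections(r))
```

Anything that lands in `unexplained_denies`, or a login from a source that is not in your management network, is what deserves a second look; the repeated Built/Teardown pairs from one ASDM client are the tool's normal polling.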
