Active-Active Failover when different contexts monitor different interfaces

I'm trying to understand the relationship between failover groups and contexts, however it appears that the configuration is split in an way that I am having trouble understanding.
The interfaces that you actually monitor are configured PER CONTEXT e.g.
ciscoasa/ConextA(config)# monitor-interface inside
But the number of interfaces that need to fail for failover to take place is done PER FAILOVER GROUP e.g.
ciscoasa(config)# failover group 1
ciscoasa(config-fover-group)# interface-policy 1
(from the system context)
If my laptop could take it, I would spin up a test environment in GNS3, but I think the best way to ask the question is to give an example. What would happen in the following setup:
OPTION 1
OPTION 2
Thanks in advance

You would never have a scenario where, as you put it, the Admin context would monitor Gi0 and ContextB also monitor Gi0.  This is because you need to assign the interface to a specific context and once it is assigned to one context it can not also be assigned to another...unless you have configured subinterfaces, then those subinterfaces can be split up and assigned to seperate contexts.  But one interface or one subinterface can not be assigned to more than one context.
Now, if you have failover groups configured and an interface on one failover group dies, then only the context that the interface belongs to will failover to the standby failover group.
The following is a good article to have a read through on the Active/Active failover functions:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html
Please remember to rate and select a correct answer

Similar Messages

  • ASA Failover when Firewalls are at different sites - help

    I am implementing a solution for a customer whereby they have two Cisco ASA 5520X firewalls. They wish for the firewalls to be in an Active-Standby state.
    This not only means that if one firewall dies, the other will take over. It also means that any configuration changes made on the primary are copied to the backup.
    The only catch is, both firewalls are at different sites. There is no layer 2 WAN link running between the sites. They are seperated by both the internet cloud on one side and their internal company MPLS cloud on the other.
    The diagram, that I have taken from my GNS3 simulation and modified slightly, shows the setup. All of the IP addresses (and AS numbers) are made up. Any reflection on real world IPs is unintentional and just a coincidence.
    The diagram is probably too overcrowded with IP information than is needed in this question - but the basic idea is the following:
    1. Under normal conditions traffic will flow to the internet from the remote MPLS site and leave via the firewall (PAT) at site1 - however note the public range of 23.23.23.0/24 is configured at both Site-1 and Site-2 - so at the moment the internet cloud is prefering Site-1 to reach that range.
    2. If the internet link fron INT-PRI at Site-1 fails, remote MPLS traffic destined for the internet will be forwarded out to the internet at Site-2.
    3. If the two MPLS links to Site-1 fail, INT-PRI will stop advertising the public range to the internet PE routers and traffic from the remote MPLS router destined for the internet will go out via Site-2.
    I have the tracking and dynamic routing failover setup between the sites all configured and worked out (I can provide the details of how INT-PRI tracks a sponge address in the MPLS cloud to determine whether or not it advertises the public range to the internet etc etc if you want, but on this question I want to focus on the firewalls).
    Currently the customer has resigned to having to do manual copying between the firewalls every time a change is made (i.e. there is no dynamic failover configured and the Site-2 firewall is just a clone that is kept up to date by their change management team).
    Is there a smart way to set up an Active-Standby configuration between these distant sites? Or at the very least dynamically copy the configuraiton to the backup everytime a change is made? My first though would be some kind of EEM or TCL script but I'm not that experienced with either. Alternatively, if there is smart was to get the two firewalls talking over Layer 2 it might be a better way forward.
    Thanks in advance. Apologies for this question being too wordy.

    You could used Ethernet over MPLS (EoMPLS) or Virtual Private Lan Services (VPLS), though if I remember correctly this is limited to certain platforms and IOS versions.
    Here is a design guide you could have a read through on the options
    http://www.cisco.com/c/en/us/products/collateral/data-center-virtualization/data-center-interconnect/white_paper_c11_493718.html#wp9000079
    EoMPLS configuration guide:
    http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/Configuration/Guide/config_guide/eompls.html
    VPLS configuration guide:
    http://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_5/configuration/guide/cpt95_configuration/cpt95_configuration_chapter_011000.html
    Please remember to rate and select a correct answer

  • Multi-context active-active etherchannel failover

    Hi All,
    Is there a way to monitor individual interfaces on a box doing multicontext etherchannel failover?
    I can understand on an individual box you can add monitor-interface to the physical interface, but in multi context mode, there is only one interface (the logical etherchannel subinterface) pushed through from the system context to each of the other contexts. I've been looking around and can't work out how to get a context failover to fail if only one of the etherchannel fails.
    If the other box has more active etherchannels then that's the one I want active, but can't see it at the moment.
    Possibly missed something somewhere. Any ideas?
    Thanks,
    Gaz

    monitor-interface will only work on "named" interfaces.  So, what you are looking to do is not possible.
    The member interfaces on a port-channel will not have "nameif" associated with them.
    -Kureli

  • Stat machine workflow task workflow status different values on different state activity(Approval level)

    i have developed the State machine workflow in which i am using default workflow task
    i have added one status dropdown and that is having approve or reject that i set using workflow task drop down values
    now my requirement is that when my workflow goes to different approval i need to have different status values in dropdown
    for example
    on manager approval state activity i need to add additional status value forward to legal
    but when it moved to next activity this task status field should show only approve and reject
    in summary i need to have different status values for workflow task when it moved to different state activity(approval levels)
    can we set these status field of task for state machine workflow programtically as well like for different approval level of task i need different status to be set for the dropdown of task status field
    MCTS,ITIL

    Hi Shahid Siddique,
    I have seen a similar thread from you about this issue, create custom form for the seperate form is a considerable workaround, you can have a check whether it works.
    http://social.technet.microsoft.com/Forums/en-US/9baa0c32-1cde-4c58-aa7c-3568ccf0cdc9/different-approval-level-of-task-i-need-different-status-to-be-set-for-the-dropdown-of-task-status?forum=sharepointdevelopmentprevious
    Thanks,
    Qiao Wei
    TechNet Community Support

  • Cisco asa security context active/active failover

    Hi,                  
    I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
    Each ASA appliance will have two security context named "ctx1" & "ctx2".
    I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
    I am a reading a book on failover configuration in active/active in that below note is mentioned.
    If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
    What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
    Regards,
    Nick

    Yout will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

  • Multiple context mode and Active Active

    Hi Everyone,
    ASA in multiple context  mode works as active active mode.
    ASA has 2 contexts admin and  x.
    We have 2  physical ASA say ASA1 and ASA2 .
    Under system context we have hostname ASA
    When i ssh to ASA1 it brings the ASA/admin mode.
    sh failover shows
    sh failover shows
    This host:    Primary
    This host:    Primary
    When i try to login to ASA 2 it brings me to ASA/x prompt.
    sh failover shows
      This context: Active
    Peer context: Standby Ready
    Need to  know is there any way that i can login to other physical ASA?
    i hope my question makes sense.
    Message was edited by: mahesh parmar

    Hi Mahesh,
    To it seems that you are logging to different contexts in these 2 cases.
    Normally an admin always logs to the "admin" context IP address owned either by the primary IP address for the Active unit or the secondary IP address for the Standby unit.
    So what I would suggest you do first is that you go to the context "admin" and issue the command "show run interface"
    Then go to the context "x" and issue the command "show run interface"
    Now check the IP addresses on the interfaces.
    Especially the interface on the "admin" context should contain an IP address for both of the ASA units. Check the interface IP address which originally lead you to the "admin" context.
    For example
    ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
    If the above were true you would connecto the IP address 10.10.10.1 when you wanted to connect to the Active unit and use the IP address 10.10.10.2 when you wanted to connect to the current Standby unit
    - Jouni

  • Best practice for ASA Active/Standby failover

    Hi,
    I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
    Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy?  Thanks in advanced!

    Hi Vibhor,
    I test ping from R1 to R2 and ping drop when I shutdown either inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show' failover' and 'show run',
    ASSA1# conf t
    ASSA1(config)# int g1
    ASSA1(config-if)# shut
    ASSA1(config-if)# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 60 maximum
    Version: Ours 8.4(2), Mate 8.4(2)
    Last Failover at: 14:20:00 SGT Nov 18 2014
            This host: Primary - Active
                    Active time: 7862 (sec)
                      Interface outside (100.100.100.1): Normal (Monitored)
                      Interface inside (192.168.1.1): Link Down (Monitored)
                      Interface mgmt (10.101.50.100): Normal (Waiting)
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                      Interface outside (100.100.100.2): Normal (Monitored)
                      Interface inside (192.168.1.2): Link Down (Monitored)
                      Interface mgmt (0.0.0.0): Normal (Waiting)
    Stateful Failover Logical Update Statistics
            Link : FAILOVER GigabitEthernet2 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         1053       0          1045       0
            sys cmd         1045       0          1045       0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          0          0
            UDP conn        0          0          0          0
            ARP tbl         2          0          0          0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKEv1 SA    0          0          0          0
            VPN IKEv1 P2    0          0          0          0
            VPN IKEv2 SA    0          0          0          0
            VPN IKEv2 P2    0          0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Route Session   5          0          0          0
            User-Identity   1          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       9       1045
            Xmit Q:         0       30      10226
    ASSA1(config-if)#
    ASSA1# sh run
    : Saved
    ASA Version 8.4(2)
    hostname ASSA1
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
     ospf message-digest-key 20 md5 *****
     ospf authentication message-digest
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
     ospf message-digest-key 20 md5 *****
     ospf authentication message-digest
    interface GigabitEthernet2
     description LAN/STATE Failover Interface
    interface GigabitEthernet3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet4
     nameif mgmt
     security-level 0
     ip address 10.101.50.100 255.255.255.0
    interface GigabitEthernet5
     shutdown
     no nameif
     no security-level
     no ip address
    ftp mode passive
    clock timezone SGT 8
    access-list OUTSIDE_ACCESS_IN extended permit icmp any any
    pager lines 24
    logging timestamp
    logging console debugging
    logging monitor debugging
    mtu outside 1500
    mtu inside 1500
    mtu mgmt 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER GigabitEthernet2
    failover link FAILOVER GigabitEthernet2
    failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715-100.bin
    no asdm history enable
    arp timeout 14400
    access-group OUTSIDE_ACCESS_IN in interface outside
    router ospf 10
     network 100.100.100.0 255.255.255.0 area 1
     network 192.168.1.0 255.255.255.0 area 0
     area 0 authentication message-digest
     area 1 authentication message-digest
     log-adj-changes
     default-information originate always
    route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.101.50.0 255.255.255.0 mgmt
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.101.50.0 255.255.255.0 mgmt
    ssh timeout 5
    console timeout 0
    tls-proxy maximum-session 10000
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
    : end
    ASSA1#

  • FWSM 4.0: switch from active/standby to active/active failover mode

    Hello,
    I have a pair of FWSM's running version 4.0 currently in active/standby failover mode, and I'd like to switch them to be active/active.  Is there a documented procedure for doing this?  What are the implications for any contexts switched to be primary on the FWSM that is currently acting as a standby (i.e., what kind of outage time can we expect)?
    Thanks in advance,
    Mike

    Hi Bro
    Thanks for the update, but still you'll need to create 2 contexts, each context will be ACTIVE on different Cisco ASA FW units. Hence, there will be some cut, copy and paste effort, not forgetting recabling, if that's needed. Here's a Cisco document to configure ACTIVE/ACTIVE for those who can't seem to find this document http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#req
    Conclusion: There will be some network downtime. I'm guessing 15min, if it was me :-)
    P/S: If you think this comment is helpful, please do rate it nicely :-)

  • 5510 to 5505 failover (active/active)

    Hello,
    We have both a 5510 and a 5505, and they are both running the security plus licenses. At this time, the 5510 is connected to our primary (and much faster) ISP connection. We also have a DSL connection available that I could connect to the 5505. A different ISP supplies each device (Charter and AT&T, respectively). Each are assigned a single, public IP address via DHCP from the respective ISP.
    Is it possible to configure the 5505 to accept the connection and become primary in the event that the 5510 goes offline (either due to outage or failure)?
    If so, what are the steps I would take to configure this? Examples of commands to issue would be very helpful.
    Many Thanks in Advance!
    -Rob

    You cannot configure a direct Failover/HA setup with two different ASA models.
    For a solution to your problem, I'd suggest using IP SLA on a router or L3 switch that both ASAs plug into - that way if one link/ASA goes down, the default route will change to the other ASA.
    EDIT: By the way, the failover setup you describe is Active/Standby. Active/Active refers to two separate ASAs running multi-context, with one ASA being active for "context1" and the other ASA being active for "context2". ASA 5505's do not support multi-context.

  • ASA CX / PRSM Active/Active Failover?

    Hi everyone.
    I've spent my last 2 days trying to find something on this matter, but I can't find anything conclusive about it.
    I'm trying to find if a 2 ASAs+CX in Active/Active configuration is supported and how to do it.
    On one side, on the PRSM configuration guide for 9.2, it says "Active-Standby is the only supported high availability configuration", but I don't understand if it's just for adding devices to PRSM or that an Active/Active configuration is not supported by the CX module.
    On the other hand, this forum discussion says that they are using Active/Active with CX.
    So, I need to know if it will work. I know that if I use Active/Active I should use contexts, which some are Active on one ASA and others are active on the other one.  I would assume that the CX module configuration should be the same for both ASAs as to support all the networks policies, but I want to know if this will work (I don't want to tell the customer that it'll work and then be stuck with an unsupported and non-working configuration).
    Any advice on this? Guides maybe?
    Thanks in advance.

    Yes, it can be done. Off-box PRSM manages an ASA context like a "separate" ASA. That's when it's managing the ASA configuration itself - distinct from managing the CX module features.
    Note however that there is an unresolved bug with CX modules and HA ASA pairs: https://tools.cisco.com/bugsearch/bug/CSCud54665
    The other thing to remember - as you had alluded to - is that the CX configuration is a common one despite there being multiple contexts (with potentially differing security policies with respect to the web filtering and IPS functions they want from the CX) on the box.

  • Unable to failover the services in active-active cluster node

    Hi,
    i am applying the sp2 patch for sql server 2008 r2 in active-active cluster, we have 3 services in the cluster , node 1 as 2 prefered owner and node 2 as 1 prefered owner, when i try to move the service from node 2 to node1 , i am getting the below errors
    DCOM was unable to communicate with the computer XXXXXXXXX using any of the configured protocols.
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server XXXXXXXXX. The target name used was RPCSS/XXXXXX. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal
    name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using
    a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server
    name is not fully qualified, and the target domain (XXXXXX) is different from the client domain (XXXXXXX), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
    The Cluster service failed to bring clustered service or application 'CHCROCHC045' completely online or offline. One or more resources may be in a failed state. This may impact the availability of the clustered service or application.
    Cluster resource 'SQL Server (CHCROCHC045)' in clustered service or application 'CHCROCHC045' failed.
    any inputs appreciated to resolve this issue as i could not procedd with patching
    BR
    PGR

    Hi PGR,
    As the issue is more related to Windows Server, I would like to recommend you post the issue in the
    Windows Server forums for better support.
    In addition, below are some article about troubleshooting error ” DCOM was unable to communicate with the computer XXXXXXXXX using any of the configured protocols” for your reference.
    Event ID 10009 — COM Remote Service Availability
    How to troubleshoot DCOM 10009 error logged in system event?
    Thanks,
    Lydia Zhang
    Lydia Zhang
    TechNet Community Support

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin-top:0in;
    mso-para-margin-right:0in;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0in;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    This topic has been beat to death, but I did not see a real answer. Here is configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
    The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike

  • ASA 5520 Anyconnect License on Active/Standby Failover pair

    Hi
    Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)
    Ive installed both activated licenses as per the cisco guides, I didnt get any errors on the install. I did a reload on both, they are both back up and running as active/standby but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"
    Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver
    Any help would be much appreciated on this one please
    Regards
    Graham

    Thanks Marvin
    Below is the show ver, but I was kind of expecting there to be a mention of Anyconnect if I had activated the license
    We previously had the VPN Plus License, and it still shows VPN Plus
    Licensed features for this platform:
    Maximum Physical Interfaces : Unlimited
    Maximum VLANs               : 150      
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                     : Enabled  
    VPN-3DES-AES                 : Enabled  
    Security Contexts           : 2        
    GTP/GPRS                     : Disabled
    VPN Peers                   : 750      
    WebVPN Peers                 : 2        
    AnyConnect for Mobile       : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions           : 2        
    This platform has an ASA 5520 VPN Plus license.

  • Cisco ASA Active standby failover problem

    We have configured ASA Active standby failover with ASA5505 . When primary unit power off, secondary unit became active. when primary unit power on, then primary unit is becoming active again. i think for active standby setup there is no preemption. The real issue is when primary ASA became active after power on all the external connectivity getting down. Please see the below config,
    ASA01# show run
    ASA01# show running-config 
    : Saved
    ASA Version 8.2(5) 
    hostname ASA01
    enable password PVSASRJovmamnVkD encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.1 MPLS_Router description MPLS_Router 
    name 192.168.2.1 SCADA_Router description SCADA_Router
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
     switchport access vlan 2
    interface Ethernet0/3
    interface Ethernet0/4
     switchport access vlan 3
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9 
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9 
    interface Vlan3
     description LAN Failover Interface
    ftp mode passive
    clock timezone AST 3
    access-list inside_access_in extended permit icmp any any 
    access-list inside_access_in extended permit ip any any 
    access-list inside_access_in extended permit ip any host MPLS_Router 
    access-list outside_access_in extended permit icmp any any 
    access-list outside_access_in extended permit ip any any 
    access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER Vlan3
    failover key *****
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route-map Route_Out permit 1
     match ip address inside_access_in outside_access_in
     match interface inside
    route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    http authentication-certificate inside
    http authentication-certificate outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password eY/fQXw7Ure8Qrz7 encrypted
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
    : end

    I suggest removing the failover configuration on both units and then re-add them, and then test.
    Primary
    failover lan interface FAILOVER Vlan3
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    failover lan unit primary
    failover key KEY
    failover
    Secondary
    failover lan interface FAILOVER Vlan3
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    failover lan unit secondary
    failover key KEY
    failover
    Please remember to select a correct answer and rate helpful posts

  • To apply license in FWSM (Active-Active mode) and disable failover

    Dear Team
    I want to apply license to increase security context in FWSM which is running in Active-Active mode on VSS Core switches
    As per below document, first we need to disable failover by entering 'no failover' command on active FWSM and then apply the license seperately on both FWSM.
    I just want to know when i will disable the failover then standby move to pseudo-standby state. 
    Will there be any services impact which are running behind the FWSM when disbaling the failover and then re-enabling the failover.
    http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm40/configuration/guide/fwsm_cfg/swcnfg_f.html#wp1073226
    Appreciate your response.

    Hi,
    I think in your case as it is Active/Active , there is one extra step required.
    You need to make all the contexts active on one unit and on the other one all should be standby.
    Then disable the failover and update the license and re-enable the failover.
    Thanks and Regards,
    Vibhor Amrodia

Maybe you are looking for

  • J6480 wireless and network help please!

    I have an officejet J6480 that has an error in printing system when printing wireless.  Everything is configured correctly and my printer reads the router and connects.  If this problem cannot be fixed, can i use an ethernet connection directly from

  • Help with Skype on my Kindle

    I just payed for this on my kindle how do I use it to call? It seems like I don't have an account at all

  • Problem regarding F-47

    Through t. code F-47 It is observed that system is allowing users to create DPR for closed & Partial Closed POs (GR made, invoices booked & payment made) as well. I need  validation that system should not allow users to create DPR for closed & Partia

  • How to add a quicktime file to a shake script?

    Hi I just purchased Shake 4.1 and can't figure out for the life of me how to add another quicktime file as a node in a script I am working on. Example: The source node file I sent from FCP which I need to key and add the background image to. How do I

  • 3 hours of phone tech support on my C309g and still no wireless contectivity

    I spent 3 hours on the phone with Tech support on Sunday trying to connect my printer wirelessly.  After that long 3 hours, the technician elevated my call and said I would be getting a call back.  2 days later and nothing yet.  The technician  opene