Active/Standby Configuration in CWLMS
Hi,
I have 2 LMS Server's in my LAN. I want 1 server will be Master & the other will be in Standby mode.
Whether, such type of configuration is possible in CWLMS??
I am using CWLMS version: 3.1
Rgds,
Partha
I don't think that LMS has a feature for HA installation.
You will find that in the document
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/ps7196/prod_white_paper0900aecd80695cad.pdf
on page 20 in chapter "7.1 Redundant-Server Scenario".
But there is an solution with two identical servers, one as master and the other as slave.
Details you will find in the document.
Similar Messages
-
Admin TACACS+ access fails ASA in Active/Standby Configuration
We have two ASA 5510 with version 8.2(1) in Active/Standby configuration, the failover works fine, but when the primary ASA comes back it remains standby , so we manually change it to active with the failover active command, then we try to access the device using a TACACS+ account , it doesnt work , just the local account works; after a period of time (15min) , the TACACS+ access start to work.
I'm not sure about your configuration but when in timed mode, a server that is declared "failed" will once again
be made available after 30 seconds. Unlike reactivation mode, it is not
necessary for all of the servers to fail before any can be reactivated.
On possible source of confusion to be aware of in timed mode:
The "show aaa-server" command will continue to show the server as FAILED
until the server is needed to authenticate a connection.
depletion
Reactivates failed servers only after all of the servers in the group are inactive.
timed
Reactivates failed servers after 30 seconds of down time.
Please tweak reactivation mode.
Regards,
~JG
Do rate helpful posts -
ASA 5550 Transparent Active/Standby Configuration
Hello guys!
I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running on transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA:
Primary ASA:
interface GigabitEthernet1/3
description LAN Failover Interface
media-type sfp
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
Secondary ASA:
interface GigabitEthernet1/3
description LAN Failover Interface
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet1/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
My questions are the following:
1. The management ip address is different than the ip used for the failover link. Since the firewalls are on transparent mode, does the failover ip needs to be the same as the management ip address?
2. Does any other additional config is needed for HA to work for basic active/stand-by failover?
3. Wich is the best method to add the second box without disrupting the active box?
Thanks in advance guys!Hi Nephtali,
1. The aswer is no, it can be different.
2. You can optionaly add statefull failover config.
3. Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.
Link to a config example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aefd11.shtml#Reg
Regards
Mariusz -
ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
This topic has been beat to death, but I did not see a real answer. Here is configuration:
1) 2 x ASA 5520, running 8.2
2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
In any case, any experts out there that can answer question? TIA!Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
Thanks much,
Mike -
Active/standby in multiple context mode
is active/standby configuration possible in multilple context mode? i cannot find an article regarding this matter.
Hello John,
It is available
Actually the ones you need are the regular ones (documents) as the ASA will trigger failover if one of the context fail
Important Notes
For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.
. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for
Active/Standby Failover configurations in single context configurations.
With this I think you are ready to start configuring it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
Julio -
ASA 5520: Configuring Active/Standby High Availability
Hi,
I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.
I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).
I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
I tried this using a crossover cable to connect the interfaces directly with the same result.
Any ideas?
Thanks.
DanThe command Varun is right.
Since you want to know a little bit more about this stuff, here goes a bit. Every interface will have a secondary IP and a Primary IP where the Active/Standby pair will exchange hello packes. If the hellos are not heard from mate, the the unit is delcare failed.
In case the primary is the one that gets an interface down, it will failover to the other unit, if it is the standby that has the problem, the active unit will declare the other Unit "standby failed). You will know that everything is alright when you do a show failover and the standby pair shows "Standby Ready".
For configuring it, just put a secondary IP on every interface to be monitored (If by any chance you dont have an available secondary IP for one of the interfaces you can avoid monitoring the given interface using the command no "monitor-interface nameif" where the nameif is the name of the interface without the secondary IP.
Then put the commands for failover and stateful link, the stateful link will copy the connections table (among other things) to avoid downtime while passing from One unit to another, This link should have at least the same speed as the regular data interfaces.
You can configure the failover link and the stateful link in just one interface, by just using the same name for the link, remember that this link will have a totally sepparate subnet from the ones already used in firewall.
This is the configuration
failover lan unit primary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover lan unit secondary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
Make sure that you can ping each other secondary/primary IP and then put the command
failover first on the primary and then on the secondary.
That would fine.
Let me know if you have further doubts.
Link for reference
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
Mike -
Active/Standby And failover link configuration mode
Hi everyone,
When config failover link of ASA in Active Standby mode.
When we config failover int say gi0/1
config t
int gi0/1
failover lan int gi0/1
Need to confirm we do this from interface config mode only or we can do this from global config also ????????
Whe we assign IP to this int we do that from global config mode ????
Regards
Mahesh
Message was edited by: mahesh parmar
Message was edited by: mahesh parmarHi,
Actually the ASA lets you insert a lot of command what ever mode you are under.
In the output you posted is a very important thing to notice
configure mode commands/options:
WORD Specify the interface name
As you can see, the output lists only one option and before that it mentions that this is a "configure mode" command
So even if you entered the command under the interface configuration mode, it would still be entered as a global/configure command mode.
Take the following thing for example
I want to check what configuration options I have with the command "failover"
So I enter the following to my ASA
ASA(config)# failover ?
configure mode commands/options:
interface Configure the IP address to be used for failover and/or
stateful update information
interface-policy Set the policy for failover due to interface failures
key Configure the failover shared secret or key
lan Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
mac Specify the virtual mac address for a dynamic interface
polltime Configure failover poll interval
timeout Specify the failover reconnect timeout value for
asymmetrically routed sessions
exec mode commands/options:
active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force a unit or failover group to an unfailed state
As you can see, the ASA tells us that there are different additional command parameters after the "failover" command that can be used. Some of them can be used either in Exec or Configuration mode.
- Jouni -
How to tell if Active/active or Active/Standby mode is configured?
Folks:
I am still learning the output of my running config, but how do I tell if my firewall is set to Actve/Active or Active/Standby mode?
In addition, how do I tell if it uses regular or stateful failover mode?
Thank youI wanted to provide this as well, since I found it and it also helped me answering my question.
This output shows Active/Active failover output.
**Note** it says PIX; however, I beleive it will be the same output for ASA.
PIX1(config-subif)#show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: LANFailover Ethernet3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.2(2)
Group 1 last failover at: 06:12:45 UTC Apr 16 2007
Group 2 last failover at: 06:12:43 UTC Apr 16 2007
This host: Primary
Group 1 State: Active
Active time: 359610 (sec)
Group 2 State: Standby Ready
Active time: 3165 (sec)
context1 Interface inside (192.168.1.1): Normal
context1 Interface outside (172.16.1.1): Normal
context2 Interface inside (192.168.2.2): Normal
context2 Interface outside (172.16.2.2): Normal
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 3900 (sec)
context1 Interface inside (192.168.1.2): Normal
context1 Interface outside (172.16.1.2): Normal
context2 Interface inside (192.168.2.1): Normal
context2 Interface outside (172.16.2.1): Normal -
Configuration setup for active-standby and active-active
Hi
Having two sites separated by WAN and want to distribute the load between those two sites as Active-Active setup. want to whether it can be possible to have a active-standby pair at each site if not what is the work around to setup.I would suggest the following setup as 'best practice' for this requirement.
At site A have a TimesTen A/S pair hosting data in range 'A' - 'M'. This provides local HA for this dataset. Remote readonly subscriber of this A/S pair located at site B. This provides read access to data 'A' - 'M' at site 'B'. in the event of a total failure of site A this remote subscriber can be converted into the active of a new A/S pair (located at site B).
Same setup in reverse for site B.
If the hardware is adequate you only need two machines at each site since you can host the readonly subscriber on the same machine as one of the local A/S pair datastores and if you need to do a site level failover you could host both A?S pair on a single pair of machines. Of course availability will be higher with 4 machines at each site. It is a cost/benefit trade off.
This is really the only viable/supported setup to have both sites active if using IMDB cache.
Chris -
FWSM Active/Standby in VSS mode
hello,
i do have two 6500 in VSS mode , and one FWSM module on each 6500, i want to configure these modules as Active/Standby, how do i start , should i follow this (not in VSS mode):
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html
or are there other things should i do to make it work,
thanksup!
-
11.2.0.3 RAC ASM Pri with Normal FileSys Active Standby Post Failover
The architecture consist of two node rac asm primary and one normal filesystem active standby all on Oracle 11gR2 11.2.0.3. With basic Broker Configuration.
Performed a managed broker switchover and not the Normal Filesystem has the primary role and the standby consist of the two node asm rac. I want to switchback, i.e., Former Primary -> Primary Role and Former Standby -> Standby Role.
However my broker contains the following:
DGMGRL> show configuration verbose;
Configuration - DG_PRI_CFG
Protection Mode: MaxPerformance
Databases:
STANDBY - Primary database
Warning: ORA-16829: fast-start failover configuration is lagging
KEMETRAC - (*) Physical standby database
Error: ORA-16810: multiple errors or warnings detected for the database
(*) Fast-Start Failover target
Properties:
FastStartFailoverThreshold = '95'
OperationTimeout = '30'
FastStartFailoverLagLimit = '95'
CommunicationTimeout = '180'
FastStartFailoverAutoReinstate = 'TRUE'
FastStartFailoverPmyShutdown = 'TRUE'
BystandersFollowRoleChange = 'ALL'
Fast-Start Failover: ENABLED
Threshold: 95 seconds
Target: KEMETRAC
Observer: emcc.respecti.com
Lag Limit: 95 seconds
Shutdown Primary: TRUE
Auto-reinstate: TRUE
Configuration Status:
ERROR
I've found a recommendation to increase the value of FastStartFailoverThreshold='90';
Though I continue to encounter the above configuration error.
Recommendations are appreciated!
Edited by: 783527 on Mar 12, 2012 7:41 PM03/13/2012 13:13:22
Data Guard Broker Status Summary:
Type Name Severity Status
Configuration DG_PRI_CFG Warning ORA-16607
Primary Database STANDBY Warning ORA-16829
Physical Standby Database KEMETRAC Error ORA-16810
03/13/2012 13:14:22
Data Guard Broker Status Summary:
Type Name Severity Status
Configuration DG_PRI_CFG Warning ORA-16607
Primary Database STANDBY Warning ORA-16829
Physical Standby Database KEMETRAC Error ORA-16810
03/13/2012 13:15:22
Data Guard Broker Status Summary:
Type Name Severity Status
Configuration DG_PRI_CFG Warning ORA-16607
Primary Database STANDBY Warning ORA-16829
Physical Standby Database KEMETRAC Error ORA-16810
03/13/2012 13:16:22
Data Guard Broker Status Summary:
Type Name Severity Status
Configuration DG_PRI_CFG Warning ORA-16607
Primary Database STANDBY Warning ORA-16829
Physical Standby Database KEMETRAC Error ORA-16810
03/13/2012 13:17:22
Data Guard Broker Status Summary:
Type Name Severity Status
Configuration DG_PRI_CFG Warning ORA-16607
Primary Database STANDBY Warning ORA-16829
Physical Standby Database KEMETRAC Error ORA-16810
03/13/2012 13:18:22 -
About stateful active/standby failover
Hello guys.
I have two ASA's, same model and hardware. Asa have configured stateful active/standby failover by someone, few years ago. It was working normally until recently and no one have changed this configuration. Then Secondary unit is failed. Ping between 2 interfaces is ok. Please help me to resolve this problem.
on Primary site
interface Management0/0
description STATE Failover Interface
management-only
interface GigabitEthernet1/1
description LAN Failover Interface
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/1
failover link state Management0/0
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
on Secondary site
interface Management0/0
description STATE Failover Interface
management-only
interface GigabitEthernet1/1
description LAN Failover Interface
output of show failover on PRIMARY
show run failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/1
failover link state Management0/0
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
F1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 08:03:11 ULAST Jan 1 2003
This host: Primary - Active
Active time: 5755203 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (10.2.5.1): Normal (Waiting)
Interface Internet (202.131.225.90): No Link (Waiting)
Interface Backup1 (10.3.5.1): Normal (Waiting)
Interface Server (192.168.227.1): Normal (Waiting)
Interface Bank (10.20.1.1): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (0.0.0.0): No Link (Waiting)
Interface Internet (0.0.0.0): No Link (Waiting)
Interface Backup1 (0.0.0.0): Normal (Waiting)
Interface Server (0.0.0.0): Normal (Waiting)
Interface Bank (0.0.0.0): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : state Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 76184539 0 767513 6
sys cmd 767328 0 767326 1
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 25878669 0 11 5
UDP conn 40545710 0 40 0
ARP tbl 8987688 0 136 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 1140 0 0 0
VPN IPSEC upd 4004 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 7 6522961
Xmit Q: 0 34 106685671
output of show failover on SECONDARY
F1# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 03:36:23 ULAST Dec 15 2013
This host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (0.0.0.0): No Link (Waiting)
Interface Internet (0.0.0.0): No Link (Waiting)
Interface Backup1 (0.0.0.0): Normal (Waiting)
Interface Server (0.0.0.0): Normal (Waiting)
Interface Bank (0.0.0.0): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Primary - Active
Active time: 5743217 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (10.2.5.1): Normal (Waiting)
Interface Internet (202.131.225.90): No Link (Waiting)
Interface Backup1 (10.3.5.1): Normal (Waiting)
Interface Server (192.168.227.1): Normal (Waiting)
Interface Bank (10.20.1.1): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : state Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 765518 0 35843181 874
sys cmd 765518 0 765516 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 12671303 80
UDP conn 0 0 13432853 133
ARP tbl 0 0 8968384 661
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 0 0 1137 0
VPN IPSEC upd 0 0 3988 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 72011189
Xmit Q: 0 1 765518- ping is ok between 172.16.1.1 and 172.16.1.2, 172.16.0.1 and 172.16.0.2
- ASA that shows as failed the ASA that didn't use to be the primary , it used to be secondary.
- Yes, i logged via console on both ASAs and checked status of the ASAs. Primary is active and Secondary is failed.
- I have changed cable. Primary ASA indicates below as soon as cable changed.
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Then output of SHOW FAILOVER on PRIMARY ASA :
F1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 08:03:11 ULAST Jan 1 2003
This host: Primary - Active
Active time: 5812656 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (10.2.5.1): Normal (Waiting)
Interface Internet (202.131.225.90): No Link (Waiting)
Interface Backup1 (10.3.5.1): Normal (Waiting)
Interface Server (192.168.227.1): Normal (Waiting)
Interface Bank (10.20.1.1): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Standby Ready
Active time: 9 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (0.0.0.0): No Link (Waiting)
Interface Internet (0.0.0.0): No Link (Waiting)
Interface Backup1 (0.0.0.0): Normal (Waiting)
Interface Server (0.0.0.0): Normal (Waiting)
Interface Bank (0.0.0.0): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : state Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 76940782 0 775168 6
sys cmd 774983 0 774981 1
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 26125140 0 11 5
UDP conn 40971274 0 40 0
ARP tbl 9064174 0 136 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 1155 0 0 0
VPN IPSEC upd 4056 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 7 6588043
Xmit Q: 0 34 107757911
But few seconds later Secondary ASA become FAILED.
And i also did FAILOVER RESET command. After this command, secondary ASA became Standby Ready then few seconds later it became Failed again. Why does it become Failed again ? -
Cisco ASA Active standby failover problem
We have configured ASA Active standby failover with ASA5505 . When primary unit power off, secondary unit became active. when primary unit power on, then primary unit is becoming active again. i think for active standby setup there is no preemption. The real issue is when primary ASA became active after power on all the external connectivity getting down. Please see the below config,
ASA01# show run
ASA01# show running-config
: Saved
ASA Version 8.2(5)
hostname ASA01
enable password PVSASRJovmamnVkD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.1 MPLS_Router description MPLS_Router
name 192.168.2.1 SCADA_Router description SCADA_Router
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 2
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9
interface Vlan3
description LAN Failover Interface
ftp mode passive
clock timezone AST 3
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any host MPLS_Router
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan3
failover key *****
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route-map Route_Out permit 1
match ip address inside_access_in outside_access_in
match interface inside
route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http authentication-certificate inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
: endI suggest removing the failover configuration on both units and then re-add them, and then test.
Primary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit primary
failover key KEY
failover
Secondary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit secondary
failover key KEY
failover
Please remember to select a correct answer and rate helpful posts -
Best practice for ASA Active/Standby failover
Hi,
I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advanced!Hi Vibhor,
I test ping from R1 to R2 and ping drop when I shutdown either inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show' failover' and 'show run',
ASSA1# conf t
ASSA1(config)# int g1
ASSA1(config-if)# shut
ASSA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:20:00 SGT Nov 18 2014
This host: Primary - Active
Active time: 7862 (sec)
Interface outside (100.100.100.1): Normal (Monitored)
Interface inside (192.168.1.1): Link Down (Monitored)
Interface mgmt (10.101.50.100): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (100.100.100.2): Normal (Monitored)
Interface inside (192.168.1.2): Link Down (Monitored)
Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1053 0 1045 0
sys cmd 1045 0 1045 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 5 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 1045
Xmit Q: 0 30 10226
ASSA1(config-if)#
ASSA1# sh run
: Saved
ASA Version 8.4(2)
hostname ASSA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet2
description LAN/STATE Failover Interface
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
nameif mgmt
security-level 0
ip address 10.101.50.100 255.255.255.0
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone SGT 8
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_ACCESS_IN in interface outside
router ospf 10
network 100.100.100.0 255.255.255.0 area 1
network 192.168.1.0 255.255.255.0 area 0
area 0 authentication message-digest
area 1 authentication message-digest
log-adj-changes
default-information originate always
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.101.50.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.50.0 255.255.255.0 mgmt
ssh timeout 5
console timeout 0
tls-proxy maximum-session 10000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
: end
ASSA1# -
Step to prep CSC SSM on ASA Active/Standby mode
Hi all,
I am trying to setup Active/Standby HA mode for my site.
Currently the site was installed with one unit ASA firewall with CSC-SSM module, the second unit is the new unit ready to be setup.
My question:
01. My concern is second unit CSC-SSM, what is the proper procedure or step need to prep it?
Is it need to prep the CSC-SSM before the ASA in HA mode Or it will auto propagate the configuration when both unit in HA mode?
What else need to concern? am i need to setup different IP for the CSC-SSM management interface?
Thanks
NoelHello Yong,
Configuration related to the CSC or SSM modules will never get propagated so you will basically need to configure it manually.
Also it's not like if the Config on both modules is different failover will fail but ofcourse you wanna have the same one
IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
Maybe you are looking for
-
I run PrPro CS 4 on Windows XP (after the system crashed too often on VISTA), but admit that I have still to install the latest updates (which might have a fix for my problem). When opening an exisiting project, it happens at times that a window appe
-
I was recently asked to help create a query at my company to search for date gaps in employment status history. My table data looks similar to this employee_id employment_status beg_date end_date 1 Active 1990-01-01
-
Gemalto TOP GX4 cards - does they support Shareable interface?
Hello. I am trying to implement SIO in my applet. There is an interface package persistentStorage; import javacard.framework.*; public interface DataReadWriteInterface extends Shareable { public byte readByte(short address); public void wri
-
I'm having some trouble trying to understand the differences between static and non-static members. I've read a few online information about static members, but I don't understand the purpose of static members. Can someone try to explain the main poi
-
What happened to CS6 upgrade for Mac? and what think of subscription?
It was usually $200 or so on Amazon and now it's gone. What do people think of this subscription thing? It seems just like a way for Adobe to extract more money out of us. Am I wrong?