Active/Standby Failover with pair of 5510s and redundant L2 links

Hi
I just got two ASA5510-SEC-BUN-K9 and I'm wondering, is it possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510s and a redundant pair of switches on both the inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in the pair of ASAs) to each L2 switch (in the pair of redundant L2 switches). The configuration I would like to achieve is just like the one in the Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with the only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
Thanks in advance
Zoran Milenkovic

Hello Zoran,
Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX; however, connectivity would still be the same with ASAs:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
The difference is that on the ASA you can only have LAN-based failover, hence you'll need to use one additional interface on both ASAs for the failover link. You can connect these two failover-link interfaces directly using a crossover cable.
Apart from this, please refer to the following link on how to go about configuring LAN-based Active/Standby failover:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
Also make sure that both ASAs have the required hardware/software/license according to the following link:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
Hope this helps.
Regards,
Vibhor.

Similar Messages

  • Cisco ASA Active standby failover problem

    We have configured ASA Active/Standby failover with ASA5505. When the primary unit is powered off, the secondary unit becomes active. When the primary unit is powered on, the primary unit becomes active again. I think for an active/standby setup there is no preemption. The real issue is that when the primary ASA becomes active after power on, all the external connectivity goes down. Please see the config below:
    ASA01# show run
    ASA01# show running-config 
    : Saved
    ASA Version 8.2(5) 
    hostname ASA01
    enable password PVSASRJovmamnVkD encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.1 MPLS_Router description MPLS_Router 
    name 192.168.2.1 SCADA_Router description SCADA_Router
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
     switchport access vlan 2
    interface Ethernet0/3
    interface Ethernet0/4
     switchport access vlan 3
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9 
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9 
    interface Vlan3
     description LAN Failover Interface
    ftp mode passive
    clock timezone AST 3
    access-list inside_access_in extended permit icmp any any 
    access-list inside_access_in extended permit ip any any 
    access-list inside_access_in extended permit ip any host MPLS_Router 
    access-list outside_access_in extended permit icmp any any 
    access-list outside_access_in extended permit ip any any 
    access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER Vlan3
    failover key *****
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route-map Route_Out permit 1
     match ip address inside_access_in outside_access_in
     match interface inside
    route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    http authentication-certificate inside
    http authentication-certificate outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password eY/fQXw7Ure8Qrz7 encrypted
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
    : end

    I suggest removing the failover configuration on both units and then re-add them, and then test.
    Primary
    failover lan interface FAILOVER Vlan3
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    failover lan unit primary
    failover key KEY
    failover
    Secondary
    failover lan interface FAILOVER Vlan3
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    failover lan unit secondary
    failover key KEY
    failover
    Please remember to select a correct answer and rate helpful posts

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    This topic has been beaten to death, but I did not see a real answer. Here is the configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this), and many people are confusing the issue. Here are some examples of the confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASAs running multiple contexts. Context 1 is active on ASA1, Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASAs are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASAs "active/active", but it is not.
    The other confusing thing I have seen is that the VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure an IP address pool on the active ASA1, this gets replicated to the standby ASA2. In other words, you cannot have two unique IP address pools on an ASA Active/Standby cluster. I guess I could draw addresses from an external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, are there any experts out there that can answer the question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike

  • Active/Standby failover automatic primary active

    I have 2 ASA 5510s with the same physical configuration, running OK in active/standby failover mode. In active/active failover we have the PREEMPT command to get the primary back to active after it has been rebooted from the failed state. This command makes the primary active again and makes the secondary firewall standby automatically.
    I need help to know whether there is any such command for active/standby failover to make the primary active automatically. Currently we have to use the command FAILOVER ACTIVE on the primary to make it active manually.

    Remember, failover in ASA works differently than HSRP. ASA does NOT use HSRP. Furthermore, there is NO HSRP IP address in ASA either. You are talking about two different technologies.
    Think of it this way. HSRP technology works very similarly to VRRP and Juniper NSRP. All of these technologies use a virtual IP address. If you have two devices, you will have a Virtual IP address in addition to the physical IP addresses of the two devices. ASA does not use the extra VIP.

  • About stateful active/standby failover

    Hello guys.
    I have two ASAs, same model and hardware. Stateful active/standby failover was configured on the ASAs by someone a few years ago. It was working normally until recently, and no one has changed this configuration. Now the Secondary unit has failed. Ping between the two interfaces is OK. Please help me to resolve this problem.
    on Primary site
    interface Management0/0
    description STATE Failover Interface
    management-only
    interface GigabitEthernet1/1
    description LAN Failover Interface
    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet1/1
    failover link state Management0/0
    failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
    failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
    on Secondary site
    interface Management0/0
    description STATE Failover Interface
    management-only
    interface GigabitEthernet1/1
    description LAN Failover Interface
    output of show failover on PRIMARY
    show run failover
    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet1/1
    failover link state Management0/0
    failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
    failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
    F1# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: failover GigabitEthernet1/1 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 5 of 256 maximum
    Version: Ours 8.2(2), Mate 8.2(2)
    Last Failover at: 08:03:11 ULAST Jan 1 2003
            This host: Primary - Active
                    Active time: 5755203 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (10.2.5.1): Normal (Waiting)
                      Interface Internet (202.131.225.90): No Link (Waiting)
                      Interface Backup1 (10.3.5.1): Normal (Waiting)
                      Interface Server (192.168.227.1): Normal (Waiting)
                      Interface Bank (10.20.1.1): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
            Other host: Secondary - Failed
                    Active time: 0 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (0.0.0.0): No Link (Waiting)
                      Interface Internet (0.0.0.0): No Link (Waiting)
                      Interface Backup1 (0.0.0.0): Normal (Waiting)
                      Interface Server (0.0.0.0): Normal (Waiting)
                      Interface Bank (0.0.0.0): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
    Stateful Failover Logical Update Statistics
            Link : state Management0/0 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         76184539   0          767513     6
            sys cmd         767328     0          767326     1
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        25878669   0          11         5
            UDP conn        40545710   0          40         0
            ARP tbl         8987688    0          136        0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKE upd     1140       0          0          0
            VPN IPSEC upd   4004       0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       7       6522961
            Xmit Q:         0       34      106685671
    output of show failover on SECONDARY
    F1#  show failover
    Failover On
    Failover unit Secondary
    Failover LAN Interface: failover GigabitEthernet1/1 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 5 of 256 maximum
    Version: Ours 8.2(2), Mate 8.2(2)
    Last Failover at: 03:36:23 ULAST Dec 15 2013
           This host: Secondary - Failed
                    Active time: 0 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (0.0.0.0): No Link (Waiting)
                      Interface Internet (0.0.0.0): No Link (Waiting)
                      Interface Backup1 (0.0.0.0): Normal (Waiting)
                      Interface Server (0.0.0.0): Normal (Waiting)
                      Interface Bank (0.0.0.0): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
            Other host: Primary - Active
                    Active time: 5743217 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (10.2.5.1): Normal (Waiting)
                      Interface Internet (202.131.225.90): No Link (Waiting)
                      Interface Backup1 (10.3.5.1): Normal (Waiting)
                      Interface Server (192.168.227.1): Normal (Waiting)
                      Interface Bank (10.20.1.1): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
    Stateful Failover Logical Update Statistics
            Link : state Management0/0 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         765518     0          35843181   874
            sys cmd         765518     0          765516     0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          12671303   80
            UDP conn        0          0          13432853   133
            ARP tbl         0          0          8968384    661
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKE upd     0          0          1137       0
            VPN IPSEC upd   0          0          3988       0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       9       72011189
            Xmit Q:         0       1       765518

    - Ping is OK between 172.16.1.1 and 172.16.1.2, and between 172.16.0.1 and 172.16.0.2.
    - The ASA that shows as Failed is the one that did not use to be the primary; it used to be the secondary.
    - Yes, I logged in via console on both ASAs and checked the status of the ASAs. Primary is Active and Secondary is Failed.
    - I have changed the cable. The Primary ASA shows the following as soon as the cable was changed:
    Beginning configuration replication: Sending to mate.
    End Configuration Replication to mate
    Then output of SHOW FAILOVER on PRIMARY ASA :
    F1# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: failover GigabitEthernet1/1 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 5 of 256 maximum
    Version: Ours 8.2(2), Mate 8.2(2)
    Last Failover at: 08:03:11 ULAST Jan 1 2003
            This host: Primary - Active
                    Active time: 5812656 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (10.2.5.1): Normal (Waiting)
                      Interface Internet (202.131.225.90): No Link (Waiting)
                      Interface Backup1 (10.3.5.1): Normal (Waiting)
                      Interface Server (192.168.227.1): Normal (Waiting)
                      Interface Bank (10.20.1.1): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
           Other host: Secondary - Standby Ready
                    Active time: 9 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (0.0.0.0): No Link (Waiting)
                      Interface Internet (0.0.0.0): No Link (Waiting)
                      Interface Backup1 (0.0.0.0): Normal (Waiting)
                      Interface Server (0.0.0.0): Normal (Waiting)
                      Interface Bank (0.0.0.0): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
    Stateful Failover Logical Update Statistics
            Link : state Management0/0 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         76940782   0          775168     6
            sys cmd         774983     0          774981     1
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        26125140   0          11         5
            UDP conn        40971274   0          40         0
            ARP tbl         9064174    0          136        0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKE upd     1155       0          0          0
            VPN IPSEC upd   4056       0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       7       6588043
            Xmit Q:         0       34      107757911
    But a few seconds later the Secondary ASA became FAILED.
    And I also did the FAILOVER RESET command. After this command, the secondary ASA became Standby Ready, then a few seconds later it became Failed again. Why does it become Failed again?

  • ASA 5520 Anyconnect License on Active/Standby Failover pair

    Hi
    Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)
    I've installed both activated licenses as per the Cisco guides, and I didn't get any errors on the install. I did a reload on both; they are both back up and running as active/standby, but when I do a sh ver the license still shows "ASA 5520 VPN Plus License".
    Am I being dumb and has this worked successfully, or should it now display AnyConnect when I do a sh ver?
    Any help would be much appreciated on this one please
    Regards
    Graham

    Thanks Marvin
    Below is the show ver, but I was kind of expecting there to be a mention of Anyconnect if I had activated the license
    We previously had the VPN Plus License, and it still shows VPN Plus
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 2
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This platform has an ASA 5520 VPN Plus license.

  • Best practice for ASA Active/Standby failover

    Hi,
    I have configured a pair of Cisco ASAs in Active/Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when the ASA1 inside or outside interface is down?
    Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advance!

    Hi Vibhor,
    I tested ping from R1 to R2, and the ping drops when I shut down either the inside (g1) or outside (g0) interface of the Active ASA. Below are the ASA 'show failover' and 'show run' outputs:
    ASSA1# conf t
    ASSA1(config)# int g1
    ASSA1(config-if)# shut
    ASSA1(config-if)# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 60 maximum
    Version: Ours 8.4(2), Mate 8.4(2)
    Last Failover at: 14:20:00 SGT Nov 18 2014
            This host: Primary - Active
                    Active time: 7862 (sec)
                      Interface outside (100.100.100.1): Normal (Monitored)
                      Interface inside (192.168.1.1): Link Down (Monitored)
                      Interface mgmt (10.101.50.100): Normal (Waiting)
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                      Interface outside (100.100.100.2): Normal (Monitored)
                      Interface inside (192.168.1.2): Link Down (Monitored)
                      Interface mgmt (0.0.0.0): Normal (Waiting)
    Stateful Failover Logical Update Statistics
            Link : FAILOVER GigabitEthernet2 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         1053       0          1045       0
            sys cmd         1045       0          1045       0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          0          0
            UDP conn        0          0          0          0
            ARP tbl         2          0          0          0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKEv1 SA    0          0          0          0
            VPN IKEv1 P2    0          0          0          0
            VPN IKEv2 SA    0          0          0          0
            VPN IKEv2 P2    0          0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Route Session   5          0          0          0
            User-Identity   1          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       9       1045
            Xmit Q:         0       30      10226
    ASSA1(config-if)#
    ASSA1# sh run
    : Saved
    ASA Version 8.4(2)
    hostname ASSA1
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
     ospf message-digest-key 20 md5 *****
     ospf authentication message-digest
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
     ospf message-digest-key 20 md5 *****
     ospf authentication message-digest
    interface GigabitEthernet2
     description LAN/STATE Failover Interface
    interface GigabitEthernet3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet4
     nameif mgmt
     security-level 0
     ip address 10.101.50.100 255.255.255.0
    interface GigabitEthernet5
     shutdown
     no nameif
     no security-level
     no ip address
    ftp mode passive
    clock timezone SGT 8
    access-list OUTSIDE_ACCESS_IN extended permit icmp any any
    pager lines 24
    logging timestamp
    logging console debugging
    logging monitor debugging
    mtu outside 1500
    mtu inside 1500
    mtu mgmt 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER GigabitEthernet2
    failover link FAILOVER GigabitEthernet2
    failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715-100.bin
    no asdm history enable
    arp timeout 14400
    access-group OUTSIDE_ACCESS_IN in interface outside
    router ospf 10
     network 100.100.100.0 255.255.255.0 area 1
     network 192.168.1.0 255.255.255.0 area 0
     area 0 authentication message-digest
     area 1 authentication message-digest
     log-adj-changes
     default-information originate always
    route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.101.50.0 255.255.255.0 mgmt
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.101.50.0 255.255.255.0 mgmt
    ssh timeout 5
    console timeout 0
    tls-proxy maximum-session 10000
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
    : end
    ASSA1#
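The 'show failover' output quoted in this thread (inside interface Link Down on both units) and in the stateful failover thread above (mate stuck in Failed) is exactly what a monitoring job should read instead of a human. The Python below is an added example, not code from any of these posts: it parses that output format and returns the findings a health check would alert on. The two samples are abbreviated copies of the outputs quoted in those threads, constructed for this example; the 0.0.0.0 check assumes, as the secondary units in these threads show, that a 0.0.0.0 address on a monitored interface means no standby address is configured.

```python
"""Parse Cisco ASA 'show failover' output and report conditions that break
Active/Standby redundancy.  Samples are constructed from the threads above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LINKDOWN_SAMPLE = """\
Failover On
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
        This host: Primary - Active
                  Interface outside (100.100.100.1): Normal (Monitored)
                  Interface inside (192.168.1.1): Link Down (Monitored)
                  Interface mgmt (10.101.50.100): Normal (Waiting)
        Other host: Secondary - Standby Ready
                  Interface outside (100.100.100.2): Normal (Monitored)
                  Interface inside (192.168.1.2): Link Down (Monitored)
                  Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet2 (up)
"""

FAILED_SAMPLE = """\
Failover On
Failover LAN Interface: failover GigabitEthernet1/1 (up)
        This host: Primary - Active
                  Interface Internet (202.131.225.90): No Link (Waiting)
        Other host: Secondary - Failed
                  Interface Internet (0.0.0.0): No Link (Waiting)
Stateful Failover Logical Update Statistics
        Link : state Management0/0 (up)
"""

LAN_RE = re.compile(r"^Failover LAN Interface:\s+(\S+)\s+(\S+)\s+\((\w+)\)")
HOST_RE = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]+)\):\s+(.+?)\s+\(([^)]+)\)$")


@dataclass
class Unit:
    role: str                      # Primary / Secondary
    state: str                     # Active, Standby Ready, Failed, ...
    # interface name -> (address, status, monitoring state)
    interfaces: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)


@dataclass
class FailoverStatus:
    enabled: bool = False
    lan_link: str = ""
    lan_link_up: bool = False
    this_host: Optional[Unit] = None
    other_host: Optional[Unit] = None


def parse_show_failover(text: str) -> FailoverStatus:
    st = FailoverStatus()
    current: Optional[Unit] = None          # unit whose interface lines follow
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            st.enabled = True
        elif m := LAN_RE.match(line):
            st.lan_link, st.lan_link_up = m.group(2), m.group(3).lower() == "up"
        elif m := HOST_RE.match(line):
            current = Unit(role=m.group(2), state=m.group(3).strip())
            if m.group(1) == "This":
                st.this_host = current
            else:
                st.other_host = current
        elif (m := IFACE_RE.match(line)) and current is not None:
            current.interfaces[m.group(1)] = (m.group(2), m.group(3), m.group(4))
        elif line.startswith("Stateful Failover"):
            current = None                  # per-unit sections are finished
    return st


def failover_findings(st: FailoverStatus) -> List[str]:
    """Conditions a monitoring check should alert on; empty means healthy."""
    out: List[str] = []
    if not st.enabled:
        out.append("failover is Off")
    if not st.lan_link_up:
        out.append(f"failover LAN link {st.lan_link or '?'} is down")
    units = [u for u in (st.this_host, st.other_host) if u is not None]
    active = [u for u in units if u.state == "Active"]
    if not active:
        out.append("no unit is Active")
    elif len(active) > 1:
        out.append("both units are Active (split brain)")
    for u in units:
        if u.state not in ("Active", "Standby Ready"):
            out.append(f"{u.role} unit is {u.state}")
        for name, (addr, status, _mon) in u.interfaces.items():
            if status != "Normal":
                out.append(f"{u.role}: interface {name} is {status}")
            if addr == "0.0.0.0":       # assumption: no standby address configured
                out.append(f"{u.role}: interface {name} has no standby address")
    return out


if __name__ == "__main__":
    for label, sample in (("link-down", LINKDOWN_SAMPLE), ("failed-mate", FAILED_SAMPLE)):
        print(label, failover_findings(parse_show_failover(sample)) or ["healthy"])
```

Feed it the full `show failover` output from either unit; it ignores the statistics table and only looks at the unit and interface lines.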

  • Active/Standby Failover Config change

    Hi everyone,
    This weekend we are doing some changes on ASAs in Active/Standby mode.
    We will power off the standby ASA.
    Do some changes on the Active ASA, save the changes and reboot it.
    Power up the Active ASA and test whether the connectivity is working or not.
    In case the Active ASA is not working as expected after the change, I will power it off.
    Power up the Standby ASA; then it will become active as expected.
    Now, if I power up the other ASA where the changes were made, will it synchronize to the old config from the Standby ASA or not?
    Last week we did some changes on the Active ASA and it did not work as expected, so we had to undo our change.
    I need to make sure our backup plan is working.
    Regards
    Mahesh

    In your fallback scenario you would have to tell what was the secondary ASA that it is now the primary:
    change
    failover lan unit secondary
    to
    failover lan unit primary
    and vice-versa on the now-primary ASA:
    change
    failover lan unit primary
    to
    failover lan unit secondary
    Hope it helps

  • How can i active my iphones with one app id and using find my iphone apps

    hi
    I want to register 2 iPhones with one app ID and use the Find My iPhone app on my iPhones.
    How can I do it?
    Please help me.

    This will not work for "Find My iPhone". It is always a good idea to have two separate Apple IDs anyway.

  • One of cloud doesn't work in failover with Event ID 1205 and 1069 and unable to move services and application another node

    Anyone please respond.
    I've been working on creating a Windows Server 2008 R2 cluster for about a month now and I keep getting an error whenever I try to add a 2nd node. I keep getting "The cluster node is not reachable". However, when I validate the configuration, everything goes through successfully. I created and destroyed the cluster a couple of times, but no luck. I even re-installed Windows Server 2008 R2 on both servers, re-configured the iSCSI, and the same warning keeps coming up.
    I installed a new SQL Server 2008 R2 Named Instance on an existing SQL Server cluster node (Node1 & Node2). When I try to manually fail over the Services and applications to another node (Node1 to Node2) using Failover Cluster Manager, I get the errors.
    The cluster has these Events:
    Event ID 1069: Cluster resource 'IP Address xx.xx.xx.xx' in clustered service or application 'ClusterDtc' failed.
    Event ID 1205: The Cluster service failed to bring clustered service or application 'ClusterDtc' completely online or offline. One or more resources may be in a failed state. This may impact the availability of the clustered service or application.
    Why doesn't the cloud server move to Node2? You can see the screenshots below.
    1. in system configuration
    3. in system configuration ----> warning ---> Validate All Drivers Signed
    After creating the cluster I got the below errors.
    Any info you might know would be really helpful.

    Dear Ravikumar
    From clone support they gave a reply mail...
    Mail from Ramu...
    That would be a typical workaround in this situation. But what we intend to do cannot be accomplished through this workaround, as we need the validations to complete successfully.
    We are looking for an option either to get the driver signed or to use a different signed adapter for the same. Could you please suggest us something along that line.
    Mail from Support....
    Hello,
    Unfortunately this is not something that we would be able to do in a virtual environment; You are welcome to try different drivers however we would not be able to provide any support 
    for untrusted drivers. The only true solution would be to upgrade from a VM to a dedicated server where you would have control of all the drivers as there is no virtualization layer to
     contend with. Stepping into the territory of untested drivers for a custom configuration in a virtual environment will certainly prove to be an uphill battle.
     I would advise contacting Microsoft's support for additional assistance as they will be able to provide the most accurate information regarding this concern. 
    Regards
    Systems Administrator

  • Struggling to set up. Need help with pairing Apple TV and the remote. Any guidance, other than holding down the Menu and R buttons?

    I am using Ethernet cable to connect Apple TV. I have connected to Cable TV box as directed by cable provider. I have connected the HDMI cable from TV back to the Apple TV box. Power cord is connected. What am I doing wrong? Remote and Apple TV are not connecting....

    Thanks for sending the link.....unfortunately we are a home without wireless...My phone and iPad use 3G and our TV and Mac computers are connected via Ethernet ....
    That said, my new Apple TV is using Ethernet and I cannot use the app without wireless.
    Thanks for your effort to assist!

  • FWSM 4.0: switch from active/standby to active/active failover mode

    Hello,
    I have a pair of FWSMs running version 4.0 currently in active/standby failover mode, and I'd like to switch them to be active/active. Is there a documented procedure for doing this? What are the implications for any contexts switched to be primary on the FWSM that is currently acting as a standby (i.e., what kind of outage time can we expect)?
    Thanks in advance,
    Mike

    Hi Bro
    Thanks for the update, but still you'll need to create 2 contexts, each context will be ACTIVE on different Cisco ASA FW units. Hence, there will be some cut, copy and paste effort, not forgetting recabling, if that's needed. Here's a Cisco document to configure ACTIVE/ACTIVE for those who can't seem to find this document http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#req
    Conclusion: There will be some network downtime. I'm guessing 15min, if it was me :-)
    P/S: If you think this comment is helpful, please do rate it nicely :-)

  • Monitor interface vlan with ASA 5505 in HA Active/Standby Deployment

    Hi,
    I am doing an HA Active/Standby deployment with two ASA 5505s. The ASA documents mention that it will monitor all physical interfaces itself to decide on a failover. But in my case I configure VLAN interfaces instead of physical interfaces. My inside interfaces in each ASA connect to two different switches. My question is: if one inside physical interface (leading to one switch) goes down, does the failover occur? I suspect it does not, but I would like to make sure before doing HA.
    Any replies will be appreciated.

    Hi, I usually instead of doing a cross-connect on the inside leave it to something like A-to-A and B-to-B if the switches are not doing VSS or VPC. So I would just connect eth0/7 from ASA-A to SW-A and similar on ASA-B. This makes it cleaner.
    You can then control if you want to failover if the PO goes down or any 1 of the 2 interfaces in the PO go down.
    I am not saying that your above design is invalid, but I have usually done this in the past.

  • ASA Active/Standby mode and Hello messages

    Hi Everyone,
    On ASA Active/Standby mode, I know that, say, the inside or any other interface of the active and standby ASA should connect to the same switch and VLAN.
    When we assign, say, an IP address to the inside interface of both ASAs like
    ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2 255.255.255.0
    I need to know if these inside interfaces talk to each other or not.
    Do they send hello messages?
    Thanks
    Mahesh

    Hi Mahesh,
    The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.
    The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.
    By default all Physical interfaces are automatically monitored. To my understanding, Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.
    You would use the command
    monitor-interface
    Check the Command Reference section for this:
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112
    I would also suggest reading the following section of the Configuration Guide:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010
    It has information on the Unit and Interface health monitoring of the Failover pair.
    If you want to debug Failover activity you could use the command
    debug fover
    It has multiple additional parameters after that command.
    Here is the Command Reference section for the debug command:
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011
    You can even attach a computer to the switch between the ASAs and capture the packets between them, and you can see the Failover messages etc. from the ASAs.
    - Jouni
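    The two questions above (whether an unmonitored VLAN/subinterface can go down without triggering failover, and how the units track each other's health) both come down to what `show failover` reports per interface. As an added example, not part of this thread or of Cisco's documentation, the script below parses a constructed sample of that command's output and flags interfaces marked Not-Monitored (their link loss cannot cause a failover), monitored interfaces whose state is not Normal, a mate that is not in Standby Ready, and a version mismatch. The sample follows the general layout of `show failover` output; the exact field wording and the interface names and addresses in it are assumptions, not a capture from the devices discussed here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the general layout of `show failover` on an
# Active/Standby pair. Interface names, addresses and versions are made up.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 10:12:31 UTC Mar 3 2013
        This host: Primary - Active
                Active time: 86400 (sec)
                  Interface outside (203.0.113.1): Normal (Monitored)
                  Interface inside (192.168.10.1): Normal (Monitored)
                  Interface dmz (10.20.30.1): Normal (Not-Monitored)
                  Interface mgmt (10.101.50.1): No Link (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface inside (192.168.10.2): Normal (Monitored)
                  Interface dmz (10.20.30.2): Normal (Not-Monitored)
                  Interface mgmt (10.101.50.2): No Link (Not-Monitored)
"""


@dataclass
class IfaceStatus:
    name: str
    address: str
    state: str       # "Normal", "No Link", "Failed", "Testing", ...
    monitored: bool  # False only for "(Not-Monitored)"


@dataclass
class HostStatus:
    role: str   # "Primary" / "Secondary"
    state: str  # "Active", "Standby Ready", "Failed", ...
    interfaces: List[IfaceStatus] = field(default_factory=list)


@dataclass
class FailoverReport:
    failover_on: bool = False
    monitored_count: Optional[int] = None
    interface_holdtime: Optional[int] = None
    versions: Tuple[str, str] = ("", "")
    hosts: Dict[str, HostStatus] = field(default_factory=dict)  # "This" / "Other"


HOST_RE = re.compile(r"^(This|Other) host: (\S+) - (.+?)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]*)\): (.+?) \(([^)]+)\)$")
MON_RE = re.compile(r"^Monitored Interfaces (\d+) of (\d+) maximum")
HOLD_RE = re.compile(r"^Interface Poll frequency \d+ seconds, holdtime (\d+) seconds")
VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")


def parse_show_failover(text: str) -> FailoverReport:
    """Parse `show failover` text into a FailoverReport (layout is assumed, see above)."""
    report = FailoverReport()
    current: Optional[HostStatus] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            report.failover_on = True
            continue
        m = MON_RE.match(line)
        if m:
            report.monitored_count = int(m.group(1))
            continue
        m = HOLD_RE.match(line)
        if m:
            report.interface_holdtime = int(m.group(1))
            continue
        m = VER_RE.match(line)
        if m:
            report.versions = (m.group(1), m.group(2))
            continue
        m = HOST_RE.match(line)
        if m:
            current = HostStatus(role=m.group(2), state=m.group(3))
            report.hosts[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            # Interface lines belong to the most recently seen host block.
            current.interfaces.append(IfaceStatus(
                name=m.group(1), address=m.group(2), state=m.group(3),
                monitored=(m.group(4) != "Not-Monitored")))
    return report


def unmonitored_interfaces(host: HostStatus) -> List[str]:
    """Names of interfaces whose link loss will not count toward a failover."""
    return [i.name for i in host.interfaces if not i.monitored]


def failover_findings(report: FailoverReport) -> List[str]:
    """Human-readable findings a reviewer would want to see for a failover pair."""
    out: List[str] = []
    if not report.failover_on:
        out.append("failover is not enabled")
    if report.versions[0] != report.versions[1]:
        out.append(f"software mismatch: ours {report.versions[0]}, mate {report.versions[1]}")
    other = report.hosts.get("Other")
    if other is None or other.state != "Standby Ready":
        out.append(f"mate is not Standby Ready: {other.state if other else 'absent'}")
    for key, host in report.hosts.items():
        for iface in host.interfaces:
            if not iface.monitored:
                out.append(f"{key} host: {iface.name} is Not-Monitored; its link loss cannot trigger failover")
            elif iface.state != "Normal":
                out.append(f"{key} host: monitored interface {iface.name} is {iface.state}")
    return out


if __name__ == "__main__":
    for finding in failover_findings(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print(finding)
```

    Run against the constructed sample, the report lists dmz and mgmt on both units as Not-Monitored, which is exactly the situation the 5505 question describes: a switch-facing interface that is not monitored can lose link without the pair failing over. Adding `monitor-interface <name>` for such an interface changes its flag to Monitored, and the parser will then start reporting any non-Normal state on it instead.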

  • Active/Standby ASA 5520 + SSM-10=Failures

    Greetings,
    We have two ASA5520s, both at 7.2(2), running in active/standby failover. Each of the ASAs has an AIP-SSM-10 in it running 6.0(3)E1. The configuration is in promiscuous mode, assigned to the global policy, all traffic.
    The primary will be running fine until it transitions to the secondary with a message: Module in slot slot experienced a data channel communication failure, data channel is DOWN. When I go to the SSM it will not let us in by ASDM; I can telnet and it will allow us to log in, shows the disclaimer info, but never gives a CLI prompt. The secondary will be running for a while, then it exhibits the same behavior and its SSM becomes unresponsive. The ASA transitions again regardless of whether the SSM is back online or not. If it is, it operates normally.
    If it were 1 SSM I'd say it was the problem, but both of them are doing it, which leads me to consider configuration, or is there something else I am missing somewhere?
    We want to put these SSM-10s inline, but not with their current instability.
    Any suggestion at this point would be most helpful.
    Jim Collin
    Maui Land and Pineapple Company Inc.
    [email protected]

    I've got the exact same problem. I opened a TAC case and was told too much traffic was being redirected to the AIP module, overflowing a queue, causing the failure. We were using the modules for a couple of months before we began experiencing this issue. It got so bad I had to completely disable redirection to the module. We're not inspecting ESMTP traffic, but I'm going to try disabling protocol inspection entirely and apply the service-policy to see if it could be one of the other defaults that is the culprit. That makes more sense to me than volume, because our traffic volume didn't change considerably. I need approval, so it may be a while.
