Admin TACACS+ access fails ASA in Active/Standby Configuration
We have two ASA 5510 with version 8.2(1) in Active/Standby configuration, the failover works fine, but when the primary ASA comes back it remains standby , so we manually change it to active with the failover active command, then we try to access the device using a TACACS+ account , it doesnt work , just the local account works; after a period of time (15min) , the TACACS+ access start to work.
I'm not sure about your configuration but when in timed mode, a server that is declared "failed" will once again
be made available after 30 seconds. Unlike reactivation mode, it is not
necessary for all of the servers to fail before any can be reactivated.
On possible source of confusion to be aware of in timed mode:
The "show aaa-server" command will continue to show the server as FAILED
until the server is needed to authenticate a connection.
depletion
Reactivates failed servers only after all of the servers in the group are inactive.
timed
Reactivates failed servers after 30 seconds of down time.
Please tweak reactivation mode.
Regards,
~JG
Do rate helpful posts
Similar Messages
-
How to Uninstall SQL instance on active-passive SQL server , which failed during Cluster Setup (Error-Failed at Validate Active Directory Configuration)
active-passive SQL server cluster setup failed due to some steps missed in initial cluster setup,
now i have unistall sql instance from nodes,
Your help will higly appriciated.
Regards,
Anish
AsandeenHello,
Please refer to the following link about remove a node of SQL Server Failover Cluster Instance:
http://msdn.microsoft.com/en-us/library/ms191545.aspx#Remove
Regards,
Fanny Liu
Fanny Liu
TechNet Community Support -
Replacement of primary unit failed! (ASA5510 active/standby)
Hi all,
I have an issue bringing up my RMA'd primary ASA unit.
So what happened so far:
1. primary unit failed
2. secondary took over and is now secondary - active (as per sh fail)
2. requested RMA at Cisco
3. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary
4. issued wr erase and reloaded
5. copied the following commands to the new (RMA) primary unit:
failover lan unit primary
failover lan interface Failover Ethernet3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
int eth3
no shut
failover
wr mem
6. installed primary unit into rack
7. plugged-in all cables (network, failover, console and power)
8. fired up the primary unit
9. expected that the unit shows:
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
10. but nothing happened on primary unit
So can anyone give me assistance on what is a valid and viable approach in replacing a failed primary unit? Is there a missing step that hinders me to successfully replicate the secondary - active config to the primary - standby unit.
I was looking for help on the net but unfortunately I was not able to find anything related to ASA55xx primary unit replacement with a clear guideline or step by step instructions.
Any comments or suggestions are appreciated, and might help others who are in the same situation.
Thanks,
NicoHi Varun,
Thanks for catching-up this thread.
Here you go:
sh run fail on secondary - active:
failover
failover lan unit secondary
failover lan interface Failover Ethernet0/3
failover key *****
failover link Failover Ethernet0/3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
sh fail hist on secondary - active:
asa1# sh fail hist
==========================================================================
From State To State Reason
==========================================================================
23:47:15 CEST Feb 19 2011
Not Detected Negotiation No Error
23:47:19 CEST Feb 19 2011
Negotiation Cold Standby Detected an Active mate
23:47:21 CEST Feb 19 2011
Cold Standby Sync Config Detected an Active mate
23:47:36 CEST Feb 19 2011
Sync Config Sync File System Detected an Active mate
23:47:36 CEST Feb 19 2011
Sync File System Bulk Sync Detected an Active mate
23:47:50 CEST Feb 19 2011
Bulk Sync Standby Ready Detected an Active mate
10:34:09 CEDT Sep 3 2011
Standby Ready Just Active HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Just Active Active Drain HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Active Drain Active Applying Config HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Active Applying Config Active Config Applied HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Active Config Applied Active HELLO not heard from mate
==========================================================================
sh fail on secondary - active
asa1# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 10:34:09 CEDT Sep 3 2011
This host: Secondary - Active
Active time: 441832 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Outside (x.x.x.14): Normal (Waiting)
Interface Inside (x.x.x.11): Normal (Waiting)
slot 1: empty
Other host: Primary - Failed
Active time: 40497504 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(2)) status (Unknown/Unknown)
Interface Outside (x.x.x.15): Unknown
Interface Inside (x.x.x.12): Unknown
slot 1: empty
Stateful Failover Logical Update Statistics
Link : Failover Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 2250212 0 64800624 309
sys cmd 2250212 0 2249932 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 46402635 309
UDP conn 0 0 21248 0
ARP tbl 0 0 15921639 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 0 0 96977 0
VPN IPSEC upd 0 0 108174 0
VPN CTCP upd 0 0 19 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 203259096
Xmit Q: 0 1 2250212
show ver on secondary - active
asa1# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
asa1 up 200 days 12 hours
failover cluster up 1 year 108 days
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 64MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0022.55cf.7420, irq 9
1: Ext: Ethernet0/1 : address is 0022.55cf.7421, irq 9
2: Ext: Ethernet0/2 : address is 0022.55cf.7422, irq 9
3: Ext: Ethernet0/3 : address is 0022.55cf.7423, irq 9
4: Ext: Management0/0 : address is 0022.55cf.741f, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 10
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: xxx
Running Activation Key:xxxx
Configuration register is 0x1
Configuration last modified by enable_1 at 10:05:32.149 CEDT Fri Jul 15 2011 -
IPS modules in Cisco ASA 5510 Active/Standby pair.
All, I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
Sent from Cisco Technical Support iPad AppOk, that is what I needed to know. The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure. The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running. If we implement IPS I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS funcationality. This is not worth the $1000 extra per year to us.
Thanks for the responses though. That answers my questions. -
Single AIP-SSM in Cisco ASA Failover Active / Standby Mode
Hi,
I can add single AIP-SSM on Cisco ASA in failover active / standby mode?No, both units need the same hardware, that includes the installed modules.
Sent from Cisco Technical Support iPad App -
ASA 5550 Transparent Active/Standby Configuration
Hello guys!
I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running on transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA:
Primary ASA:
interface GigabitEthernet1/3
description LAN Failover Interface
media-type sfp
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
Secondary ASA:
interface GigabitEthernet1/3
description LAN Failover Interface
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet1/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
My questions are the following:
1. The management ip address is different than the ip used for the failover link. Since the firewalls are on transparent mode, does the failover ip needs to be the same as the management ip address?
2. Does any other additional config is needed for HA to work for basic active/stand-by failover?
3. Wich is the best method to add the second box without disrupting the active box?
Thanks in advance guys!Hi Nephtali,
1. The aswer is no, it can be different.
2. You can optionaly add statefull failover config.
3. Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.
Link to a config example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aefd11.shtml#Reg
Regards
Mariusz -
Active/Standby Configuration in CWLMS
Hi,
I have 2 LMS Server's in my LAN. I want 1 server will be Master & the other will be in Standby mode.
Whether, such type of configuration is possible in CWLMS??
I am using CWLMS version: 3.1
Rgds,
ParthaI don't think that LMS has a feature for HA installation.
You will find that in the document
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/ps7196/prod_white_paper0900aecd80695cad.pdf
on page 20 in chapter "7.1 Redundant-Server Scenario".
But there is an solution with two identical servers, one as master and the other as slave.
Details you will find in the document. -
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
This topic has been beat to death, but I did not see a real answer. Here is configuration:
1) 2 x ASA 5520, running 8.2
2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
In any case, any experts out there that can answer question? TIA!Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
Thanks much,
Mike -
Best practice for ASA Active/Standby failover
Hi,
I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advanced!Hi Vibhor,
I test ping from R1 to R2 and ping drop when I shutdown either inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show' failover' and 'show run',
ASSA1# conf t
ASSA1(config)# int g1
ASSA1(config-if)# shut
ASSA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:20:00 SGT Nov 18 2014
This host: Primary - Active
Active time: 7862 (sec)
Interface outside (100.100.100.1): Normal (Monitored)
Interface inside (192.168.1.1): Link Down (Monitored)
Interface mgmt (10.101.50.100): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (100.100.100.2): Normal (Monitored)
Interface inside (192.168.1.2): Link Down (Monitored)
Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1053 0 1045 0
sys cmd 1045 0 1045 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 5 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 1045
Xmit Q: 0 30 10226
ASSA1(config-if)#
ASSA1# sh run
: Saved
ASA Version 8.4(2)
hostname ASSA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet2
description LAN/STATE Failover Interface
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
nameif mgmt
security-level 0
ip address 10.101.50.100 255.255.255.0
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone SGT 8
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_ACCESS_IN in interface outside
router ospf 10
network 100.100.100.0 255.255.255.0 area 1
network 192.168.1.0 255.255.255.0 area 0
area 0 authentication message-digest
area 1 authentication message-digest
log-adj-changes
default-information originate always
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.101.50.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.50.0 255.255.255.0 mgmt
ssh timeout 5
console timeout 0
tls-proxy maximum-session 10000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
: end
ASSA1# -
ASA failover with 1 AIP SSM in Active/Standby?
I have a customer with two ASAs; in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob
The only connection to the SSM that can be done internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.
This is very usefull when you manage your SSM directly through the CLI.
However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.
All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.
All web connections must be made to the External Management interface of the SSM.
If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.
That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.
But it does still require that wire connected to the external port of the SSM. -
Active/standby in multiple context mode
is active/standby configuration possible in multilple context mode? i cannot find an article regarding this matter.
Hello John,
It is available
Actually the ones you need are the regular ones (documents) as the ASA will trigger failover if one of the context fail
Important Notes
For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.
. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for
Active/Standby Failover configurations in single context configurations.
With this I think you are ready to start configuring it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
Julio -
Active/Standby Failover Config change
Hi everyone,
This weekend we are doing some change on ASA in Active/Standby mode.
We will power off standby ASA.
Do some changes on Active ASA save the changes and reboot it.
Power up the Active ASA and will test the connectivity if it is working or not .
In case Active ASA is not working as expected after the change i will power it off.
Power up Standby ASA then it will become active as expected.
Now if i Power up other ASA where changes were made will it synchnorize to old config from Standby ASA or not?
Last week we did some changes on Active ASA and it did not work as expected so we have to undo our change.
Need to make sure our backup plan is working?
Regards
MaheshIn your fall back scenario you would have to tell what was the secondary ASA that it is now the primary
change
failover lan unit secondary
to
failover lan unit primary
and vice-versa on the now primary ASA.
change
failover lan unit primary
to
failover lan unit secondary
Hope it helps -
Active/Standby And failover link configuration mode
Hi everyone,
When config failover link of ASA in Active Standby mode.
When we config failover int say gi0/1
config t
int gi0/1
failover lan int gi0/1
Need to confirm we do this from interface config mode only or we can do this from global config also ????????
Whe we assign IP to this int we do that from global config mode ????
Regards
Mahesh
Message was edited by: mahesh parmar
Message was edited by: mahesh parmarHi,
Actually the ASA lets you insert a lot of command what ever mode you are under.
In the output you posted is a very important thing to notice
configure mode commands/options:
WORD Specify the interface name
As you can see, the output lists only one option and before that it mentions that this is a "configure mode" command
So even if you entered the command under the interface configuration mode, it would still be entered as a global/configure command mode.
Take the following thing for example
I want to check what configuration options I have with the command "failover"
So I enter the following to my ASA
ASA(config)# failover ?
configure mode commands/options:
interface Configure the IP address to be used for failover and/or
stateful update information
interface-policy Set the policy for failover due to interface failures
key Configure the failover shared secret or key
lan Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
mac Specify the virtual mac address for a dynamic interface
polltime Configure failover poll interval
timeout Specify the failover reconnect timeout value for
asymmetrically routed sessions
exec mode commands/options:
active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force a unit or failover group to an unfailed state
As you can see, the ASA tells us that there are different additional command parameters after the "failover" command that can be used. Some of them can be used either in Exec or Configuration mode.
- Jouni -
Required help on ASA basic setup and configuration
Hi,
I am very very new to Security/Firewall domain, As I have gone through lot of documents and understood there must be one outside interface and atleast one or multiple inside interfaces depends on the requirement. I have attached a high level design, it shows how ASAs tobe connected to Aggre/Dist. Switches and how DMZ are conneccted to ASA via L2 Switches. Could any one help me on this how to configure and what are basic configuration required to eastablish the network and it works. I need two inside networks one is for dmz servers and another one is other servers to be advertise to outside DC.When you say NK501 that it is a typo and that it should be N5K01 (for nexus 5000 switch 1?)
So if these are nexus switches, and I assume you are looking for active/standby configuration on the ASA for HA. Your configuration would be something like the following if you want full redundancy.
N5K01
feature vpc
vpc domain 1
role priority 1000
system-priority 1
peer-keepalive destination 169.254.111.1 source 169.254.111.2 vrf default
auto-recovery
interface Ethernet1/19
description ASA01
switchport mode trunk
channel-group 2 mode active
interface Ethernet1/21
description ASA01
switchport mode trunk
channel-group 2 mode active
interface Ethernet1/22
description vpc-keepalive
no switchport
ip address 169.254.111.1/16
no shutdown
interface Ethernet1/23
description vpc-peerlink
channel-group 1
no shutdown
interface Ethernet1/24
description vpc-peerlink
channel-group 1
no shutdown
interface port-channel1
description vpc-peerlink
vpc peer-link
interface port-channel2
description ASA
switchport mode trunk
vpc 1
N5K02
feature vpc
vpc domain 1
role priority 65535
system-priority 1
peer-keepalive destination 169.254.111.2 source 169.254.111.1 vrf default
auto-recovery
interface Ethernet1/19
description ASA02
switchport mode trunk
channel-group 2 mode active
interface Ethernet1/21
description ASA02
switchport mode trunk
channel-group 2 mode active
interface Ethernet1/22
description vpc-keepalive
no switchport
ip address 169.254.111.2/16
no shutdown
interface Ethernet1/23
description vpc-peerlink
channel-group 1
no shutdown
interface Ethernet1/24
description vpc-peerlink
channel-group 1
no shutdown
interface port-channel1
description vpc-peerlink
vpc peer-link
interface port-channel2
description ASA
switchport mode trunk
vpc 1
ASA01
interface TenGigabitEthernet0/6
description N5K01
channel-group 2 mode active
interface TenGigabitEthernet0/7
description N5K01
channel-group 2 mode active
interface TenGigabitEthernet0/8
description Failover
channel-group 3
interface TenGigabitEthernet0/9
description Failover
channel-group 3
interface Port-channel2
description N5K01
nameif NAME
security-level 60
ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2
interface Port-channel3
description Failover link
interface Port-channel3.10
description State link
vlan 10
interface Port-channel3.20
description STATE Failover Interface
vlan 20
failover
failover lan unit primary
failover lan interface Failover_Link Port-channel3.10
failover key PASSWORD
failover replication http
failover link Stateful_Failover_Link Port-channel3.20
failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146
failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162
ASA02
interface TenGigabitEthernet0/6
description N5K01
channel-group 2 mode active
interface TenGigabitEthernet0/7
description N5K01
channel-group 2 mode active
interface TenGigabitEthernet0/8
description Failover
channel-group 3
interface TenGigabitEthernet0/9
description Failover
channel-group 3
interface Port-channel2
description N5K01
nameif NAME
security-level 60
ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2
interface Port-channel3
description STATE Failover Interface
interface Port-channel3.10
description Failover link
vlan 10
interface Port-channel3.20
description State link
vlan 20
failover
failover lan unit primary
failover lan interface Failover_Link Port-channel3.10
failover key PASSWORD
failover replication http
failover link Stateful_Failover_Link Port-channel3.20
failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146
failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162
Please remember to rate and select a correct answer -
Cisco ASA Active standby failover problem
We have configured ASA Active standby failover with ASA5505 . When primary unit power off, secondary unit became active. when primary unit power on, then primary unit is becoming active again. i think for active standby setup there is no preemption. The real issue is when primary ASA became active after power on all the external connectivity getting down. Please see the below config,
ASA01# show run
ASA01# show running-config
: Saved
ASA Version 8.2(5)
hostname ASA01
enable password PVSASRJovmamnVkD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.1 MPLS_Router description MPLS_Router
name 192.168.2.1 SCADA_Router description SCADA_Router
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 2
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9
interface Vlan3
description LAN Failover Interface
ftp mode passive
clock timezone AST 3
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any host MPLS_Router
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan3
failover key *****
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route-map Route_Out permit 1
match ip address inside_access_in outside_access_in
match interface inside
route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http authentication-certificate inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
: endI suggest removing the failover configuration on both units and then re-add them, and then test.
Primary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit primary
failover key KEY
failover
Secondary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit secondary
failover key KEY
failover
Please remember to select a correct answer and rate helpful posts
Maybe you are looking for
-
Jumanji web browser very slow when trying to open a new website
Duckduckgo and pwmt.org work just fine but everything else I tried just does not open. What can be the couse of this issue? Why would one website work just fine and another just refuse to open at all? Last edited by khajvah (2014-11-10 19:55:25)
-
I recently purchased an old iMac G3 Macintosh. I was wondering, is there a way where I can update it without using an external disc? I've seen the newer Apple products with the dock, if I update my iMac G3, will it have that, and if so, how can I do
-
Computer is shutting down right in the middle of things rop
It was doing this about a month ago. Just completely shutting down in the middle of the internet, iphoto,etc. and it wouldn't go to sleep, but kick off. I took it to the apple store and they said it was the power supply and fixed it. Then yesterday,
-
NetWeaver install on Windows - Import Monitor failing to import packages
Following are the errors in import_monitor.log during installation. The errors are due to sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline. 7 out of 28 packages imported fine. What is the fix? TRACE: 2009-11-24 12:07:32 com.sap.inst.m
-
Help me with this caching issue
I have a JSP page where the user can make some changes and press a submit button to update the changes. After that the control is back in the same page. If the user clicks the browser back button at this time , the previous page without the changes i