ARP collision on failover interface of ASA5510

Seeing a funny problem. Whenever the secondary ASA is rebooted, there is a complaint of an ARP conflict on the failover interface:
Received ARP request collision from 169.254.0.1/1cdf.0f2e.e8b6 on interface FAILOVER with existing ARP entry 169.254.0.1/1cdf.0f2e.e0b0
169.254.0.1 is the primary ASA's failover interface, and the physical interface has MAC address 1cdf.0f2e.e0b0
169.254.0.2 is the secondary ASA's failover interface, and the physical interface has MAC address 1cdf.0f2e.e8b6
Failover IPs should remain constant even as roles change, so I'm very puzzled why the secondary would take the primary's IP.
Both are single context running 9.0(3).

Hi Johnny,
The IP addresses that we assign in failover are for the active and standby unit; they are not assigned to the primary and secondary units.
So as the role of a unit in the failover pair changes, the IP addresses and the MAC also change accordingly.
So what you are seeing is normal.
Further, the same is documented as well:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#acti
Hope this helps,
Cheers,
Naveen
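As an added example, not code from the question or from Naveen's reply: a small Python triage script that parses the ASA ARP-collision message quoted above and separates the expected active/standby MAC swap (both MACs belong to the failover pair) from a collision involving a MAC that belongs to neither unit, which is the case worth investigating. The interface-to-MAC map for dmz1 and the second sample log line are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Matches the ASA ARP-collision message in both spellings seen in this thread:
# "Received ARP request collision from IP/MAC on interface X with existing ARP entry IP/MAC"
# "received ARP collision from IP/MAC on interface X with existing ARP Entry IP/MAC"
MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ARP_COLLISION_RE = re.compile(
    rf"[Rr]eceived ARP (?:request )?collision from (?P<ip>{IPV4})/(?P<new_mac>{MAC}) "
    rf"on interface (?P<ifc>\S+) with existing ARP [Ee]ntry (?P<old_ip>{IPV4})/(?P<old_mac>{MAC})"
)


@dataclass
class Verdict:
    interface: str
    ip: str
    old_mac: str
    new_mac: str
    expected: bool  # True when the swap is explained by the failover pair's own MACs
    reason: str


def classify(line: str, pair_macs: Dict[str, Set[str]]) -> Optional[Verdict]:
    """Classify one ARP-collision syslog line.

    pair_macs maps an interface name (as it appears in the message) to the set of
    physical MAC addresses the two failover units use on that interface. A collision
    where both MACs are in that set is the normal active/standby role change
    described above; anything else deserves a look (stale entry, duplicate IP, or a
    third host answering ARP for an address it does not own).
    """
    m = ARP_COLLISION_RE.search(line)
    if m is None:
        return None  # not an ARP-collision message
    ifc = m["ifc"]
    old_mac, new_mac = m["old_mac"].lower(), m["new_mac"].lower()
    known = {mac.lower() for mac in pair_macs.get(ifc, set())}

    if old_mac in known and new_mac in known and old_mac != new_mac:
        return Verdict(ifc, m["ip"], old_mac, new_mac, True,
                       "active/standby role change between the two known failover units")
    if ifc not in pair_macs:
        return Verdict(ifc, m["ip"], old_mac, new_mac, False,
                       "no failover-pair MACs known for this interface; investigate")
    unknown = [mac for mac in (old_mac, new_mac) if mac not in known]
    return Verdict(ifc, m["ip"], old_mac, new_mac, False,
                   f"MAC(s) outside the failover pair: {', '.join(unknown)}; investigate")


def unexpected_collisions(lines: Iterable[str], pair_macs: Dict[str, Set[str]]) -> List[Verdict]:
    """Return only the collisions that a failover role change does not explain."""
    verdicts = (classify(line, pair_macs) for line in lines)
    return [v for v in verdicts if v is not None and not v.expected]


# FAILOVER entry uses the two MACs from the question; dmz1 values are constructed.
PAIR_MACS = {
    "FAILOVER": {"1cdf.0f2e.e0b0", "1cdf.0f2e.e8b6"},
    "dmz1": {"1cdf.0f2e.e0b1", "1cdf.0f2e.e8b7"},  # constructed sample values
}

# Constructed sample log: line 1 is the message quoted in the question; line 2 is a
# made-up collision on dmz1 whose existing entry points at a MAC that is neither ASA.
SAMPLE_LOG = [
    "Received ARP request collision from 169.254.0.1/1cdf.0f2e.e8b6 on interface FAILOVER "
    "with existing ARP entry 169.254.0.1/1cdf.0f2e.e0b0",
    "%ASA-4-405001: Received ARP request collision from 10.0.5.1/1cdf.0f2e.e0b1 on interface dmz1 "
    "with existing ARP entry 10.0.5.1/0011.2233.4455",
    "%ASA-1-105043: (Primary) Failover interface failed",
]

if __name__ == "__main__":
    for v in unexpected_collisions(SAMPLE_LOG, PAIR_MACS):
        print(f"{v.interface}: {v.ip} moved {v.old_mac} -> {v.new_mac}: {v.reason}")
```

Feed it the output of `show interface` from both units to build the real map; the FAILOVER line from the question then classifies as expected, while a collision with an unknown MAC is the one to chase.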

Similar Messages

  • Failover interface failed

    Hi,
I have 2 ASA 5520 firewalls configured with HA (failover), but sometimes when my primary firewall goes down the standby firewall doesn't come active. I found the below log on the primary firewall. What is the reason, and what is the meaning of reason code 4?
    Nov 30 2012 14:07:47: %ASA-1-105002: (ASA) Enabling failover.
    Nov 30 2012 14:08:43: %ASA-1-105043: (Primary) Failover interface failed
    Nov 30 2012 14:08:56: %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
    After I hard rebooted my standby firewall, the below log was generated:
    Nov 30 2012 15:51:57: %ASA-1-105042: (Primary) Failover interface OK
    Nov 30 2012 15:52:02: %ASA-1-709003: (Primary) Beginning configuration replication: Send to mate.
    Nov 30 2012 15:52:15: %ASA-1-709004: (Primary) End Configuration Replication (ACT)
    Please assist....
    Regards
    Suhas

    Hi,
    The explanation for that can be found in the ASAs syslog messages document.
    Here it is
    103001 Error Message    %ASA-1-103001: (Primary) No response from other firewall (reason code = code).
    Explanation    This is a failover message, which is displayed if the primary unit is unable to communicate with the secondary unit over the failover cable. (Primary) can also be listed as (Secondary) for the secondary unit. Table 1-2 lists the reason codes and the descriptions to determine why the failover occurred.
    Table 1-2    Reason Codes
    Reason Code    Description
    1              The local unit is not receiving the hello packet on the failover LAN interface when LAN failover occurs or on the serial failover cable when serial failover occurs, and declares that the peer is down.
    2              An interface did not pass one of the four failover tests, which are as follows: 1) Link Up, 2) Monitor for Network Traffic, 3) ARP, and 4) Broadcast Ping.
    3              No proper ACK for 15+ seconds after a command was sent on the serial cable.
    4              The local unit is not receiving the hello packet on the failover LAN and other data interfaces and it is declaring that the peer is down.
    5              The failover LAN interface is down, and other data interfaces are not responding to additional interface testing. In addition, the local unit is declaring that the peer is down.
    Recommended Action    Verify that the failover cable is connected correctly and both units have the same hardware, software, and configuration. If the problem persists, contact the Cisco TAC.
    Are you saying that the Primary ASA loses all connectivity to the Secondary ASA (looking at the log messages)? Judging by the above Cisco description it would mean the Primary ASA isn't getting Failover Hellos through any of the monitored interfaces, which again would make it seem like the Secondary Firewall is experiencing some problems.
    - Jouni

  • Cisco ASA 5580 Arp Collision Errors

    Dears,
    I am receiving a lot of errors: "%ASA-4-405001: received ARP collision from IP/MAC on interface dmz1 with existing ARP Entry IP/MAC".
    When i checked this MAC address in the same firewall it shows too many IP Addresses.
    What could be the reason ?
    Thanks...

    Hello Richard,
    My first thought is: why is the ASA receiving this traffic, if this is traffic that should not reach the default gateway?
    Anyway try the following
    same-security-traffic permit intra-interface
    Let me know how it goes
    Julio

  • CSM error message on ASA Failover interface

    Hello
    We use CSM 4.4 to manage our ASA firewalls.
    One of them is a failover pair. CSM now always creates a warning message when approving an activity, stating:
    FWSVC Access Rules Warnings ->  The following interfaces GigabitEthernet0/3,management, are not bound to any Access Rules and remain wide open for traffic to lower security level interfaces
    Is there a way to suppress those messages?
    Or is it required to configure an access-list to the lan-based failover interface?
    Thanks
    Patrick

    Hi Bro
    Yes, there is a way to suppress these error messages by issuing the command "no logging message " in that particular context, but I wouldn't advise doing so.
    Perhaps this could indicate a legitimate error on your part. If you could paste the show run output here, that would be great. We could advise you accordingly.
    Regards,
    Ram

  • Does the ASA's failover interface work at 1000/Full Duplex?

    I was once told that the speed had to be set to 100 Mbps on the Failover link when using LAN-based failover on a Gig switchport.

    I am running Active/Passive on my ASAs right now; this is the only configuration that I needed on my primary unit for the FO interface. I never had to set the interface link speed.
    interface GigabitEthernet0/3
    description LAN/STATE Failover Interface
    failover
    failover lan unit primary
    failover lan interface FOLink GigabitEthernet0/3
    failover replication http
    failover link FOLink GigabitEthernet0/3
    failover interface ip FOLink 192.168.100.1 255.255.255.0 standby 192.168.100.2

  • Failover setup between ASA5510-AIP10SP-K9 and ASA5510-SEC-BUN-K9

    Not sure if we can set up Active/Standby failover between ASA5510-AIP10SP-K9 and ASA5510-SEC-BUN-K9 at all?
    If anyone could advise, I would be grateful. Thanks a lot.

    You would need the module on both appliances to set up failover.
    Regards
    Farrukh

  • VLAN interface in ASA5510

    Hi,
    Is it possible to include (bridge) 2 or more interfaces in a VLAN and give that VLAN an IP address with the ASA (similar to an L3 switch)?
    If it's not possible, is there a workaround for this (besides using a switch)?
    Thanks.
    Gabriel Gearip

    You can use Subinterfaces which divide a physical interface into multiple logical interfaces that are tagged with different VLAN IDs. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or security appliances. This feature is particularly useful in multiple context mode so you can assign unique interfaces to each context.

  • Need to "move" failover to different interface/port

    Sorry if this is the wrong area, we have so seldom had questions that were not otherwise handled I don't frequent this area.
    How difficult is it to change the interface used for active/standby failover? It's a working, already configured pair with standby, but I need to move the crossover cable and tell them to use a different interface.
    ASA 5510 pair, already set up and working with failover that was originally configured on Ethernet port 0/3 by the senior network admin. It appears that from his use of interfaces or ports he used things straight out of examples on the web, including the interfaces used. 
    The senior network admin retired last spring and left me "in charge", gee, thanks.
    I need to make some changes and need an Ethernet port for a new important project.
    The Management 0/0 interface is unused and shutdown. We manage via inside interface from a specific subnet inside so don't need the dedicated management interface.
    I want to move failover FROM Ethernet 0/3  TO Management 0/0
    *This is the current setup:
    Result of the command: "sh run failover"
    failover
    failover lan unit primary
    failover lan interface failover Ethernet0/3
    failover link failover Ethernet0/3
    failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2
    *And this is the current interface configuration for 0/3 and Management:
    interface Ethernet0/3
     description LAN/STATE Failover Interface
    interface Management0/0
     speed 100
     duplex full
     shutdown
     nameif management
     security-level 0
     no ip address
     ospf cost 10
    I know it can run on the Management 0/0 interface because I see a lot of "how to configure" as if the ASA is brand new and several examples out there indeed show it being setup on Management.
    I'm looking for how to take an ASA pair that is currently configured and has a working functional failover configuration and simply "move failover" to a different hole or change the interfaces used for the "heartbeat" as it were.
    I assume it's not hard - but I also assume there's a specific sequence of events that must take place to prevent the pair from going into failover and switching lead roles........... 
    For example - would I shut off or turn off failover, and if so how, and on which ASA (frankly, I'm not sure how to access the secondary or standby if this must be done from or on the standby unit as I've never done that "deep" a config before)
    CLI is fine - I'd be just as comfortable in either ASDM or cli. 
    I sure hope this makes sense - I'm more of a troubleshooter and fixer than a designer or network engineer....
    And many many thanks - getting this moved will free up the interface I need and can really make a big dent in my project list while the supervisor is on vacation this week! I'd love to have this done and working before his return. 
    Oh, in case it does matter as I've been told, this is the Currently running license and versions shown here:
    Cisco Adaptive Security Appliance Software Version 8.4(4)1 
    Device Manager Version 6.4(7)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    VRDSMFW1 up 141 days 4 hours
    failover cluster up 141 days 4 hours
    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xfff00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00 
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
     0: Ext: Ethernet0/0         : address is 0024.972b.e020, irq 9
     1: Ext: Ethernet0/1         : address is 0024.972b.e021, irq 9
     2: Ext: Ethernet0/2         : address is 0024.972b.e022, irq 9
     3: Ext: Ethernet0/3         : address is 0024.972b.e023, irq 9
     4: Ext: Management0/0       : address is 0024.972b.e01f, irq 11
     5: Int: Not used            : irq 11
     6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : 250            perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5510 Security Plus license.
    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 4              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 4              perpetual
    AnyConnect Essentials             : 250            perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 4              perpetual
    Total UC Proxy Sessions           : 4              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5510 Security Plus license.
    Serial Number: ABC12345678
    Running Permanent Activation Key: eieioandapartridgeinapeartree 
    Configuration register is 0x1
    Configuration last modified by me at 15:03:07.132 CDT Mon Sep 15 2014

    If there was a "smack-self-on-forehead" icon here I'd use it now.
    Of course, totally logical - if you disconnect a monitored connection on the standby it's not about to take over as primary because it's had a failure and can't do the job, forcing the primary or active to remain that way. There's the key that would allow all other changes.
    Since the settings or config lines are in place already, then if I'm correct it's a matter of then just modifying what's there, and of course removing the name of the Management interface (no nameif) and making sure it's not shut down (no shutdown), etc.
    You are a handy person to have around. Thanks.
    By the way, *thanks to prior answers received here* and reading responses to others who had questions I can say I've set a record for this agency and done what no one else had been able to do - I've taken a troublesome LAN-to-LAN connection and made it trouble-free with a solid connection that is just 7.5 hours away from being up 90 days with no interruption, no collapse of any SA and improved performance.  I have 2 others out of our 34 that aren't too far behind that. The boss has recognized this after seeing his monthly up-time reports.
    Once I get this failover change made I will be setting up a "DMZ" of sorts and trying out my hand at telling the 5510s to forward specific traffic aimed at a specific public IP address to a specific server. (But that's another topic............)

  • Link outage in Etherchannel causes interface down and failover Secondary Failed

    Hi,
    I have configured a port-channel between a Firewall ASA5515-X and a WS-3750X stacking switch. The firewall is also configured in failover mode. The problem is that the switch port connected to my active firewall shows green and is working, but the switch port connected to the standby firewall shows orange. When I input the show failover command on the firewall, the secondary is failed. Please assist. The show command output is below.
    mdbl-int-fw-01# sho port-channel 10
    Ports: 2   Maxports = 16
    Port-channels: 1 Max Port-channels = 48
    Protocol: LACP/ active
    Minimum Links: 1
    Maximum Bundle: 8
    Load balance: src-dst-ip
    mdbl-int-fw-01# sho interface port-channel 10
    Interface Port-channel10 "inside", is up, line protocol is up
      Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
            Input flow control is unsupported, output flow control is off
            Description: *** Connected to CORE-SW ***
            MAC address 4c00.821d.511f, MTU 1500
            IP address 10.98.8.97, subnet mask 255.255.255.248
      Traffic Statistics for "inside":
            56859 packets input, 3419130 bytes
            148709 packets output, 16063580 bytes
            56858 packets dropped
          1 minute input rate 0 pkts/sec,  46 bytes/sec
          1 minute output rate 2 pkts/sec,  216 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  46 bytes/sec
          5 minute output rate 2 pkts/sec,  216 bytes/sec
          5 minute drop rate, 0 pkts/sec
      Members in this channel:
          Active:   Gi0/1 Gi0/2
    mdbl-int-fw-01# sho port
    mdbl-int-fw-01# sho port-channel sum
    mdbl-int-fw-01# sho port-channel summary
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            U - in use      N - not in use, no aggregation/nameif
            M - not in use, no aggregation due to minimum links not met
            w - waiting to be aggregated
    Number of channel-groups in use: 1
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    10     Po10(U)           LACP    Gi0/1(P)   Gi0/2(P)  
    mdbl-int-fw-01#
    mdbl-int-fw-01# sho port-channel ?      
      <1-48>    Channel group number
      brief     Brief information
      detail    Detail information
      port      Port information
      protocol  protocol enabled
      summary   One-line summary per channel-group
      |         Output modifiers
      <cr>
    mdbl-int-fw-01# sho port-channel bri
    mdbl-int-fw-01# sho port-channel brief
                    Channel-group listing:
    Group: 10
    Ports: 2   Maxports = 16
    Port-channels: 1 Max Port-channels = 48
    Protocol: LACP/ active
    Minimum Links: 1
    Maximum Bundle: 8
    Load balance: src-dst-ip
    mdbl-int-fw-01# sho port-channel pro
    mdbl-int-fw-01# sho port-channel protocol
                    Channel-group listing:
    Group: 10
    Protocol: LACP
    mdbl-int-fw-01# sho port-channel det
    mdbl-int-fw-01# sho port-channel detail
                    Channel-group listing:
    Group: 10
    Ports: 2   Maxports = 16
    Port-channels: 1 Max Port-channels = 48
    Protocol: LACP/ active
    Minimum Links: 1
    Maximum Bundle: 8
    Load balance: src-dst-ip
                    Ports in the group:
    Port: Gi0/1
    Port state    = bndl
    Channel group =   10        Mode = LACP/ active
    Port-channel  = Po10
    Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
            A - Device is in active mode.        P - Device is in passive mode.
    Local information:
                                 LACP port     Admin     Oper    Port        Port
    Port      Flags   State      Priority      Key       Key     Number      State
    Gi0/1     SA      bndl       32768         0xa       0xa     0x2         0x3d 
    Partner's information:
              Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
    Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
    Gi0/1     SA      bndl       32768         0x0       0xa      0x118       0x3d 
    Port: Gi0/2  
    Port state    = bndl
    Channel group =   10        Mode = LACP/ active
    Port-channel  = Po10
    Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
            A - Device is in active mode.        P - Device is in passive mode.
    Local information:
                                 LACP port     Admin     Oper    Port        Port
    Port      Flags   State      Priority      Key       Key     Number      State
    Gi0/2     SA      bndl       32768         0xa       0xa     0x3         0x3d 
    Partner's information:
              Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
    Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
    Gi0/2     SA      bndl       32768         0x0       0xa      0x119       0x3d 
    mdbl-int-fw-01# sho fail        
    mdbl-int-fw-01# sho failover st
    mdbl-int-fw-01# sho failover state
                   State          Last Failure Reason      Date/Time
    This host  -   Primary
                   Active         None
    Other host -   Secondary
                   Failed         Ifc Failure              22:03:03 UTC Jan 8 2014
                                  outside: No Link
                                  dmz: No Link
                                  mgt: No Link
                                  inside: No Link
    ====Configuration State===
            Sync Done
    ====Communication State===
            Mac set
    mdbl-int-fw-01# sho failover     
    Failover On
    Failover unit Primary
    Failover LAN Interface: failover GigabitEthernet0/3 (up)
    Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
    Interface Poll frequency 500 milliseconds, holdtime 5 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 114 maximum
    failover replication http
    Version: Ours 8.6(1)2, Mate 8.6(1)2
    Last Failover at: 02:16:48 UTC Jan 8 2014
            This host: Primary - Active
                    Active time: 74479 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/8.6(1)2) status (Up Sys)
                      Interface outside (118.179.139.4): No Link (Waiting)
                      Interface dmz (10.98.56.3): No Link (Waiting)
                      Interface mgt (10.10.11.1): Unknown (Waiting)
                      Interface inside (10.98.8.97): Normal (Waiting)
                    slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                      IPS, 7.1(4)E4, Up
            Other host: Secondary - Failed
                    Active time: 0 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/8.6(1)2) status (Up Sys)
                      Interface outside (118.179.139.6): No Link (Waiting)
                      Interface dmz (10.98.56.2): No Link (Waiting)
                      Interface mgt (0.0.0.0): No Link (Waiting)
                      Interface inside (10.98.8.98): No Link (Waiting)
                    slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                      IPS, 7.1(4)E4, Up
    Stateful Failover Logical Update Statistics
            Link : failover GigabitEthernet0/3 (up)
            Stateful Obj    xmit       xerr       rcv        rerr     
            General         12665      0          9929       0        
            sys cmd         9929       0          9929       0        
            up time         0          0          0          0        
            RPC services    0          0          0          0        
            TCP conn        0          0          0          0        
            UDP conn        0          0          0          0        
            ARP tbl         2735       0          0          0        
            Xlate_Timeout   0          0          0          0        
            IPv6 ND tbl     0          0          0          0        
            VPN IKEv1 SA    0          0          0          0        
            VPN IKEv1 P2    0          0          0          0        
            VPN IKEv2 SA    0          0          0          0        
            VPN IKEv2 P2    0          0          0          0        
            VPN CTCP upd    0          0          0          0        
            VPN SDI upd     0          0          0          0        
            VPN DHCP upd    0          0          0          0        
            SIP Session     0          0          0          0        
            Route Session   0          0          0          0        
            User-Identity   1          0          0          0        
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       7       9930
            Xmit Q:         0       30      99581
    mdbl-int-fw-01# sho failover ?   
      descriptor  Show failover interface descriptors. Two numbers are shown for
                  each interface. When exchanging information regarding a
                  particular interface, this unit uses the first number in messages
                  it sends to its peer. And it expects the second number in
                  messages it receives from its peer. For trouble shooting, collect
                  the show output from both units and verify that the numbers
                  match.
      exec        Show failover command execution information
      history     Show failover switching history
      interface   Show failover command interface information
      state       Show failover internal state information
      statistics  Show failover command interface statistics information
      |           Output modifiers
      <cr>
    mdbl-int-fw-01# sho failover inter
    mdbl-int-fw-01# sho failover interface
            interface failover GigabitEthernet0/3
                    System IP Address: 10.98.8.89 255.255.255.248
                    My IP Address    : 10.98.8.89
                    Other IP Address : 10.98.8.90
    mdbl-int-fw-01# sho failover stati    
    mdbl-int-fw-01# sho failover statistics
            tx:995725
            rx:980617
    mdbl-int-fw-01# sho failover hi        
    mdbl-int-fw-01# sho failover history
    ==========================================================================
    From State                 To State                   Reason
    ==========================================================================
    02:16:40 UTC Jan 8 2014
    Not Detected               Negotiation                No Error
    02:16:48 UTC Jan 8 2014
    Negotiation                Just Active                No Active unit found
    02:16:48 UTC Jan 8 2014
    Just Active                Active Drain               No Active unit found
    02:16:48 UTC Jan 8 2014
    Active Drain               Active Applying Config     No Active unit found
    02:16:48 UTC Jan 8 2014
    Active Applying Config     Active Config Applied      No Active unit found
    02:16:48 UTC Jan 8 2014
    Active Config Applied      Active                     No Active unit found
    ==========================================================================
    mdbl-int-fw-01# sho failover        
    Failover On
    Failover unit Primary
    Failover LAN Interface: failover GigabitEthernet0/3 (up)
    Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
    Interface Poll frequency 500 milliseconds, holdtime 5 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 114 maximum
    failover replication http
    Version: Ours 8.6(1)2, Mate 8.6(1)2
    Last Failover at: 02:16:48 UTC Jan 8 2014
            This host: Primary - Active
                    Active time: 74554 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/8.6(1)2) status (Up Sys)
                      Interface outside (118.179.139.4): No Link (Waiting)
                      Interface dmz (10.98.56.3): No Link (Waiting)
                      Interface mgt (10.10.11.1): Unknown (Waiting)
                      Interface inside (10.98.8.97): Normal (Waiting)
                    slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                      IPS, 7.1(4)E4, Up
            Other host: Secondary - Failed
                    Active time: 0 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/8.6(1)2) status (Up Sys)
                      Interface outside (118.179.139.6): No Link (Waiting)
                      Interface dmz (10.98.56.2): No Link (Waiting)
                      Interface mgt (0.0.0.0): No Link (Waiting)
                      Interface inside (10.98.8.98): No Link (Waiting)
                    slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                      IPS, 7.1(4)E4, Up
    Stateful Failover Logical Update Statistics
            Link : failover GigabitEthernet0/3 (up)
            Stateful Obj    xmit       xerr       rcv        rerr     
            General         12676      0          9938       0        
            sys cmd         9938       0          9938       0        
            up time         0          0          0          0        
            RPC services    0          0          0          0        
            TCP conn        0          0          0          0        
            UDP conn        0          0          0          0        
            ARP tbl         2737       0          0          0        
            Xlate_Timeout   0          0          0          0        
            IPv6 ND tbl     0          0          0          0        
            VPN IKEv1 SA    0          0          0          0        
            VPN IKEv1 P2    0          0          0          0        
            VPN IKEv2 SA    0          0          0          0        
            VPN IKEv2 P2    0          0          0          0        
            VPN CTCP upd    0          0          0          0        
            VPN SDI upd     0          0          0          0        
            VPN DHCP upd    0          0          0          0        
            SIP Session     0          0          0          0        
            Route Session   0          0          0          0        
            User-Identity   1          0          0          0        
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       7       9940
            Xmit Q:         0       30      99677

    Hi Ganesan,
    I am proposing a design like this. You can run STP in PVST mode and set a different priority on the core switch so that core A becomes the root bridge. There is nothing wrong with your design: you have placed your core switch physically below your firewall, but in reality it sits on top of your firewall as well. Spanning tree must be configured properly to achieve this. I have proposed my design, which is pretty simple and easy to troubleshoot.
    You can have your firewalls connected to the core switch below and connected directly to the router on the outside. Core A --> primary FW --> router A will always be the primary path; if anything goes wrong, the secondary line comes into the picture.
    Make sure that your HSRP has the higher priority on your core A VLAN configuration for the access switches.
    Please do rate the helpful posts.
    By
    Karthik

  • ASA5510 standby failover

    Trying to set up stateful failover with two ASA5510s.
    Here is what I have so far; tell me if this looks right. The IP addresses are set to 0.0.0.0 only for this discussion.
    Config Primary Firewall:
    config t
    interface management 0/0
    ip address 0.0.0.0 255.255.255.252 standby 0.0.0.0
    interface eth 0/0
    ip address 0.0.0.0 255.255.255.224 standby 0.0.0.0
    exit
    interface eth 0/1
    ip address 0.0.0.0 255.255.255.0 standby 0.0.0.0
    exit
    interface eth 0/2
    ip address 0.0.0.0 255.255.255.248 standby 0.0.0.0
    exit
    interface eth 0/3
    no ip address
    exit
    failover lan primary
    failover lan interface failover eth 0/3
    failover link statelink management 0/0
    failover lan enable
    failover replication http
    failover mac address eth 0/0 mac primary (fo mac eth 0)
    failover mac address eth 0/1 mac primary (fo mac eth 1)
    failover mac address eth 0/2 mac primary (Fo mac eth 2)
    failover link failover eth 0/3
    failover interface ip failover 0.0.0.0 255.255.255.252 standby 0.0.0.0
    failover
    CONFIG OF SECONDARY (FAILOVER DEVICE)
    config t
    interface eth 0/3
    no shut
    exit
    interface management 0/0
    no shut
    exit
    failover lan unit secondary
    failover lan interface failover eth 0/3
    failover lan enable
    failover interface ip failover 0.0.0.0 255.255.255.252 standby 0.0.0.0
    failover

    The above commands work great apart from the commands for the management interface. I could not configure the stateful link; it kept giving me an error, so I gave up on finishing the config. See the readout below (again, IPs changed to 0 for this discussion). Any suggestions?
    asa5510# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: failover Ethernet0/3 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 2 of 250 maximum
    Version: Ours 8.2(1), Mate 8.2(1)
    Last Failover at: 16:02:56 EDT May 10 2012
            This host: Primary - Active
                    Active time: 516535 (sec)
                    slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                      Interface outside1 (0.0.0.0): Normal (Not-Monitored)
                      Interface inside1 (0.0.0.0): Normal
                      Interface outside2 (0.0.0.0): Normal (Not-Monitored)
                      Interface management (0.0.0.0): Normal
                    slot 1: empty
            Other host: Secondary - Standby Ready
                    Active time: 1574 (sec)
                    slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                      Interface outside1 (0.0.0.0): Normal (Not-Monitored)
                      Interface inside1 (0.0.0.0): Normal
                      Interface outside2 (0.0.0.0): Normal (Not-Monitored)
                      Interface management (0.0.0.0): Normal
                    slot 1: empty
    Stateful Failover Logical Update Statistics
            Link : Unconfigured.
    asa5510# wr mem
    Building configuration...
    Cryptochecksum: cbd18ba4 e9f555d7 401182a2 cc4a5f11
    20547 bytes copied in 3.700 secs (6849 bytes/sec)
    [OK]
    asa5510#

  • On Interface show collisions?

    What is meant by the collision numbers displayed on an interface of an ASA firewall?
    Thanks in advance..

    Hi Abhinay,
    If you are asking what the collisions in the show interface output on the ASA are, they occur when the ASA and the connected device try to send traffic at the same time. Please check the following links for more information:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015bfd6.shtml
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
    Thanks.

  • MAC addresses of redundant interfaces on failover pair of CSS.

    Hello all, I wanted to know what happens to the MAC addresses of the failover interfaces on two CSS devices configured as a failover pair when a failover occurs?
    Also what happens in a failover event in general? Can anyone point me to some documents describing the failover process.
    Thank you,
    Dmitry.

    Hi Dimitry,
    Here are the URLs for configuring VIP and virtual IP interface redundancy; follow the configuration guide, which may help you:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/ASR.html
    Configuring Box to box redundancy:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/Redndncy.html
    CSS 11500 Active-Active Stateful Failover ASR in One-Armed Mode Configuration Example
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00802206a3.shtml
    Box-to-Box Redundancy on the CSS 11xxx Configuration Example - Ciscowiki
    http://supportwiki.cisco.com/ViewWiki/index.php/Box-to-Box_Redundancy_on_the_CSS_11xxx_Configuration_Example
    Kindly find full range of configuration examples on CSS here :
    Cisco CSS 11500 Series Content Services Switches
    Configuration Examples and TechNotes
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_configuration_examples_list.html
    Cisco CSS 11500 Series Content Services Switches
    http://supportwiki.cisco.com/ViewWiki/index.php/Category:Cisco_CSS_11500_Series_Content_Services_Switches
    Kindly see URL given below for my other articles
    http://boardreader.com/fp/Cisco_Systems_Networking_Profe_309110/Application_Networking_543840.html#hot_threads
    If possible, please rate so that I can be helpful to other people also, as it will enhance my credibility.
    Sachinga.hcl

  • Replacement of primary unit failed! (ASA5510 active/standby)

    Hi all,
    I have an issue bringing up my RMA'd primary ASA unit.
    So what happened so far:
    1. primary unit failed
    2. secondary took over and is now secondary - active (as per sh fail)
    3. requested RMA at Cisco
    4. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary
    5. issued wr erase and reloaded
    6. copied the following commands to the new (RMA) primary unit:
    failover lan unit primary
    failover lan interface Failover Ethernet3
    failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
    int eth3
    no shut
    failover
    wr mem
    7. installed primary unit into rack
    8. plugged in all cables (network, failover, console and power)
    9. fired up the primary unit
    10. expected that the unit shows:
    Detected an Active mate
    Beginning configuration replication from mate.
    End configuration replication from mate.
    11. but nothing happened on primary unit
    So can anyone give me assistance on what is a valid and viable approach to replacing a failed primary unit? Is there a missing step that prevents me from successfully replicating the secondary - active config to the primary - standby unit?
    I was looking for help on the net but unfortunately I was not able to find anything related to ASA55xx primary unit replacement with clear guidelines or step-by-step instructions.
    Any comments or suggestions are appreciated, and might help others who are in the same situation.
    Thanks,
    Nico

    Hi Varun,
    Thanks for picking up this thread.
    Here you go:
    sh run fail on secondary - active:
    failover
    failover lan unit secondary
    failover lan interface Failover Ethernet0/3
    failover key *****
    failover link Failover Ethernet0/3
    failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
    sh fail hist on secondary - active:
    asa1# sh fail hist
    ==========================================================================
    From State                 To State                   Reason
    ==========================================================================
    23:47:15 CEST Feb 19 2011
    Not Detected               Negotiation                No Error
    23:47:19 CEST Feb 19 2011
    Negotiation                Cold Standby               Detected an Active mate
    23:47:21 CEST Feb 19 2011
    Cold Standby               Sync Config                Detected an Active mate
    23:47:36 CEST Feb 19 2011
    Sync Config                Sync File System           Detected an Active mate
    23:47:36 CEST Feb 19 2011
    Sync File System           Bulk Sync                  Detected an Active mate
    23:47:50 CEST Feb 19 2011
    Bulk Sync                  Standby Ready              Detected an Active mate
    10:34:09 CEDT Sep 3 2011
    Standby Ready              Just Active                HELLO not heard from mate
    10:34:09 CEDT Sep 3 2011
    Just Active                Active Drain               HELLO not heard from mate
    10:34:09 CEDT Sep 3 2011
    Active Drain               Active Applying Config     HELLO not heard from mate
    10:34:09 CEDT Sep 3 2011
    Active Applying Config     Active Config Applied      HELLO not heard from mate
    10:34:09 CEDT Sep 3 2011
    Active Config Applied      Active                     HELLO not heard from mate
    ==========================================================================
    sh fail on secondary - active
    asa1# show fail
    Failover On
    Failover unit Secondary
    Failover LAN Interface: Failover Ethernet0/3 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 2 of 110 maximum
    Version: Ours 8.2(2), Mate 8.2(2)
    Last Failover at: 10:34:09 CEDT Sep 3 2011
            This host: Secondary - Active
                    Active time: 441832 (sec)
                    slot 0: ASA5510 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Outside (x.x.x.14): Normal (Waiting)
                      Interface Inside (x.x.x.11): Normal (Waiting)
                    slot 1: empty
            Other host: Primary - Failed
                    Active time: 40497504 (sec)
                    slot 0: ASA5510 hw/sw rev (2.0/8.2(2)) status (Unknown/Unknown)
                      Interface Outside (x.x.x.15): Unknown
                      Interface Inside (x.x.x.12): Unknown
                    slot 1: empty
    Stateful Failover Logical Update Statistics
            Link : Failover Ethernet0/3 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         2250212    0          64800624   309
            sys cmd         2250212    0          2249932    0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          46402635   309
            UDP conn        0          0          21248      0
            ARP tbl         0          0          15921639   0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKE upd     0          0          96977      0
            VPN IPSEC upd   0          0          108174     0
            VPN CTCP upd    0          0          19         0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       17      203259096
            Xmit Q:         0       1       2250212
    show ver on secondary - active
    asa1# sh ver
    Cisco Adaptive Security Appliance Software Version 8.2(2)
    Device Manager Version 6.2(5)53
    Compiled on Mon 11-Jan-10 14:19 by builders
    System image file is "disk0:/asa822-k8.bin"
    Config file at boot was "startup-config"
    asa1 up 200 days 12 hours
    failover cluster up 1 year 108 days
    Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    Slot 1: ATA Compact Flash, 64MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    0: Ext: Ethernet0/0         : address is 0022.55cf.7420, irq 9
    1: Ext: Ethernet0/1         : address is 0022.55cf.7421, irq 9
    2: Ext: Ethernet0/2         : address is 0022.55cf.7422, irq 9
    3: Ext: Ethernet0/3         : address is 0022.55cf.7423, irq 9
    4: Ext: Management0/0       : address is 0022.55cf.741f, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 100
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 10
    Total VPN Peers                : 250
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled
    This platform has an ASA 5510 Security Plus license.
    Serial Number: xxx
    Running Activation Key:xxxx
    Configuration register is 0x1
    Configuration last modified by enable_1 at 10:05:32.149 CEDT Fri Jul 15 2011
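The two failover bring-up problems above (the stateful link on the 5510 pair that "kept giving an error", and the RMA'd primary that never saw its active mate) both come down to the bootstrap stanzas on the two units not agreeing with each other, or with the interface they name. The script below is an added example, not Cisco code and not something from either thread: it parses the interface blocks and the `failover ...` lines out of each unit's config text and reports a link interface that still carries `ip address` or `nameif`, a `failover link` entered twice (only the last one takes effect), a missing or invalid `failover lan unit` role, and LAN-interface, state-link or `failover key` disagreements between the two units. The sample configs are constructed from the commands in the two posts, trimmed to the lines that matter; 192.0.2.x stands in for the first poster's 0.0.0.0 placeholders and `Ethernet3` / `Ethernet0/3` are kept exactly as the second poster typed them. Which side of a reported disagreement is the wrong one is for the operator to decide; on the RMA pair the script only shows that the LAN interface name, the absent key and the absent `failover link` differ from the surviving secondary.

```python
"""Pre-flight consistency checks for an ASA active/standby failover pair. Added example: not
Cisco code and not from the posts; parses plain config text of each unit and reports mismatches."""
import re
from dataclasses import dataclass, field

_ABBREV = {"eth": "ethernet", "mgmt": "management"}

def normalize_ifname(text: str) -> str:
    # 'eth 0/3' and 'Ethernet0/3' -> 'ethernet0/3'; note that 'Ethernet3' stays 'ethernet3'
    compact = re.sub(r"\s+", "", text).lower()
    m = re.match(r"([a-z]+)(.*)", compact)
    return _ABBREV.get(m[1], m[1]) + m[2] if m else compact

@dataclass
class Unit:
    name: str
    role: str = ""                                  # 'primary' or 'secondary'
    lan_if: tuple = ()                              # (logical name, physical interface)
    links: list = field(default_factory=list)       # every 'failover link' seen, in order
    has_key: bool = False
    ifc_props: dict = field(default_factory=dict)   # physical -> {'ip', 'nameif'} found under it

def _failover_cmd(u: Unit, a: list) -> None:
    # one 'failover <a...>' line; bare 'failover', 'failover mac ...' etc. are ignored
    if a[:2] == ["lan", "unit"] and len(a) > 2:
        u.role = a[2]
    elif a[:2] == ["lan", "interface"] and len(a) > 3:
        u.lan_if = (a[2], normalize_ifname(" ".join(a[3:])))
    elif a[:1] == ["link"] and len(a) > 1:          # 'failover link NAME' alone reuses the LAN link
        phys = normalize_ifname(" ".join(a[2:])) if len(a) > 2 else (u.lan_if or (None, None))[1]
        u.links.append((a[1], phys))
    elif a[:1] == ["key"]:
        u.has_key = True

def parse_unit(name: str, cfg: str) -> Unit:
    u, current = Unit(name), None
    for raw in cfg.splitlines():
        w = raw.split()
        kw = w[0].lower() if w else ""
        if kw in ("interface", "int") and len(w) > 1:
            current = normalize_ifname(" ".join(w[1:]))
            u.ifc_props.setdefault(current, set())
        elif kw in ("failover", "exit", "!"):       # back at the top level
            current = None
            if kw == "failover":
                _failover_cmd(u, [x.lower() for x in w[1:]])
        elif current and (kw == "nameif" or (kw == "ip" and len(w) > 1 and w[1].lower() == "address")):
            u.ifc_props[current].add(kw)            # 'no ip address' starts with 'no' and is skipped
    return u

def check_unit(u: Unit) -> list:
    f = []
    if u.role not in ("primary", "secondary"):
        f.append(("NO_ROLE", f"{u.name}: no valid 'failover lan unit primary|secondary'"))
    if len(u.links) > 1:
        f.append(("DUP_LINK", f"{u.name}: 'failover link' given {len(u.links)} times; the last wins"))
    for logical, phys in ([u.lan_if] if u.lan_if else []) + u.links:
        props = u.ifc_props.get(phys, set())
        if props:   # a LAN/state link interface must carry no ip address and no nameif
            f.append(("LINK_HAS_IP", f"{u.name}: {phys} ({logical}) still has {sorted(props)}"))
    return f

def check_pair(primary_cfg: str, secondary_cfg: str) -> list:
    """Findings as (CODE, message) tuples; an empty list means the two bootstrap stanzas agree."""
    p, s = parse_unit("primary", primary_cfg), parse_unit("secondary", secondary_cfg)
    f = check_unit(p) + check_unit(s)
    if p.lan_if != s.lan_if:
        f.append(("LAN_IF_MISMATCH", f"lan interface {p.lan_if} vs {s.lan_if}"))
    if p.links[-1:] != s.links[-1:]:                # only the last 'failover link' is in effect
        f.append(("LINK_MISMATCH", f"state link {p.links[-1:]} vs {s.links[-1:]}"))
    if p.has_key != s.has_key:
        f.append(("KEY_MISMATCH", "'failover key' configured on one unit only"))
    return f

# Constructed samples trimmed from the two posts (192.0.2.x replaces the 0.0.0.0 placeholders).
STATE_LINK_PRIMARY = """\
interface management 0/0
 ip address 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover lan primary
failover lan interface failover eth 0/3
failover link statelink management 0/0
failover link failover eth 0/3
"""
STATE_LINK_SECONDARY = """\
failover lan unit secondary
failover lan interface failover eth 0/3
"""
RMA_SECONDARY = """\
failover lan unit secondary
failover lan interface Failover Ethernet0/3
failover key *****
failover link Failover Ethernet0/3
"""
RMA_PRIMARY = """\
failover lan unit primary
failover lan interface Failover Ethernet3
"""

if __name__ == "__main__":
    print(check_pair(STATE_LINK_PRIMARY, STATE_LINK_SECONDARY), check_pair(RMA_PRIMARY, RMA_SECONDARY))
```

Feed `check_pair` the `show running-config failover` output plus the `interface` blocks of the link interfaces from each unit before the replacement is cabled in; an empty list means the two stanzas agree and the new unit should at least be able to negotiate with its mate.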

  • About stateful active/standby failover

    Hello guys.
    I have two ASAs, same model and hardware. Stateful active/standby failover was configured on them by someone a few years ago. It was working normally until recently, and no one has changed this configuration. Now the secondary unit has failed. Ping between the two interfaces is OK. Please help me to resolve this problem.
    on the primary side
    interface Management0/0
    description STATE Failover Interface
    management-only
    interface GigabitEthernet1/1
    description LAN Failover Interface
    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet1/1
    failover link state Management0/0
    failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
    failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
    on the secondary side
    interface Management0/0
    description STATE Failover Interface
    management-only
    interface GigabitEthernet1/1
    description LAN Failover Interface
    output of show failover on PRIMARY
    show run failover
    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet1/1
    failover link state Management0/0
    failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
    failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
    F1# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: failover GigabitEthernet1/1 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 5 of 256 maximum
    Version: Ours 8.2(2), Mate 8.2(2)
    Last Failover at: 08:03:11 ULAST Jan 1 2003
            This host: Primary - Active
                    Active time: 5755203 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (10.2.5.1): Normal (Waiting)
                      Interface Internet (202.131.225.90): No Link (Waiting)
                      Interface Backup1 (10.3.5.1): Normal (Waiting)
                      Interface Server (192.168.227.1): Normal (Waiting)
                      Interface Bank (10.20.1.1): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
            Other host: Secondary - Failed
                    Active time: 0 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (0.0.0.0): No Link (Waiting)
                      Interface Internet (0.0.0.0): No Link (Waiting)
                      Interface Backup1 (0.0.0.0): Normal (Waiting)
                      Interface Server (0.0.0.0): Normal (Waiting)
                      Interface Bank (0.0.0.0): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
    Stateful Failover Logical Update Statistics
            Link : state Management0/0 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         76184539   0          767513     6
            sys cmd         767328     0          767326     1
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        25878669   0          11         5
            UDP conn        40545710   0          40         0
            ARP tbl         8987688    0          136        0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKE upd     1140       0          0          0
            VPN IPSEC upd   4004       0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       7       6522961
            Xmit Q:         0       34      106685671
    output of show failover on SECONDARY
    F1#  show failover
    Failover On
    Failover unit Secondary
    Failover LAN Interface: failover GigabitEthernet1/1 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 5 of 256 maximum
    Version: Ours 8.2(2), Mate 8.2(2)
    Last Failover at: 03:36:23 ULAST Dec 15 2013
           This host: Secondary - Failed
                    Active time: 0 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (0.0.0.0): No Link (Waiting)
                      Interface Internet (0.0.0.0): No Link (Waiting)
                      Interface Backup1 (0.0.0.0): Normal (Waiting)
                      Interface Server (0.0.0.0): Normal (Waiting)
                      Interface Bank (0.0.0.0): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
            Other host: Primary - Active
                    Active time: 5743217 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (10.2.5.1): Normal (Waiting)
                      Interface Internet (202.131.225.90): No Link (Waiting)
                      Interface Backup1 (10.3.5.1): Normal (Waiting)
                      Interface Server (192.168.227.1): Normal (Waiting)
                      Interface Bank (10.20.1.1): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
    Stateful Failover Logical Update Statistics
            Link : state Management0/0 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         765518     0          35843181   874
            sys cmd         765518     0          765516     0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          12671303   80
            UDP conn        0          0          13432853   133
            ARP tbl         0          0          8968384    661
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKE upd     0          0          1137       0
            VPN IPSEC upd   0          0          3988       0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       9       72011189
            Xmit Q:         0       1       765518

    - ping is OK between 172.16.1.1 and 172.16.1.2, and between 172.16.0.1 and 172.16.0.2
    - the ASA that shows as failed is not the one that used to be the primary; it used to be the secondary.
    - Yes, I logged in via console on both ASAs and checked their status. Primary is active and secondary is failed.
    - I have changed the cable. The primary ASA showed the following as soon as the cable was changed.
    Beginning configuration replication: Sending to mate.
    End Configuration Replication to mate
    Then output of SHOW FAILOVER on PRIMARY ASA :
    F1# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: failover GigabitEthernet1/1 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 5 of 256 maximum
    Version: Ours 8.2(2), Mate 8.2(2)
    Last Failover at: 08:03:11 ULAST Jan 1 2003
            This host: Primary - Active
                    Active time: 5812656 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (10.2.5.1): Normal (Waiting)
                      Interface Internet (202.131.225.90): No Link (Waiting)
                      Interface Backup1 (10.3.5.1): Normal (Waiting)
                      Interface Server (192.168.227.1): Normal (Waiting)
                      Interface Bank (10.20.1.1): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
           Other host: Secondary - Standby Ready
                    Active time: 9 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (0.0.0.0): No Link (Waiting)
                      Interface Internet (0.0.0.0): No Link (Waiting)
                      Interface Backup1 (0.0.0.0): Normal (Waiting)
                      Interface Server (0.0.0.0): Normal (Waiting)
                      Interface Bank (0.0.0.0): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
    Stateful Failover Logical Update Statistics
            Link : state Management0/0 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         76940782   0          775168     6
            sys cmd         774983     0          774981     1
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        26125140   0          11         5
            UDP conn        40971274   0          40         0
            ARP tbl         9064174    0          136        0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKE upd     1155       0          0          0
            VPN IPSEC upd   4056       0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       7       6588043
            Xmit Q:         0       34      107757911
    But a few seconds later the secondary ASA became FAILED.
    I also ran the FAILOVER RESET command. After this command the secondary ASA became Standby Ready, then a few seconds later it became Failed again. Why does it become Failed again?
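One way to read a `show failover` like the ones above is to compare the interface column of "This host" against "Other host" rather than the unit states. ASA interface monitoring only marks a unit as failed when a monitored interface is down on it while the same interface is up on the mate; an interface that is down on both units (Internet, above) is treated as a network fault, not a unit fault. In the output above Backup2 is Normal on the primary and No Link on the secondary, and with Interface Policy 1 a single such disagreement is enough. The parser below is an added example, not Cisco code and not from the post: it extracts the per-interface state for both hosts, reports the monitored interfaces whose state disagrees, applies the interface policy (count or percentage) to say which unit would be held to have failed, and lists mate interfaces shown as 0.0.0.0, which means no standby address is configured, so the active unit can only track link state on that interface rather than run the interface tests. The sample is constructed from the primary-unit output posted above, trimmed to the lines the parser uses.

```python
"""Added example (not Cisco code, not from the post): read 'show failover' text, compare the
per-interface health of 'This host' and 'Other host', and explain an interface-policy failure."""
import math
import re
from dataclasses import dataclass

_HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
_IFC_RE = re.compile(r"^\s*Interface (\S+) \(([^)]+)\):\s*([A-Za-z ]+?)(?:\s*\(([^)]*)\))?\s*$")
_POLICY_RE = re.compile(r"^\s*Interface Policy (\d+)(%?)")


@dataclass
class Ifc:
    name: str
    ip: str
    state: str   # 'Normal', 'No Link', 'Unknown', 'Failed', ...
    note: str    # 'Waiting', 'Monitored', 'Not-Monitored' or ''

    @property
    def monitored(self) -> bool:
        return self.note != "Not-Monitored"


def parse_show_failover(text: str) -> dict:
    """{'policy': (n, is_percent), 'hosts': {'this'|'other': {'role', 'state', 'ifcs'}}}"""
    out, current = {"policy": (1, False), "hosts": {}}, None
    for line in text.splitlines():
        if m := _POLICY_RE.match(line):
            out["policy"] = (int(m[1]), m[2] == "%")
        elif m := _HOST_RE.match(line):
            current = {"role": m[2], "state": m[3], "ifcs": {}}
            out["hosts"][m[1].lower()] = current
        elif (m := _IFC_RE.match(line)) and current is not None:
            current["ifcs"][m[1]] = Ifc(m[1], m[2], m[3].strip(), m[4] or "")
    return out


def interface_disagreements(parsed: dict) -> list:
    """(interface, role of the unit it is down on, its state) for monitored interfaces that are
    Normal on one unit but not on the other. An interface down on both units is not listed:
    the ASA treats that as a network fault rather than a unit fault."""
    hosts = parsed["hosts"]
    this, other = hosts["this"]["ifcs"], hosts["other"]["ifcs"]
    bad = []
    for name in sorted(set(this) & set(other)):
        a, b = this[name], other[name]
        if a.monitored and b.monitored and (a.state == "Normal") != (b.state == "Normal"):
            side = "other" if a.state == "Normal" else "this"
            bad.append((name, hosts[side]["role"], hosts[side]["ifcs"][name].state))
    return bad


def explain(text: str) -> dict:
    parsed = parse_show_failover(text)
    hosts = parsed["hosts"]
    n, pct = parsed["policy"]
    monitored = sum(1 for i in hosts["this"]["ifcs"].values() if i.monitored)
    threshold = max(1, math.ceil(monitored * n / 100)) if pct else n
    down = {}
    for name, role, state in interface_disagreements(parsed):
        down.setdefault(role, []).append(f"{name} ({state})")
    failed = {role: f"{len(ifcs)} monitored interface(s) down while the mate's are up, "
                    f"threshold {threshold}: {', '.join(ifcs)}"
              for role, ifcs in down.items() if len(ifcs) >= threshold}
    # 0.0.0.0 on the mate means no standby address: the active unit can then only track link
    # state on that interface instead of running the failover interface tests against it.
    no_standby_ip = [i.name for i in hosts["other"]["ifcs"].values() if i.ip == "0.0.0.0"]
    return {"disagreements": interface_disagreements(parsed),
            "failed_units": failed, "no_standby_ip": no_standby_ip}


# Sample constructed from the primary-unit output posted above, trimmed to the lines used.
SAMPLE = """\
Failover On
Failover unit Primary
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
        This host: Primary - Active
                  Interface Backup2 (10.2.5.1): Normal (Waiting)
                  Interface Internet (202.131.225.90): No Link (Waiting)
                  Interface Backup1 (10.3.5.1): Normal (Waiting)
                  Interface Server (192.168.227.1): Normal (Waiting)
                  Interface Bank (10.20.1.1): Normal (Waiting)
        Other host: Secondary - Standby Ready
                  Interface Backup2 (0.0.0.0): No Link (Waiting)
                  Interface Internet (0.0.0.0): No Link (Waiting)
                  Interface Backup1 (0.0.0.0): Normal (Waiting)
                  Interface Server (0.0.0.0): Normal (Waiting)
                  Interface Bank (0.0.0.0): Normal (Waiting)
"""

if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the posted output, `failed_units` names the Secondary because of Backup2 alone, while Internet, down on both sides, is not counted against either unit; the `no_standby_ip` list covers every interface, which is the other thing to check on a pair whose standby keeps flapping to Failed.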

  • Cisco ASA Active standby failover problem

    We have configured ASA active/standby failover with ASA5505s. When the primary unit is powered off, the secondary unit becomes active. When the primary unit is powered on again, the primary becomes active again; I think there is no preemption in an active/standby setup. The real issue is that when the primary ASA becomes active after power on, all external connectivity goes down. Please see the config below.
    ASA01# show run
    ASA01# show running-config 
    : Saved
    ASA Version 8.2(5) 
    hostname ASA01
    enable password PVSASRJovmamnVkD encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.1 MPLS_Router description MPLS_Router 
    name 192.168.2.1 SCADA_Router description SCADA_Router
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
     switchport access vlan 2
    interface Ethernet0/3
    interface Ethernet0/4
     switchport access vlan 3
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9 
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9 
    interface Vlan3
     description LAN Failover Interface
    ftp mode passive
    clock timezone AST 3
    access-list inside_access_in extended permit icmp any any 
    access-list inside_access_in extended permit ip any any 
    access-list inside_access_in extended permit ip any host MPLS_Router 
    access-list outside_access_in extended permit icmp any any 
    access-list outside_access_in extended permit ip any any 
    access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER Vlan3
    failover key *****
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route-map Route_Out permit 1
     match ip address inside_access_in outside_access_in
     match interface inside
    route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    http authentication-certificate inside
    http authentication-certificate outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password eY/fQXw7Ure8Qrz7 encrypted
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
    : end

    I suggest removing the failover configuration on both units, re-adding it, and then testing.
    Primary
    failover lan interface FAILOVER Vlan3
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    failover lan unit primary
    failover key KEY
    failover
    Secondary
    failover lan interface FAILOVER Vlan3
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    failover lan unit secondary
    failover key KEY
    failover
    Please remember to select a correct answer and rate helpful posts
