ASA 5505 ISP Failover (PPPoE/DHCP)
Hello,
I have 2 WAN uplinks:
The primary is VDSL (PPPoE) - very fast, and I have a static IP + /29 subnet 'assigned' to me.
The secondary is DSL (DHCP) - slower
What I'm trying to do is setup ISP failover on my ASA 5505 with security plus licence... and the way I have it currently setup 'half-works'. If the primary goes down - the primary route is removed from the routing table and the secondary route is 'inserted'. I have the NATs setup so I have internet access and all seems well. The problem however is when the primary ISP comes online again, the ASA doesn't switch back over. It maintains the backup route until I manually switch it (by temporarily disabling the backup ISP switch port).
This is what I did to configure it:
config t
sla monitor 10
type echo protocol ipicmpecho x.x.x.x interface outside-primary
frequency 5
exit
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside-primary 0 0 x.x.x.x 1 track 1
route outside-backup 0 0 y.y.y.y 2
nat (inside,outside-primary) after-auto source dynamic any interface
nat (inside,outside-backup) after-auto source dynamic any interface
Have I missed anything? Is there a better way to set this up? I noticed in the ADSM if you edit an interface there seems to be the ability to set tracker IDs, SLA IDs, etc - but couldn't really find anything on google that helped.
Any assistance would be greatly appreciated.
Thanks!
Robert
Hi Robert,
you need this command:
no ip verify reverse-path interface outside_primary
Problem:
SLA monitoring does not work after the ASA is upgrade to version 8.0.
Solution:
The problem is possibly be due to the IP Reverse-Path command configured in the OUTSIDE interface. Remove the command in ASA and try to check the SLA Monitoring.
For reference:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html
https://supportforums.cisco.com/blog/150001
HTH
"Plz don't forget to choose correct answer and rate help full answer "
Similar Messages
-
Want to configure BACKUP VPN in asa 5505 for failover link
Hi,
Current i'm having 2 isps one tata and another one reliance iwant to configure the backup vpn for reliance ip for same peer ip which tata vpn had configured
i mandatory to configure same SA,ENCRPTION,IPSEC POLICY,KEY,LIFETIME...etc for failover vpn also.Hi michael,
First of thanks for reply.
Can we do it by public certificate or DNS entry e.g. both ISP Public ip address entry will be in DNS and user will hit particular DNS name. You r right that once link down so user will disconnect but when he will retry then he will connect via another link.
Is it possible??
Ashish -
X3500 wont work in Bridge mode with ASA 5505
Hi Everyone, I am currently running Linksys X3500 v1.0.0 and plan to use ASA 5505 as a PPPoE client. While PPPoE connection is working fine when i configure the linksys for PPoE, but When I configure the ASA 5505 to act as PPPoE client I'm unable to get the Linksys get the Internet up and running. I have opened support ticket with Cisco and per them X3500 is unable to provide PPPoE details in bridge mode. Cisco Ticket # 62968611 (PPPoE connection not working) The error on Cisco console is - asa5505# PPPoE: send_padiSnd) Dest:ffff.ffff.ffff Src:c8b3.735d.4e13 Type:0x8863=PPPoE-Discovery PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12 PPPoE: Type:0101VCNAME-Service Name Len:0 PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4 PPPoE: 00000002 PPPoE: padi timer expired Can Linksys help.. What's the issue. Regards, Sumit
Hi! I'm not so familiar with the Cisco ASA 5505 device. If you set your X3500 to a Bridge Mode, it will not give any PPPoE mode details and vice versa. Which of the two devices would you like to connect to the ISP's connection, is it the X3500 or the ASA 5505?
-
2 ISP link failover in ASA 5505
Hi,
I have ASA 5505, want to configure the 2 ISP link Tata and Airtel with failover.
I want to configure the WebVPN with failover, so that user don't need to change the public address when one link goes down.
thanks with regards
Ashish KumarHi michael,
First of thanks for reply.
Can we do it by public certificate or DNS entry e.g. both ISP Public ip address entry will be in DNS and user will hit particular DNS name. You r right that once link down so user will disconnect but when he will retry then he will connect via another link.
Is it possible??
Ashish -
Cisco ASA 5505 and DHCP Client Problems
Hi, i have a problem. I've connected my ASA appliance to an ADSL modem, and i dont get an DHCP address on the outside interface (e0/0). I use the asa-722-19.bin firmware.
I turned on the debugging for the DHCP client and could see that the ASA device was sending out broadcasts but a reply never came. Instead I connected the device to my internal network where the ASA got an address instantly.
I read somewhere that if I was to use ?ip address dhcp client-id fastethernet 0″, then I got an address from the ISP.
I tried looking for a similar command on the ASA5505 but I couldn?t find anything. I did however find a page on the Cisco site confirming my suspicions. It said some ISP?s require the client-id field of the DHCPDISCOVER request to be filled.
I've also read that this issue has beed fixed since a few weeks, now they have released version 7.2(2).22 where you can define ?dhcp-client client-id interface outside? in global configuration mode. Im running 7.2(2).19 and i cannot find any command like that in my appaiance. How do i fix my problem ? Or how do i get about recieving the 7.2(2).22 firmware update.
Regards !
LeifHi again! I thought I should share the solution that worked for me. I use software version 7.2(2) on this device. ASDM 5.2(2). In ASDM open configuration / Interfaces. Click in outside (my case 0/0) and press Edit. Then open the tab Advanced and set the correct Active Mac address. Fore some reason its empty by default and the ISP/modem don't like that. You will find the correct MAC address under the help menu / "About ASA". Im sure there is some another way to do this but this is a simple "how-to" that works with Swedens biggest ISP and their standard DSL modem.
When I used a Linksys DSL modem in bridge mode without the MAC address set I got an inside IP adress (192.168.x.x) from the modem to the ASA. After setting the MAC address I just had to do a renew and got the outside address right away. /Bjorn
(future users searchwords: no ip from isp, ASA 5505 and cable modem). -
I am working with a client that currently has an ASA 5505 with two ISPs for failover using a tracked interface. I would like to configure logging so that the ASA will email us when the Primary ISP goes down and fails over to the backup. Here is what I have so far...
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 12
interface Ethernet0/2
speed 100
duplex full
interface Ethernet0/3
switchport access vlan 22
speed 100
duplex full
interface Ethernet0/4
switchport access vlan 22
interface Ethernet0/5
switchport access vlan 22
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.76.252.33 255.255.255.248
interface Vlan12
nameif backup
security-level 0
ip address 168.93.174.130 255.255.255.248
interface Vlan22
nameif Phones
security-level 100
ip address 192.168.3.1 255.255.255.0
logging enable
logging buffered warnings
logging asdm warnings
logging from-address [email protected]
logging recipient-address [email protected] level errors
route outside 0.0.0.0 0.0.0.0 DG-Commcast 128 track 1
route backup 0.0.0.0 0.0.0.0 DG-FirstCom 255
sla monitor 123
type echo protocol ipIcmpEcho 73.120.130.1 interface outside
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
Let me know if you need any more info from the config; it's quite long and not sure what all is needed...
The primary interface is Outside and the backup is obviously Backup
Thanks!
TonyHi Tony,
As long as the event covered under 'errors' list - inaddition to the above config, you need to add..
loging mail errors
smtp-server
Check the below link for more information on ASA message logging..
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml
hth
MS -
ASA 5505 VPN with dhcp at endpoint
I have a new customer that I installed an ASA 5505 to replace a Linksys VPN router. They have a main office with a static IP address, 3 branch offices with static IP addresses and 2 branches that are doing DHCP from the ISP for their router address. I have no problem getting the static VPNs up and running. My problem is with the VPN connections that are doing DHCP. I can go in and determine what IP they are currently using and setup a connection and it works fine. The problem is of course when their IP address from the ISP changes, which seems to happen at least daily. What is the proper way to setup a connection that is using DHCP? Also, can you setup multiple connections this way? Currently the 2 locations have different passwords setup in their routers.
I need help ASAP as this customer is getting frustrated quickly. I do not want to lose a customer that I just got over this.
Thanks in advance,
SteveGo to this link and scroll down to Site to Site VPN (L2L) with IOS and Site to Site VPN (L2L) with ASA, you can use the links example depicting your scenario requirements, where one end is dynamic and other static for Ipsec L2L IOS-to-ASA or ASA-to-IOS.
The best solution obiosly is having static IP addressing, make that clear with your client , but these exmaples are very good solution for your problem.
Keep in mind that the DHCP dynamic side will always be the initiator to bring up the tunnel , not the static side.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Regards -
Cisco ASA 5505 - problem with negotiating IP address from PPPoE
Hi all,
I have problem with negotiating IP address from PPPoE. There is following design: ISP providing vDSL ending on VDSL modem in bridge mode. Behind brigde modem is ASA 5505 terminting PPPoE on OUTSIDE. Everything works fine except negotiating IP address from PPPoE server.
I have configured ASA 5505 with (ASA Version 9.2(2)4) for PPPoE like this [1.]. But If i try to "show" IP address on OUTSIDE interface a get this [2.], ok strange but let's continue. If list "show vpdn pppinterface id 1" i get this [3.]. Seems that I got public IP addres what was right, but this IP address was not associated with interface OUTSIDE?
Well, if I set IP address manually like this [4.] and also set a default route everything works fine but what will happen when ISP change reservation for my IP address or default gateway.
I have tried different version of ASA OS like 8.4, 9.1 but without luck.
Can anybody help me. Thanks a lot.
Regards
Karel
[1.]
interface Vlan100
description >>VLAN pro pripojeni do internetu<<
nameif OUTSIDE
security-level 0
pppoe client vpdn group O2
ip address pppoe setroute
vpdn group O2 request dialout pppoe
vpdn group O2 localname O2
vpdn group O2 ppp authentication chap
vpdn username O2 password *****
interface Ethernet0/0
description >>uplink O2 vDSL<<
switchport access vlan 100
[2.]
ciscoasa(config-if)# show ip address vlan 100 pppoe
ciscoasa(config-if)# 0.0.0.0 255.255.255.255 on Interface: OUTSIDE
ciscoasa(config-if)# show interface vlan 100 detail
Interface Vlan2 "OUTSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: >>VLAN pro pripojeni do internetu<<
MAC address f44e.05d0.6c17, MTU 1492
IP address unassigned
Traffic Statistics for "OUTSIDE":
28 packets input, 1307 bytes
31 packets output, 721 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 3 bytes/sec
1 minute output rate 0 pkts/sec, 1 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 15
Interface config status is active
Interface state is active
[3.]
ciscoasa(config-if)# show vpdn pppinterface id 1
PPP virtual interface id = 1
PPP authentication protocol is CHAP
Server ip address is 88.103.200.41
Our ip address is 85.71.188.158
Transmitted Pkts: 20, Received Pkts: 16, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
ciscoasa(config-if)# show vpdn session state
%No active L2TP tunnels
%No active PPTP tunnels
PPPoE Session Information (Total tunnels=1 sessions=1)
SessID TunID Intf State Last Chg
22298 2 OUTSIDE SESSION_UP 561 secs
[4.]
interface Vlan100
description >>VLAN pro pripojeni do internetu<<
nameif OUTSIDE
security-level 0
pppoe client vpdn group O2
ip address 85.71.188.158 255.255.255.255 pppoe setroute
route OUTSIDE 0.0.0.0 0.0.0.0 88.103.200.41 1You're right that the ACL should not affect otherwise allowed communications to the interface address.
Try disabling the ip audit feature on your outside interface.
no ip audit interface OUTSIDE AP_OUTSIDE_INFO
no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK -
Cisco ASA 5505 Dual-ISP Backup VPN
I am trying to create a backup tunnel from an ASA 5505 to a pix 501 in the case of the Main ISP failing. The Pix external side will stay the same, but not quite sure how I can create a new crypto map and have it use the Backup ISP interface without bringing down the main tunnel.
My first thought was to add the following crypto map to the configuration below:
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer 9.3.21.13
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map interface backupisp -->but this would break the current tunnel.
NYASA# sh run
: Saved
ASA Version 7.2(4)
hostname NYASA
domain-name girls.org
enable password CHwdJ2WMUcjxIIm8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 9.17.5.8 255.255.255.240
interface Vlan3
description Backup ISP
nameif backupisp
security-level 0
ip address 6.27.9.5 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list 150 extended permit ip any host 10.1.2.27
access-list 150 extended permit ip host 10.1.2.27 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backupisp 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (backupisp) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 9.17.5.7 1 track 1
route backupisp 0.0.0.0 0.0.0.0 6.27.9.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 10
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
sla monitor schedule 10 life forever start-time now
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 9.3.21.13
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
track 1 rtr 10 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
username ptiadmin password BtOLil2gR0VaUjfX encrypted privilege 15
tunnel-group 9.4.21.13 type ipsec-l2l
tunnel-group 9.4.21.13 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:22bb60b07c4c1805b89eb2376683f861
: end
NYASA#
Thanks in advance.In that case is the PIX who needs two peers (to the ASA).
The ASA will requiere the crypto map to be applied to the backup interface as well (as you mentioned)
crypto map outside_map interface backupisp -->but this would break the current tunnel.
The above command should not break the current tunnel (if the route to reach the other end goes out via the primary interface).
Additionally you need IP SLA configured in the ASA to allow it to use the primary connection and fallback to the backup connection to build-up the tunnel (as well to use again the primary interface when it recovers).
Federico. -
Cisco ASA 5505 - 2 PPPoE connection
Hi,
Please I would be very pleased if someone could give me a hand in this matter.
I have a Cisco ASA 5505 9.0(2), 2 dial-up connection (ADSL) with fix IP from the same ISP. I have 2 Linksys router (each dial-up has a router) as well. Both Linksys are connected directly to ASA configured in bridge mode.
I set up one dial-up on interface called “outside” with PPPoE configuration which is, in fact, up and running. I’m able to get my fix public IP.
My problem come from when I try to set up the second dial-up on interface called “outside-other”. I configure properly all PPPoE parameters however I’m not able to get my second fix public IP. Somehow, it’s not able to establish a connection with the ISP. (PPPoE session has not been established yet)
This could be useful information: the PPPoE Username is the same in both dial-up connection (given by my ISP).
I hope someone can shed light on this issue.
Thanks in advance,
Apologies for my lack of awareness.
AntonioHi,
This is my schema:
connection A ( interface outside) --> DSL --> Router Linksys mode bridge --> Cisco ASA , up and running with IP fix.
connection B ( interface outside-other) --> DSL --> Router Linksys mode bridge --> Cisco ASA, down : Status PADR_SENT
I tried to use two different VPDN_groups for the two connections A and B. However, B is still not working. Just one of them is able to get IP from ISP, connection A.
When I set up the Linksys router (connection B) in PPPoE, the connection works and get an IP fix from ISP.
What I want to do is set up a VPN on connection B so I need to configure this second dial-up on Cisco ASA. I cannot use connection A due to security reasons.
Thanks -
Having trouble getting a public IP on the outside interface.
ASA 5505 running 8.0(2)
Westell E90610030-06 DSL box running current firmware.
Service provider is AT&T (Bellsouth)
DSL modem is in bridge mode.
Outside interface of 5505 is set to PPPoE with known good credentials.
I've tried CHAP and PAP authentication.
Last attempt, using MAC cloning, showed a PPPoE address of 0.0.0.0 255.255.255.255 in the client monitor in ASDM. Authentication is still set to CHAP.
I've read that AT&T does a 2-hour IP lease, so my next step is to shut down the DSL router for 2 hours and try again.
I believe PPPoE debug is still broken in this ASA version, unfortunately.
TIAinterface Ethernet0/0
nameif Outside
security-level 0
pppoe client vpdn group
ip address pppoe setroute
<--->
vpdn group request dialout pppoe
vpdn group localname
vpdn group ppp authentication chap
vpdn username password ******** store-local -
ASA-5505 failover, cant choose interface
Hi
I am trying to configure two ASA-5505 as a failover pair.
Software 8.2.5 and ASDM 6.4.5.206
Using the wizard i get to step3 .. then nothing happenes.
Trying direct in asdm but the only interface i can choose is "--None Unnamed-"
How do i get any further ?
/PerSolved this by configuring the failocer interface by cli
-
Hi. I have an ASA 5505 configured for Transparent Mode. The Outside interface connects to a router (RV042). The router manages DHCP. With the 5505 in the system, all computers can connect to the internet and to each other, except for a few. The problem computers can be made to work if they are set to a specific address, rather than automatically assigned by the router. Some of the iPads work correctly, some do not. At least one Apple Notebook cannot connect even if I enter a static address.
Consulting the documentation, I found that DHCP traffic (UPD Port 67 and 68) needed to be enabled via rules for the Inside and Outside interfaces. I did that in ASDM but now nothing works.
I have pulled the 5505 out of the system and restored it to the configuration that worked for most of the computers.
Any suggestions would be appreciated. I can pull a "show" run from CLI if it is useful.
Thanks...Understood. I tried adding the "inside_out extended permit ip any any" command, but it made no difference. Because the implicit rule (permit ip traffic to any less secure interface) is still in the access list table, it would seem the additional extended rule is not needed.
When I first received the 5505, it had an older version of firmware. At the time, when I entered any rule in ASDM it deleted the "less secure" implicit rule, which then broke the system since there was no path for internet traffic from inside to outside, as you have stated. With the newest firmware release, however, when I enter a rule, the "less secure" implicit rule does not go away.
So, with help from the folks here I have made progress. Right now the issue is that when the 5505 in Transparent Mode is between the router and user computers, the computers cannot reliably get addresses that are auto-assigned by the router.
Looking through the logs displayed on ASDM, I noticed the following curious statement:
"6 Mar 31 2014 07:16:42 fe80::1131:41c2:3627:8339 63575 ff02::1:3 5355 No management IP address configured for transparent firewall. Dropping protocol UDP packet from outside:fe80::1131:41c2:3627:8339/63575 to inside:ff02::1:3/5355"
However, I have configured a management IP address, and it is listed in the "show" document that I posted yesterday:
interface BVI1
ip address 192.168.1.10 255.255.255.0
So, I am confused.
I appreciate the help. I am new to the 5505, although I participated as a "friendly" in the ASA program some years ago. I recall a similar problem with that setup. Regrettably, I can't remember how we fixed it...
Regards... -
Cisco ASA 5505 Failover issue..
Hi,
I am having two firewalls (cisco ASA 5505) which is configured as active/standby Mode.It was running smoothly for more than an year,but last week the secondary firewall got failed and It made my whole network down.then I just removed the connectivity of the secondary firewall and run only the primary one.when I login by console i found out that the failover has been disabled .So again I connected to the Network and enabled the firewall.After a couple of days same issue happen.This time I take down the Secondary firewall erased the Flash.Reloaded the IOS image.Configured the failover and connected to the primary for the replication of configs.It found out the Active Mate.Replicated the configs and got synced...But after sync the same thing happened,The whole network gone down .I juz done the same thing removed the secondary firewall.Network came up.I feel there is some thing with failover thing ,but couldnt fin out :( .And the firewalls are in Router Mode.Please find the logs...
Secondary Firewall While Sync..
cisco-asa(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 06:01:10 GMT Apr 29 2015
This host: Secondary - Sync Config
Active time: 55 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): No Link (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 177303 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
=======================================================================================
Secondary Firewall Just after Sync ,Active (primary Firewall got rebootted)
cisco-asa# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:06:12 GMT Apr 29 2015
This host: Secondary - Active
Active time: 44 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Not Detected
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
==========================================================================================
After Active firewall got rebootted failover off,whole network gone down.
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
===========================================================================================
Primary Firewall after rebootting
cisco-asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:17:29 GMT Apr 29 2015
This host: Primary - Active
Active time: 24707 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): Normal (Waiting)
Interface mgmt (10.11.200.21): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
cisco-asa# sh failover history
==========================================================================
From State To State Reason
==========================================================================
06:16:43 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:29 GMT Apr 29 2015
Negotiation Just Active No Active unit found
06:17:29 GMT Apr 29 2015
Just Active Active Drain No Active unit found
06:17:29 GMT Apr 29 2015
Active Drain Active Applying Config No Active unit found
06:17:29 GMT Apr 29 2015
Active Applying Config Active Config Applied No Active unit found
06:17:29 GMT Apr 29 2015
Active Config Applied Active No Active unit found
==========================================================================
cisco-asa#
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Comm Failure 06:17:43 GMT Apr 29 2015
====Configuration State===
====Communication State===
==================================================================================
Secondary Firewall
cisc-asa# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (down)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
ecs-pune-fw-01# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Secondary
Disabled None
Other host - Primary
Not Detected None
====Configuration State===
====Communication State===
Thanks... -
I have two web server and I want to configure ASA 5505 in such a way that it forward all incoming request to ServerA. In case if ServerA is down or failed ASA 5505 automatically forward all incoming request to ServerB.
I am new to ASA 5505.
Thanks in advance.You can do that if the web server are in two different subnet. So one web server is on a interface and the other web server is on other interface. You must configure ip sla as below :
interface Ethernet0/0.1239
vlan 1239
nameif OUTSIDE
security-level 0
ip address 94.125.239.251 255.255.255.0
interface Ethernet0/0.1240
vlan 1240
nameif OUTSIDE-BACKUP
security-level 0
ip address 94.138.42.43 255.255.255.248
route OUTSIDE 0.0.0.0 0.0.0.0 94.125.239.252 1 track 1
route OUTSIDE-BACKUP 0.0.0.0 0.0.0.0 94.138.42.41 254
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface OUTSIDE
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
For the web server A if is down, you must check it with a script that is executing on a server in the same subnet of web server A
Maybe you are looking for
-
Transfer phone purchase to computer?
I've tried home sharing on the new iTunes with my computer and phone (both turned on and logged into correct account), I've tried finding the file from my phone itself, and many other things, and I still can't get these 2 song purchases transfered fr
-
in a serachable dictionnary ( old greek-English) in pdf format the search function works when entering English words but not when entering greek words using the polytonic Greek keyboard from Windows. Why ? Is there a solution to search for Greek word
-
We upgraded from webdb 2.3 to new portal. After upgradation, I try to run the report which is based on parameter called as Region. There is a lov created and attached to this parmeter also. At the run time, when I come to region paramter it does show
-
Movie rental time limit: 24 hours not enough?
If I am in the middle of watching a movie and the 24 hour limit is up, does the movie just quit or will it keep playing until it's finished? And is it just me, or is 24 hours not long enough? Suppose at 7:00 I decide to rent Cinderella for the kids,
-
When you install flash player doesn't it install for all sites?
Please help. Flash player installed yesterday is not viable today for all sites.