ASA 5520 - LU allocate xlate failed - Failover unit reloads
We just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007: LU allocate xlate failed, errors prior to the reload. These units had just had their OS upgraded to fix a DOS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS.Two units in failover.
Cisco Adaptive Security Appliance Software Version 8.0(5)9
Device Manager Version 6.0(2)
Compiled on Mon 01-Feb-10 10:36 by builders
System image file is "disk0:/asa805-9-k8.bin"
Config file at boot was "startup-config"
CP-ASA up 17 days 21 hours
failover cluster up 17 days 22 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 0025.45d7.6e62, irq 9
1: Ext: GigabitEthernet0/1 : address is 0025.45d7.6e63, irq 9
2: Ext: GigabitEthernet0/2 : address is 0025.45d7.6e64, irq 9
3: Ext: GigabitEthernet0/3 : address is 0025.45d7.6e65, irq 9
4: Ext: Management0/0 : address is 0025.45d7.6e66, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
I noted a report on errors with verison 7 and a conflict between nat(0) and static commands. I don't show nat(0) being used on these units.
nat (public) 0 access-list NO_NAT
nat (public) 1 10.190.16.64 255.255.255.192
nat (public) 1 172.16.22.0 255.255.255.0
nat (dmz) 0 access-list NO_NAT
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (csacelb) 0 access-list NO_NAT
nat (csacelb) 1 0.0.0.0 0.0.0.0
nat (app) 0 access-list NO_NAT
nat (app) 1 0.0.0.0 0.0.0.0
nat (db) 0 access-list NO_NAT
nat (db) 1 0.0.0.0 0.0.0.0
nat (internal) 0 access-list NO_NAT
nat (internal) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list NO_NAT
nat (management) 1 0.0.0.0 0.0.0.0
no crypto isakmp nat-traversal
static (app,dmz) 10.190.15.0 10.190.15.0 netmask 255.255.255.192
static (csacelb,public) 999.999.999.999 10.190.14.70 netmask 255.255.255.255 (The external address was replaced with 999.999.999.999 intentionally for this forum)
static (db,app) 10.190.16.0 10.190.16.0 netmask 255.255.255.192
Do you have any solution ? we have the same problem.
Thanks .
Similar Messages
-
ASA %ASA-3-210007: LU allocate xlate failed
I have a client that keeps receiving the following syslog error:
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
ASA %ASA-3-210007: LU allocate xlate failed
It has been identified in bug report:
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
CSCsi65122 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsi65122)
This bug report states the following:
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
Overlapping static with NAT exemption causes xlate errors on standby
Symptom:
"%ASA-3-210007: LU allocate xlate failed" appearing on standby unit
Conditions:
- Stateful failover enabled.
- Overlap between a static NAT rule and the NAT exemption.
-the "alias" command is used to rewrite destination ip address
Workaround:
in the nat exemption access-list deny specifically the traffic matching the source of the traffic with destination the alias'd ip address.
I looked at this bug report and it says the error was first found in 7.0/7.2. However, the client is running 8.4(1) on the ASA's. When this problem initially came to light, my co-worker found this bug report:
CSCth74844
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth74844&from=summary
This made sense since at the time they were running 8.32 and upgrading to a newer code seemed to be how to fix it according to this article:
http://www.techbloc.net/archives/31
However, even after the upgrade to 8.4(1), the problem still exists. Do we need to roll them back to the unreleased code that the above article mentions? Or should this problem have been fixed in the 8.4(1) release?
TIA for any ideas/suggestions. A call to TAC may be in order for this problem, especially since the workaround doesn't seem to be the best solution.Deyster,
To troubleshoot this issue, we first need to verify whether thios error message is cosmetic or are we really hitting into any known issue, to identify it, we need to fisrt verify whether the xlate tables on both the firewalls is approximate;y same or not.(you can do this by using show xlate commandf on the firewalls). If it is same and still we are getting these messages, then it is a cvosmetic issue(which does not affect the traffic).
This particukar message appears if the xlate tables are not correctly replicated between the active and standby unit in failover.
I would request you to provide the below debugs:
debug nat 5
debug fover fail
This would further help is in identifying the issue.
Hope this helps.
Thanks,
Varun -
I have two ASA5510 firewalls
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(9)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
failover mode is A/S
The standby firewall always appears these logs
Apr 18 2014 16:21:53: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:22:08: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:22:23: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:22:38: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:22:53: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:23:08: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:23:23: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:23:38: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:24:08: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:24:23: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:25:39: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:26:24: %ASA-3-210007: LU allocate xlate failed
Apr 18 2014 16:27:09: %ASA-3-210007: LU allocate xlate failed
Datecenter's ASA5520 has the same problem
I don't know the reason whyI'm sorry i did not reply immediately !
i had checked the memory.
The result show me that not only primary but also secondary both of them have enough memory
Paimary firewall
JP-FW# sh memory
Free memory: 754458944 bytes (70%)
Used memory: 319282880 bytes (30%)
Total memory: 1073741824 bytes (100%)
Secoundary firewall
JP-FW# sh memory
Free memory: 763603096 bytes (71%)
Used memory: 310138728 bytes (29%)
Total memory: 1073741824 bytes (100%)
I had vpn configuration so I use static nat and nat exemption at one time.
but i don't know whether it was overlap or not
following is my configuration
Static NAT
object network 70.77
nat (inside,outside) static 82.100 service tcp www www
object network 70.80
nat (inside,outside) static 82.100 service tcp 2302 2302
object network 70.80_3306
nat (inside,outside) static 82.100 service tcp 3306 3306
OBJECT
object network local-lan
subnet 10.192.64.0 255.255.248.0
object network ssl
subnet 10.10.10.0 255.255.255.0
object network narita
subnet 10.192.72.0 255.255.248.0
object network asakusa
subnet 10.192.1.0 255.255.255.0
object network nogedaira
subnet 10.192.128.0 255.255.255.0
object network hangyou
subnet 192.168.0.0 255.255.0.0
NAT EXEMPTION
nat (inside,outside) source static local-lan local-lan destination static ssl ssl
nat (inside,outside) source static local-lan local-lan destination static narita narita
nat (inside,outside) source static local-lan local-lan destination static asakusa asakusa
nat (inside,outside) source static local-lan local-lan destination static hangyou hangyou
nat (inside,outside) source static local-lan local-lan destination static nogedaira nogedaira -
Asa 5520 "loosing" code after code has been put in and operating
Sorry to ask this if it has all ready been covered. We have an asa 5520 running 8.3.2(1) code. Three times now I have entered code and rules in our asa and had things working, only to have the code "dissapear" and thus things stop working. We upgraded to 8.3.2(1) back in January of 2011, and have not had this problem until the last month. I was wondering if there is a bug with 8.3.2(1) code that has decided to show itself for whatever reason now. We have also had some other things relating to the VPN that were "working" and at some point just stopped working. We do have a second asa 5520 that is the failover/standby. We also have two 6509 with firewall services modules, one primary and the other standby. Just wondering how to troubleshoot something like this. I have putty logs of me putting the code in and doing a write mem saving the changes, yet on three occations those things stopped working, and I had to put the code in again.
**update** as I was typing this, we realised there was a problem with the two ASA's. For some reason, failover had stopped working, and both ASA's were trying to be the primary and causing issues. After several reboots, we wound up turning failover back on on the second ASA, and things seem to be normal now. No idea what would have caused the failover to break. Not sure how long this had been going on, it may have had to do with my code seeming to dissapear?Here is the output of the show ver. I removed the serial number.
ACH-2nd-EXT-ASA01#sh ver
Cisco Adaptive Security Appliance Software Version 8.3(2)1
Device Manager Version 6.4(7)
Compiled on Wed 04-Aug-10 21:41 by builders
System image file is "disk0:/asa832-1-k8.bin"
Config file at boot was "startup-config"
ACH-2nd-EXT-ASA01 up 4 days 22 hours
failover cluster up 4 days 22 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
0: Ext: GigabitEthernet0/0 : address is 001d.a298.c41c, irq 9
1: Ext: GigabitEthernet0/1 : address is 001d.a298.c41d, irq 9
2: Ext: GigabitEthernet0/2 : address is 001d.a298.c41e, irq 9
3: Ext: GigabitEthernet0/3 : address is 001d.a298.c41f, irq 9
4: Ext: Management0/0 : address is 001d.a298.c420, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 10 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Enabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 20 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Enabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: xxxxxxxxxxx
Running Permanent Activation Key: 0xf730cf7a 0x0449cabf 0xc922e5d4 0xc7bc5cb0 0x851ed6bb
Configuration register is 0x1
Configuration has not been modified since last system restart.
ACH-2nd-EXT-ASA01# -
Hi All
Im preparing a lab and I have 2 ASA 5520's. I have configured them for failover so the Primarys config will replicate over to the Secondary. They are connected via a 3560 switch. the switch ports are configured as access ports on vlan 1. Spanning-tree portfast is enabled
Firewall (Primary)
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
DEO-FW-01 up 5 hours 1 min
failover cluster up 5 hours 1 min
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 001e.f762.bc44, irq 9
1: Ext: GigabitEthernet0/1 : address is 001e.f762.bc45, irq 9
2: Ext: GigabitEthernet0/2 : address is 001e.f762.bc46, irq 9
3: Ext: GigabitEthernet0/3 : address is 001e.f762.bc47, irq 9
4: Ext: Management0/0 : address is 001e.f762.bc43, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Here is the failover config
failover
failover lan unit primary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.25 255.255.255.248 standby 10.10.16.26
Here is the Show failover output
Failover On
Failover unit Primary
Failover LAN Interface: SFO GigabitEthernet0/3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
failover replication http
Version: Ours 9.1(1), Mate Unknown
Last Failover at: 12:53:27 UTC Mar 14 2013
This host: Primary - Active
Active time: 18059 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
Interface inside (10.10.16.1): No Link (Waiting)
Interface corporate_network_traffic (10.10.16.21): Unknown (Waiting)
Interface outside (193.158.46.130): Unknown (Waiting)
slot 1: empty
Other host: Secondary - Not Detected
Active time: 0 (sec)
Interface inside (10.10.16.2): Unknown (Waiting)
Interface corporate_network_traffic (10.10.16.22): Unknown (Waiting)
Interface outside (193.158.46.131): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : SFO GigabitEthernet0/3 (Failed)
Here is the output for the secondary firewall
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 6.2(5)
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 hour 1 min
failover cluster up 1 hour 1 min
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 0023.0477.12e4, irq 9
1: Ext: GigabitEthernet0/1 : address is 0023.0477.12e5, irq 9
2: Ext: GigabitEthernet0/2 : address is 0023.0477.12e6, irq 9
3: Ext: GigabitEthernet0/3 : address is 0023.0477.12e7, irq 9
4: Ext: Management0/0 : address is 0023.0477.12e3, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Here is the failover config
failover
failover lan unit secondary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
Here is the Show failover output
failover
failover lan unit secondary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
Failover On
Failover unit Secondary
Failover LAN Interface: SFO GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 160 maximum
failover replication http
Version: Ours 9.1(1), Mate Unknown
Last Failover at: 12:58:31 UTC Mar 14 2013
This host: Secondary - Active
Active time: 3630 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
slot 1: empty
Other host: Primary - Not Detected
Active time: 0 (sec)
Stateful Failover Logical Update Statistics
Link : SFO GigabitEthernet0/3 (up)
interface g0/3 on both are up via the No shutdown command. However I get the following error No Active mate detected
please could someone help.
Many thanksHello James,
You have configured the IPs on the interfaces incorrectly.
Let me point it out
failover
failover lan unit primary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.25 255.255.255.248 standby 10.10.16.26
You are telling the Primary device use IP address 10.10.16.25 and the secondary firewall will be 10.10.26.26
Now let's see the configuration on the Secondary Unit?
failover
failover lan unit secondary
failover lan interface SFO GigabitEthernet0/3
failover replication http
failover link SFO GigabitEthernet0/3
failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
On the secondary you are saying the primary IP will be 10.10.16.26 and the secondary will be 10.10.16.25
You have it backwards and based on the output I would say you configured it on all of the interfaces like that
So please change it and make it the same on all of the interfaces so both devices know the same thing ( which IP they should use when they are primary and secondary, this HAVE to match )
Hope that I could help
Julio Carvajal -
ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
This topic has been beat to death, but I did not see a real answer. Here is configuration:
1) 2 x ASA 5520, running 8.2
2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
In any case, any experts out there that can answer question? TIA!Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
Thanks much,
Mike -
Cisco ASA 5520 Failover with DMZ
I have a pair of Cisco ASA 5520s running as a primary/standby. Everything is working properly with the primary ASA, however when I trigger a failover, everything works except for the DMZ interface on the standby ASA. I've poured over the configs, but perhaps I have been staring at them too long because I am just not seeing anything.
Below is the output of the sh run failover, sh failover, and sh run interface commands for each unit...
PRIMARY ASA
Primary-ASA# sh run failover
failover
failover lan unit primary
failover lan interface stateful1 GigabitEthernet0/3
failover key *****
failover link stateful1 GigabitEthernet0/3
failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
Primary-ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 20:39:23 CDT Sep 3 2013
This host: Primary - Active
Active time: 69648 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.254): Normal
Interface inside (192.168.218.252): Normal
Interface dmz (192.168.215.254): Normal (Waiting)
Interface management (192.168.1.1): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 2119 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.253): Normal
Interface inside (192.168.218.253): Normal
Interface dmz (192.168.215.252): Normal (Waiting)
Interface management (192.168.1.2): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Primary-ASA# sh run interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
ospf cost 10
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
ospf cost 10
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
ospf cost 10
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf cost 10
management-only
STANDBY ASA
Standby-ASA# sh run failover
failover
failover lan unit secondary
failover lan interface stateful1 GigabitEthernet0/3
failover key *****
failover link stateful1 GigabitEthernet0/3
failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
Standby-ASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 20:39:23 CDT Sep 3 2013
This host: Secondary - Standby Ready
Active time: 2119 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.253): Normal
Interface inside (192.168.218.253): Normal
Interface dmz (192.168.215.252): Normal (Waiting)
Interface management (192.168.1.2): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Primary - Active
Active time: 70110 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.254): Normal
Interface inside (192.168.218.252): Normal
Interface dmz (192.168.215.254): Normal (Waiting)
Interface management (192.168.1.1): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Standby-ASA# sh run interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
ospf cost 10
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
ospf cost 10
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
ospf cost 10
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf cost 10
management-only
Does anyone see something I might be missing? I am at a loss...I'll just answer my own question...the configs are correct, but it the interface on the standby ASA was plugged into an improperly configured switchport. That'll do it everytime.
-
ASA 5520 Anyconnect License on Active/Standby Failover pair
Hi
Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)
Ive installed both activated licenses as per the cisco guides, I didnt get any errors on the install. I did a reload on both, they are both back up and running as active/standby but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"
Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver
Any help would be much appreciated on this one please
Regards
GrahamThanks Marvin
Below is the show ver, but I was kind of expecting there to be a mention of Anyconnect if I had activated the license
We previously had the VPN Plus License, and it still shows VPN Plus
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license. -
Patch: CSCun25809, AnyConnect Password Management Fails with SMS Passcode for ASA 5520
Patch: CSCun25809, AnyConnect Password Management Fails with SMS Passcode for ASA 5520
Will this patch be installed in a version which I can use on ASA5520, if I understand the documentation correct, this patch is only installed in versions which are running on -X models of the ASA. 9.2, 9.3Once the ASA has dynamic NAT enabled to an outside interface, routing between same security level will not work.
You need to add route exempt the inside interfaces to all private subnet. -
VPN clients not able to ping Remote PCs & Servers : ASA 5520
VPN is connected successfully. But not able to ping any remote ip or fqdn from client pc. But able to ping ASA 5520 firewalls inside interface. Also some clients able to access, some clients not able to access. I new to these firewalls. I tried most of ways from internet, please any one can help asap.
Remote ip section : 192.168.1.0/24
VPN IP Pool : 192.168.5.0/24
Running Config :
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
passwd z40TgSyhcLKQc3n1 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone GST 4
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 213.42.20.20
domain-name default.domain.invalid
access-list outtoin extended permit tcp any host 83.111.113.114 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.113 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq smtp
access-list outtoin extended permit tcp any host 83.111.113.114 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq www
access-list outtoin extended permit tcp any host 83.111.113.115 eq https
access-list outtoin extended permit tcp any host 94.56.148.98 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.117 eq ssh
access-list fualavpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0
92.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 1
2.168.5.0 255.255.255.0
access-list inet_in extended permit icmp any any time-exceeded
access-list inet_in extended permit icmp any any unreachable
access-list inet_in extended permit icmp any any echo-reply
access-list inet_in extended permit icmp any any echo
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging recipient-address [email protected] level emergencies
logging recipient-address [email protected] level errors
mtu outside 1500
mtu inside 1500
ip local pool fualapool 192.168.5.10-192.168.5.50 mask 255.255.255.0
ip local pool VPNPool 192.168.5.51-192.168.5.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 94.56.148.98 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 83.111.113.114 192.168.1.111 netmask 255.255.255.255
access-group inet_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.111.113.116 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have no
been met or due to some specific group policy, you do not have permission to u
e any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy fualavpn internal
group-policy fualavpn attributes
dns-server value 192.168.1.111 192.168.1.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value fualavpn_splitTunnelAcl
username test password I7ZgrgChfw4FV2AW encrypted privilege 0
username Mohamed password Vqmmt8cR/.Qu7LhU encrypted privilege 0
username Moghazi password GMr7xgdqmGEQ2SVR encrypted privilege 0
username Moghazi attributes
password-storage enable
username fualauaq password E6CgvoOpTKphiM2U encrypted privilege 0
username fualauaq attributes
password-storage enable
username fuala password IFtijSYb7LAOV/IW encrypted privilege 15
username Basher password Djf15nXIJXmayfjY encrypted privilege 0
username Basher attributes
password-storage enable
username fualafac password VGC/7cKXW1A6eyXS encrypted privilege 0
username fualafac attributes
password-storage enable
username fualaab password ONTH8opuP4RKgRXD encrypted privilege 0
username fualaab attributes
password-storage enable
username fualaadh2 password mNEgLxzPBeF4SyDb encrypted privilege 0
username fualaadh2 attributes
password-storage enable
username fualaain2 password LSKk6slwsVn4pxqr encrypted privilege 0
username fualaain2 attributes
password-storage enable
username fualafj2 password lE4Wu7.5s7VXwCqv encrypted privilege 0
username fualafj2 attributes
password-storage enable
username fualakf2 password 38oMUuwKyShs4Iid encrypted privilege 0
username fualakf2 attributes
password-storage enable
username fualaklb password .3AMGUZ1NWU1zzIp encrypted privilege 0
username fualaklb attributes
password-storage enable
username fualastr password RDXSdBgMaJxNLnaH encrypted privilege 0
username fualastr attributes
password-storage enable
username fualauaq2 password HnjodvZocYhDKrED encrypted privilege 0
username fualauaq2 attributes
password-storage enable
username fualastore password wWDVHfUu9pdM9jGj encrypted privilege 0
username fualastore attributes
password-storage enable
username fualadhd password GK8k1MkMlIDluqF4 encrypted privilege 0
username fualadhd attributes
password-storage enable
username fualaabi password eYL0j16kscNhhci4 encrypted privilege 0
username fualaabi attributes
password-storage enable
username fualaadh password GTs/9BVCAU0TRUQE encrypted privilege 0
username fualaadh attributes
password-storage enable
username fualajuh password b9QGJ1GHhR88reM1 encrypted privilege 0
username fualajuh attributes
password-storage enable
username fualadah password JwVlqQNIellNgxnZ encrypted privilege 0
username fualadah attributes
password-storage enable
username fualarak password UE41e9hpvcMeChqx encrypted privilege 0
username fualarak attributes
password-storage enable
username fualasnk password ZwZ7fVglexrCWFUH encrypted privilege 0
username fualasnk attributes
password-storage enable
username rais password HrvvrIw5tEuam/M8 encrypted privilege 0
username rais attributes
password-storage enable
username fualafuj password yY2jRMPqmNGS.3zb encrypted privilege 0
username fualafuj attributes
password-storage enable
username fualamaz password U1YUfQzFYrsatEzC encrypted privilege 0
username fualamaz attributes
password-storage enable
username fualashj password gN4AXk/oGBTEkelQ encrypted privilege 0
username fualashj attributes
password-storage enable
username fualabdz password tg.pB7RXJx2CWKWi encrypted privilege 0
username fualabdz attributes
password-storage enable
username fualamam password uwLjc0cV7LENI17Y encrypted privilege 0
username fualamam attributes
password-storage enable
username fualaajm password u3yLk0Pz0U1n.Q0c encrypted privilege 0
username fualaajm attributes
password-storage enable
username fualagrm password mUt3A60gLJ8N5HVr encrypted privilege 0
username fualagrm attributes
password-storage enable
username fualakfn password ceTa6jmvnzOFNSgF encrypted privilege 0
username fualakfn attributes
password-storage enable
username Fualaain password Yyhr.dlc6/J7WvF0 encrypted privilege 0
username Fualaain attributes
password-storage enable
username fualaban password RCJKLGTrh7VM2EBW encrypted privilege 0
username John password D9xGV1o/ONPM9YNW encrypted privilege 15
username John attributes
password-storage disable
username wrkshopuaq password cFKpS5e6Whp0A7TZ encrypted privilege 0
username wrkshopuaq attributes
password-storage enable
username Talha password 3VoAABwXxVonLmWi encrypted privilege 0
username Houssam password Cj/uHUqsj36xUv/R encrypted privilege 0
username Faraj password w2qYfE3DkYvS/oPq encrypted privilege 0
username Faraj attributes
password-storage enable
username gowth password HQhALLeiQXuIzptCnTv1rA== nt-encrypted privilege 15
username Hameed password 0Kr0N1VRmLuWdoDE encrypted privilege 0
username Hameed attributes
password-storage enable
username Hassan password Uy4ASuiNyEd70LCw encrypted privilege 0
username cisco password IPVBkPI1GLlHurPD encrypted privilege 15
username Karim password 5iOtm58EKMyvruZA encrypted privilege 0
username Shakir password BESX2bAvlbqbDha/ encrypted privilege 0
username Riad password iB.miiOF7qMESlCL encrypted privilege 0
username Azeem password 0zAqiCG8dmLyRQ8f encrypted privilege 15
username Azeem attributes
password-storage disable
username Osama password xu66er.7duIVaP79 encrypted privilege 0
username Osama attributes
password-storage enable
username Mahmoud password bonjr0B19aOQSpud encrypted privilege 0
username alpha password x8WO0aiHL3pVFy2E encrypted privilege 15
username Wissam password SctmeK/qKVNLh/Vv encrypted privilege 0
username Wissam attributes
password-storage enable
username Nabil password m4fMvkTgVwK/O3Ms encrypted privilege 0
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.4 255.255.255.255 inside
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.111 255.255.255.255 inside
http 192.168.1.200 255.255.255.255 inside
http 83.111.113.117 255.255.255.255 outside
http 192.168.1.17 255.255.255.255 inside
http 192.168.1.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn general-attributes
address-pool fualapool
address-pool VPNPool
default-group-policy fualavpn
tunnel-group fualavpn ipsec-attributes
pre-shared-key *
tunnel-group fualavpn ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
Cryptochecksum:38e41e83465d37f69542355df734db35
: endHi,
What about translating the traffic on the local ASA (Active unit) for traffic received from the VPN tunnel to the internal interface IP address? You can try something like nat (outside,inside) source dynamic obj-VpnRemoteTraffic interface destination static StandbyIP StandbyIP
Regards, -
ASA 5520 upgrade from 8.4.6 to 9.1.2
Dear All,
I am having ASA 5520 in Active Standby failover configuration . I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on cisco site .
Below is the process :
Upgrade an Active/Standby Failover Configuration
Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
Download the new software to both units, and specify the new image to load with the boot system command.
Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
active#failover reload-standby
When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
active#no failover active
Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
Reload the former active unit (now the new standby unit) by entering the reload command:
newstandby#reload
When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
newstandby#failover active
This completes the process of upgrading an Active/Standby Failover pair.
Also after upgrade are there any changes required after IOS migration ( i.e are there any changes in the command line of 8.4.6 and 9.1.2 )
It is mentioned on cisco site that
Major Release
—You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.Hi Tushar,
The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions, it's just that in access-rule from 9.1 you have to any4 instead of any for ipv4 and any6 for ipv6. During conversion it will get convert automatically.
Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
- Prateek Verma -
ASA 5520: Configuring Active/Standby High Availability
Hi,
I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.
I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).
I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
I tried this using a crossover cable to connect the interfaces directly with the same result.
Any ideas?
Thanks.
DanThe command Varun is right.
Since you want to know a little bit more about this stuff, here goes a bit. Every interface will have a secondary IP and a Primary IP where the Active/Standby pair will exchange hello packes. If the hellos are not heard from mate, the the unit is delcare failed.
In case the primary is the one that gets an interface down, it will failover to the other unit, if it is the standby that has the problem, the active unit will declare the other Unit "standby failed). You will know that everything is alright when you do a show failover and the standby pair shows "Standby Ready".
For configuring it, just put a secondary IP on every interface to be monitored (If by any chance you dont have an available secondary IP for one of the interfaces you can avoid monitoring the given interface using the command no "monitor-interface nameif" where the nameif is the name of the interface without the secondary IP.
Then put the commands for failover and stateful link, the stateful link will copy the connections table (among other things) to avoid downtime while passing from One unit to another, This link should have at least the same speed as the regular data interfaces.
You can configure the failover link and the stateful link in just one interface, by just using the same name for the link, remember that this link will have a totally sepparate subnet from the ones already used in firewall.
This is the configuration
failover lan unit primary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover lan unit secondary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
Make sure that you can ping each other secondary/primary IP and then put the command
failover first on the primary and then on the secondary.
That would fine.
Let me know if you have further doubts.
Link for reference
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
Mike -
I have two ASA 5520s. One has an IDS card and one doesn't. This makes the high availability wizard fail. Can I manually setup the high availability. I don't really need two ASA-SSM-20s. I just want to have one ASA in Standby mode. Is this possible. Anybody have a configuration similar to this?
Thanks,
Alex PfeilHi,
Let me first say that I have not configure a Failover pair where the units dont have matching hardware. So I kind of wonder even if the ASA accepts the configurations, will the failover act normally.
Usually if I configure basic configurations for some ASA Failover pair I first configure all the basic configurations on the ASA and make sure that each interface on the ASA has the "ip address x.x.x.1 255.255.255.0 standby x.x.x.2" configuration under the interfaces
I then configure the existing ASA with a basic Failover configuration such as
failover
failover replication http
failover lan unit primary
failover lan interface failover Management0/0
failover key
failover link failover Management0/0
failover interface ip failover 255.255.255.0 standby
I then prepare a blank ASA and finally configure its Failover too
failover
failover replication http
failover lan unit secondary
failover lan interface failover Management0/0
failover key
failover link failover Management0/0
failover interface ip failover 255.255.255.0 standby
I will then attach the Secondary unit to the network and finally attach the Failover link between the ASAs and let the Primary unit replicate all the configurations to the Secondary unit.
Naturally this is something that would probably be best done during a separate scheduled maintanance break along with configuration backups etc just to be on the safe side.
- Jouni -
HA between a Cisco ASA 5520 and a Cisco ASA 5525-X
Hi all!
we have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput changing them with a couple of Cisco ASA 5525-X. Since software is theorically compatible, we are not going to upgrade it right now.
We don't want to stop service, so we are thinking about switching off backup 5520 firewall, change it with a 5525-X and balance service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-pasive cluster with both technologies, Cisco ASA an Cisco ASA-X firewalls? We were said that it should be theorically compatible, but we'd like to know if someone tried before.
Best regards for all,You cannot make a 5520 establish failover with the mate being a 5525-X.
1. The configuration guide (here) states:
The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above. -
ASA 5520 Upgrade From 8.2 to 9.1
To All Pro's Out There,
I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
I appreciate all the help in advance.Hi,
My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
What you can basically do is
Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
https://supportforums.cisco.com/docs/DOC-31116
My personal approach when starting to convert NAT configurations for the upgrade is
Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
Divide NAT configurations based on type
Dynamic NAT/PAT
Static NAT
Static PAT
NAT0
All Policy Dynamic/Static NAT/PAT
Learn the basic configuration format for each type of NAT configuration
Start by converting the easiest NAT configurations
Dynamic NAT/PAT
Static NAT/PAT
Next convert the NAT0 configurations
And finally go through the Policy NAT/PAT configurations
Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
For example
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
In the new software you can pretty much leave all of these out. If you dont need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
Naturally you can also use these forums to ask help with NAT configuration conversions. Even though its a very common topic, I dont personally mind helping out with those.
So to summarize
Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
Learn the new NAT configuration format
Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
Personally if I was looking at a samekind of upgrade (which I will probably be looking at again soon) I would personally do the following
Convert the configurations manually
Lab/test the configurations on an test ASA
During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
Will add more later if anything comes to mind as its getting quite late here
Hope this helps
- Jouni
Maybe you are looking for
-
Adobe Creative Cloud App does not show downloaded apps and shows "download error"
I am not a full paying member just yet, and have been using Photoshop on trial for my graphic design courses. With the app, instead of showing me that my 30 day trial is over, I get a download error and contact customer support message. I have comple
-
Hi, When I am trying to post the accounting document in VF02 while releasing the billing document generated I am getting the error "u201CNo account is specified in item 0000001002 Message no. F5670 Diagnosis No account was specified for account type
-
New iOS 4.1 is a battery KiLLER!
As i bought my iPhone 3Gs I used the normal 3. ... iOS versions .Some weeks later i updated the iOS 4. Ok! nothing to say. But with 4.1 my battery is down on 55% after play 40 minutes, 30 minutes of music and 5 min at 3G internet. Also on Standby Mod
-
1st time, bought audiobook from iTunes store - how do I get it on the iPod?
Just to try it, I bought Hemmingway's 'Old Man And The Sea' I've never read, just to see if I could try it on the iPod in my car as I spend so many hours in traffic. The book downloaded, it is in the 'audiobooks' tab in my iTunes, but when I plug in
-
HT1727 i lost all that i paid cash for..... computer crashed now on a differant computer
i had a laptop that crashed.i am now on a differant laptop but using same itune account and it will not bring up any music or apps the i paid for