ASA Active/Standby mode and Hello messages
Hi Everyone,
On ASA Active/Standby mode i know thatsay inside or any other interface of active and standby ASA should connect to same switch and vlan.
When we assign say ip address to inside interface of both ASA like
ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2 255.255.255.0
Need to know if these inside interface talk to each other or not?
Do they send hello messages?
Thanks
MAhesh
Hi Mahesh,
The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.
The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.
By default all Physical interfaces are automatically monitored. To my understanding Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.
You would use the command
monitor-interface
Check the Command Reference section for this
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112
I would also suggest reading the following section of the Configuration Guide
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010
It has information of the Unit and Interface health monitoring of the Failover pair.
If you want to debug Failover activity you could use the command
debug fover
It has multiple additional parameter after that command
Here is the Command Reference section for the debug command
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011
You can even attach a computer on the switch between the ASAs and capture the packets between them an you can see the Failover messages etc from the ASAs
- Jouni
Similar Messages
-
Step to prep CSC SSM on ASA Active/Standby mode
Hi all,
I am trying to setup Active/Standby HA mode for my site.
Currently the site was installed with one unit ASA firewall with CSC-SSM module, the second unit is the new unit ready to be setup.
My question:
01. My concern is second unit CSC-SSM, what is the proper procedure or step need to prep it?
Is it need to prep the CSC-SSM before the ASA in HA mode Or it will auto propagate the configuration when both unit in HA mode?
What else need to concern? am i need to setup different IP for the CSC-SSM management interface?
Thanks
NoelHello Yong,
Configuration related to the CSC or SSM modules will never get propagated so you will basically need to configure it manually.
Also it's not like if the Config on both modules is different failover will fail but ofcourse you wanna have the same one
IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
Single AIP-SSM in Cisco ASA Failover Active / Standby Mode
Hi,
I can add single AIP-SSM on Cisco ASA in failover active / standby mode?No, both units need the same hardware, that includes the installed modules.
Sent from Cisco Technical Support iPad App -
Best practice for ASA Active/Standby failover
Hi,
I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advanced!Hi Vibhor,
I test ping from R1 to R2 and ping drop when I shutdown either inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show' failover' and 'show run',
ASSA1# conf t
ASSA1(config)# int g1
ASSA1(config-if)# shut
ASSA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:20:00 SGT Nov 18 2014
This host: Primary - Active
Active time: 7862 (sec)
Interface outside (100.100.100.1): Normal (Monitored)
Interface inside (192.168.1.1): Link Down (Monitored)
Interface mgmt (10.101.50.100): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (100.100.100.2): Normal (Monitored)
Interface inside (192.168.1.2): Link Down (Monitored)
Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1053 0 1045 0
sys cmd 1045 0 1045 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 5 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 1045
Xmit Q: 0 30 10226
ASSA1(config-if)#
ASSA1# sh run
: Saved
ASA Version 8.4(2)
hostname ASSA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet2
description LAN/STATE Failover Interface
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
nameif mgmt
security-level 0
ip address 10.101.50.100 255.255.255.0
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone SGT 8
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_ACCESS_IN in interface outside
router ospf 10
network 100.100.100.0 255.255.255.0 area 1
network 192.168.1.0 255.255.255.0 area 0
area 0 authentication message-digest
area 1 authentication message-digest
log-adj-changes
default-information originate always
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.101.50.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.50.0 255.255.255.0 mgmt
ssh timeout 5
console timeout 0
tls-proxy maximum-session 10000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
: end
ASSA1# -
Cisco ASA Active standby failover problem
We have configured ASA Active standby failover with ASA5505 . When primary unit power off, secondary unit became active. when primary unit power on, then primary unit is becoming active again. i think for active standby setup there is no preemption. The real issue is when primary ASA became active after power on all the external connectivity getting down. Please see the below config,
ASA01# show run
ASA01# show running-config
: Saved
ASA Version 8.2(5)
hostname ASA01
enable password PVSASRJovmamnVkD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.1 MPLS_Router description MPLS_Router
name 192.168.2.1 SCADA_Router description SCADA_Router
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 2
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9
interface Vlan3
description LAN Failover Interface
ftp mode passive
clock timezone AST 3
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any host MPLS_Router
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan3
failover key *****
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route-map Route_Out permit 1
match ip address inside_access_in outside_access_in
match interface inside
route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http authentication-certificate inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
: endI suggest removing the failover configuration on both units and then re-add them, and then test.
Primary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit primary
failover key KEY
failover
Secondary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit secondary
failover key KEY
failover
Please remember to select a correct answer and rate helpful posts -
How to tell if Active/active or Active/Standby mode is configured?
Folks:
I am still learning the output of my running config, but how do I tell if my firewall is set to Actve/Active or Active/Standby mode?
In addition, how do I tell if it uses regular or stateful failover mode?
Thank youI wanted to provide this as well, since I found it and it also helped me answering my question.
This output shows Active/Active failover output.
**Note** it says PIX; however, I beleive it will be the same output for ASA.
PIX1(config-subif)#show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: LANFailover Ethernet3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.2(2)
Group 1 last failover at: 06:12:45 UTC Apr 16 2007
Group 2 last failover at: 06:12:43 UTC Apr 16 2007
This host: Primary
Group 1 State: Active
Active time: 359610 (sec)
Group 2 State: Standby Ready
Active time: 3165 (sec)
context1 Interface inside (192.168.1.1): Normal
context1 Interface outside (172.16.1.1): Normal
context2 Interface inside (192.168.2.2): Normal
context2 Interface outside (172.16.2.2): Normal
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 3900 (sec)
context1 Interface inside (192.168.1.2): Normal
context1 Interface outside (172.16.1.2): Normal
context2 Interface inside (192.168.2.1): Normal
context2 Interface outside (172.16.2.1): Normal -
6288 - Active Standby Mode menu lost
Hello,
The Active Standby Mode menu has disappear from
Menu-Settings-Standby Mode Settings.
I can't access this setting any more.
My firmware version is 6.10.
Thanks for any advices.
JeromeMessage Edited by hidje on 21-Jul-200707:37 AMI have the same problem. I don't know if I'll use that option but is annoing that I can't activate it. I have software version 6.10 and in display-standby option first submenu is wallpaper (not active standby setting).
Does anyone fixed this BUG? -
Stop/start in PGW active/standby mode
Hi all
My VOIP Network has 2 PGW in active/standby mode. But when we add more telco, the state of ss7path is OOS. i must stop/start the PGW and ss7path is IS status.
Now PGW is running services. it processing many call with other telco.
i have question need to support.
When we stop/start PGW,has PGW disconnected all call or not?
Thank for supporting
PhaiLQIf you restart the service on active pgw, calls are disconnected. If you don't want out of services you must pass the control to the standby server first.
From mml console of active server use the command:
rtrv-ne to check the status, the output is:
MGC-01 - Media Gateway Controller 2010-09-07 16:53:42.655 MEST
M RTRV
"Type:MGC"
"Hardware platform:sun4u sparc SUNW,Sun-Fire-V240"
"Vendor:"Cisco Systems, Inc.""
"Location:MGC-01 - Media Gateway Controller"
"Version:"9.6(1)""
"Platform State:ACTIVE"
sw-over::confirm to swich control to standby server
now restart the service
/etc/init.d/CiscoMGC stop
/etc/init.d/CiscoMGC start
P.S. If I remember the right way, the OOS (out of service) state of new ss7 path can be set in IS (in service) via mml command line without service restart.
set- your ss7 path ::IS use tab for help
Regards. -
Asr-group feature in active/standby mode
Hi ,
I would like to know if anyone had used asr-group freature in active/standby mode. Is it not recommended by cisco for active/standby mode ? The feature works in both environment.
Thanks in advance
TomyHi Tomy,
The asr-group feature on the ASA is only supported in Active/Active failover:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_active.html#wp1271955
-Mike -
Calendar entries in Active Standby mode
A double question, but both are closely related.
In Active Standby mode it shows upcoming calendar entries for today and future ones.
Q1) Can someone clarfify does it only show 1 entry for future events, since I have placed 2 entries for tomorrow and 1 for the day after. But only 1 (the first) appears in Active Standby.
Q2) I THINK IS A BUG!! It does not show Anniversary as future events in Active Standby. It only appears when it is on the day (bit late if you need to buy a present!).
Any comments
Andrew
Device: N70
Version: V 2.0536.0.2 12-09-05 RM-84I think this is by design. Not quite sure what the basis is of what is included and what is not. Items from the current day seem to show up in greater numbers than in future days.
All About Symbian - News, reviews and software for S60 phones. -
Can't record when box is in standby mode and other...
Once my youview box has been put into standby it will not turn on with just one press of the remote but if I press the button 10 to 15 times it will usually come on after 4 to 5 minutes. during this time, the remote will not switch my Sony Bravia tv on but it will shortly after the youview box comes on. To compound the frustrations, I will usually get an IPC6023 message on the tv screen telling me that the channel I'm tuned to is unavailable but the channel is patently available because once I have pressed the ok button three times the channel plays with perfect picture and sound.
Also any recordings scheduled whilst the box is in standby mode either fail or just do not record. I presume this is because of the IPC6023 problem.
One other thing. I am at the moment watching the tv but the youview box is showing the mauve standby light rather than the blue lights which should indicate it is on and also the recording light is on despite the fact that it is not currently recording any programmes, I presume the recording light is on because the box thinks it is still trying to record a failed programme which was set to record whilst the box was in standby mode.
I have checked my broadband and cables and they do not seem to be the problem
BT has supplied me with a 2nd Youview DTRT2100 box and this has exactly the same problems. I changed the hdmi cables and the Ethernet cables after finding this same problem occurred on the 2nd box but there is no difference.
I have now had 3 Cube engineers visit to check my problem but all they do is a factory reset, deleting any recordings that I have managed to make while the box is not in standby mode and then leaving with the problem unsolved, Now that I’ve received a replacement box which has exactly the same problems, I do not want to go through the whole rigmarole againHi Colin6443,
Welcome and thanks for posting!
Sorry for the problems you're having with your Youview box and that it's going on for so long.
Send over your details and we'll help get things sorted from here. Click on my username and under the "about me" section of my profile you'll see the link to get in touch with us.
All the best,
Robbie
BTCare Community Mod
If we have asked you to email us with your details, please make sure you are logged in to the forum, otherwise you will not be able to see our ‘Contact Us’ link within our profiles.
We are sorry that we are unable to deal with service/account queries via the private message(PM) function so please don't PM your account info, we need to deal with this via our email account :-)
If someone answers your question correctly please let other members know by clicking on ’Mark as Accepted Solution’. -
I have a Nokia E5
I have tried to experiment with the Modes function, whereby you can have one profile for business and another for personal.
The first time I went into Modes (from the control panel), I was asked to go into "Active Standby Mode", which I did. Now everything has changed and I am not sure whether I like it.
Is it possible to get back to how I was before - i.e. before I went into Active Standby Modes ?Hi,
No unfortunately the only way of doing this will be from the app shortcuts. There is to my knowledge no way of doing this automatically. Might be there is an ext. developed app that I do not know of.
BR, PerLs -
My iPhone turns off whenever it goes into standby mode and has to be turned back on to work
My iPhone turns off whenever it goes into standby mode and has to be turned back on to work
That's normal behavior. It turns off automatically in order to preserve the battery. Pushing the On/Off button turns it on immediately. This also requires entering the passcode and prevents the phone from being accessed by anyone but you.
-
ASA in transparent mode and IP addresses
Hello,
I need to put an ASA in transparent mode.
Our router (managed by the carrier) routes more than one public IP class in a single VLAN.
On the "Cisco Security Appliance Command Line Configuration guide", in "Trasnaprent Firewall Guidelines" it's written: "Each directly connected network must be on the same network".
This means also that I can have ONLY ONE subnet that flows fron the outside and the inside, or can I have more than one class?
If I can have only one class, the only solution is to use multiple context (and separate each classes in different interfaces)?
Thanks a lotThe ASA in trasparent mode works at layer 2. So it really does not care if the traffic that flows through it is from different subnet as long as the L3 devices it connects to knows how to reach these subnet. TheASA in transparent is basically a bump in the wire (a bridge) and for that reason you can only use 2 interfaces on the ASA in transparent implementation.
P.S. When people see attitude in your threads, they will refrain from answering your question. That's for future reference. -
Hi,
In NBMA (non-broadcast multiple access), this communications protocol have no ability for send broadcast or multicast. How it is establish connection with neighbor because (Hello Message) send as multicast.
BR,
Auos.Hello Auos,
for example for FR by using frame-relay map command with the broadcast option.
FR or ATM NBMA needs to create a copy of each broadcast/multicast packet for each active PVC DLCI.
OSPF has also network types that don't use at all multicast hellos but in this case neighbor commands are needed in the OSPF process.
Hope to help
Giuseppe
Maybe you are looking for
-
How do I connect my i-pod to my car cd player
I would like to listen to my i--pod in my car. How can I connect it to my car cd player?
-
I am having a problem getting the INSERT statement to execute in my writeback setup. I am trying to set this up on the standard EMP table. I created an additional table to store writeback comments related to the EMP table. The Write Back table has co
-
[VOD_46] Error
HELP! I'm at the end of my rope here and I'm hoping someone might be able to help. Here's my issue: Over the weekend I put through an order to remove my HBO subscription and pick up the movie package (starz, showtime, etc.) This morning I turned o
-
Impact on changing ECC client on the working of ESS business package in EP
Dear Experts, We had ESS business package working fine in our EP 7.0 which connected to client 100 of ECC 6.0. Now we changed to client 700 in ECC 6.0. Now all is working OK except for the Personal Data piece (address,bank etc). The first screen show
-
Integrating Crystal reports with Java Portal (test=pluto,Prod=Vignette
Hi, Crystal reports is new to me...so please don't mind if i sound outright silly, and would love a shove in the correct direction. This question might have been asked here (I tried searching for this.) Problem: We have some old CR9 reports with us w