Asr-group feature in active/standby mode
Hi,
I would like to know if anyone has used the asr-group feature in active/standby mode. Is it not recommended by Cisco for active/standby mode? The feature works in both environments.
Thanks in advance
Tomy
Hi Tomy,
The asr-group feature on the ASA is only supported in Active/Active failover:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_active.html#wp1271955
-Mike
Similar Messages
-
How to tell if Active/active or Active/Standby mode is configured?
Folks:
I am still learning the output of my running config, but how do I tell if my firewall is set to Active/Active or Active/Standby mode?
In addition, how do I tell if it uses regular or stateful failover mode?
Thank you
I wanted to provide this as well, since I found it and it also helped me answer my question.
This output shows Active/Active failover output.
**Note** it says PIX; however, I believe it will be the same output for ASA.
PIX1(config-subif)#show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: LANFailover Ethernet3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.2(2)
Group 1 last failover at: 06:12:45 UTC Apr 16 2007
Group 2 last failover at: 06:12:43 UTC Apr 16 2007
This host: Primary
Group 1 State: Active
Active time: 359610 (sec)
Group 2 State: Standby Ready
Active time: 3165 (sec)
context1 Interface inside (192.168.1.1): Normal
context1 Interface outside (172.16.1.1): Normal
context2 Interface inside (192.168.2.2): Normal
context2 Interface outside (172.16.2.2): Normal
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 3900 (sec)
context1 Interface inside (192.168.1.2): Normal
context1 Interface outside (172.16.1.2): Normal
context2 Interface inside (192.168.2.1): Normal
context2 Interface outside (172.16.2.1): Normal -
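One way to answer both questions in this thread from `show failover` text, as an added example that is not part of the original posts: per-group `State` lines mark Active/Active, a single per-unit state marks Active/Standby, and the `Link` line under the stateful section shows whether a state link is set. The function name, the constructed sample outputs and the reading of `Link : Unconfigured` as stateless are assumptions of this sketch.

```python
import re

# Constructed samples in the format of the `show failover` output quoted above,
# abridged; addresses use documentation ranges.
ACTIVE_ACTIVE = """\
Failover On
Failover unit Primary
This host: Primary
Group 1 State: Active
Group 2 State: Standby Ready
context1 Interface inside (192.0.2.1): Normal
Other host: Secondary
Group 1 State: Standby Ready
Group 2 State: Active
context1 Interface inside (192.0.2.2): Normal
"""

ACTIVE_STANDBY = """\
Failover On
Failover unit Primary
This host: Primary - Active
Interface outside (198.51.100.1): Normal (Monitored)
Interface inside (192.0.2.1): Link Down (Monitored)
Other host: Secondary - Standby Ready
Interface outside (198.51.100.2): Normal (Monitored)
Interface inside (192.0.2.2): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet2 (up)
"""

# Matches "Interface inside (ip): Status (Monitored)" with an optional context prefix.
IFACE = re.compile(r"^(?:\S+\s+)?Interface (\S+) \(([^)]*)\): (.*?)(?: \((\w+)\))?$")

def classify_failover(output):
    """Summarise `show failover` text: mode, stateful link, unhealthy interfaces."""
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    summary = {"enabled": "Failover On" in lines, "mode": "unknown",
               "stateful": None, "not_normal": {"this": [], "other": []}}
    unit, in_stateful = None, False
    for line in lines:
        if re.match(r"^Group \d+ State:", line):
            # Per-group states only exist with failover groups (Active/Active).
            summary["mode"] = "active/active"
        elif m := re.match(r"^(This|Other) host: \S+(?: - (.+))?$", line):
            unit = m.group(1).lower()
            if m.group(2) and summary["mode"] == "unknown":
                # "Primary - Active": one state for the whole unit.
                summary["mode"] = "active/standby"
        elif line.startswith("Stateful Failover Logical Update Statistics"):
            in_stateful = True
        elif in_stateful and (m := re.match(r"^Link\s*:\s*(.+)$", line)):
            # Assumption: "Unconfigured" here means no state link is set.
            summary["stateful"] = not m.group(1).startswith("Unconfigured")
            in_stateful = False
        elif unit and (m := IFACE.match(line)) and m.group(3) != "Normal":
            summary["not_normal"][unit].append((m.group(1), m.group(3)))
    return summary
```

A `stateful` value of `None` means the pasted output did not include the stateful section, so the question cannot be answered from that text alone.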
Single AIP-SSM in Cisco ASA Failover Active / Standby Mode
Hi,
Can I add a single AIP-SSM on a Cisco ASA in failover active / standby mode?
No, both units need the same hardware, that includes the installed modules.
Sent from Cisco Technical Support iPad App -
Stop/start in PGW active/standby mode
Hi all
My VOIP network has 2 PGWs in active/standby mode. But when we add more telcos, the state of the ss7path is OOS. I must stop/start the PGW, and then the ss7path is in IS status.
Now the PGW is running services. It is processing many calls with other telcos.
I have a question that I need support with.
When we stop/start the PGW, does the PGW disconnect all calls or not?
Thanks for supporting
PhaiLQ
If you restart the service on the active PGW, calls are disconnected. If you don't want out of services you must pass the control to the standby server first.
From mml console of active server use the command:
rtrv-ne to check the status, the output is:
MGC-01 - Media Gateway Controller 2010-09-07 16:53:42.655 MEST
M RTRV
"Type:MGC"
"Hardware platform:sun4u sparc SUNW,Sun-Fire-V240"
"Vendor:"Cisco Systems, Inc.""
"Location:MGC-01 - Media Gateway Controller"
"Version:"9.6(1)""
"Platform State:ACTIVE"
sw-over::confirm to switch control to standby server
now restart the service
/etc/init.d/CiscoMGC stop
/etc/init.d/CiscoMGC start
P.S. If I remember the right way, the OOS (out of service) state of new ss7 path can be set in IS (in service) via mml command line without service restart.
set- your ss7 path ::IS use tab for help
Regards. -
Calendar entries in Active Standby mode
A double question, but both are closely related.
In Active Standby mode it shows upcoming calendar entries for today and future ones.
Q1) Can someone clarify: does it only show 1 entry for future events? I have placed 2 entries for tomorrow and 1 for the day after, but only 1 (the first) appears in Active Standby.
Q2) I THINK IS A BUG!! It does not show Anniversary as future events in Active Standby. It only appears when it is on the day (bit late if you need to buy a present!).
Any comments
Andrew
Device: N70
Version: V 2.0536.0.2 12-09-05 RM-84
I think this is by design. Not quite sure what the basis is of what is included and what is not. Items from the current day seem to show up in greater numbers than in future days.
All About Symbian - News, reviews and software for S60 phones. -
I have a Nokia E5
I have tried to experiment with the Modes function, whereby you can have one profile for business and another for personal.
The first time I went into Modes (from the control panel), I was asked to go into "Active Standby Mode", which I did. Now everything has changed and I am not sure whether I like it.
Is it possible to get back to how I was before - i.e. before I went into Active Standby Modes?
Hi,
No unfortunately the only way of doing this will be from the app shortcuts. There is to my knowledge no way of doing this automatically. Might be there is an ext. developed app that I do not know of.
BR, PerLs -
6288 - Active Standby Mode menu lost
Hello,
The Active Standby Mode menu has disappeared from
Menu-Settings-Standby Mode Settings.
I can't access this setting any more.
My firmware version is 6.10.
Thanks for any advice.
Jerome
Message Edited by hidje on 21-Jul-2007 07:37 AM
I have the same problem. I don't know if I'll use that option but it is annoying that I can't activate it. I have software version 6.10 and in display-standby option the first submenu is wallpaper (not active standby setting).
Has anyone fixed this BUG? -
ASA Active/Standby mode and Hello messages
Hi Everyone,
On ASA Active/Standby mode I know that, say, the inside or any other interface of the active and standby ASA should connect to the same switch and VLAN.
When we assign say ip address to inside interface of both ASA like
ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2 255.255.255.0
Need to know if these inside interface talk to each other or not?
Do they send hello messages?
Thanks
Mahesh
Hi Mahesh,
The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.
The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.
By default all Physical interfaces are automatically monitored. To my understanding Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.
You would use the command
monitor-interface
Check the Command Reference section for this
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112
I would also suggest reading the following section of the Configuration Guide
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010
It has information of the Unit and Interface health monitoring of the Failover pair.
If you want to debug Failover activity you could use the command
debug fover
It has multiple additional parameter after that command
Here is the Command Reference section for the debug command
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011
You can even attach a computer on the switch between the ASAs and capture the packets between them, and you can see the Failover messages etc. from the ASAs
- Jouni -
Step to prep CSC SSM on ASA Active/Standby mode
Hi all,
I am trying to setup Active/Standby HA mode for my site.
Currently the site was installed with one unit ASA firewall with CSC-SSM module, the second unit is the new unit ready to be setup.
My question:
01. My concern is the second unit's CSC-SSM: what is the proper procedure or steps needed to prep it?
Do I need to prep the CSC-SSM before the ASA is in HA mode, or will it auto-propagate the configuration when both units are in HA mode?
What else do I need to be concerned about? Do I need to set up a different IP for the CSC-SSM management interface?
Thanks
Noel
Hello Yong,
Configuration related to the CSC or SSM modules will never get propagated, so you will basically need to configure it manually.
Also, it's not as if failover will fail if the config on both modules is different, but of course you wanna have the same one.
IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
Does anyone have any idea if I can get the icons on my phone to show at the bottom of the screen instead of the top.
It's not possible without the use of an alternative desktop.
With the built in one your only choices are to have them at the top or not have them at all.
You might want to look at this program as it's an alternative desktop that allows you to change it's layout:
http://www.symbian-freak.com/news/008/02/gdesk_beta_for_s60_3rd_ed.htm -
Active/Standby And failover link configuration mode
Hi everyone,
When config failover link of ASA in Active Standby mode.
When we config failover int say gi0/1
config t
int gi0/1
failover lan int gi0/1
Need to confirm: do we do this from interface config mode only, or can we do this from global config also?
When we assign an IP to this int, do we do that from global config mode?
Regards
Mahesh
Hi,
Actually the ASA lets you insert a lot of commands whatever mode you are under.
In the output you posted is a very important thing to notice
configure mode commands/options:
WORD Specify the interface name
As you can see, the output lists only one option and before that it mentions that this is a "configure mode" command
So even if you entered the command under the interface configuration mode, it would still be entered as a global/configure command mode.
Take the following thing for example
I want to check what configuration options I have with the command "failover"
So I enter the following to my ASA
ASA(config)# failover ?
configure mode commands/options:
  interface         Configure the IP address to be used for failover and/or
                    stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  mac               Specify the virtual mac address for a dynamic interface
  polltime          Configure failover poll interval
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions
exec mode commands/options:
  active            Make this system to be the active unit of the failover pair
  exec              Execute command on the designated unit
  reload-standby    Force standby unit to reboot
  reset             Force a unit or failover group to an unfailed state
As you can see, the ASA tells us that there are different additional command parameters after the "failover" command that can be used. Some of them can be used either in Exec or Configuration mode.
- Jouni -
ASA 8.2 8.4 9.1 possible with no downtime as we run active/standby?
Hello,
We have 2 x ASA 5520s (with 2GB mem) in active/standby mode, they also include the IPS modules.
The current firmware is 8.2 and I was wondering if it is possible to upgrade these firewalls with no downtimes? In the past I have upgraded the standby ASA, rebooted it and then made it the active ASA then upgraded the new standby ASA.
I have quite a lot of NAT Exempts (No-NATs?) and a few static NATs, how did you approach this during your upgrades?
I guess I can roll back as the 8.2 firmware will still be on the flash and I will have the config?
Thanks
Yeah it's supported:
Release Notes for the Cisco ASA Series, 9.1(x)
http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp732442
This document has the information that you need; it talks about the requirements and zero downtime procedure.
But you need to take a lot of considerations that you can reference in the document:
https://supportforums.cisco.com/docs/DOC-12690
If you don't mind me asking why are you upgrading?
Because of a fix or feature? -
Best practice for ASA Active/Standby failover
Hi,
I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advance!
Hi Vibhor,
I tested ping from R1 to R2, and ping drops when I shut down either the inside (g1) or outside (g0) interface of the Active ASA. Below are the ASA 'show failover' and 'show run',
ASSA1# conf t
ASSA1(config)# int g1
ASSA1(config-if)# shut
ASSA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:20:00 SGT Nov 18 2014
This host: Primary - Active
Active time: 7862 (sec)
Interface outside (100.100.100.1): Normal (Monitored)
Interface inside (192.168.1.1): Link Down (Monitored)
Interface mgmt (10.101.50.100): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (100.100.100.2): Normal (Monitored)
Interface inside (192.168.1.2): Link Down (Monitored)
Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1053 0 1045 0
sys cmd 1045 0 1045 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 5 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 1045
Xmit Q: 0 30 10226
ASSA1(config-if)#
ASSA1# sh run
: Saved
ASA Version 8.4(2)
hostname ASSA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet2
description LAN/STATE Failover Interface
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
nameif mgmt
security-level 0
ip address 10.101.50.100 255.255.255.0
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone SGT 8
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_ACCESS_IN in interface outside
router ospf 10
network 100.100.100.0 255.255.255.0 area 1
network 192.168.1.0 255.255.255.0 area 0
area 0 authentication message-digest
area 1 authentication message-digest
log-adj-changes
default-information originate always
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.101.50.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.50.0 255.255.255.0 mgmt
ssh timeout 5
console timeout 0
tls-proxy maximum-session 10000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
: end
ASSA1# -
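A check of the failover-related lines in a running config like the one above, as an added example that is not part of the original post: it flags a missing `failover key` (without one, failover traffic crosses the link in clear text), a missing `failover link` (no stateful replication) and named interfaces with no `standby` address, which is why `mgmt` shows `0.0.0.0` on the other host in the output above. The function name and the sample config are assumptions; the sample is constructed and uses documentation addresses.

```python
# Constructed sample modelled on the failover-related lines of the config above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface GigabitEthernet3
 shutdown
 no nameif
 no ip address
!
interface GigabitEthernet4
 nameif mgmt
 security-level 0
 ip address 203.0.113.100 255.255.255.0
!
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 10.0.0.1 255.255.255.0 standby 10.0.0.2
"""

# Either command protects the failover link; the second exists on newer releases.
KEY_COMMANDS = ("failover key ", "failover ipsec pre-shared-key ")

def audit_failover_config(config):
    """Return a list of findings for the failover settings in an ASA config."""
    lines = [l.strip() for l in config.splitlines()]
    if "failover" not in lines:
        return ["failover is not enabled"]
    findings = []
    if not any(l.startswith(KEY_COMMANDS) for l in lines):
        findings.append("no 'failover key': failover traffic is sent "
                        "unauthenticated and in clear text")
    if not any(l.startswith("failover link ") for l in lines):
        findings.append("no 'failover link': connection state is not replicated")
    name = None
    for l in lines:
        if l.startswith("interface "):
            name = None                      # new interface block, name not seen yet
        elif l.startswith("nameif "):
            name = l.split()[1]
        elif l.startswith("ip address ") and name and " standby " not in l:
            # The peer unit has no address here, so it cannot be health-checked.
            findings.append(f"interface '{name}' has no standby address")
    return findings

if __name__ == "__main__":
    for finding in audit_failover_config(SAMPLE_CONFIG):
        print("-", finding)
```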
Nokia 7373 - Adding active standby content not in ...
Hi,
I just bought a Nokia 7373 which I find to be quite cool ! One of the features I like is the ability to display the calendar in the active standby mode. However it only displays calendar appointments, but not todo list entries or any other customizable option.
Is there any way that I can show also the todo list in the active standby mode ?
Cheers,
Joel
There is no way to show also the todo list in the active standby mode.
You could add To-do to the shortcuts (top line in active standby) to get faster access to to-do items. -
Active-Standby -Client-Site VPN
Dear Experts.
We have two Cisco ASA 5550s which are configured in Active-Standby mode, but client-site VPN is not working when the secondary unit becomes active. Failover status is showing as " Secondary Active" when primary unit is active all client-site VPN connections are working fine. Both ASAs have the 7.2(3) IOS image and DES, 3DES/AES licenses enabled.
We are getting following error messages
IPSEC: Deleted outbound permit rule, SPI 0xBFA351A9
Rule ID: 0x059C3060
IPSEC: Deleted outbound VPN context, SPI 0xBFA351A9
VPN handle: 0x00227DFC
Jan 09 13:23:52 [IKEv1]: Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from peer table failed, no match!
Jan 09 13:23:52 [IKEv1]: Group = DefaultRAGroup, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Please advise
One of the things that I have seen that can cause symptoms like this is to not have some files in flash of the backup ASA. In particular I suggest that you check for files related to the client VPN. So get the output of show flash from the primary ASA and from the backup ASA and compare them.
HTH
Rick