Cisco ASA Active standby failover problem

Similar Messages

• Best practice for ASA Active/Standby failover

  Hi,
  I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
  Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy?  Thanks in advanced!

  Hi Vibhor,
  I test ping from R1 to R2 and ping drop when I shutdown either inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show' failover' and 'show run',
  ASSA1# conf t
  ASSA1(config)# int g1
  ASSA1(config-if)# shut
  ASSA1(config-if)# show failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 60 maximum
  Version: Ours 8.4(2), Mate 8.4(2)
  Last Failover at: 14:20:00 SGT Nov 18 2014
          This host: Primary - Active
                  Active time: 7862 (sec)
                    Interface outside (100.100.100.1): Normal (Monitored)
                    Interface inside (192.168.1.1): Link Down (Monitored)
                    Interface mgmt (10.101.50.100): Normal (Waiting)
          Other host: Secondary - Standby Ready
                  Active time: 0 (sec)
                    Interface outside (100.100.100.2): Normal (Monitored)
                    Interface inside (192.168.1.2): Link Down (Monitored)
                    Interface mgmt (0.0.0.0): Normal (Waiting)
  Stateful Failover Logical Update Statistics
          Link : FAILOVER GigabitEthernet2 (up)
          Stateful Obj    xmit       xerr       rcv        rerr
          General         1053       0          1045       0
          sys cmd         1045       0          1045       0
          up time         0          0          0          0
          RPC services    0          0          0          0
          TCP conn        0          0          0          0
          UDP conn        0          0          0          0
          ARP tbl         2          0          0          0
          Xlate_Timeout   0          0          0          0
          IPv6 ND tbl     0          0          0          0
          VPN IKEv1 SA    0          0          0          0
          VPN IKEv1 P2    0          0          0          0
          VPN IKEv2 SA    0          0          0          0
          VPN IKEv2 P2    0          0          0          0
          VPN CTCP upd    0          0          0          0
          VPN SDI upd     0          0          0          0
          VPN DHCP upd    0          0          0          0
          SIP Session     0          0          0          0
          Route Session   5          0          0          0
          User-Identity   1          0          0          0
          Logical Update Queue Information
                          Cur     Max     Total
          Recv Q:         0       9       1045
          Xmit Q:         0       30      10226
  ASSA1(config-if)#
  ASSA1# sh run
  : Saved
  ASA Version 8.4(2)
  hostname ASSA1
  enable password 2KFQnbNIdI.2KYOU encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface GigabitEthernet0
   nameif outside
   security-level 0
   ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
   ospf message-digest-key 20 md5 *****
   ospf authentication message-digest
  interface GigabitEthernet1
   nameif inside
   security-level 100
   ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
   ospf message-digest-key 20 md5 *****
   ospf authentication message-digest
  interface GigabitEthernet2
   description LAN/STATE Failover Interface
  interface GigabitEthernet3
   shutdown
   no nameif
   no security-level
   no ip address
  interface GigabitEthernet4
   nameif mgmt
   security-level 0
   ip address 10.101.50.100 255.255.255.0
  interface GigabitEthernet5
   shutdown
   no nameif
   no security-level
   no ip address
  ftp mode passive
  clock timezone SGT 8
  access-list OUTSIDE_ACCESS_IN extended permit icmp any any
  pager lines 24
  logging timestamp
  logging console debugging
  logging monitor debugging
  mtu outside 1500
  mtu inside 1500
  mtu mgmt 1500
  failover
  failover lan unit primary
  failover lan interface FAILOVER GigabitEthernet2
  failover link FAILOVER GigabitEthernet2
  failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-715-100.bin
  no asdm history enable
  arp timeout 14400
  access-group OUTSIDE_ACCESS_IN in interface outside
  router ospf 10
   network 100.100.100.0 255.255.255.0 area 1
   network 192.168.1.0 255.255.255.0 area 0
   area 0 authentication message-digest
   area 1 authentication message-digest
   log-adj-changes
   default-information originate always
  route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 10.101.50.0 255.255.255.0 mgmt
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh 10.101.50.0 255.255.255.0 mgmt
  ssh timeout 5
  console timeout 0
  tls-proxy maximum-session 10000
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  crashinfo save disable
  Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
  : end
  ASSA1#

• ASA Active/Standby mode and Hello messages

  Hi Everyone,
  On ASA  Active/Standby mode  i know thatsay inside or any other interface of active and standby ASA should connect to same switch and vlan.
  When we assign say ip address to inside interface of both ASA like
  ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2 255.255.255.0
  Need to know if these inside interface talk to each other or not?
  Do they send hello messages?
  Thanks
  MAhesh

  Hi Mahesh,
  The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.
  The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.
  By default all Physical interfaces are automatically monitored. To my understanding Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.
  You would use the command
  monitor-interface
  Check the Command Reference section for this
  http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112
  I would also suggest reading the following section of the Configuration Guide
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010
  It has information of the Unit and Interface health monitoring of the Failover pair.
  If you want to debug Failover activity you could use the command
  debug fover
  It has multiple additional parameter after that command
  Here is the Command Reference section for the debug command
  http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011
  You can even attach a computer on the switch between the ASAs and capture the packets between them an you can see the Failover messages etc from the ASAs
  - Jouni

• ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  This topic has been beat to death, but I did not see a real answer. Here is configuration:
  1) 2 x ASA 5520, running 8.2
  2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
  3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
  4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
  This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
  Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
  The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
  In any case, any experts out there that can answer question? TIA!

  Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
  Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
  Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
  Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
  Thanks much,
  Mike

• About stateful active/standby failover

  Hello guys.
  I have two ASA's, same model and hardware. Asa have configured stateful active/standby failover by someone, few years ago. It was working normally until recently and no one have changed this configuration. Then Secondary unit is failed. Ping between 2 interfaces is ok. Please help me to resolve this problem.
  on Primary site
  interface Management0/0
  description STATE Failover Interface
  management-only
  interface GigabitEthernet1/1
  description LAN Failover Interface
  failover
  failover lan unit primary
  failover lan interface failover GigabitEthernet1/1
  failover link state Management0/0
  failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
  failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
  on Secondary site
  interface Management0/0
  description STATE Failover Interface
  management-only
  interface GigabitEthernet1/1
  description LAN Failover Interface
  output of show failover on PRIMARY
  show run failover
  failover
  failover lan unit primary
  failover lan interface failover GigabitEthernet1/1
  failover link state Management0/0
  failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
  failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
  F1# show failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: failover GigabitEthernet1/1 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 5 of 256 maximum
  Version: Ours 8.2(2), Mate 8.2(2)
  Last Failover at: 08:03:11 ULAST Jan 1 2003
          This host: Primary - Active
                  Active time: 5755203 (sec)
                  slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                    Interface Backup2 (10.2.5.1): Normal (Waiting)
                    Interface Internet (202.131.225.90): No Link (Waiting)
                    Interface Backup1 (10.3.5.1): Normal (Waiting)
                    Interface Server (192.168.227.1): Normal (Waiting)
                    Interface Bank (10.20.1.1): Normal (Waiting)
                  slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
          Other host: Secondary - Failed
                  Active time: 0 (sec)
                  slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                    Interface Backup2 (0.0.0.0): No Link (Waiting)
                    Interface Internet (0.0.0.0): No Link (Waiting)
                    Interface Backup1 (0.0.0.0): Normal (Waiting)
                    Interface Server (0.0.0.0): Normal (Waiting)
                    Interface Bank (0.0.0.0): Normal (Waiting)
                  slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
  Stateful Failover Logical Update Statistics
          Link : state Management0/0 (up)
          Stateful Obj    xmit       xerr       rcv        rerr
          General         76184539   0          767513     6
          sys cmd         767328     0          767326     1
          up time         0          0          0          0
          RPC services    0          0          0          0
          TCP conn        25878669   0          11         5
          UDP conn        40545710   0          40         0
          ARP tbl         8987688    0          136        0
          Xlate_Timeout   0          0          0          0
          IPv6 ND tbl     0          0          0          0
          VPN IKE upd     1140       0          0          0
          VPN IPSEC upd   4004       0          0          0
          VPN CTCP upd    0          0          0          0
          VPN SDI upd     0          0          0          0
          VPN DHCP upd    0          0          0          0
          SIP Session     0          0          0          0
          Logical Update Queue Information
                          Cur     Max     Total
          Recv Q:         0       7       6522961
          Xmit Q:         0       34      106685671
  output of show failover on SECONDARY
  F1#  show failover
  Failover On
  Failover unit Secondary
  Failover LAN Interface: failover GigabitEthernet1/1 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 5 of 256 maximum
  Version: Ours 8.2(2), Mate 8.2(2)
  Last Failover at: 03:36:23 ULAST Dec 15 2013
         This host: Secondary - Failed
                  Active time: 0 (sec)
                  slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                    Interface Backup2 (0.0.0.0): No Link (Waiting)
                    Interface Internet (0.0.0.0): No Link (Waiting)
                    Interface Backup1 (0.0.0.0): Normal (Waiting)
                    Interface Server (0.0.0.0): Normal (Waiting)
                    Interface Bank (0.0.0.0): Normal (Waiting)
                  slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
          Other host: Primary - Active
                  Active time: 5743217 (sec)
                  slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                    Interface Backup2 (10.2.5.1): Normal (Waiting)
                    Interface Internet (202.131.225.90): No Link (Waiting)
                    Interface Backup1 (10.3.5.1): Normal (Waiting)
                    Interface Server (192.168.227.1): Normal (Waiting)
                    Interface Bank (10.20.1.1): Normal (Waiting)
                  slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
  Stateful Failover Logical Update Statistics
          Link : state Management0/0 (up)
          Stateful Obj    xmit       xerr       rcv        rerr
          General         765518     0          35843181   874
          sys cmd         765518     0          765516     0
          up time         0          0          0          0
          RPC services    0          0          0          0
          TCP conn        0          0          12671303   80
          UDP conn        0          0          13432853   133
          ARP tbl         0          0          8968384    661
          Xlate_Timeout   0          0          0          0
          IPv6 ND tbl     0          0          0          0
          VPN IKE upd     0          0          1137       0
          VPN IPSEC upd   0          0          3988       0
          VPN CTCP upd    0          0          0          0
          VPN SDI upd     0          0          0          0
          VPN DHCP upd    0          0          0          0
          SIP Session     0          0          0          0
          Logical Update Queue Information
                          Cur     Max     Total
          Recv Q:         0       9       72011189
          Xmit Q:         0       1       765518

  - ping is ok between 172.16.1.1 and 172.16.1.2, 172.16.0.1 and 172.16.0.2
  - ASA that shows as failed the ASA that didn't use to be the primary , it used to be secondary.
  - Yes, i logged via console on both ASAs and checked status of the ASAs. Primary is active and Secondary is failed.
  - I have changed cable. Primary ASA indicates below as soon as cable changed.
  Beginning configuration replication: Sending to mate.
  End Configuration Replication to mate
  Then output of SHOW FAILOVER on PRIMARY ASA :
  F1# show failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: failover GigabitEthernet1/1 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 5 of 256 maximum
  Version: Ours 8.2(2), Mate 8.2(2)
  Last Failover at: 08:03:11 ULAST Jan 1 2003
          This host: Primary - Active
                  Active time: 5812656 (sec)
                  slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                    Interface Backup2 (10.2.5.1): Normal (Waiting)
                    Interface Internet (202.131.225.90): No Link (Waiting)
                    Interface Backup1 (10.3.5.1): Normal (Waiting)
                    Interface Server (192.168.227.1): Normal (Waiting)
                    Interface Bank (10.20.1.1): Normal (Waiting)
                  slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
         Other host: Secondary - Standby Ready
                  Active time: 9 (sec)
                  slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                    Interface Backup2 (0.0.0.0): No Link (Waiting)
                    Interface Internet (0.0.0.0): No Link (Waiting)
                    Interface Backup1 (0.0.0.0): Normal (Waiting)
                    Interface Server (0.0.0.0): Normal (Waiting)
                    Interface Bank (0.0.0.0): Normal (Waiting)
                  slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
  Stateful Failover Logical Update Statistics
          Link : state Management0/0 (up)
          Stateful Obj    xmit       xerr       rcv        rerr
          General         76940782   0          775168     6
          sys cmd         774983     0          774981     1
          up time         0          0          0          0
          RPC services    0          0          0          0
          TCP conn        26125140   0          11         5
          UDP conn        40971274   0          40         0
          ARP tbl         9064174    0          136        0
          Xlate_Timeout   0          0          0          0
          IPv6 ND tbl     0          0          0          0
          VPN IKE upd     1155       0          0          0
          VPN IPSEC upd   4056       0          0          0
          VPN CTCP upd    0          0          0          0
          VPN SDI upd     0          0          0          0
          VPN DHCP upd    0          0          0          0
          SIP Session     0          0          0          0
          Logical Update Queue Information
                          Cur     Max     Total
          Recv Q:         0       7       6588043
          Xmit Q:         0       34      107757911
  But few seconds later Secondary ASA become FAILED.
  And i also did FAILOVER RESET  command. After this command, secondary ASA became Standby Ready then few seconds later it became Failed again. Why does it become Failed again ?

• Active/Standby Failover with pair of 5510s and redundant L2 links

  Hi
  I just got two ASA5510-SEC-BUN-K9 and I'm wondering is it possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510 and redundant pair of switches from both inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in pair od ASAa) to each L2 switch (in pair of redundant L2 Switches). The configuration I would like to achive is just like one in Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
  Thanks in advance
  Zoran Milenkovic

  Hello Zoran,
  Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX, however, connectivity would still be same with ASAs-
  http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
  The difference is that on ASA, you can only have LAN-Based failover, hence you'll need to use one additional interface on both ASAs for failover-link. You can connect these two failover-link interfaces directly using a cross cable.
  Apart from this, please refer to following link on how to go with configuration of Lan-based Active/Standby failover-
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
  Also make sure that both ASAs have required hardware/software/license based on following link-
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
  Hope this helps.
  Regards,
  Vibhor.

• Active/Standby failover automatic primary active

  I have 2 ASAs 5510 with same physical configuration and running ok with active/standby failover mode. Like we have PREEMPT command in active/active failover to get back primary active after its been rebooted from failed mode. This command makes primary back to active and makes secondary firewall standby automatically.
  Need help to know any such command for active/standby failover for automatic primary active. Currently we have to use command FAILOVER ACTIVE on primary to make it active manually.

  Remember, failover in ASA works differently than HSRP. ASA does NOT use
  HSRP. Furthermore, there is NO HSRP ip address in ASA either. You are
  talking about two different technologies.
  Think of it this way. HSRP technology works very similar to VRRP and
  Juniper NSRP. All of these technologies use virtual IP address. If you
  have two devices, you will have an Virtual IP address, in addition
  to the physical ip addresses of the two devices. ASA does not use the
  extra VIP.

• Cisco ASA Active/ Active

  Hi,
  Can we have ASA in  Active/ Active in single context mode.
  If Active/ Active is  possible in single context mode, then in best practices, Active/Active is  prefered or Active Standby.
  Thanks

  Hi,
  ASA Active/Active setup can be done only with multiple context mode, you cannot use it in a single mode.
  In a single mode only you can have Active/Standby failover.
  Also, please move the question to the Firewall section for more discussions.
  Thanks.

• ASA 5520 Anyconnect License on Active/Standby Failover pair

  Hi
  Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)
  Ive installed both activated licenses as per the cisco guides, I didnt get any errors on the install. I did a reload on both, they are both back up and running as active/standby but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"
  Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver
  Any help would be much appreciated on this one please
  Regards
  Graham

  Thanks Marvin
  Below is the show ver, but I was kind of expecting there to be a mention of Anyconnect if I had activated the license
  We previously had the VPN Plus License, and it still shows VPN Plus
  Licensed features for this platform:
  Maximum Physical Interfaces : Unlimited
  Maximum VLANs               : 150      
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                     : Enabled  
  VPN-3DES-AES                 : Enabled  
  Security Contexts           : 2        
  GTP/GPRS                     : Disabled
  VPN Peers                   : 750      
  WebVPN Peers                 : 2        
  AnyConnect for Mobile       : Disabled
  AnyConnect for Linksys phone : Disabled
  Advanced Endpoint Assessment : Disabled
  UC Proxy Sessions           : 2        
  This platform has an ASA 5520 VPN Plus license.

• Step to prep CSC SSM on ASA Active/Standby mode

  Hi all, 
  I am trying to setup Active/Standby HA mode for my site.
  Currently the site was installed with one unit ASA firewall with CSC-SSM module, the second unit is the new unit ready to be setup.
  My question:
  01. My concern is second unit CSC-SSM, what is the proper procedure or step need to prep it?
  Is it need to prep the CSC-SSM before the ASA in HA mode Or it will auto propagate the configuration when both unit in HA mode?
  What else need to concern? am i need to setup different IP for the CSC-SSM management interface?
  Thanks
  Noel

  Hello Yong,
  Configuration related to the CSC or SSM modules will never get propagated so you will basically need to configure it manually.
  Also it's not like if the Config on both modules is different failover will fail but ofcourse you wanna have the same one
  IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• Cisco ASA 5505 Reset-I Problem with TCP State Bypass

  Hello,
  I have a Cisco ASA 5505 that functions as my primary firewall and a Mitel 5000 controller behind it. I have two external phone users that have been connecting through the firewall with no issues for six months until about two weeks ago. I am now seeing the following log entry on the phone trying to connect to the Mitel Controller.
  6
  May 16 2014
  14:52:52
  302014
  72.135.115.37
  6915
  192.168.20.2
  6801
  Teardown TCP connection 1203584 for outside:72.135.115.37/6915 to inside:192.168.20.2/6801 duration 0:00:00 bytes 0 TCP Reset-I
  My phones are designed to work with the Mitel 5000 and Mitel 3300 phone controllers. The 5000 will only use port 6800 for call control, while the 3300 will use 6801 (Secured Minet), 6802 (Minet SSH), and if those fail, port 6800 (Minet Unsecured). When the phones initiate a connection, they try 6801 first. If 6801 is unavailable, the phone controller adds the RST flag to the ACK packet. When the phone sees the RST flag, it is supposed to reset and use the next port (6802). The same process happens again for port 6802, then the phone knows to try 6800. The problem is that the ASA sees the RST flag now and terminates the connection at the firewall. Therefore, the phones never see the RST flag, and continue to try the connection with port 6801.
  I have tried to use the TCP State Bypass feature to correct the situation, but the log shows that the connection is still being terminated immediately by the firewall. I am a novice when it comes to configuring the ASA. Any help would be greatly appreciated, as the company that I bought the phone system from is out of troubleshooting options. I do not think that I have made any changes to the firewall around this time. I have packet captures and logs from my ASA and I have wireshark data on the inside of my network. I need to figure out how to configure the ASA so that it ignores the RST flag and sends the packet back to the source.
  Any help would be greatly appreciated!

  Thanks Rizwan,
  Still no luck.  I can't even ping the otherside (office)..  I am not sure if i'm running the debug rightway.   Here are my results...
  homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side.  I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
  Success rate is 0
  homeasa(config)# debug crypto isakmp 7
  homeasa(config)# debug crypto ipsec 7
  homeasa(config)# sho crypto isakmp 7
                                     ^
  ERROR: % Invalid input detected at '^' marker.
  homeasa(config)# sho crypto isakmp
  There are no isakmp sas
  Global IKE Statistics
  Active Tunnels: 0
  Previous Tunnels: 0
  In Octets: 0
  In Packets: 0
  In Drop Packets: 0
  In Notifys: 0
  In P2 Exchanges: 0
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In P2 Sa Delete Requests: 0
  Out Octets: 0
  Out Packets: 0
  Out Drop Packets: 0
  Out Notifys: 0
  Out P2 Exchanges: 0
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out P2 Sa Delete Requests: 0
  Initiator Tunnels: 0
  Initiator Fails: 0
  Responder Fails: 0
  System Capacity Fails: 0
  Auth Fails: 0
  Decrypt Fails: 0
  Hash Valid Fails: 0
  No Sa Fails: 0
  Global IPSec over TCP Statistics
  Embryonic connections: 0
  Active connections: 0
  Previous connections: 0
  Inbound packets: 0
  Inbound dropped packets: 0
  Outbound packets: 0
  Outbound dropped packets: 0
  RST packets: 0
  Recevied ACK heart-beat packets: 0
  Bad headers: 0
  Bad trailers: 0
  Timer failures: 0
  Checksum errors: 0
  Internal errors: 0
  hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
  There are no ipsec sas
  homeasa(config)#

• Active/Standby Failover Config change

  Hi everyone,
  This weekend we are doing some change on ASA in Active/Standby mode.
  We will power off standby ASA.
  Do some changes on Active ASA  save the changes  and reboot it.
  Power up the Active ASA and will test  the connectivity if it is working  or not .
  In case Active ASA is not working as expected after the change i will power it off.
  Power up Standby ASA  then it will become active as expected.
  Now if i Power up other ASA where changes were made will  it synchnorize to old config from Standby  ASA or  not?
  Last week we did some changes on Active ASA and it did not work as expected so we have to undo our change.
  Need to make sure our backup plan is working?
  Regards
  Mahesh

  In your fall back scenario you would have to tell what was the secondary ASA that it is now the primary
  change
  failover lan unit secondary
  to
  failover lan unit primary
  and vice-versa on the now primary ASA.
  change
  failover lan unit primary
  to
  failover lan unit secondary
  Hope it helps      

• CISCO ASA Enable DNS Lookup Problem

  I have Cisco ASA 5510 , from ASA CLI i can not resolved the hostname. ( cisco.com or google.com)
  At many form say do this.
  1. Whilst in enable mode > enter configure terminal mode, then enable DNS Lookups.
  CiscoASA#conf t
  CiscoASA(config)# dns domain-lookup Outside
  2. Then specify the external DNS Servers (Change IP addresses appropriately).
  CiscoASA(config)# dns server-group DefaultDNS
  CiscoASA(config-dns-server-group)# name-server 122.122.122.199
  CiscoASA(config-dns-server-group)# name-server 122.122.122.198
  CiscoASA(config-dns-server-group)# exit
  3. Test it by pinging a name/URL.
  CiscoASA(config)# ping www.20best.blogspot.com
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
  But there is no command ( dns server-group ) in my ASA
  Please tell me how to do this or any way
  My ASA is showing only
  ail-ASA# sh runn
  : Saved
  ASA Version 7.0(8)
  hostname Mail-ASA
  domain-name rawabiholding.com
  enable password QuzxIf5jNzzT5kki encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 172.16.0.94 Test-web-mail
  name 172.16.5.63 Mail-server
  name 172.16.0.40 Web-Mail
  name 172.16.0.24 MX-A
  name 172.16.0.93 Test-Mail-MX
  name 172.16.1.55 DNS-1
  name 172.16.1.17 Web-Server
  name 172.16.0.41 Helpdesk.rawabiholding.com
  name 172.16.0.98 Test-Server
  no dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 10
  ip address 82.118.161.34 255.255.255.224
  interface Ethernet0/1
  nameif LAN
  security-level 100
  ip address 172.16.1.65 255.255.252.0
  interface Ethernet0/2
  nameif inside-Mail
  security-level 100
  ip address 172.16.5.37 255.255.255.0
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  management-only
  banner exec ************* If you are not Rawabi IT Member Please logout ********
  banner login *****************   Do not open or login , if you are not allowed *
  ftp mode passive
  dns domain-lookup outside
  dns name-server 212.102.0.82
  dns name-server 212.102.0.11
  access-list outside_access_in extended permit tcp any host 82.118.161.35 eq pop3
  access-list outside_access_in extended permit tcp any host 82.118.161.35 eq smt.

  http://20best.blogspot.com
  Dear Jennifer,
  From Router-ISP, I check it is resolving the name to IP
  but from ASA 5510 not, it giving error
  Jennifer Halim wrote:Doesn't look like the DNS servers that you configured is resolving any DNS requests.I have just tried both DNS server, and it is refusing the DNS:> www.google.comServer:  ns3.shabakah.net.saAddress:  212.102.0.82*** ns3.shabakah.net.sa can't find www.google.com: Query refused> www.google.comServer:  [212.102.0.11]Address:  212.102.0.11*** [212.102.0.11] can't find www.google.com: Query refused
  http://20best.blogspot.com/2011/06/visit-to-grand-canyon-in-10-days.html

• How to easily bring Cisco ASA back into failover.

  We had two asa's that were never upgraded so I decided to upgrade them.  However the failover was never turned off.  If I copy the config off the one asa to the other and bring both back online will this take care of the issue or will I need to re-do the config on both the the primary unit and the secondary unit?

  Hello,
  1) First thing is to keep up to date with the Cisco vulnerabilities announcements to check whether your box is not compliant, etc.
  Use Scanning tools like NMAP,ZEN-MAP, Veracode, etc.
  Use Dictionary attacks to determie whether you can hack into the Device.
  Etc,etc.
  2) To audit the ASA well
  Check the ACLs (make sure they are as specific as possible) Show run access-list
  Make sure a failover cluster is in place (show failover)
  Make sure traffic not desired is denied (packet-tracer tool)
  Make sure you are sending logs to a syslog server for further audit stuff.( show run logging)
  Check the Authentication ,Authorization and Accounting variables (show run aaa)
  Etc
  3) Change the ACLs to satisfy your needs. Being more specific is always more secure.
  access-list outside_inside permit tcp any host 4.2.2.2
  to
  access-list outside_inside permit tcp any host 4.2.2.2 eq 80 (In the case of a HTTP server)
  4) Always check release-notes and Cisco vulnerabilities announcements
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• Cisco ASA 5505 Failover issue..

  Hi,
   I am having two firewalls (cisco ASA 5505) which is configured as active/standby Mode.It was running smoothly for more than an year,but last week the secondary firewall got failed and It made my whole network down.then I just removed the connectivity of the secondary firewall and run only the primary one.when I login  by console i found out that the failover has been disabled .So again I connected  to the Network and enabled the firewall.After a couple of days same issue happen.This time I take down the Secondary firewall erased the Flash.Reloaded the IOS image.Configured the failover and connected to the primary for the replication of configs.It found out the Active Mate.Replicated the configs and got synced...But after sync the same thing happened,The whole network gone down .I juz done the same thing removed the secondary firewall.Network came up.I feel there is some thing with failover thing ,but couldnt fin out :( .And the firewalls are in Router Mode.

  Please find the logs...
  Secondary Firewall While Sync..
  cisco-asa(config)# sh failover 
  Failover On 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate 8.2(5)
  Last Failover at: 06:01:10 GMT Apr 29 2015
  This host: Secondary - Sync Config 
  Active time: 55 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.246): No Link (Waiting)
   Interface inside (10.11.0.20): No Link (Waiting)
   Interface mgmt (10.11.200.21): No Link (Waiting)
  slot 1: empty
  Other host: Primary - Active 
  Active time: 177303 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.247): Unknown (Waiting)
   Interface inside (10.11.0.21): Unknown (Waiting)
   Interface mgmt (10.11.200.22): Unknown (Waiting)
  slot 1: empty
  =======================================================================================
  Secondary Firewall Just after Sync ,Active (primary Firewall got rebootted)
  cisco-asa# sh failover 
  Failover On 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate Unknown
  Last Failover at: 06:06:12 GMT Apr 29 2015
  This host: Secondary - Active 
  Active time: 44 (sec)
  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
   Interface outside (27.251.167.246): Normal (Waiting)
   Interface inside (10.11.0.20): No Link (Waiting)
   Interface mgmt (10.11.200.21): No Link (Waiting)
  slot 1: empty
  Other host: Primary - Not Detected 
  Active time: 0 (sec)
  slot 0: empty
   Interface outside (27.251.167.247): Unknown (Waiting)
   Interface inside (10.11.0.21): Unknown (Waiting)
   Interface mgmt (10.11.200.22): Unknown (Waiting)
  slot 1: empty
  ==========================================================================================
  After Active firewall got rebootted failover off,whole network gone down.
  cisco-asa# sh failover 
  Failover Off 
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  ===========================================================================================
  Primary Firewall after rebootting
  cisco-asa# sh failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  Version: Ours 8.2(5), Mate Unknown
  Last Failover at: 06:17:29 GMT Apr 29 2015
          This host: Primary - Active
                  Active time: 24707 (sec)
                  slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
                    Interface outside (27.251.167.246): Normal (Waiting)
                    Interface inside (10.11.0.20): Normal (Waiting)
                    Interface mgmt (10.11.200.21): Normal (Waiting)
                  slot 1: empty
          Other host: Secondary - Failed
                  Active time: 0 (sec)
                  slot 0: empty
                    Interface outside (27.251.167.247): Unknown (Waiting)
                    Interface inside (10.11.0.21): Unknown (Waiting)
                    Interface mgmt (10.11.200.22): Unknown (Waiting)
                  slot 1: empty
  cisco-asa# sh failover history
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:43 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:29 GMT Apr 29 2015
  Negotiation                Just Active                No Active unit found
  06:17:29 GMT Apr 29 2015
  Just Active                Active Drain               No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Drain               Active Applying Config     No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Applying Config     Active Config Applied      No Active unit found
  06:17:29 GMT Apr 29 2015
  Active Config Applied      Active                     No Active unit found
  ==========================================================================
  cisco-asa#
  cisco-asa# sh failover state
                 State          Last Failure Reason      Date/Time
  This host  -   Primary
                 Active         None
  Other host -   Secondary
                 Failed         Comm Failure             06:17:43 GMT Apr 29 2015
  ====Configuration State===
  ====Communication State===
  ==================================================================================
  Secondary Firewall
  cisc-asa# sh failover h
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:32 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:05 GMT Apr 29 2015
  Negotiation                Disabled                   Set by the config command
  ==========================================================================
  cisco-asa# sh failover
  Failover Off
  Failover unit Secondary
  Failover LAN Interface: e0/7 Vlan3 (down)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 23 maximum
  ecs-pune-fw-01# sh failover h
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  06:16:32 GMT Apr 29 2015
  Not Detected               Negotiation                No Error
  06:17:05 GMT Apr 29 2015
  Negotiation                Disabled                   Set by the config command
  ==========================================================================
  cisco-asa# sh failover state
                 State          Last Failure Reason      Date/Time
  This host  -   Secondary
                 Disabled       None
  Other host -   Primary
                 Not Detected   None
  ====Configuration State===
  ====Communication State===
  Thanks...