Cisco ASA Active standby failover problem
We have configured ASA Active standby failover with ASA5505 . When primary unit power off, secondary unit became active. when primary unit power on, then primary unit is becoming active again. i think for active standby setup there is no preemption. The real issue is when primary ASA became active after power on all the external connectivity getting down. Please see the below config,
ASA01# show run
ASA01# show running-config
: Saved
ASA Version 8.2(5)
hostname ASA01
enable password PVSASRJovmamnVkD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.1 MPLS_Router description MPLS_Router
name 192.168.2.1 SCADA_Router description SCADA_Router
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 2
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9
interface Vlan3
description LAN Failover Interface
ftp mode passive
clock timezone AST 3
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any host MPLS_Router
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan3
failover key *****
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route-map Route_Out permit 1
match ip address inside_access_in outside_access_in
match interface inside
route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http authentication-certificate inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
: end
I suggest removing the failover configuration on both units and then re-add them, and then test.
Primary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit primary
failover key KEY
failover
Secondary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit secondary
failover key KEY
failover
Please remember to select a correct answer and rate helpful posts
Similar Messages
-
Best practice for ASA Active/Standby failover
Hi,
I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advanced!Hi Vibhor,
I test ping from R1 to R2 and ping drop when I shutdown either inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show' failover' and 'show run',
ASSA1# conf t
ASSA1(config)# int g1
ASSA1(config-if)# shut
ASSA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:20:00 SGT Nov 18 2014
This host: Primary - Active
Active time: 7862 (sec)
Interface outside (100.100.100.1): Normal (Monitored)
Interface inside (192.168.1.1): Link Down (Monitored)
Interface mgmt (10.101.50.100): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (100.100.100.2): Normal (Monitored)
Interface inside (192.168.1.2): Link Down (Monitored)
Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1053 0 1045 0
sys cmd 1045 0 1045 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 5 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 1045
Xmit Q: 0 30 10226
ASSA1(config-if)#
ASSA1# sh run
: Saved
ASA Version 8.4(2)
hostname ASSA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet2
description LAN/STATE Failover Interface
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
nameif mgmt
security-level 0
ip address 10.101.50.100 255.255.255.0
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone SGT 8
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_ACCESS_IN in interface outside
router ospf 10
network 100.100.100.0 255.255.255.0 area 1
network 192.168.1.0 255.255.255.0 area 0
area 0 authentication message-digest
area 1 authentication message-digest
log-adj-changes
default-information originate always
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.101.50.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.50.0 255.255.255.0 mgmt
ssh timeout 5
console timeout 0
tls-proxy maximum-session 10000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
: end
ASSA1# -
ASA Active/Standby mode and Hello messages
Hi Everyone,
On ASA Active/Standby mode i know thatsay inside or any other interface of active and standby ASA should connect to same switch and vlan.
When we assign say ip address to inside interface of both ASA like
ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2 255.255.255.0
Need to know if these inside interface talk to each other or not?
Do they send hello messages?
Thanks
MAheshHi Mahesh,
The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.
The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.
By default all Physical interfaces are automatically monitored. To my understanding Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.
You would use the command
monitor-interface
Check the Command Reference section for this
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112
I would also suggest reading the following section of the Configuration Guide
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010
It has information of the Unit and Interface health monitoring of the Failover pair.
If you want to debug Failover activity you could use the command
debug fover
It has multiple additional parameter after that command
Here is the Command Reference section for the debug command
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011
You can even attach a computer on the switch between the ASAs and capture the packets between them an you can see the Failover messages etc from the ASAs
- Jouni -
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
This topic has been beat to death, but I did not see a real answer. Here is configuration:
1) 2 x ASA 5520, running 8.2
2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
In any case, any experts out there that can answer question? TIA!Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
Thanks much,
Mike -
About stateful active/standby failover
Hello guys.
I have two ASA's, same model and hardware. Asa have configured stateful active/standby failover by someone, few years ago. It was working normally until recently and no one have changed this configuration. Then Secondary unit is failed. Ping between 2 interfaces is ok. Please help me to resolve this problem.
on Primary site
interface Management0/0
description STATE Failover Interface
management-only
interface GigabitEthernet1/1
description LAN Failover Interface
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/1
failover link state Management0/0
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
on Secondary site
interface Management0/0
description STATE Failover Interface
management-only
interface GigabitEthernet1/1
description LAN Failover Interface
output of show failover on PRIMARY
show run failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/1
failover link state Management0/0
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2
F1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 08:03:11 ULAST Jan 1 2003
This host: Primary - Active
Active time: 5755203 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (10.2.5.1): Normal (Waiting)
Interface Internet (202.131.225.90): No Link (Waiting)
Interface Backup1 (10.3.5.1): Normal (Waiting)
Interface Server (192.168.227.1): Normal (Waiting)
Interface Bank (10.20.1.1): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (0.0.0.0): No Link (Waiting)
Interface Internet (0.0.0.0): No Link (Waiting)
Interface Backup1 (0.0.0.0): Normal (Waiting)
Interface Server (0.0.0.0): Normal (Waiting)
Interface Bank (0.0.0.0): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : state Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 76184539 0 767513 6
sys cmd 767328 0 767326 1
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 25878669 0 11 5
UDP conn 40545710 0 40 0
ARP tbl 8987688 0 136 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 1140 0 0 0
VPN IPSEC upd 4004 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 7 6522961
Xmit Q: 0 34 106685671
output of show failover on SECONDARY
F1# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 03:36:23 ULAST Dec 15 2013
This host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (0.0.0.0): No Link (Waiting)
Interface Internet (0.0.0.0): No Link (Waiting)
Interface Backup1 (0.0.0.0): Normal (Waiting)
Interface Server (0.0.0.0): Normal (Waiting)
Interface Bank (0.0.0.0): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Primary - Active
Active time: 5743217 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (10.2.5.1): Normal (Waiting)
Interface Internet (202.131.225.90): No Link (Waiting)
Interface Backup1 (10.3.5.1): Normal (Waiting)
Interface Server (192.168.227.1): Normal (Waiting)
Interface Bank (10.20.1.1): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : state Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 765518 0 35843181 874
sys cmd 765518 0 765516 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 12671303 80
UDP conn 0 0 13432853 133
ARP tbl 0 0 8968384 661
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 0 0 1137 0
VPN IPSEC upd 0 0 3988 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 72011189
Xmit Q: 0 1 765518- ping is ok between 172.16.1.1 and 172.16.1.2, 172.16.0.1 and 172.16.0.2
- ASA that shows as failed the ASA that didn't use to be the primary , it used to be secondary.
- Yes, i logged via console on both ASAs and checked status of the ASAs. Primary is active and Secondary is failed.
- I have changed cable. Primary ASA indicates below as soon as cable changed.
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Then output of SHOW FAILOVER on PRIMARY ASA :
F1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 08:03:11 ULAST Jan 1 2003
This host: Primary - Active
Active time: 5812656 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (10.2.5.1): Normal (Waiting)
Interface Internet (202.131.225.90): No Link (Waiting)
Interface Backup1 (10.3.5.1): Normal (Waiting)
Interface Server (192.168.227.1): Normal (Waiting)
Interface Bank (10.20.1.1): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Standby Ready
Active time: 9 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Backup2 (0.0.0.0): No Link (Waiting)
Interface Internet (0.0.0.0): No Link (Waiting)
Interface Backup1 (0.0.0.0): Normal (Waiting)
Interface Server (0.0.0.0): Normal (Waiting)
Interface Bank (0.0.0.0): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : state Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 76940782 0 775168 6
sys cmd 774983 0 774981 1
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 26125140 0 11 5
UDP conn 40971274 0 40 0
ARP tbl 9064174 0 136 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 1155 0 0 0
VPN IPSEC upd 4056 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 7 6588043
Xmit Q: 0 34 107757911
But few seconds later Secondary ASA become FAILED.
And i also did FAILOVER RESET command. After this command, secondary ASA became Standby Ready then few seconds later it became Failed again. Why does it become Failed again ? -
Active/Standby Failover with pair of 5510s and redundant L2 links
Hi
I just got two ASA5510-SEC-BUN-K9 and I'm wondering is it possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510 and redundant pair of switches from both inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in pair od ASAa) to each L2 switch (in pair of redundant L2 Switches). The configuration I would like to achive is just like one in Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
Thanks in advance
Zoran MilenkovicHello Zoran,
Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX, however, connectivity would still be same with ASAs-
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
The difference is that on ASA, you can only have LAN-Based failover, hence you'll need to use one additional interface on both ASAs for failover-link. You can connect these two failover-link interfaces directly using a cross cable.
Apart from this, please refer to following link on how to go with configuration of Lan-based Active/Standby failover-
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
Also make sure that both ASAs have required hardware/software/license based on following link-
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
Hope this helps.
Regards,
Vibhor. -
Active/Standby failover automatic primary active
I have 2 ASAs 5510 with same physical configuration and running ok with active/standby failover mode. Like we have PREEMPT command in active/active failover to get back primary active after its been rebooted from failed mode. This command makes primary back to active and makes secondary firewall standby automatically.
Need help to know any such command for active/standby failover for automatic primary active. Currently we have to use command FAILOVER ACTIVE on primary to make it active manually.Remember, failover in ASA works differently than HSRP. ASA does NOT use
HSRP. Furthermore, there is NO HSRP ip address in ASA either. You are
talking about two different technologies.
Think of it this way. HSRP technology works very similar to VRRP and
Juniper NSRP. All of these technologies use virtual IP address. If you
have two devices, you will have an Virtual IP address, in addition
to the physical ip addresses of the two devices. ASA does not use the
extra VIP. -
Hi,
Can we have ASA in Active/ Active in single context mode.
If Active/ Active is possible in single context mode, then in best practices, Active/Active is prefered or Active Standby.
ThanksHi,
ASA Active/Active setup can be done only with multiple context mode, you cannot use it in a single mode.
In a single mode only you can have Active/Standby failover.
Also, please move the question to the Firewall section for more discussions.
Thanks. -
ASA 5520 Anyconnect License on Active/Standby Failover pair
Hi
Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)
Ive installed both activated licenses as per the cisco guides, I didnt get any errors on the install. I did a reload on both, they are both back up and running as active/standby but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"
Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver
Any help would be much appreciated on this one please
Regards
GrahamThanks Marvin
Below is the show ver, but I was kind of expecting there to be a mention of Anyconnect if I had activated the license
We previously had the VPN Plus License, and it still shows VPN Plus
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license. -
Step to prep CSC SSM on ASA Active/Standby mode
Hi all,
I am trying to setup Active/Standby HA mode for my site.
Currently the site was installed with one unit ASA firewall with CSC-SSM module, the second unit is the new unit ready to be setup.
My question:
01. My concern is second unit CSC-SSM, what is the proper procedure or step need to prep it?
Is it need to prep the CSC-SSM before the ASA in HA mode Or it will auto propagate the configuration when both unit in HA mode?
What else need to concern? am i need to setup different IP for the CSC-SSM management interface?
Thanks
NoelHello Yong,
Configuration related to the CSC or SSM modules will never get propagated so you will basically need to configure it manually.
Also it's not like if the Config on both modules is different failover will fail but ofcourse you wanna have the same one
IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
Cisco ASA 5505 Reset-I Problem with TCP State Bypass
Hello,
I have a Cisco ASA 5505 that functions as my primary firewall and a Mitel 5000 controller behind it. I have two external phone users that have been connecting through the firewall with no issues for six months until about two weeks ago. I am now seeing the following log entry on the phone trying to connect to the Mitel Controller.
6
May 16 2014
14:52:52
302014
72.135.115.37
6915
192.168.20.2
6801
Teardown TCP connection 1203584 for outside:72.135.115.37/6915 to inside:192.168.20.2/6801 duration 0:00:00 bytes 0 TCP Reset-I
My phones are designed to work with the Mitel 5000 and Mitel 3300 phone controllers. The 5000 will only use port 6800 for call control, while the 3300 will use 6801 (Secured Minet), 6802 (Minet SSH), and if those fail, port 6800 (Minet Unsecured). When the phones initiate a connection, they try 6801 first. If 6801 is unavailable, the phone controller adds the RST flag to the ACK packet. When the phone sees the RST flag, it is supposed to reset and use the next port (6802). The same process happens again for port 6802, then the phone knows to try 6800. The problem is that the ASA sees the RST flag now and terminates the connection at the firewall. Therefore, the phones never see the RST flag, and continue to try the connection with port 6801.
I have tried to use the TCP State Bypass feature to correct the situation, but the log shows that the connection is still being terminated immediately by the firewall. I am a novice when it comes to configuring the ASA. Any help would be greatly appreciated, as the company that I bought the phone system from is out of troubleshooting options. I do not think that I have made any changes to the firewall around this time. I have packet captures and logs from my ASA and I have wireshark data on the inside of my network. I need to figure out how to configure the ASA so that it ignores the RST flag and sends the packet back to the source.
Any help would be greatly appreciated!Thanks Rizwan,
Still no luck. I can't even ping the otherside (office).. I am not sure if i'm running the debug rightway. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side. I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)# -
Active/Standby Failover Config change
Hi everyone,
This weekend we are doing some change on ASA in Active/Standby mode.
We will power off standby ASA.
Do some changes on Active ASA save the changes and reboot it.
Power up the Active ASA and will test the connectivity if it is working or not .
In case Active ASA is not working as expected after the change i will power it off.
Power up Standby ASA then it will become active as expected.
Now if i Power up other ASA where changes were made will it synchnorize to old config from Standby ASA or not?
Last week we did some changes on Active ASA and it did not work as expected so we have to undo our change.
Need to make sure our backup plan is working?
Regards
MaheshIn your fall back scenario you would have to tell what was the secondary ASA that it is now the primary
change
failover lan unit secondary
to
failover lan unit primary
and vice-versa on the now primary ASA.
change
failover lan unit primary
to
failover lan unit secondary
Hope it helps -
CISCO ASA Enable DNS Lookup Problem
I have Cisco ASA 5510 , from ASA CLI i can not resolved the hostname. ( cisco.com or google.com)
At many form say do this.
1. Whilst in enable mode > enter configure terminal mode, then enable DNS Lookups.
CiscoASA#conf t
CiscoASA(config)# dns domain-lookup Outside
2. Then specify the external DNS Servers (Change IP addresses appropriately).
CiscoASA(config)# dns server-group DefaultDNS
CiscoASA(config-dns-server-group)# name-server 122.122.122.199
CiscoASA(config-dns-server-group)# name-server 122.122.122.198
CiscoASA(config-dns-server-group)# exit
3. Test it by pinging a name/URL.
CiscoASA(config)# ping www.20best.blogspot.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
But there is no command ( dns server-group ) in my ASA
Please tell me how to do this or any way
My ASA is showing only
ail-ASA# sh runn
: Saved
ASA Version 7.0(8)
hostname Mail-ASA
domain-name rawabiholding.com
enable password QuzxIf5jNzzT5kki encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.16.0.94 Test-web-mail
name 172.16.5.63 Mail-server
name 172.16.0.40 Web-Mail
name 172.16.0.24 MX-A
name 172.16.0.93 Test-Mail-MX
name 172.16.1.55 DNS-1
name 172.16.1.17 Web-Server
name 172.16.0.41 Helpdesk.rawabiholding.com
name 172.16.0.98 Test-Server
no dns-guard
interface Ethernet0/0
nameif outside
security-level 10
ip address 82.118.161.34 255.255.255.224
interface Ethernet0/1
nameif LAN
security-level 100
ip address 172.16.1.65 255.255.252.0
interface Ethernet0/2
nameif inside-Mail
security-level 100
ip address 172.16.5.37 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
banner exec ************* If you are not Rawabi IT Member Please logout ********
banner login ***************** Do not open or login , if you are not allowed *
ftp mode passive
dns domain-lookup outside
dns name-server 212.102.0.82
dns name-server 212.102.0.11
access-list outside_access_in extended permit tcp any host 82.118.161.35 eq pop3
access-list outside_access_in extended permit tcp any host 82.118.161.35 eq smt.http://20best.blogspot.com
Dear Jennifer,
From Router-ISP, I check it is resolving the name to IP
but from ASA 5510 not, it giving error
Jennifer Halim wrote:Doesn't look like the DNS servers that you configured is resolving any DNS requests.I have just tried both DNS server, and it is refusing the DNS:> www.google.comServer: ns3.shabakah.net.saAddress: 212.102.0.82*** ns3.shabakah.net.sa can't find www.google.com: Query refused> www.google.comServer: [212.102.0.11]Address: 212.102.0.11*** [212.102.0.11] can't find www.google.com: Query refused
http://20best.blogspot.com/2011/06/visit-to-grand-canyon-in-10-days.html -
How to easily bring Cisco ASA back into failover.
We had two asa's that were never upgraded so I decided to upgrade them. However the failover was never turned off. If I copy the config off the one asa to the other and bring both back online will this take care of the issue or will I need to re-do the config on both the the primary unit and the secondary unit?
Hello,
1) First thing is to keep up to date with the Cisco vulnerabilities announcements to check whether your box is not compliant, etc.
Use Scanning tools like NMAP,ZEN-MAP, Veracode, etc.
Use Dictionary attacks to determie whether you can hack into the Device.
Etc,etc.
2) To audit the ASA well
Check the ACLs (make sure they are as specific as possible) Show run access-list
Make sure a failover cluster is in place (show failover)
Make sure traffic not desired is denied (packet-tracer tool)
Make sure you are sending logs to a syslog server for further audit stuff.( show run logging)
Check the Authentication ,Authorization and Accounting variables (show run aaa)
Etc
3) Change the ACLs to satisfy your needs. Being more specific is always more secure.
access-list outside_inside permit tcp any host 4.2.2.2
to
access-list outside_inside permit tcp any host 4.2.2.2 eq 80 (In the case of a HTTP server)
4) Always check release-notes and Cisco vulnerabilities announcements
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
Cisco ASA 5505 Failover issue..
Hi,
I am having two firewalls (cisco ASA 5505) which is configured as active/standby Mode.It was running smoothly for more than an year,but last week the secondary firewall got failed and It made my whole network down.then I just removed the connectivity of the secondary firewall and run only the primary one.when I login by console i found out that the failover has been disabled .So again I connected to the Network and enabled the firewall.After a couple of days same issue happen.This time I take down the Secondary firewall erased the Flash.Reloaded the IOS image.Configured the failover and connected to the primary for the replication of configs.It found out the Active Mate.Replicated the configs and got synced...But after sync the same thing happened,The whole network gone down .I juz done the same thing removed the secondary firewall.Network came up.I feel there is some thing with failover thing ,but couldnt fin out :( .And the firewalls are in Router Mode.Please find the logs...
Secondary Firewall While Sync..
cisco-asa(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 06:01:10 GMT Apr 29 2015
This host: Secondary - Sync Config
Active time: 55 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): No Link (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 177303 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
=======================================================================================
Secondary Firewall Just after Sync ,Active (primary Firewall got rebootted)
cisco-asa# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:06:12 GMT Apr 29 2015
This host: Secondary - Active
Active time: 44 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Not Detected
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
==========================================================================================
After Active firewall got rebootted failover off,whole network gone down.
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
===========================================================================================
Primary Firewall after rebootting
cisco-asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:17:29 GMT Apr 29 2015
This host: Primary - Active
Active time: 24707 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): Normal (Waiting)
Interface mgmt (10.11.200.21): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
cisco-asa# sh failover history
==========================================================================
From State To State Reason
==========================================================================
06:16:43 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:29 GMT Apr 29 2015
Negotiation Just Active No Active unit found
06:17:29 GMT Apr 29 2015
Just Active Active Drain No Active unit found
06:17:29 GMT Apr 29 2015
Active Drain Active Applying Config No Active unit found
06:17:29 GMT Apr 29 2015
Active Applying Config Active Config Applied No Active unit found
06:17:29 GMT Apr 29 2015
Active Config Applied Active No Active unit found
==========================================================================
cisco-asa#
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Comm Failure 06:17:43 GMT Apr 29 2015
====Configuration State===
====Communication State===
==================================================================================
Secondary Firewall
cisc-asa# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (down)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
ecs-pune-fw-01# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Secondary
Disabled None
Other host - Primary
Not Detected None
====Configuration State===
====Communication State===
Thanks...
Maybe you are looking for
-
Purchase order creation problem.. me21n
Hi All, I have the following requirement in creation of PO. When the Purchase Order of some type, say for eg. in my case its a custom type ZNB denoting intercompany pricing is created from a Purchase Requisition, the system should check the Account A
-
Hi everyone, I am trying to build a custom file finder to search for my mp3 files on my computer. As you can see my nickname, I am a DJ, so I have lots of mp3 files on many directories on my PC and sometimes it's difficult for me to find the song I a
-
The "Better Privacy" help page opens as a separate tab every time I open Firefox. I close it, but it keeps coming back, usually when I go to another site (by clicking a link or using a bookmark) and at seemingly random intervals while I'm browsing. c
-
Handle special characters in org name
Hi, I need to do a org recon from my Directory server. Some of the org names have the '/' character and OIM says it can't create the org because of the special character. Could someone please tell me how do I handle this. Thanks, Supreetha
-
Can you just sync playlists across 2 macs with identical libraries
can you just sync playlists across 2 macs with identical libraries. i have done a carbon copy of my home mac itunes library to a work mac. i'll then switch itunes match on on the home mac, and i am assumign i won't need to redownload everything to m