Failover link inteface redundant
hola estoy tratando de configurar un asa active/standby pero a su vez tratanto de que la interface failover link sea una interface redudant segun la documentacio es posible pero al configurar me indica que una interface compartida no es factible , no encuentro la configuracion correcta son dos ASA5525X version
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 7.0(2)
Hola Julio
claro no hay problema esta es la configuracion actual de mis interfaces y interfaces redundantes quiero utilizar la interfaces G0/5 y G/6 como mi interface failover , no estoy seguro si funcionara?
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
interface GigabitEthernet0/6
no nameif
no security-level
no ip address
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
interface Redundant1
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.100.X 255.255.255.0 standby 172.18.100.X
interface Redundant2
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/3
nameif vpn-outside
security-level 0
ip address 10.245.245.x 255.255.255.0 standby 10.245.245.x
interface Redundant3
description Failover
member-interface GigabitEthernet0/5
member-interface GigabitEthernet0/6
no nameif
no security-level
no ip address
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover polltime unit msec 500 holdtime 3
failover key *****
failover replication http
failover link failover GigabitEthernet0/7
failover interface ip failover 172.32.254.1 255.255.255.252 standby 172.32.254.2
al configurar esta es la secuencia de error
VPN5525X-VLP(config)# no failover lan interface failover GigabitEthernet0/7
VPN5525X-VLP(config)# no failover link failover GigabitEthernet0/7
VPN5525X-VLP(config)# failover lan interface failover redunda
VPN5525X-VLP(config)# failover lan interface failover redundant3
INFO: Non-failover interface config is cleared on Redundant3 and its sub-interfaces
VPN5525X-VLP(config)# failover link failover Redunan
VPN5525X-VLP(config)# failover link failover Redundant3
VPN5525X-VLP(config)#
VPN5525X-VLP(config)#
VPN5525X-VLP(config)# exit
VPN5525X-VLP# sh run fa
ya esta configurado pero no estoy seguro si funcionara, Julio que asi configurado.
VPN5525X-VLP# sh run failover
failover
failover lan unit primary
failover lan interface failover Redundant3
failover polltime unit msec 500 holdtime 3
failover key *****
failover replication http
failover link failover Redundant3
VPN5525X-VLP#
Similar Messages
-
Redundant Failover link on ASA5500 Series?
Cisco recommends connecting failover link over L2 switch in thier document.
But if L2 switch fails, both ASA's failover I/F will down.
I wonder if there is any way to get redundancy for failover link, like etherchannel.
Or should I prepare two L2 switches to avoid both ASA's I/F down?
Any hints appriciated.Even if both of the failover interfaces go down it wont affect the traffic flow. Also if the switch is being monitored this will get detected and can be solved easily. If you still want redundant failover links, using seperate switches will be good idea.
-
Hi,
We are setting up a new ASA which is in multi context mode. I was wondering if it is possible to setup redundant failover and state links? I know that it is possible to run failover on one link and state on another, or both over the same link, but is it possible to have both failover and state running on 2 links? For example, failover and state on ten1/0 as well as failover and state on ten1/1.
Hope I have explained my question well enough. If not I will try to explain better.
thanksI would suggest to make a redundant logical link and attach two physical links to it. Than during failover link configuration specify your redundant link as a failover link. Not sure if it works but dont see any obstacles for this solution to fail..
-
PO for LAN failover and stateful failover link?
Hi.. We have 2 x ASA 5520s running ver 9.0. We plan to aggregate the 2 interfaces used for LAN failover and stateful failover into a lacp PO. So both the ASAs are connected to each other directly using these 2 interfaces and then we logically make it a one PO. We then assign the PO intface an ip. Is this supported?
You can use any unused interface (physical, redundant, or EtherChannel) as the failover link. (Source)
That said, It would be an uncommon implementation. I almost always see them on separate physical interfaces. -
Active/Standby And failover link configuration mode
Hi everyone,
When config failover link of ASA in Active Standby mode.
When we config failover int say gi0/1
config t
int gi0/1
failover lan int gi0/1
Need to confirm we do this from interface config mode only or we can do this from global config also ????????
Whe we assign IP to this int we do that from global config mode ????
Regards
Mahesh
Message was edited by: mahesh parmar
Message was edited by: mahesh parmarHi,
Actually the ASA lets you insert a lot of command what ever mode you are under.
In the output you posted is a very important thing to notice
configure mode commands/options:
WORD Specify the interface name
As you can see, the output lists only one option and before that it mentions that this is a "configure mode" command
So even if you entered the command under the interface configuration mode, it would still be entered as a global/configure command mode.
Take the following thing for example
I want to check what configuration options I have with the command "failover"
So I enter the following to my ASA
ASA(config)# failover ?
configure mode commands/options:
interface Configure the IP address to be used for failover and/or
stateful update information
interface-policy Set the policy for failover due to interface failures
key Configure the failover shared secret or key
lan Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
mac Specify the virtual mac address for a dynamic interface
polltime Configure failover poll interval
timeout Specify the failover reconnect timeout value for
asymmetrically routed sessions
exec mode commands/options:
active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force a unit or failover group to an unfailed state
As you can see, the ASA tells us that there are different additional command parameters after the "failover" command that can be used. Some of them can be used either in Exec or Configuration mode.
- Jouni -
Failover link in a C65K VSS with ASA-SM
Hi
Just experienced a coombined tcp flood/ udp flood attack, which caused both ASAs to go active :-(
Active:
01:56:05 ASA-SM1 : %ASA-1-105043: (Primary) Failover interface failed
01:56:09 ASA-SM1 : %ASA-1-105042: (Primary) Failover interface OK
01:56:32 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 3).
01:56:47 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
The standby ASA said ' failover off' but a reload of the standby fixed the dual active problem:
Standby:
ASA-SM1# sh failo
Failover Off
Failover unit Secondary
Failover LAN Interface: folink Vlan998 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
ASA-SM1# sh failo state
State Last Failure Reason Date/Time
This host - Secondary
Disabled None
Other host - Primary
Not Detected Comm Failure 01:55:59
'Service-policy in' on the uplink interface (was 512/10 before):
embryonic-conn-max 256 per-client-embryonic-max 5
Questions:
1. possible causes for the com failure (memory exhaust ?) Any good commands for checking ?
2. The failover link:
In an ASA appliance setup it is recomended to etasblish a dedicated physical failover link between til ASAs - What about ASA-SM in a VSS setup - does it make sense to establish a f.ex physical 1G link for failover, and if yes: won't there be a loop issue with this and the fo vlan on the VSL link ?
3. What is "interface policy 1" in the 'sh failo' command output ?
Thanks
JesperHello Adrian,
Don't know if this is the cause of your issue, but I was thinking about scenario in which after your ISP interface is doing DOWN and UP your IP address is being changed.
IOS itself is not deleting isakmp SA because the interface on which you have crypto map attached is down, so the SA will be still up on IOS. On ASA itself since you have default configuration you have DPD (dead peer detection) turned on probably after 10 seconds crypto sa will go down since no DPD reply received.
IOS will continue to send encrypted traffic towards ASA, but for ASA tunnel is dead and it will ignore these packets (there should be something in logs), but router will never know it since it has DPDs turned off.
It could also happen if you are getting the same IP address from you ISP, but Internet outages are longer than 30seconds.
Solution would be to turn on DPDs on IOS:
crypto isakmp keepalives TIME_IN_SECONDS periodic
Defailts about DPDs:
https://supportforums.cisco.com/docs/DOC-8554
Regards, -
Hello,
On an ASA 5520 active, standby pair, what will result if the failover link or interface goes down or fails. Will both devices become active?
If yes, how to prevent this. We want it in such a way that if such a situation happens, there should be only Active and the other one should be standby.
Thanks in advance!If ASA units connected with cross over then no failover will take place.
if using LAN based failover then you will end up with Active-Active and traffic will fail.
Thanks
Ajay -
ASA failover link over the etherchannel connected switches
Hello,
We have two ASA firewalls located in different locations.
Firewalls are in Active/Standby modes.
Failover links of firewalls are connected to two different switches.
These switches are connected to each other with two dark fibers aggregated to Etherchannel (source-mac address mode)
When one of fiber links fails and then immediately is connected again, secondary ASA is going to Active state and then to Standy state again.
Please see the output bellow.
The holddown timer is set to 15 seconds.
What could be the cause of this state change?
ciscoasa# sh failover history
==========================================================================
From State To State Reason
==========================================================================
22:54:20 GET Apr 4 2014
Standby Ready Just Active HELLO not heard from mate
22:54:20 GET Apr 4 2014
Just Active Active Drain HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Drain Active Applying Config HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Applying Config Active Config Applied HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Config Applied Active HELLO not heard from mate
22:54:42 GET Apr 4 2014
Active Cold Standby Failover state check
22:54:43 GET Apr 4 2014
Cold Standby Sync Config Failover state check
22:55:36 GET Apr 4 2014
Sync Config Sync File System Failover state check
22:55:36 GET Apr 4 2014
Sync File System Bulk Sync Failover state check
22:55:51 GET Apr 4 2014
Bulk Sync Standby Ready Failover state checkMaybe spanning tree recalculation. I know you said there was an etherchannel but I would make sure it is built properly. Also run "Show spanning-tree detail" on the switches after you unplug/replug and check when the last topology change was.
-
Want to configure BACKUP VPN in asa 5505 for failover link
Hi,
Current i'm having 2 isps one tata and another one reliance iwant to configure the backup vpn for reliance ip for same peer ip which tata vpn had configured
i mandatory to configure same SA,ENCRPTION,IPSEC POLICY,KEY,LIFETIME...etc for failover vpn also.Hi michael,
First of thanks for reply.
Can we do it by public certificate or DNS entry e.g. both ISP Public ip address entry will be in DNS and user will hit particular DNS name. You r right that once link down so user will disconnect but when he will retry then he will connect via another link.
Is it possible??
Ashish -
CSS 11151 VIP Redundancy - Link State Redundancy/Keepalive
I have a pair of CSS 11151 each connected to a pair of cross-connected 3550 switches,I've configured VIP & Interface Redundacy,either VLAN1 interface or VLAN2 interface is shut down will cause the virtual router switchover. Recently I met some problem with CSS switchover when just one VLAN1 interface shutdown, and I was told that "type redundancy-up" should not work with VIP redundant mode, so I am trying to configure a critical service with a keepalive ap-kal-pinglist and ping all the circuit vlan's ip address on the CSS itself. but I am still confuse with some aspects.
1. Should I configure two separate virtual router for two circuit VLANs?
2. How to configure the service IP address? Because two 3550 have separate vlan ip address, and did not configured HSRP.
3. The script on my CSS is different with document, can I edit a new ap-kal-pinglist script to replace it?
Here's my config...
!************ INTERFACE *********************
interface 2
bridge vlan 2
!**************** CIRCUIT **************************
circuit VLAN1
ip address 10.0.2.33 255.255.255.128
ip virtual-router 1 priority 100
ip redundant-interface 1 10.0.2.29
ip critical-service 1 sw1-up-down
ip critical-service 1 sw2-up-down
circuit VLAN2
ip address 10.0.2.133 255.255.255.240
ip virtual-router 1 priority 100
ip redundant-interface 1 10.0.2.129
ip redundant-vip 1 10.0.2.132
ip critical-service 1 gateway
!************************** SERVICE
service gateway
ip address 10.0.2.130
type redundancy-up
active
service sw1-up-down
ip address 10.0.2.30
type redundancy-up
active
service sw2-up-down
ip address 10.0.2.31
type redundancy-up
activeI would recommend an upgrade to version 7.40 in order to get the 'reporter' functionality.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_command_reference_chapter09186a008028fe6c.html
A reporter let you define which ports you want to monitor and when to failover [all ports down or any port down].
If you can't use 7.40, here is an answer to your question :
1. it does not matter. The vrid is used to differentiate other instances of VRRP that could exist on the same VLAN.
2. if you plan to use an ap-kal-pinglist, the service ip address really does not matter. The keepalive will use the ip addresses that you will pass to the ap-kal-pinglist function
3. you can modify the script and upload it back to the CSS. However, I would recommend using a different name in case you need the original script in the future.
Regards,
Gilles. -
ASA 5580 with EtherChannel 20Gbs, Does the Failover link must match the same Speed?
Hello,
I have an ASA 5580, I am plannning on setting two EtherChannels (inside and outside), each channel will include two TenGigabit interfaces.
My questions is that if the links that I am gonig to use for the failover and link, should also be 20Gbs each, or it is ok to use 10Gbs for each link?
According to the Configuration guide 8.4
Use the following failover interface speed guidelines for the ASAs:
• Cisco ASA 5510
– Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due
to the CPU speed limitation.
• Cisco ASA 5520/5540/5550
– Stateful link speed should match the fastest data link.
• Cisco ASA 5580/5585
– Use only non-management 1 Gigabit ports for the stateful link because management ports have
lower performance and cannot meet the performance requirement for Stateful Failover.
Thanks in advanceHi,
I have 2x ASA5580-20 with 8x1GE interfaces and additional 2x 10GE interfaces each. Software version running is v8.4.4.1.
I am planning to use them in multiple context (active/active) transparent mode. Taking into account the FW performance of 5Gbps real-world traffic per ASA5580-20, which on the following interface configurations would make the most sense?
Option 1:
2x10GE = 20GE Etherchannel for Data
1x1GE LAN Failover
1x1GE STATE Failover
Option 2:
1x 10GE Data
1x 10GE LAN & STATE Failover
Option 3:
2x10GE = 20GE Etherchannel for Data
4x1GE = 4GE Etherchannel for LAN/STATE Failover (possibly up to 8x1GE)
(etherchannel for LAN/STATE Failover actually does not make much sense, since only one interface wll be used anyway)
Option 4:
1x10GE LAN & STATE Failover
8x1GE = 8 GE Etherchannel for Data
I have read several guides (e.g. link1, link2, link3). Some state that 1GE Failover interfaces would suffice for the ASA5580, others recommend a link as fast as the data link. Almost none of them account for higher bandwidth etherchannels.
What is recommended in this case? Both Firewalls will be connected to one VSS Switch Pair, so it would make sense to cross-connect with at least 2 links on each VSS member.
The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html)
Thanks in advance for your feedback! -
Active/Standby Failover with pair of 5510s and redundant L2 links
Hi
I just got two ASA5510-SEC-BUN-K9 and I'm wondering is it possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510 and redundant pair of switches from both inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in pair od ASAa) to each L2 switch (in pair of redundant L2 Switches). The configuration I would like to achive is just like one in Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
Thanks in advance
Zoran MilenkovicHello Zoran,
Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX, however, connectivity would still be same with ASAs-
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
The difference is that on ASA, you can only have LAN-Based failover, hence you'll need to use one additional interface on both ASAs for failover-link. You can connect these two failover-link interfaces directly using a cross cable.
Apart from this, please refer to following link on how to go with configuration of Lan-based Active/Standby failover-
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
Also make sure that both ASAs have required hardware/software/license based on following link-
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
Hope this helps.
Regards,
Vibhor. -
Hello,
Please have a look at attached diagram. R1 is attached to MPLS VPN backbone and internet, R2 and R3 are connected through MPLS VPN to R1 and also directly. All sites are accessing HQ through MPLS VPN backbone using OSPF for intranet and internet. Remote sites have ADSL backup links for redundancy. If the link between R4 and backbone fails and is it possible to switch to ADSL link to route all traffic and to access HQ. Please guide.
RegardsHello,
there are various ways in which you can configure the ADSL link as a backup to the MPLS VPN, the easiest being to define two static default route, one of which has a higher administrative distance:
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 ATM0.1 250
This way, all you traffic would be routed out the tunnel VPN interface that connects to the MPLS cloud, and the ADSL link would only become active when the primary interface fails.
Regards,
GNT -
Need to add a new segment on a live ASA5520 with a failover setup running
Hi ,
how do I add a new segment on my ASA5520 that is currently on a lan based active/standby failover. ?
Will it trigger the failover if I add another interface and will be just as simple as unshutting a normal interface and adding an IP with the same configuration as the other interfaces for failover .
all of my existing segment has a redundant switch and for the new segment that I will be creating is just a straight forward with only 1 switch on the segment.
fw-inside-1# show run int
interface GigabitEthernet0/0
description OUTSIDE Interface_1
no nameif
no security-level
no ip address
interface GigabitEthernet0/1
description APPS Interface_1
no nameif
no security-level
no ip address
interface GigabitEthernet0/2
description DB Interface_1
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
interface GigabitEthernet1/0
description OUTSIDE Interface_2
no nameif
no security-level
no ip address
interface GigabitEthernet1/1
description APPS Interface_2
no nameif
no security-level
no ip address
interface GigabitEthernet1/2
description DB Interface_2
no nameif
no security-level
no ip address
interface GigabitEthernet1/3 <<<<<<<<<<<<<<<<<< I will use this interface for the new segment.
shutdown
no nameif
no security-level
no ip address
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet1/0
nameif outside
security-level 0
ip address 10.50.5.10 255.255.255.0 standby 10.50.5.11
interface Redundant2
member-interface GigabitEthernet0/1
member-interface GigabitEthernet1/1
nameif apps
security-level 80
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
interface Redundant3
member-interface GigabitEthernet0/2
member-interface GigabitEthernet1/2
nameif db
security-level 90
ip address 172.16.4.1 255.255.255.0 standby 172.16.4.2
fw-inside-1#
fw-inside-1# show run fail
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/3
failover polltime unit 5 holdtime 15
failover link Failover GigabitEthernet0/3
failover interface ip Failover 10.0.0.1 255.255.255.252
fw-inside-1#
Since I will not be having a redundant switch on the new segment I will use the below config
interface GigabitEthernet1/3
no shut
nameif
security-level 75
ip address 172.16.3.1 255.255.255.0 standby 172.16.3.2
Then I will connect cables..
Please let me know if you have any suggestions or links.
RegardsYou should first configure your interface, then cable both units and after that no shut it on the ASA. Additionally you can remove your new interface from failover-monitoring as a precaution if somerhing goes wrong.
Sent from Cisco Technical Support iPad App -
Best practice for ASA Active/Standby failover
Hi,
I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advanced!Hi Vibhor,
I test ping from R1 to R2 and ping drop when I shutdown either inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show' failover' and 'show run',
ASSA1# conf t
ASSA1(config)# int g1
ASSA1(config-if)# shut
ASSA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:20:00 SGT Nov 18 2014
This host: Primary - Active
Active time: 7862 (sec)
Interface outside (100.100.100.1): Normal (Monitored)
Interface inside (192.168.1.1): Link Down (Monitored)
Interface mgmt (10.101.50.100): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (100.100.100.2): Normal (Monitored)
Interface inside (192.168.1.2): Link Down (Monitored)
Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1053 0 1045 0
sys cmd 1045 0 1045 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 5 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 1045
Xmit Q: 0 30 10226
ASSA1(config-if)#
ASSA1# sh run
: Saved
ASA Version 8.4(2)
hostname ASSA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet2
description LAN/STATE Failover Interface
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
nameif mgmt
security-level 0
ip address 10.101.50.100 255.255.255.0
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone SGT 8
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_ACCESS_IN in interface outside
router ospf 10
network 100.100.100.0 255.255.255.0 area 1
network 192.168.1.0 255.255.255.0 area 0
area 0 authentication message-digest
area 1 authentication message-digest
log-adj-changes
default-information originate always
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.101.50.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.50.0 255.255.255.0 mgmt
ssh timeout 5
console timeout 0
tls-proxy maximum-session 10000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
: end
ASSA1#
Maybe you are looking for
-
Apple Micro-DVI to Video Adapter New MacBook Air
Hi All, I am brand new to the Mac world (Been a PC user my entire life). Thought I would take a gamble on a Mac and see how it goes. So far I have been really impressed and happy! I bought a MacBook Air a few weeks ago. It's a 2.13 GHZ MacBook Air. I
-
Why can I not sign in on my iPhone yet can sign in on here using my Apple ID?
Anyone know why I can sign in on here using my Apple ID yet it won't let me on my iPhone 4S?? Software updated ages ago and not had a problem until now.... Any help greatly appreciated as I have lost access to my iMessages :-(
-
A list of inputs using netui tags
Hi all, we have a family of netui problems which occur quite frequently. The main problem is: what to do when we have a list of items (we don't now how many), and we want to display them, and get some input from the user. 1. The simplest form, when t
-
Adobe Acrobat submit button feature not working
Hello, I just created a new time card using Adobe Acrobat. I'd like to make it so when the user enters their hours, they click on the submit button and it routes the form to the e-mail I've provided. Following the directions provided by adobe (htt
-
Online help for RoboHelp unavailable
When I go to Help > Contents and Index, or Help > On WYSIWYG, there is a yellow question mark present...clicking on these doesn't work. Anyone know why? This is on both version 3 and 4.1.