Failover link inteface redundant

Similar Messages

• Redundant Failover link on ASA5500 Series?

  Cisco recommends connecting failover link over L2 switch in thier document.
  But if L2 switch fails, both ASA's failover I/F will down.
  I wonder if there is any way to get redundancy for failover link, like etherchannel.
  Or should I prepare two L2 switches to avoid both ASA's I/F down?
  Any hints appriciated.

  Even if both of the failover interfaces go down it wont affect the traffic flow. Also if the switch is being monitored this will get detected and can be solved easily. If you still want redundant failover links, using seperate switches will be good idea.

• ASA redundant failover links

  Hi,
  We are setting up a new ASA which is in multi context mode.  I was wondering if it is possible to setup redundant failover and state links?  I know that it is possible to run failover on one link and state on another, or both over the same link, but is it possible to have both failover and state running on 2 links?  For example, failover and state on ten1/0 as well as failover and state on ten1/1.
  Hope I have explained my question well enough.  If not I will try to explain better.
  thanks

  I would suggest to make a redundant logical link and attach two physical links to it. Than during failover link configuration specify your redundant link as a failover link. Not sure if it works but dont see any obstacles for this solution to fail..

• PO for LAN failover and stateful failover link?

  Hi.. We have 2 x ASA 5520s running ver 9.0. We plan to aggregate the 2 interfaces used for LAN failover and stateful failover into a lacp PO. So both the ASAs are connected to each other directly using these 2 interfaces and then we logically make it a one PO. We then assign the PO intface an ip. Is this supported?

  You can use any unused interface (physical, redundant, or EtherChannel) as the failover link. (Source)
  That said, It would be an uncommon implementation. I almost always see them on separate physical interfaces.

• Active/Standby And failover link configuration mode

  Hi everyone,
  When config failover  link of ASA  in Active Standby mode.
  When we config failover int say gi0/1
  config t
  int gi0/1
  failover lan int gi0/1
  Need to confirm we do this from interface config mode  only or we can do this from global config also ????????
  Whe we assign IP to this int we do that from global config mode ????
  Regards
  Mahesh
  Message was edited by: mahesh parmar
  Message was edited by: mahesh parmar

  Hi,
  Actually the ASA lets you insert a lot of command what ever mode you are under.
  In the output you posted is a very important thing to notice
  configure mode commands/options:
    WORD  Specify the interface name
  As you can see, the output lists only one option and before that it mentions that this is a "configure mode" command
  So even if you entered the command under the interface configuration mode, it would still be entered as a global/configure command mode.
  Take the following thing for example
  I want to check what configuration options I have with the command "failover"
  So I enter the following to my ASA
  ASA(config)# failover ?
  configure mode commands/options:
    interface              Configure the IP address to be used for failover and/or
                                stateful update information
    interface-policy    Set the policy for failover due to interface failures
    key                       Configure the failover shared secret or key
    lan                       Specify the unit as primary or secondary or configure the
                                 interface and vlan to be used for failover communication
    mac                      Specify the virtual mac address for a dynamic interface
    polltime                Configure failover poll interval
    timeout                 Specify the failover reconnect timeout value for
                                 asymmetrically routed sessions
  exec mode commands/options:
    active          Make this system to be the active unit of the failover pair
    exec            Execute command on the designated unit
    reload-standby  Force standby unit to reboot
    reset           Force a unit or failover group to an unfailed state
  As you can see, the ASA tells us that there are different additional command parameters after the "failover" command that can be used. Some of them can be used either in Exec or Configuration mode.
  - Jouni

• Failover link in a C65K VSS with ASA-SM

  Hi
  Just experienced a coombined tcp flood/ udp flood attack, which caused both ASAs to go active :-(
  Active:
  01:56:05 ASA-SM1 : %ASA-1-105043: (Primary) Failover interface failed
  01:56:09 ASA-SM1 : %ASA-1-105042: (Primary) Failover interface OK
  01:56:32 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 3).
  01:56:47 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
  The standby ASA said ' failover off' but a reload of the standby fixed the dual active problem:
  Standby:
  ASA-SM1# sh failo
  Failover Off
  Failover unit Secondary
  Failover LAN Interface: folink Vlan998 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  ASA-SM1# sh failo state
                      State          Last Failure Reason      Date/Time
  This host  -   Secondary
                       Disabled       None
  Other host -   Primary
                      Not Detected   Comm Failure      01:55:59
  'Service-policy in' on the uplink interface (was 512/10 before):
  embryonic-conn-max 256 per-client-embryonic-max 5
  Questions:
  1. possible causes for the com  failure (memory exhaust ?) Any good commands for checking ?
  2. The failover link:
  In an ASA appliance setup it is recomended to etasblish a dedicated physical failover link between til ASAs - What about ASA-SM in a VSS setup - does it make sense to establish a f.ex physical 1G link for failover, and if yes: won't there be a loop issue with this and the fo vlan on the VSL link ?
  3. What is "interface policy 1" in the 'sh failo' command output ?
  Thanks
  Jesper

  Hello Adrian,
  Don't know if this is the cause of your issue, but I was thinking about scenario in which after your ISP interface is doing DOWN and UP your IP address is being changed.
  IOS itself is not deleting isakmp SA because the interface on which you have crypto map attached is down, so the SA will be still up on IOS. On ASA itself since you have default configuration you have DPD (dead peer detection) turned on probably after 10 seconds crypto sa will go down since no DPD reply received.
  IOS will continue to send encrypted traffic towards ASA, but for ASA tunnel is dead and it will ignore these packets (there should be something in logs), but router will never know it since it has DPDs turned off.
  It could also happen if you are getting the same IP address from you ISP, but Internet outages are longer than 30seconds.
  Solution would be to turn on DPDs on IOS:
  crypto isakmp keepalives TIME_IN_SECONDS periodic
  Defailts about DPDs:
  https://supportforums.cisco.com/docs/DOC-8554
  Regards,

• Failover link

  Hello,
  On an ASA 5520 active, standby pair, what will result if the failover link or interface goes down or fails. Will both devices become active?
  If yes, how to prevent this. We want it in such a way that if such a situation happens, there should be only Active and the other one should be standby.
  Thanks in advance!

  If ASA units connected with cross over then no failover will take place.
  if using LAN based failover then you will end up with Active-Active and traffic will fail.
  Thanks
  Ajay

• ASA failover link over the etherchannel connected switches

  Hello,
  We have two ASA firewalls located in different locations.
  Firewalls are in Active/Standby modes.
  Failover links of firewalls are connected to two different switches.
  These switches are connected to each other with two dark fibers aggregated to Etherchannel (source-mac address mode)
  When one of fiber links fails and then immediately is connected again, secondary ASA is going to Active state and then to Standy state again.
  Please see the output bellow.
  The holddown timer is set to 15 seconds.
  What could be the cause of this state change?
  ciscoasa# sh failover history 
  ==========================================================================
  From State                 To State                   Reason
  ==========================================================================
  22:54:20 GET Apr 4 2014
  Standby Ready              Just Active                HELLO not heard from mate
  22:54:20 GET Apr 4 2014
  Just Active                Active Drain               HELLO not heard from mate
  22:54:20 GET Apr 4 2014
  Active Drain               Active Applying Config     HELLO not heard from mate
  22:54:20 GET Apr 4 2014
  Active Applying Config     Active Config Applied      HELLO not heard from mate
  22:54:20 GET Apr 4 2014
  Active Config Applied      Active                     HELLO not heard from mate
  22:54:42 GET Apr 4 2014
  Active                     Cold Standby               Failover state check
  22:54:43 GET Apr 4 2014
  Cold Standby               Sync Config                Failover state check
  22:55:36 GET Apr 4 2014
  Sync Config                Sync File System           Failover state check
  22:55:36 GET Apr 4 2014
  Sync File System           Bulk Sync                  Failover state check
  22:55:51 GET Apr 4 2014
  Bulk Sync                  Standby Ready              Failover state check

  Maybe spanning tree recalculation.  I know you said there was an etherchannel but I would make sure it is built properly.  Also run "Show spanning-tree detail" on the switches after you unplug/replug and check when the last topology change was.
   

• Want to configure BACKUP VPN in asa 5505 for failover link

  Hi,
  Current i'm having 2 isps one tata and another one reliance iwant to configure the backup vpn for reliance ip for same peer ip which tata vpn had configured
  i mandatory to configure same SA,ENCRPTION,IPSEC POLICY,KEY,LIFETIME...etc for failover vpn also.

  Hi michael,
  First of thanks for reply.
  Can we do it by public certificate or DNS entry e.g. both ISP Public ip address entry will be in DNS and user will hit particular DNS name. You r right that once link down so user will disconnect but when he will retry then he will connect via another link.
  Is it possible??
  Ashish

• CSS 11151 VIP Redundancy - Link State Redundancy/Keepalive

  I have a pair of CSS 11151 each connected to a pair of cross-connected 3550 switches,I've configured VIP & Interface Redundacy,either VLAN1 interface or VLAN2 interface is shut down will cause the virtual router switchover. Recently I met some problem with CSS switchover when just one VLAN1 interface shutdown, and I was told that "type redundancy-up" should not work with VIP redundant mode, so I am trying to configure a critical service with a keepalive ap-kal-pinglist and ping all the circuit vlan's ip address on the CSS itself. but I am still confuse with some aspects.
  1. Should I configure two separate virtual router for two circuit VLANs?
  2. How to configure the service IP address? Because two 3550 have separate vlan ip address, and did not configured HSRP.
  3. The script on my CSS is different with document, can I edit a new ap-kal-pinglist script to replace it?
  Here's my config...
  !************ INTERFACE *********************
  interface 2
  bridge vlan 2
  !**************** CIRCUIT **************************
  circuit VLAN1
  ip address 10.0.2.33 255.255.255.128
  ip virtual-router 1 priority 100
  ip redundant-interface 1 10.0.2.29
  ip critical-service 1 sw1-up-down
  ip critical-service 1 sw2-up-down
  circuit VLAN2
  ip address 10.0.2.133 255.255.255.240
  ip virtual-router 1 priority 100
  ip redundant-interface 1 10.0.2.129
  ip redundant-vip 1 10.0.2.132
  ip critical-service 1 gateway
  !************************** SERVICE
  service gateway
  ip address 10.0.2.130
  type redundancy-up
  active
  service sw1-up-down
  ip address 10.0.2.30
  type redundancy-up
  active
  service sw2-up-down
  ip address 10.0.2.31
  type redundancy-up
  active

  I would recommend an upgrade to version 7.40 in order to get the 'reporter' functionality.
  http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_command_reference_chapter09186a008028fe6c.html
  A reporter let you define which ports you want to monitor and when to failover [all ports down or any port down].
  If you can't use 7.40, here is an answer to your question :
  1. it does not matter. The vrid is used to differentiate other instances of VRRP that could exist on the same VLAN.
  2. if you plan to use an ap-kal-pinglist, the service ip address really does not matter. The keepalive will use the ip addresses that you will pass to the ap-kal-pinglist function
  3. you can modify the script and upload it back to the CSS. However, I would recommend using a different name in case you need the original script in the future.
  Regards,
  Gilles.

• ASA 5580 with EtherChannel 20Gbs, Does the Failover link must match the same Speed?

  Hello,
  I have an ASA 5580, I am plannning on setting two EtherChannels (inside and outside), each channel will include two TenGigabit interfaces.
  My questions is that if the links that I am gonig to use for the failover and link, should also be 20Gbs each, or it is ok to use 10Gbs for each link?
  According to the Configuration guide 8.4
  Use the following failover interface speed guidelines for the ASAs:
  • Cisco ASA 5510
  – Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due
  to the CPU speed limitation.
  • Cisco ASA 5520/5540/5550
  – Stateful link speed should match the fastest data link.
  • Cisco ASA 5580/5585
  – Use only non-management 1 Gigabit ports for the stateful link because management ports have
  lower performance and cannot meet the performance requirement for Stateful Failover.
  Thanks in advance

  Hi,
  I have 2x ASA5580-20 with 8x1GE interfaces and additional 2x 10GE interfaces each. Software version running is v8.4.4.1.
  I am planning to use them in multiple context (active/active) transparent mode. Taking into account the FW performance of 5Gbps real-world traffic per ASA5580-20, which on the following interface configurations would make the most sense?
  Option 1:
  2x10GE = 20GE Etherchannel for Data
  1x1GE LAN Failover
  1x1GE STATE Failover
  Option 2:
  1x 10GE Data
  1x 10GE LAN & STATE Failover
  Option 3:
  2x10GE = 20GE Etherchannel for Data
  4x1GE = 4GE Etherchannel for LAN/STATE Failover (possibly up to 8x1GE)
  (etherchannel for LAN/STATE Failover actually does not make much sense, since only one interface wll be used anyway)
  Option 4:
  1x10GE LAN & STATE Failover
  8x1GE = 8 GE Etherchannel for Data
  I have read several guides (e.g. link1, link2, link3). Some state that 1GE Failover interfaces would suffice for the ASA5580, others recommend a link as fast as the data link. Almost none of them account for higher bandwidth etherchannels.
  What is recommended in this case? Both Firewalls will be connected to one VSS Switch Pair, so it would make sense to cross-connect with at least 2 links on each VSS member.
  The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html)
  Thanks in advance for your feedback!

• Active/Standby Failover with pair of 5510s and redundant L2 links

  Hi
  I just got two ASA5510-SEC-BUN-K9 and I'm wondering is it possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510 and redundant pair of switches from both inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in pair od ASAa) to each L2 switch (in pair of redundant L2 Switches). The configuration I would like to achive is just like one in Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
  Thanks in advance
  Zoran Milenkovic

  Hello Zoran,
  Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX, however, connectivity would still be same with ASAs-
  http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
  The difference is that on ASA, you can only have LAN-Based failover, hence you'll need to use one additional interface on both ASAs for failover-link. You can connect these two failover-link interfaces directly using a cross cable.
  Apart from this, please refer to following link on how to go with configuration of Lan-based Active/Standby failover-
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
  Also make sure that both ASAs have required hardware/software/license based on following link-
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
  Hope this helps.
  Regards,
  Vibhor.

• Redundant links

  Hello,
  Please have a look at attached diagram. R1 is attached to MPLS VPN backbone and internet, R2 and R3 are connected through MPLS VPN to R1 and also directly. All sites are accessing HQ through MPLS VPN backbone using OSPF for intranet and internet. Remote sites have ADSL backup links for redundancy. If the link between R4 and backbone fails and is it possible to switch to ADSL link to route all traffic and to access HQ. Please guide.
  Regards

  Hello,
  there are various ways in which you can configure the ADSL link as a backup to the MPLS VPN, the easiest being to define two static default route, one of which has a higher administrative distance:
  ip route 0.0.0.0 0.0.0.0 Tunnel0
  ip route 0.0.0.0 0.0.0.0 ATM0.1 250
  This way, all you traffic would be routed out the tunnel VPN interface that connects to the MPLS cloud, and the ADSL link would only become active when the primary interface fails.
  Regards,
  GNT

• Need to add a new segment on a live ASA5520 with a failover setup running

  Hi ,
  how do I add a new segment on my ASA5520 that is currently on a lan based active/standby failover. ?
  Will it trigger the failover if I add another interface and will be just as simple as unshutting a normal interface and adding an IP with the same configuration as the other interfaces for failover .
  all of my existing segment has a redundant switch and for the new segment that I will be creating is just a straight forward with only 1 switch on the segment.
  fw-inside-1# show run int
  interface GigabitEthernet0/0
  description OUTSIDE Interface_1
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/1
  description APPS Interface_1
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/2
  description DB Interface_1
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  description LAN/STATE Failover Interface
  interface Management0/0
  shutdown
  nameif management
  security-level 100
  no ip address
  management-only
  interface GigabitEthernet1/0
  description OUTSIDE Interface_2
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet1/1
  description APPS Interface_2
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet1/2
  description DB Interface_2
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet1/3           <<<<<<<<<<<<<<<<<< I will use this interface for the new segment.
  shutdown
  no nameif
  no security-level
  no ip address
  interface Redundant1
  member-interface GigabitEthernet0/0
  member-interface GigabitEthernet1/0
  nameif outside
  security-level 0
  ip address 10.50.5.10 255.255.255.0 standby 10.50.5.11
  interface Redundant2
  member-interface GigabitEthernet0/1
  member-interface GigabitEthernet1/1
  nameif apps
  security-level 80
  ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
  interface Redundant3
  member-interface GigabitEthernet0/2
  member-interface GigabitEthernet1/2
  nameif db
  security-level 90
  ip address 172.16.4.1 255.255.255.0 standby 172.16.4.2
  fw-inside-1#
  fw-inside-1# show run fail
  failover
  failover lan unit primary
  failover lan interface Failover GigabitEthernet0/3
  failover polltime unit 5 holdtime 15
  failover link Failover GigabitEthernet0/3
  failover interface ip Failover 10.0.0.1 255.255.255.252
  fw-inside-1#
  Since I will not be having a redundant switch on the new segment I will use the below config
  interface GigabitEthernet1/3    
    no shut
    nameif
    security-level 75
    ip address 172.16.3.1 255.255.255.0 standby 172.16.3.2
  Then I will connect cables..
  Please let me know if you have any suggestions or links.
  Regards

  You should first configure your interface, then cable both units and after that no shut it on the ASA. Additionally you can remove your new interface from failover-monitoring as a precaution if somerhing goes wrong.
  Sent from Cisco Technical Support iPad App

• Best practice for ASA Active/Standby failover

  Hi,
  I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
  Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy?  Thanks in advanced!

  Hi Vibhor,
  I test ping from R1 to R2 and ping drop when I shutdown either inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show' failover' and 'show run',
  ASSA1# conf t
  ASSA1(config)# int g1
  ASSA1(config-if)# shut
  ASSA1(config-if)# show failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 60 maximum
  Version: Ours 8.4(2), Mate 8.4(2)
  Last Failover at: 14:20:00 SGT Nov 18 2014
          This host: Primary - Active
                  Active time: 7862 (sec)
                    Interface outside (100.100.100.1): Normal (Monitored)
                    Interface inside (192.168.1.1): Link Down (Monitored)
                    Interface mgmt (10.101.50.100): Normal (Waiting)
          Other host: Secondary - Standby Ready
                  Active time: 0 (sec)
                    Interface outside (100.100.100.2): Normal (Monitored)
                    Interface inside (192.168.1.2): Link Down (Monitored)
                    Interface mgmt (0.0.0.0): Normal (Waiting)
  Stateful Failover Logical Update Statistics
          Link : FAILOVER GigabitEthernet2 (up)
          Stateful Obj    xmit       xerr       rcv        rerr
          General         1053       0          1045       0
          sys cmd         1045       0          1045       0
          up time         0          0          0          0
          RPC services    0          0          0          0
          TCP conn        0          0          0          0
          UDP conn        0          0          0          0
          ARP tbl         2          0          0          0
          Xlate_Timeout   0          0          0          0
          IPv6 ND tbl     0          0          0          0
          VPN IKEv1 SA    0          0          0          0
          VPN IKEv1 P2    0          0          0          0
          VPN IKEv2 SA    0          0          0          0
          VPN IKEv2 P2    0          0          0          0
          VPN CTCP upd    0          0          0          0
          VPN SDI upd     0          0          0          0
          VPN DHCP upd    0          0          0          0
          SIP Session     0          0          0          0
          Route Session   5          0          0          0
          User-Identity   1          0          0          0
          Logical Update Queue Information
                          Cur     Max     Total
          Recv Q:         0       9       1045
          Xmit Q:         0       30      10226
  ASSA1(config-if)#
  ASSA1# sh run
  : Saved
  ASA Version 8.4(2)
  hostname ASSA1
  enable password 2KFQnbNIdI.2KYOU encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface GigabitEthernet0
   nameif outside
   security-level 0
   ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
   ospf message-digest-key 20 md5 *****
   ospf authentication message-digest
  interface GigabitEthernet1
   nameif inside
   security-level 100
   ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
   ospf message-digest-key 20 md5 *****
   ospf authentication message-digest
  interface GigabitEthernet2
   description LAN/STATE Failover Interface
  interface GigabitEthernet3
   shutdown
   no nameif
   no security-level
   no ip address
  interface GigabitEthernet4
   nameif mgmt
   security-level 0
   ip address 10.101.50.100 255.255.255.0
  interface GigabitEthernet5
   shutdown
   no nameif
   no security-level
   no ip address
  ftp mode passive
  clock timezone SGT 8
  access-list OUTSIDE_ACCESS_IN extended permit icmp any any
  pager lines 24
  logging timestamp
  logging console debugging
  logging monitor debugging
  mtu outside 1500
  mtu inside 1500
  mtu mgmt 1500
  failover
  failover lan unit primary
  failover lan interface FAILOVER GigabitEthernet2
  failover link FAILOVER GigabitEthernet2
  failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-715-100.bin
  no asdm history enable
  arp timeout 14400
  access-group OUTSIDE_ACCESS_IN in interface outside
  router ospf 10
   network 100.100.100.0 255.255.255.0 area 1
   network 192.168.1.0 255.255.255.0 area 0
   area 0 authentication message-digest
   area 1 authentication message-digest
   log-adj-changes
   default-information originate always
  route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 10.101.50.0 255.255.255.0 mgmt
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh 10.101.50.0 255.255.255.0 mgmt
  ssh timeout 5
  console timeout 0
  tls-proxy maximum-session 10000
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  crashinfo save disable
  Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
  : end
  ASSA1#