FWSM Active/Active Failover ICMP replication

Similar Messages

• Active standby pair Replication scheme

  Hi
  I just want to know that is this possible to have "Active Active pair".
  Actually i want to create pair in which both Masters are in Active mode.None master is in standby mode.
  Please ....
  Regards
  Muh.Usman

  Could you please elaborate why you need active/active? Active/active configurations are potentially dangerous with any replication technology and are discouraged. TimesTen Active/Standby pair replication does nto support active/active (the clue is in he name :-)). TimesTen legacy replication does support active/active in some scenarios but if you use that then you cannot use Oracle caching. If you want to use both replication and Oracle caching then realistically you must use Active/Standby pair replication.
  Chris

• ASA Active/Active Failover with Redundant Guest Anchors

  Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
  The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
  Regards,
  Scott

  In addition to what you have, you should add to each unit the global configuration command "failover".
  We generally don't manually configure the MAC addresses in single context mode since the ASA ill automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

• Can I replicate new tables using the ACTIVE STANDBY PAIR replication scheme

  Hi,
  I have created myself a simple setup using an active/standby pair with a single subscriber like so:
  CREATE ACTIVE STANDBY PAIR cie ON "tt-test1", cie ON "tt-test2" RETURN RECEIPT SUBSCRIBER cie on "tt-test3";
  I have then added some tables on the master, they did not replicate automatically. I find this:
  Command> repschemes;
  Replication Scheme Active Standby:
  Master Store: CIE on TT-TEST1
  Master Store: CIE on TT-TEST2
  Master Return Service: Return Receipt
  Subscriber Store: CIE on TT-TEST3
  Excluded Tables:
  ROOT.EXTRACTOR_
  ROOT.PROMPT_
  ROOT.PREFERABLE_
  Included Tables:
  List too long (59 items), use verbosity 4 to display
  <snip>
  My question is ... how do I include these tables in replication?
  Do I need to trash and clone the secondary master store and the subscriber again? Even doing that won't add the tables to the replication scheme so I don't think that is a solution.
  I couldn't find much documentation on the ALTER REPLICATION statement but from what I could find it requires me to know the 'name' of the replication scheme and the examples in the documentation didn't work when I used 'Active Standby' as the scheme name in the statement.
  Am I being retarded here? Is this a limitation of using the ACTIVE STANDBY PAIR replication model?
  Thanks in advance.
  Huw

  When you setup and rollout the ACTIVE/STANDBY pair (or indeed legacy replication) it only includes tables that already exist. The normal deployment process is:
  1. Create the first datastore (the one which will initially be the 'active').
  2. Create (and populate) all necessary tables.
  3. Create the active/standby pair replication scheme.
  4. Start the repagent
  5. Make the datastore active by calling ttRepStateSet('ACTIVE')
  6. Use ttRepAdmin -duplicate to create the standby store from the active
  7. Start repagent at standby
  8. Use ttRepAdmin -duplicate to create the subscriber store from the standby
  7. Start repagent at subscriber
  If you need to add/remove tables later you must do the following:
  At active node:
  1. Create any new tables (and populate them) as needed
  2. Stop repagent
  3. Execute ALTER ACTIVE STANDBY PAIR with INCLUDE and/or EXCLUDE clauses as required
  4. Start repagent
  Then you need to redeploy the other stores:
  At standby:
  5. Stop repagent
  6. Drop datastore (ttDestroy)
  7. Re-create datastore from active using ttRepAdmin -duplicate
  8. Start repagent
  At subscriber:
  9. Stop repagent
  10. Drop datastore (ttDestroy)
  11. Re-create datastore from standby using ttRepAdmin -duplicate
  12. Start repagent
  This is documented in the TimesTen Replication Guide in the section on administering an active/standby pair.
  Chris

• ASA active/active failover back to back

  Hi,
        for HA  I want to connect 4 ASA's in active/active failover with each ASA having two contexts.
  The reason I need this is to separate two domains. Each domain has the ASA pair in active/active failover.
  Is this possible and what would you need to do it  ie a switch or two in between ?
  I know you need switches or vlans to do the LAN side as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASA's ???
  Would you put 2 switches trunked together carrying two vlans, one for each context ?
            -| CTX1 |-          ?         -| CTX1 |-
            -| CTX2 |-          ?         -| CTX2 |-
                 |  |                                |  |
            -| CTX1 |-          ?         -| CTX1 |-
            -| CTX2 |-          ?         -| CTX2 |-
  Thanks in advance.

  Your latest attachment is pretty close to what I was thinking.
  I would add a second interface on each ASA to the switches.
  So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.
  An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.
  You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach).

• Does VPN works in Firewall Active Active failover mode?

  i want to clarify these two things!
  1. Does VPN works in failover mode in Active/Active mode?
  2. What about in Failover mode Active/Pasive?
  Regards!

  Hi,
  Using an Active/Active Failover means that the Firewalls will be in Multiple Context mode. In other words virtual firewalls.
  This means that you can ONLY use IPsec L2L VPN connections on the virtual firewalls if you are running 9.x software level on the firewalls. Any form of Client and Clientless VPN isnt supported in Multiple Context Mode at the moment.
  Now with Active/Standby we have to make a distinction (if that was the word).
  IF you run a normal Active/Standby Failover pair of ASAs that IS NOT in Multiple Context mode YOU CAN use any type of VPN the ASAs support.
  IF you run a a pair of ASAs in Multiple Context Mode and in Active/Standby Mode you will naturally run into the limitation of VPN support in Multiple Context Mode and WILL NOT be able to use any other VPNs other than IPsec L2L VPN connections provided you are running 9.x software that supports it.
  Hope this helps
  - Jouni

• Radius auth to standby ASA in Active Active Failover

  Hi Everyone,
  When ASA is in Active/standby failover i can ssh to standby ASA using Radius.
  But when ASA is in multi context mode  Active/Active failover i can not do Radius Auth to standby ASA?
  Is this default behaviour?
  Regards
  MAhesh

  I would not have thought this is the default behavior...but then again, I have never tested this.  If you console into the standby context issue the command show run | in aaa.  Which authentication database is indicated?
  Please remember to select a correct answer and rate helpful posts

• Active-Active Failover when different contexts monitor different interfaces

  I'm trying to understand the relationship between failover groups and contexts, however it appears that the configuration is split in an way that I am having trouble understanding.
  The interfaces that you actually monitor are configured PER CONTEXT e.g.
  ciscoasa/ConextA(config)# monitor-interface inside
  But the number of interfaces that need to fail for failover to take place is done PER FAILOVER GROUP e.g.
  ciscoasa(config)# failover group 1
  ciscoasa(config-fover-group)# interface-policy 1
  (from the system context)
  If my laptop could take it, I would spin up a test environment in GNS3, but I think the best way to ask the question is to give an example. What would happen in the following setup:
  OPTION 1
  OPTION 2
  Thanks in advance

  You would never have a scenario where, as you put it, the Admin context would monitor Gi0 and ContextB also monitor Gi0.  This is because you need to assign the interface to a specific context and once it is assigned to one context it can not also be assigned to another...unless you have configured subinterfaces, then those subinterfaces can be split up and assigned to seperate contexts.  But one interface or one subinterface can not be assigned to more than one context.
  Now, if you have failover groups configured and an interface on one failover group dies, then only the context that the interface belongs to will failover to the standby failover group.
  The following is a good article to have a read through on the Active/Active failover functions:
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html
  Please remember to rate and select a correct answer

• To apply license in FWSM (Active-Active mode) and disable failover

  Dear Team
  I want to apply license to increase security context in FWSM which is running in Active-Active mode on VSS Core switches
  As per below document, first we need to disable failover by entering 'no failover' command on active FWSM and then apply the license seperately on both FWSM.
  I just want to know when i will disable the failover then standby move to pseudo-standby state. 
  Will there be any services impact which are running behind the FWSM when disbaling the failover and then re-enabling the failover.
  http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm40/configuration/guide/fwsm_cfg/swcnfg_f.html#wp1073226
  Appreciate your response.

  Hi,
  I think in your case as it is Active/Active , there is one extra step required.
  You need to make all the contexts active on one unit and on the other one all should be standby.
  Then disable the failover and update the license and re-enable the failover.
  Thanks and Regards,
  Vibhor Amrodia

• FWSM Active/Active Failover Logging

  Hi,
  Does anyone know if during a failover syslog logs or SNMP alerts should be generated on individual FWSM contexts. I have looked through syslogs from the time a failover has occured and I have seen no mention of any failover. Our SNMP management software doesn't report anything either. At the time all contexts other than the admin context were configured for syslog. The admin context was only configured for SNMP, which has now been corrected. Until we see another failover event though I cannot confirm if this has made any difference.
  The main driver for this is that in the event of a failover our NOC does not see a problem. They poll the devices via IP, so unless we were to physically lose a module we do not know a failover has occured as both the active and standby IP addresses are available.
  Thanks
  Andy

  Here is the documentation for your reference:
  http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/monitr_f.html#wp1098808
  Hope that helps.

• FWSM 4.0: switch from active/standby to active/active failover mode

  Hello,
  I have a pair of FWSM's running version 4.0 currently in active/standby failover mode, and I'd like to switch them to be active/active.  Is there a documented procedure for doing this?  What are the implications for any contexts switched to be primary on the FWSM that is currently acting as a standby (i.e., what kind of outage time can we expect)?
  Thanks in advance,
  Mike

  Hi Bro
  Thanks for the update, but still you'll need to create 2 contexts, each context will be ACTIVE on different Cisco ASA FW units. Hence, there will be some cut, copy and paste effort, not forgetting recabling, if that's needed. Here's a Cisco document to configure ACTIVE/ACTIVE for those who can't seem to find this document http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#req
  Conclusion: There will be some network downtime. I'm guessing 15min, if it was me :-)
  P/S: If you think this comment is helpful, please do rate it nicely :-)

• FWSM Active/Standby in VSS mode

  hello,
  i do have two 6500 in VSS mode , and one FWSM module on each 6500, i want to configure these modules as Active/Standby, how do i start , should i  follow this (not in VSS mode):
  http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html
  or are there other things should i do to make it work,
  thanks

  up!

• Active directory SYSVOL replication issues

  Hello. 
  I have 2 domain controllers, both of them on the same site DC1 & DC2. I have added a new site with a DC3. When I have added DC3 to the domain, I have realized, SYSVOL was not initialized correctly. I went back to DC1 and found out, there's following
  error in the event viewer:
  Error: 4012 on DC1
  The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter
  (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
  Error: 2213 on DC2
  The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication
  WMI method to resume replication. 
  This indicates a DFS replication issue between DC1 & DC2 and probably this would be the reason, why the SYSVOL was not properly initialized on DC3. 
  How can I restore correct DFS replication between DC1 & DC2? I've read
  this article, but it's not clear to me, which of the 2 domain controllers has a good version of SYSVOL + I can not find a decent step-by-step article for reconnecting Windows 2012 domain controller.
  Any idea, how I can proceed further here?

  Here's a complete documentation with resolution of my issue. I have created this documentation for my own purposes in our WIKI, so I will paste it here (I hope, it will help somebody else in the future):
  The Problem
  We have bought a new server for our domain. This server (NEWDC01) was promoted to be a domain
  controller in the DOMAIN. After the promotion, I have added a single computer to the domain. When I have logged on the client to the domain, I realized, this computer is not using the new domain controller (NEWDC01)
  for authentication, but DC02 domain controller instead. This is not intended. Local clients should use local domain controllers for authentication (assuming, the Active directory sites & services are configured properly). Further investigation revealed,
  there are some replication errors on OLDDC01 & OLDDC02 servers. First I need to solve these replication errors. Then I can
  add the NEWDC01 server to domain properly.
  Analysis
  There are several errors related to DFSR replication on both domain controllers:
  Error: 4012 on OLDDC01
  The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain.
  This server has been disconnected from other partners for 99 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder
  until this error is corrected.
  Error: 2213 on OLDDC02
  The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database
  is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
  In order to have active directory in a healthy condition, one must ensure, there’s a successful
  replication between existing domain controllers up and running. If the replication does not work correctly, you can expect bunch of issues.
  group policies and logon scripts are not applied correctly, or as intended
  when you want to add a new domain controller to the domain, it will not work as expected (although, you will not see any specific errors after the
  server is promoted to be a domain controller)
  Active directory backup
  I have scheduled an AD backup on OLDDC01 server using the ‘Windows Backup’ solution to make sure,
  I can restore the AD / SYSVOL, in case something goes wrong. The backup is scheduled to be executed every day.
  Active directory restore
  In this particular case, I will talk only about SYSVOL restore. As indicated above, we must get
  rid of the DFSR event viewer errors which you can find in event viewer. One of them is indicating, that the JET database was not shut down cleanly and autorecovery was disabled. The other error indicates, the SYSVOL volume is no longer replicated. I am not
  sure, what is the reason, why the AD’s in the domain stopped to replicate. Probably it was an unclean server shutdown. The DFSR service stopped to replicate the SYSVOL share and I was not aware about that. When the replication did not run for more than ~99
  days, the SYSVOL share was excluded from the DFSR replications.
  Find out the most accurate SYSVOL share in the domain
  I have compared the content of the SYSVOL directories on both OLDDC01 and OLDDC02 servers: C:\Windows\SYSVOL\domain\Policies.
  Both directories have 37 subdirectories. Each subdirectory corresponds to one group policy. This means, that the content is approximately the same, thus I can’t tell, which version is most recent. I do most of the GPO changes on OLDDC01, so I made a conclusion,
  that this server contains the most recent version of the SYSVOL share.
  There are 2 types of SYSVOL restores, you can do:
  Authoritative restore
  Non-authoritative restore
  Non-authoritative restore
  This is a more simple kind of a restore. You can perform this kind of restore, when you are sure,
  that one of the domain controllers is authoritative (e.g. you presume, the SYSVOL share is intact and working properly). If you can identify such a working server, you can perform non-authoritative restore of the active directory on a broken domain controller.
  Authoritative restore
  In this case, you can designate a specific domain controller to be authoritative. You set a special
  flag on this server, which will prohibit to overwrite it’s state from another domain controllers, when the replication is enabled on the server again. After you designate one server to be authoritative, you need to update all the another domain controllers
  using the non-authoritative procedure.
  In this article, you can find, how to perform authoritative vs. non authoritative AD resotre:
  http://support.microsoft.com/kb/2218556.
  In my case, I was not sure, which of the domain controllers had a more recent copy of AD, so I
  have decided to make OLDDC01 authoritative (check the link above). Once this has been done, I have made a non-authoritative update on OLDDC02 server.
  Everything was almost ready. The last step, I needed to execute was, I needed to fix the ‘JET’
  event viewer error on SRVBK1. In the event log entry on the bottom, you can find following:
  Recovery Steps
  1. Back up the files in all replicated folders on the volume. Failure to do
  so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
  2. To resume the replication for this volume, use the WMI method ResumeReplication
  of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
  wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig
  where volumeGuid="D37A9FC3-8B1D-11E2-93E8-806E6F6E6963" call ResumeReplication
  For more information, see http://support.microsoft.com/kb/2663685.
  Final words
  After I have executed this command, the replication was again started between OLDDC01 and OLDDC02
  servers. After I have started up the NEWDC01 server, I have realized, it has automatically replicated the contents of the SYSVOL share - almost immediately after the server was started up. I have again tried to login with the local client into DOMAIN domain
  and now I see, that local client is using local Domain controller for authentication.
  Everything seems to be OK now.

• Cisco asa security context active/active failover

  Hi,                  
  I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
  Each ASA appliance will have two security context named "ctx1" & "ctx2".
  I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
  I am a reading a book on failover configuration in active/active in that below note is mentioned.
  If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
  What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
  Regards,
  Nick

  Yout will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

• Fwsm - active/standby - "Vlan configuration mismatch between peers"

  Hi,
  A FWSM pair fall in to active active sittuation due to a vlan configuration mismatch. What would be the best way to synchronize configurations and return to the normal active/standbay? There is a new vlan on the primary fwsm and at present both are in active state.
  Thank you in advance.
  Zdravko

  Hi,
  To my understanding the FWSMs (even though both active) have identical configurations?
  Have you perhaps done so that on the core switch you have only issued the "firewall vlan-group only on the primary core device (to which the FWSM is attached) and not the secondary core device?
  The only time I have witnessed the same situation is when configuring a new customer link and I have only configured the primary unit (and about to configure the same on the standby unit)
  Hope it helps, not sure if the above was what you meant.
  - Jouni