FWSM Active/Standby in VSS mode
Hello,
I have two 6500s in VSS mode, and one FWSM module on each 6500. I want to configure these modules as Active/Standby. How do I start? Should I follow this (not in VSS mode):
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html
or are there other things I should do to make it work?
Thanks
up!
Similar Messages
-
Fwsm - active/standby - "Vlan configuration mismatch between peers"
Hi,
A FWSM pair fell into an active/active situation due to a VLAN configuration mismatch. What would be the best way to synchronize configurations and return to the normal active/standby? There is a new VLAN on the primary FWSM and at present both are in active state.
Thank you in advance.
Zdravko
Hi,
To my understanding the FWSMs (even though both active) have identical configurations?
Have you perhaps done so that on the core switch you have only issued the "firewall vlan-group" only on the primary core device (to which the FWSM is attached) and not the secondary core device?
The only time I have witnessed the same situation is when configuring a new customer link and I have only configured the primary unit (and about to configure the same on the standby unit).
Hope it helps, not sure if the above was what you meant.
- Jouni -
FWSM 4.0: switch from active/standby to active/active failover mode
Hello,
I have a pair of FWSM's running version 4.0 currently in active/standby failover mode, and I'd like to switch them to be active/active. Is there a documented procedure for doing this? What are the implications for any contexts switched to be primary on the FWSM that is currently acting as a standby (i.e., what kind of outage time can we expect)?
Thanks in advance,
Mike
Hi Bro
Thanks for the update, but still you'll need to create 2 contexts, each context will be ACTIVE on different Cisco ASA FW units. Hence, there will be some cut, copy and paste effort, not forgetting recabling, if that's needed. Here's a Cisco document to configure ACTIVE/ACTIVE for those who can't seem to find this document http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#req
Conclusion: There will be some network downtime. I'm guessing 15min, if it was me :-)
P/S: If you think this comment is helpful, please do rate it nicely :-) -
Step to prep CSC SSM on ASA Active/Standby mode
Hi all,
I am trying to set up Active/Standby HA mode for my site.
Currently the site is installed with one ASA firewall unit with a CSC-SSM module; the second unit is the new unit ready to be set up.
My question:
01. My concern is the second unit's CSC-SSM: what is the proper procedure or steps needed to prep it?
Do I need to prep the CSC-SSM before the ASA is in HA mode, or will it auto-propagate the configuration when both units are in HA mode?
What else do I need to be concerned about? Do I need to set up a different IP for the CSC-SSM management interface?
Thanks
Noel
Hello Yong,
Configuration related to the CSC or SSM modules will never get propagated, so you will basically need to configure it manually.
Also, it's not like failover will fail if the config on both modules is different, but of course you want to have the same one.
IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other does not.
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
How to tell if Active/active or Active/Standby mode is configured?
Folks:
I am still learning the output of my running config, but how do I tell if my firewall is set to Active/Active or Active/Standby mode?
In addition, how do I tell if it uses regular or stateful failover mode?
Thank you
I wanted to provide this as well, since I found it and it also helped me answer my question.
This output shows Active/Active failover output.
**Note** it says PIX; however, I believe it will be the same output for ASA.
PIX1(config-subif)#show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: LANFailover Ethernet3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.2(2)
Group 1 last failover at: 06:12:45 UTC Apr 16 2007
Group 2 last failover at: 06:12:43 UTC Apr 16 2007
This host: Primary
Group 1 State: Active
Active time: 359610 (sec)
Group 2 State: Standby Ready
Active time: 3165 (sec)
context1 Interface inside (192.168.1.1): Normal
context1 Interface outside (172.16.1.1): Normal
context2 Interface inside (192.168.2.2): Normal
context2 Interface outside (172.16.2.2): Normal
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 3900 (sec)
context1 Interface inside (192.168.1.2): Normal
context1 Interface outside (172.16.1.2): Normal
context2 Interface inside (192.168.2.1): Normal
context2 Interface outside (172.16.2.1): Normal -
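An added example (not part of the original thread): a small parser for `show failover` text that reports Active/Active when per-group state lines like those above are present, and lists any scope that both peers report as Active. Both samples are constructed; the `This host: Primary - Active` layout used for the Active/Standby sample and all function names are assumptions.

```python
import re

# Constructed sample, abridged from the Active/Active output quoted above.
SAMPLE_ACTIVE_ACTIVE = """\
Failover On
Failover unit Primary
Group 1 last failover at: 06:12:45 UTC Apr 16 2007
This host: Primary
Group 1 State: Active
Group 2 State: Standby Ready
Other host: Secondary
Group 1 State: Standby Ready
Group 2 State: Active
"""

# Constructed sample; assumed Active/Standby layout (state follows the role).
SAMPLE_BOTH_ACTIVE = """\
Failover On
This host: Primary - Active
Other host: Secondary - Active
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)(?:\s*-\s*(.+?))?\s*$")
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s*(.+?)\s*$")

def parse_show_failover(text):
    """Return {'mode': str, 'states': {scope: {'This': s, 'Other': s}}}."""
    states, host, grouped = {}, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            if m.group(3):  # unit-level state on the host line
                states.setdefault("unit", {})[host] = m.group(3)
            continue
        m = GROUP_RE.match(line)
        if m and host:  # per-group state lines imply failover groups
            grouped = True
            states.setdefault("group " + m.group(1), {})[host] = m.group(2)
    if grouped:
        mode = "active/active"
    else:
        mode = "active/standby" if states else "unknown"
    return {"mode": mode, "states": states}

def both_active(parsed):
    """Scopes (unit or failover group) that both peers report as Active."""
    return sorted(s for s, v in parsed["states"].items()
                  if v.get("This") == "Active" and v.get("Other") == "Active")
```
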
Single AIP-SSM in Cisco ASA Failover Active / Standby Mode
Hi,
Can I add a single AIP-SSM on a Cisco ASA in failover active/standby mode?
No, both units need the same hardware, that includes the installed modules.
Sent from Cisco Technical Support iPad App -
Stop/start in PGW active/standby mode
Hi all
My VoIP network has 2 PGWs in active/standby mode. But when we add more telcos, the state of the ss7path is OOS. I must stop/start the PGW, and then the ss7path is in IS status.
Now the PGW is running services. It is processing many calls with other telcos.
I have a question I need support with.
When we stop/start the PGW, does the PGW disconnect all calls or not?
Thanks for supporting
PhaiLQ
If you restart the service on the active PGW, calls are disconnected. If you don't want to be out of service, you must pass control to the standby server first.
From mml console of active server use the command:
rtrv-ne to check the status, the output is:
MGC-01 - Media Gateway Controller 2010-09-07 16:53:42.655 MEST
M RTRV
"Type:MGC"
"Hardware platform:sun4u sparc SUNW,Sun-Fire-V240"
"Vendor:"Cisco Systems, Inc.""
"Location:MGC-01 - Media Gateway Controller"
"Version:"9.6(1)""
"Platform State:ACTIVE"
sw-over::confirm to switch control to standby server
now restart the service
/etc/init.d/CiscoMGC stop
/etc/init.d/CiscoMGC start
P.S. If I remember the right way, the OOS (out of service) state of new ss7 path can be set in IS (in service) via mml command line without service restart.
set- your ss7 path ::IS use tab for help
Regards. -
Asr-group feature in active/standby mode
Hi ,
I would like to know if anyone has used the asr-group feature in active/standby mode. Is it not recommended by Cisco for active/standby mode? The feature works in both environments.
Thanks in advance
Tomy
Hi Tomy,
The asr-group feature on the ASA is only supported in Active/Active failover:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_active.html#wp1271955
-Mike -
Calendar entries in Active Standby mode
A double question, but both are closely related.
In Active Standby mode it shows upcoming calendar entries for today and future ones.
Q1) Can someone clarify: does it only show 1 entry for future events? I have placed 2 entries for tomorrow and 1 for the day after, but only 1 (the first) appears in Active Standby.
Q2) I THINK IS A BUG!! It does not show Anniversary as future events in Active Standby. It only appears when it is on the day (bit late if you need to buy a present!).
Any comments
Andrew
Device: N70
Version: V 2.0536.0.2 12-09-05 RM-84
I think this is by design. Not quite sure what the basis is of what is included and what is not. Items from the current day seem to show up in greater numbers than in future days.
All About Symbian - News, reviews and software for S60 phones. -
FWSM move from Active/Standby to Active/active
Hi there,
we have some FWSM installed in 6500 with many contexts in them. They are at the moment configured as Active/Standby and in production. But we have noticed that whenever a backup is run which goes through some of the contexts, the FWSM start counting errors which was already determined to be an oversubscription issue. So, while we wait for the new ASA 5585X to arrive and finally replace them, we want to mitigate the issue by configuring the FWSM as Active/Active and move the contexts for backup traffic to the other box (keeping the production contexts in the other one).
My question is, can this be done without impacting the production traffic? Or as soon as we enable the active/active by the configuration of the groups and assignments of the contexts, the traffic will be impacted and we will produce an outage to the network?
Thanks in advance for your help.
Regards,
Paula
So no answers?
Just one to update why we had a problem here: we need to pull changes from Physical StandBy; because of performance reasons we cannot afford to reload every table with a full refresh, we only want to get changes. At first I thought that it would be easy, just create a materialized view log and do basic replication, but in Physical StandBy we can't do it -
Active/Standby And failover link configuration mode
Hi everyone,
When configuring the failover link of an ASA in Active/Standby mode:
When we config failover int, say gi0/1
config t
int gi0/1
failover lan int gi0/1
Need to confirm we do this from interface config mode only or we can do this from global config also ????????
When we assign IP to this int we do that from global config mode ????
Regards
Mahesh
Message was edited by: mahesh parmar
Hi,
Actually the ASA lets you insert a lot of commands whatever mode you are under.
In the output you posted is a very important thing to notice
configure mode commands/options:
WORD Specify the interface name
As you can see, the output lists only one option and before that it mentions that this is a "configure mode" command
So even if you entered the command under the interface configuration mode, it would still be entered as a global/configure command mode.
Take the following thing for example
I want to check what configuration options I have with the command "failover"
So I enter the following to my ASA
ASA(config)# failover ?
configure mode commands/options:
interface Configure the IP address to be used for failover and/or
stateful update information
interface-policy Set the policy for failover due to interface failures
key Configure the failover shared secret or key
lan Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
mac Specify the virtual mac address for a dynamic interface
polltime Configure failover poll interval
timeout Specify the failover reconnect timeout value for
asymmetrically routed sessions
exec mode commands/options:
active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force a unit or failover group to an unfailed state
As you can see, the ASA tells us that there are different additional command parameters after the "failover" command that can be used. Some of them can be used either in Exec or Configuration mode.
- Jouni -
Active/standby in multiple context mode
Is active/standby configuration possible in multiple context mode? I cannot find an article regarding this matter.
Hello John,
It is available
Actually the ones you need are the regular ones (documents) as the ASA will trigger failover if one of the contexts fails
Important Notes
For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.
Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations.
With this I think you are ready to start configuring it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
Julio -
I have a Nokia E5
I have tried to experiment with the Modes function, whereby you can have one profile for business and another for personal.
The first time I went into Modes (from the control panel), I was asked to go into "Active Standby Mode", which I did. Now everything has changed and I am not sure whether I like it.
Is it possible to get back to how I was before - i.e. before I went into Active Standby Modes?
Hi,
No unfortunately the only way of doing this will be from the app shortcuts. There is to my knowledge no way of doing this automatically. Might be there is an ext. developed app that I do not know of.
BR, PerLs -
6288 - Active Standby Mode menu lost
Hello,
The Active Standby Mode menu has disappeared from
Menu-Settings-Standby Mode Settings.
I can't access this setting any more.
My firmware version is 6.10.
Thanks for any advice.
Jerome
Message Edited by hidje on 21-Jul-2007 07:37 AM
I have the same problem. I don't know if I'll use that option but it is annoying that I can't activate it. I have software version 6.10 and in the display-standby option the first submenu is wallpaper (not active standby setting).
Has anyone fixed this BUG? -
ASA Active/Standby mode and Hello messages
Hi Everyone,
In ASA Active/Standby mode I know that, say, the inside or any other interface of the active and standby ASA should connect to the same switch and VLAN.
When we assign, say, an IP address to the inside interface of both ASAs like
ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2 255.255.255.0
Need to know if these inside interfaces talk to each other or not?
Do they send hello messages?
Thanks
Mahesh
Hi Mahesh,
The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.
The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.
By default all Physical interfaces are automatically monitored. To my understanding Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.
You would use the command
monitor-interface
Check the Command Reference section for this
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112
I would also suggest reading the following section of the Configuration Guide
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010
It has information of the Unit and Interface health monitoring of the Failover pair.
If you want to debug Failover activity you could use the command
debug fover
It has multiple additional parameters after that command
Here is the Command Reference section for the debug command
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011
You can even attach a computer on the switch between the ASAs and capture the packets between them and you can see the Failover messages etc. from the ASAs
- Jouni