Interpret failover command on my asa

Hi Everyone, thank you very much for your help in advance...
I would like to ask if you can help interpret what each line of the following commands means, and how failover works with the settings below?
failover
failover lan unit primary
failover lan interface failover Management0/0
failover polltime unit 3 holdtime 9
failover replication http
failover link failover Management0/0
failover interface ip failover 192.168.0.1 255.255.255.240 standby 192.168.0.2
icmp unreachable rate-limit 1 burst-size 1
Thank you very much for your help
Takami chiro

failover : Enables failover.
failover lan unit primary : Makes the unit on which this command is entered the primary FW.
failover lan interface failover Management0/0 : Specifies which interface will be used for exchanging FW hellos and other messages.
failover polltime unit 3 holdtime 9 : This command changes the frequency at which failover hellos are sent to the other FW.
failover replication http : Enter this if you want HTTP sessions to be replicated to the standby FW. If this is entered, the user will not have to refresh his browser.
failover link failover Management0/0 : Specifies the interface for exchanging state information.
failover interface ip failover 192.168.0.1 255.255.255.240 standby 192.168.0.2 : Specifies the failover IP addresses.
HTH
Zubair
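As an added example (not from the post above or from Cisco), the following Python parses a failover block like the one quoted and checks the relationships the commands imply: that the name in "failover interface ip" is the LAN interface name, that the active and standby addresses differ and both fall in the failover subnet, that the holdtime is at least three times the unit polltime (the constraint the ASA CLI enforces, which the 3/9 pair above meets exactly), and that HTTP replication has a state link to travel over. The sample configuration is constructed from the post.

```python
"""Parse an ASA failover configuration block and sanity-check it."""
import ipaddress
import re

# Constructed sample: the failover commands quoted in the post above.
SAMPLE_CONFIG = """\
failover
failover lan unit primary
failover lan interface failover Management0/0
failover polltime unit 3 holdtime 9
failover replication http
failover link failover Management0/0
failover interface ip failover 192.168.0.1 255.255.255.240 standby 192.168.0.2
"""


def parse_failover(config):
    """Collect the failover settings present in a config fragment."""
    cfg = {"enabled": False, "replication_http": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "failover":                      # bare keyword turns failover on
            cfg["enabled"] = True
        elif line == "failover replication http":   # replicate HTTP sessions to standby
            cfg["replication_http"] = True
        elif m := re.match(r"failover lan unit (primary|secondary)$", line):
            cfg["unit"] = m.group(1)
        elif m := re.match(r"failover lan interface (\S+) (\S+)$", line):
            cfg["lan_name"], cfg["lan_if"] = m.groups()      # hello/command link
        elif m := re.match(r"failover link (\S+) (\S+)$", line):
            cfg["link_name"], cfg["link_if"] = m.groups()    # state replication link
        elif m := re.match(r"failover polltime unit (\d+) holdtime (\d+)$", line):
            cfg["polltime"], cfg["holdtime"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line):
            cfg["ip_name"], ip, mask, standby = m.groups()
            cfg["active_ip"] = ipaddress.ip_address(ip)
            cfg["standby_ip"] = ipaddress.ip_address(standby)
            cfg["subnet"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return cfg


def check_failover(cfg):
    """Return a list of problems; an empty list means the block is consistent."""
    findings = []
    if not cfg["enabled"]:
        findings.append("failover is not enabled (bare 'failover' line missing)")
    if "unit" not in cfg:
        findings.append("unit role (primary/secondary) not set")
    if "lan_if" not in cfg:
        findings.append("no 'failover lan interface' for hello exchange")
    if "active_ip" not in cfg:
        findings.append("no 'failover interface ip' addresses")
    else:
        if cfg["active_ip"] == cfg["standby_ip"]:
            findings.append("active and standby failover addresses are identical")
        if cfg["standby_ip"] not in cfg["subnet"]:
            findings.append("standby address lies outside the failover subnet")
        if cfg["ip_name"] != cfg.get("lan_name"):
            findings.append("'failover interface ip' name does not match the LAN interface name")
    # The ASA CLI rejects a holdtime shorter than three unit poll intervals (3/9 above is the minimum ratio).
    if "polltime" in cfg and cfg["holdtime"] < 3 * cfg["polltime"]:
        findings.append("holdtime must be at least 3x the unit polltime")
    if cfg["replication_http"] and "link_if" not in cfg:
        findings.append("HTTP replication configured but no 'failover link' carries state")
    return findings
```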

Similar Messages

  • Config commands authorization on ASA

    Hi, is there a way to control the config commands with TACACS+ authorization?
    When I enable the configure command in the ACS shell command authorization set, all other config commands are enabled.
    In IOS there is "aaa authorization config-commands"; how do I do this with ASA?

    Please check this link that explains about command authorization on ASA.
    These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
    aaa-server authserver protocol tacacs+
    aaa-server authserver host 10.1.1.1
    aaa authorization command authserver
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Command in cisco ASA to see security zones

    Hi there,
    A basic question.
    I can't see the security level and zone in the "show interface ip br" command.
    Is there any command which can be helpful?
    Regards, 
    Yad Singh

    Try 'show nameif'
    ASA-FW# show nameif
    Interface                Name                     Security
    GigabitEthernet0/0       outside                    0
    GigabitEthernet0/1       inside                   100
    Management0/0            management               100

  • Iptables command "translated" Cisco ASA 5540 Ver 9.0(1)

    I would like to have these commands on our firewall to prevent at least several students from using this service. Can someone help me translate this? It apparently works great if I use a Linux box or another firewall compatible with iptables.
    Thanks in advance.
    Hermano
    iptables -I INPUT -s hotspotshield.com -j REJECT
    iptables -I INPUT -s hotspotshield.net -j REJECT
    iptables -I INPUT -s anchorfree.com -j REJECT
    iptables -I INPUT -s anchorfree.net -j REJECT
    iptables -I INPUT -s openvpn.net -j REJECT
    iptables -I OUTPUT -d hotspotshield.com -j REJECT
    iptables -I OUTPUT -d hotspotshield.net -j REJECT
    iptables -I OUTPUT -d anchorfree.com -j REJECT
    iptables -I OUTPUT -d anchorfree.net -j REJECT
    iptables -I OUTPUT -d openvpn.net -j REJECT

    Check the following link, it should help you out.
    http://www.packetpros.com/2012/08/url-filter-on-asa.html

  • Command authorization for ASA

    Hi all
       I have configured the ASA firewall for command authorization with ACS. For users with privilege level 15 it is working fine. But when I log in with users with privilege level 0, first when I enter the username and password, it enters into enable mode. But after that, when I put in the enable password, it is not working. I configured the "use the same PAP password" option in the ACS enable section for the user. Also, is it possible in ASA that when a user enters the username and password, he could directly log into exec mode rather than enable mode and be assigned the privilege for the user as configured in the ACS user configuration?
    Thanks in advance
    Anvar

    Hi Dan
      I have already configured the enable password using TACACS+. Please find my aaa config on the ASA:
    aaa authentication telnet console TACACS-SERVER LOCAL
    aaa authentication http console TACACS-SERVER LOCAL
    aaa authentication ssh console TACACS-SERVER LOCAL
    aaa authentication enable console TACACS-SERVER LOCAL
    aaa authentication serial console LOCAL
    aaa authorization command TACACS-SERVER LOCAL
    aaa accounting telnet console TACACS-SERVER
    aaa accounting command TACACS-SERVER
    aaa accounting ssh console TACACS-SERVER
    regards
    anvar

  • Command authorization on ASA

    Hi,
    Can anyone confirm that command authorization works as advertised on the ASA platform? i.e. is anyone doing this successfully at the moment?
    We've had no problems with authentication, accounting, NARs, etc. - just the authorization sets.
    thanks,
    Andrew.

    Hi andrew.burns,
    Command authorization should work on ASA. Please review
    Configuring Command Authorization
    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mgaccess.htm#wp1042034
    btw - what version of ASA are you using? Also, are you using shared profile components?
    Hope this helps!

  • How to interpret psr command in Tuxedo 8.0

    My friends, i need your help, when I execute psr command:
    1- I need to know what RqDone and Load Done stand for. And why is Load Done = RqDone * 50 (why 50, and what does it mean)?
    2- What does RqDone = VERBOS stand for?
    Thanks to all
    Best regards.
    Edited by: osca1069 on 04-11-2009 12:29 PM
    Edited by: osca1069 on 04-11-2009 12:30 PM

    Hi,
    the psr command shows information about Tuxedo server instances. The column RqDone shows the total number of service requests this particular server instance has processed.
    Now, a Tuxedo server can (and usually does) advertise several different services. The services really represent the "value" of the server as these are called from various clients. If a given server advertises services SvcA and SvcB, these services can be very different in terms of processing and resource consumption, i.e. the load they impose on the system.
    Therefore, each service can be assigned a load value (between 1 and 100) that gives an indication of this service's load on the system, relative to other services (to be picky, only relative to other services advertised by the same server). The default load value for any given service is 50. That's the reason why Load Done usually equals RqDone * 50.
    The load values can be used for load balancing purposes. If you want to do this, you need to
    - activate the load balancing if this is not already done (ubbconfig *RESOURCES:LDBAL Y)
    - determine relevant load values (1-100) for different services, usually based on their processing time
    - declare the values for each service in the ubbconfig (*SERVICES: SvcA LOAD=xx)
    When you see the value VERBOS in a tmadmin report it's an indication that the number is too big (too many digits) to display in the given report format. Using the -v (verbose) option to psr (or most other tmadmin reporting commands) will most likely show you the value, although the entire formatting will be totally different.
    Hope this helps,
    /Per

  • What are the services or commands contained under ASA-management-only policy ?

    If an interface is enabled with the management-only policy on an Adaptive Security Appliance, which services would be allowed under it?

    Thanks Obama for replying.
    Here is the comment from @jaiharidas of MSFT if anyone's interested:
    @Naziq, It is better to have multiple shares under a single storage account and there are no perf implications. However, please ensure that your ingress/egress and requests/sec are within the limits of a single storage account (see msdn.microsoft.com/.../dn249410.aspx) and use multiple storage accounts if you need to scale beyond the limits.
    See the original comment from the Azure Storage Team here: http://ow.ly/ChPNf
    @nazik_huq

  • Failover License Sync Between Two ASA 5520

    According to the link here:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_license.html#wp1315746
    Starting with Version 8.3(1), it is no longer necessary to install identical licenses. Typically, we only buy a license for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active.
    So I wanna know if there's some additional configuration to synchronize the licenses such as SSL VPN or Context between the primary one and the second one? Or can they just synchronize by default as soon as I finish the failover configuration, so that when the primary one goes down, the second one will take over the role including licenses automatically?

    Karsten - I have an issue in syncing the licenses between active and standby firewalls. I have installed the Security Plus license on the primary firewall and done the failover configuration, but on the standby firewall I can't enable the failover commands as the license is not replicated to the standby firewall. Earlier both ASAs had the base version installed. What might be the issue? Does the replication happen automatically? Let me know... how does the primary firewall know the standby in order to replicate the license?

  • How to correct start failover after loosing disk0 on one of ASA

    Hello, guys.
    I have some problems finding the correct answer. One CF in one of the ASAs in an active/standby failover cluster died a few days ago.
    So everything works perfectly.
    But now I have:
    asa-5520/act# sh fail
    Failover On
    Failover unit Secondary
    Failover LAN Interface: failover GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 160 maximum
    Version: Ours 8.4(4), Mate 8.4(2)
    Last Failover at: 00:25:50 UTC Jun 14 2012
    This host: Secondary - Active
    Active time: 161347 (sec)
    slot 0: ASA5520 hw/sw rev (2.0/8.4(4)) status (Up Sys)
    Interface internet (x.x.x.1): Normal (Waiting)
    Interface inside (10.137.250.1): Normal (Waiting)
    Interface management (192.168.1.1): Link Down (Waiting)
    slot 1: empty
    Other host: Primary - Failed
    Active time: 24695466 (sec)
    slot 0: ASA5520 hw/sw rev (1.0/8.4(2)) status (Unknown/Unknown)
    Interface internet (x.x.x.2): Unknown (Monitored)
    Interface inside (10.137.250.2): Unknown (Monitored)
    Interface management (0.0.0.0): Unknown (Waiting)
    slot 1: empty
    On failover unit Primary the internal flash card (disk0) died. So the card was replaced, I booted up the ASA via TFTP and copied the files (image file, ASDM file and startup-config from the live ASA).
    So I have a question. I have the startup-config from unit secondary. As I understand, I can simply change the following in the config:
    failover lan unit secondary
    to failover lan unit primary
    Will that be correct?
    Or I can run on the current secondary the command:
    failover lan unit primary
    And boot up the other ASA with the config from secondary?
    So, I appreciate any help, and I can't experiment with commands, because it's very much production.

    If I understand correctly, my steps will be the following:
    On new ASA without any configuration (almost clean) I'll enter:
    ASA(config)#failover lan unit primary
    ASA(config)#failover lan interface failover GigabitEthernet0/2
    ASA(config)#failover link failover GigabitEthernet0/2
    ASA(config)#failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
    ASA(config)# interface GigabitEthernet0/2
    ASA(config-if)#no shut
    ASA(config-if)#exit
    ASA(config)#failover
    And after that the configuration will be synced from the active (secondary) to the standby (primary) unit without any downtime or traffic corruption. Yes?

  • Failover link in a C65K VSS with ASA-SM

    Hi
    Just experienced a combined TCP flood / UDP flood attack, which caused both ASAs to go active :-(
    Active:
    01:56:05 ASA-SM1 : %ASA-1-105043: (Primary) Failover interface failed
    01:56:09 ASA-SM1 : %ASA-1-105042: (Primary) Failover interface OK
    01:56:32 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 3).
    01:56:47 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
    The standby ASA said ' failover off' but a reload of the standby fixed the dual active problem:
    Standby:
    ASA-SM1# sh failo
    Failover Off
    Failover unit Secondary
    Failover LAN Interface: folink Vlan998 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    ASA-SM1# sh failo state
                        State          Last Failure Reason      Date/Time
    This host  -   Secondary
                         Disabled       None
    Other host -   Primary
                        Not Detected   Comm Failure      01:55:59
    'Service-policy in' on the uplink interface (was 512/10 before):
    embryonic-conn-max 256 per-client-embryonic-max 5
    Questions:
    1. Possible causes for the comm failure (memory exhaustion?). Any good commands for checking?
    2. The failover link:
    In an ASA appliance setup it is recommended to establish a dedicated physical failover link between the ASAs. What about ASA-SM in a VSS setup: does it make sense to establish e.g. a physical 1G link for failover, and if yes, won't there be a loop issue with this and the failover VLAN on the VSL link?
    3. What is "Interface Policy 1" in the 'sh failo' command output?
    Thanks
    Jesper
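As an added example, not from either thread above or from Cisco, this Python reads the text of 'show failover' in the form pasted in the disk0 thread ("Other host: Primary - Failed", "Version: Ours 8.4(4), Mate 8.4(2)") and in Jesper's standby output ("Failover Off") and lists the conditions an operator should clear before relying on the pair: failover disabled on a unit, a failed peer, a software mismatch between ours and mate, a failover LAN interface that is not up, and local interfaces that are Link Down. The sample output is constructed from those two reports.

```python
"""Read 'show failover' text from a Cisco ASA and flag redundancy problems."""
import re

# Constructed sample modelled on the output quoted in the threads above.
SHOW_FAILOVER_DEGRADED = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Version: Ours 8.4(4), Mate 8.4(2)
This host: Secondary - Active
        Interface internet (x.x.x.1): Normal (Waiting)
        Interface management (192.168.1.1): Link Down (Waiting)
Other host: Primary - Failed
        Interface inside (10.137.250.2): Unknown (Monitored)
"""


def parse_show_failover(text):
    """Pull the unit, peer, version and interface states out of the report."""
    st = {"enabled": None, "unit": None, "lan_link": None, "ours": None,
          "mate": None, "this_state": None, "other_state": None,
          "interfaces": {"this": [], "other": []}}
    side = None          # which host's interface list we are inside
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"Failover (On|Off)$", s):
            st["enabled"] = m.group(1) == "On"
        elif m := re.match(r"Failover unit (Primary|Secondary)$", s):
            st["unit"] = m.group(1)
        elif m := re.match(r"Failover LAN Interface: \S+ \S+ \((\w+)\)$", s):
            st["lan_link"] = m.group(1)
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)$", s):
            st["ours"], st["mate"] = m.groups()
        elif m := re.match(r"This host: \w+ - (.+)$", s):
            side, st["this_state"] = "this", m.group(1)
        elif m := re.match(r"Other host: \w+ - (.+)$", s):
            side, st["other_state"] = "other", m.group(1)
        elif side and (m := re.match(r"Interface (\S+) \(\S+\): (.+?) \(\w+\)$", s)):
            st["interfaces"][side].append((m.group(1), m.group(2)))
    return st


def health_findings(st):
    """Conditions an operator should act on before trusting the pair to fail over."""
    f = []
    if st["enabled"] is False:
        f.append("failover is Off on this unit: if the peer is Active the pair is split")
    if st["other_state"] and "Failed" in st["other_state"]:
        f.append("peer unit is Failed: no redundancy until it is repaired")
    if st["ours"] and st["mate"] and st["ours"] != st["mate"]:
        f.append(f"software mismatch: ours {st['ours']}, mate {st['mate']}")
    if st["lan_link"] and st["lan_link"] != "up":
        f.append("failover LAN interface is not up")
    for name, status in st["interfaces"]["this"]:
        if status.startswith("Link Down"):
            f.append(f"local interface {name} is Link Down and cannot be monitored")
    return f
```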

    Hello Adrian,
    Don't know if this is the cause of your issue, but I was thinking about a scenario in which, after your ISP interface goes DOWN and UP, your IP address is being changed.
    IOS itself does not delete the ISAKMP SA because the interface on which you have the crypto map attached is down, so the SA will still be up on IOS. On the ASA, since you have the default configuration, you have DPD (dead peer detection) turned on; probably after 10 seconds the crypto SA will go down since no DPD reply is received.
    IOS will continue to send encrypted traffic towards the ASA, but for the ASA the tunnel is dead and it will ignore these packets (there should be something in the logs), but the router will never know it since it has DPDs turned off.
    It could also happen if you are getting the same IP address from your ISP, but Internet outages are longer than 30 seconds.
    The solution would be to turn on DPDs on IOS:
    crypto isakmp keepalives TIME_IN_SECONDS periodic
    Details about DPDs:
    https://supportforums.cisco.com/docs/DOC-8554
    Regards,

  • New ASA 5515x failover setup

    Just an architecture setup question. We have purchased two 5515x ASA firewalls. I will be setting them up in a stateful failover setup. I know this sounds like a basic question but here goes. I am thinking we should get the first one working on my network and then install the failover ASA once the first one is working properly....? Any thoughts?

    Hi,
    Yes, you can just configure the single ASA first with the configurations and, after its configuration is finished, install the Secondary unit.
    Naturally, while you are configuring the Primary unit you should already set up the interfaces with a "standby" IP address under the interface configuration.
    After you have set up the Primary ASA and made sure that for each of its interfaces/subinterfaces you have an L2 connection through the connecting networking devices to the Secondary ASA's corresponding interfaces/subinterfaces, then you are ready to install the Secondary ASA in the network.
    What you could do on the Secondary ASA is remove its default factory configuration and then configure "no shutdown" on each physical interface that you are going to use. Then you could configure the required failover configuration using the multiple different "failover" configuration commands. (You won't need to configure the actual physical port separately, you just need to enable it with "no shutdown"; the "failover" commands should handle the rest.)
    After the physical interfaces are configured up and the "failover" commands are set up on the Secondary ASA (and naturally the Primary ASA), then you could basically save the configuration on the Secondary ASA, power down the Secondary ASA, connect it to the network and boot it up. It should then sync the configuration from the Primary ASA after it has booted up and noticed the Active unit (Primary ASA) through the failover link. So you should not really need to configure the Secondary ASA a lot, since it syncs the majority of the configuration from the Primary ASA. Naturally the above "failover" configuration is required so the failover link can be formed for the sync.
    I have had to do this a couple of times lately because of broken-down ASAs in failover pairs. Naturally I would suggest that you take backups of the Primary ASA's configuration before you start setting up the failover environment, so that in case of some error in the setup you still have the configuration. Some people have mentioned one unit wiping the other's configuration, but it has not happened to me at least.
    Hope this helps and that I made any sense :)
    - Jouni

  • Cisco asa security context active/active failover

    Hi,
    I have two Cisco ASA 5515-X appliances running OS version 8.6. I want to configure these two appliances in multiple context mode.
    Each ASA appliance will have two security contexts named "ctx1" & "ctx2".
    I have to configure failover on these two ASA appliances such that "ctx1" will be active on one ASA box and "ctx2" will be active and process traffic on the second box. To achieve this I will configure two failover groups, 1 & 2, and assign the "ctx1" interfaces to failover group 1 and the "ctx2" interfaces to group 2.
    I am reading a book on failover configuration in active/active, in which the note below is mentioned:
    If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
    What does this mean? Can someone please explain, because I also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case can the shared interface be used in failover groups 1 & 2?
    Regards,
    Nick

    You will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

  • IPS engine upgrade with failover ASA, now they don't match?

    We recently added a failover 5520 with the ASA-SSM-20, which matches the primary ASA/IPS. My question is I just upgraded the primary IPS to 5.1(5)-E1. It went fine, except now the failover IPS is still on 5.0(2). How do I update the failover IPS to match what's on the primary?
    Shouldn't this happen automatically since it is setup in a failover scenario? I have it cabled via a cross-over cable to the primary ASA.

    The SSM modules are managed completely separately from the firewalls; you need to upgrade & manage both of them individually, as well as apply the same configurations to each, either separately or via a group in either CSM or VMS...
    If the second SSM module hasn't been given its own IP, you can "session" into it from the standby firewall console and then give it its own IP.
    If this helped, please rate the post :-)
    Thanks!
    ...Nick

  • ASA Command check bandwith use.

    I am using a 5505 and I want to know if there is a command to show me how much bandwidth each IP address is using, or something similar. Sometimes the network works really slow, so I want to see if someone is using too much bandwidth.

    Hello,
    There are no commands on the ASA to see this information; you can see the number of connections per IP but not the bandwidth usage.
    You can use NetFlow for this purpose.
    Regards,
    Felipe.
    Remember to rate useful posts.
