Reg. Redundant interfaces in ASA 8.0

Hi
In ASA 8.0, I have the following queries related to redundant interfaces:
a) While configuring a redundant interface, can the redundant interface again be divided into logical interfaces like red1.1, red1.2?
b) Is a redundant interface supported in multiple context mode?
Regards
Ankur

Yes Ankur, it is possible.
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
interface Ethernet0/1
 speed 100
 nameif inside
 security-level 100
 ip address 192.168.16.19 255.255.255.128
 ospf network point-to-point non-broadcast
 ospf message-digest-key 123 md5
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif null0
 security-level 50
 ip address 10.2.1.1 255.255.255.0
interface Management0/0
 no nameif
 security-level 0
 no ip address
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Redundant1.1
 vlan 32
 no nameif
 no security-level
 ip address 1.1.1.8 255.0.0.0
Regards,
Sushil
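As an added check (not part of the thread or of Cisco's own tooling), the script below parses an ASA-style config like the snippet above, reports each RedundantN interface's members, the member that is active by default (the first one listed) and its VLAN subinterfaces, and flags member interfaces that still carry their own nameif or IP address. The sample config is constructed from the snippet and trimmed.

```python
import re

# Constructed sample modelled on the snippet in the answer above (trimmed).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Redundant1.1
 vlan 32
 nameif dmz
 ip address 1.1.1.8 255.0.0.0
"""

def parse_interfaces(config):
    """Map each 'interface <name>' block to its sub-command lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line and current is not None:
            blocks[current].append(line)
    return blocks

def redundant_summary(config):
    """Members, default-active member (first listed) and subinterfaces per RedundantN."""
    ifaces = parse_interfaces(config)
    summary = {}
    for name, lines in ifaces.items():
        if not re.fullmatch(r"Redundant\d+", name):
            continue
        members = [l.split()[1] for l in lines if l.startswith("member-interface ")]
        subs = sorted(s for s in ifaces if s.startswith(name + "."))
        summary[name] = {"members": members, "active": members[0] if members else None,
                         "subinterfaces": subs}
    return summary

def check_redundant_interfaces(config):
    """Flag: not exactly two members, a member with no block, a member that still
    carries its own nameif/IP, or a subinterface without a vlan tag."""
    ifaces = parse_interfaces(config)
    findings = []
    for name, info in redundant_summary(config).items():
        if len(info["members"]) != 2:
            findings.append(f"{name}: expected 2 members, found {len(info['members'])}")
        for m in info["members"]:
            if m not in ifaces:
                findings.append(f"{name}: member {m} has no interface block")
            elif any(l.startswith(("nameif ", "ip address ")) for l in ifaces[m]):
                findings.append(f"{name}: member {m} still has its own nameif/ip address")
        for s in info["subinterfaces"]:
            if not any(l.startswith("vlan ") for l in ifaces[s]):
                findings.append(f"{s}: subinterface has no vlan tag")
    return findings
```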

Similar Messages

  • ASA Redundant Interfaces

    Hi everybody,
    and thanks for a great forum!
    I have one ASA and two switches. I would like the ASA set up with a redundant interface consisting of one physical interface in each switch (VLAN trunked across the two switches). Now... Is it possible to set a preferred active physical interface in this redundant interface bundle? Is there a way to make sure the same interface is always active (with both interfaces working as intended), even after a reboot?
    More specifically, I need this so I can decide where to establish my STP root, and always have the most optimal path (again, of course, unless one interface fails).
    Cheers

    Hi,
    I see that you want to configure a redundant interface on the ASA and also need to ensure that the same interface always remains active. Now, the interface which you define first using the 'member-interface' command while configuring the redundant interface will be the active one by default. If you already have it configured and you want to change the active interface, you can use the following command:
    To change the active interface, enter the following command:
    hostname# redundant-interface redundantnumber active-member physical_interface
    Now, if active interface goes down, second one will take over as expected.
    Check this link for more info:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838
    Hope this answers your question.
    Sourav

  • ASA Redundant interfaces with stack switches

    Hi All,
    We have two ASA 5510s connected in failover, and a pair of Cisco 2960S switches connected in a stack.
    Currently one interface of the primary ASA is terminated on switch1 and an interface from the standby is connected to switch2 as Inside, and switch1 and switch2 are in a stack.
    For redundancy purposes I want to use multiple interfaces of the ASA for inside, so first I thought of using EtherChannel, but it has a limitation that it cannot be terminated on a stack switch (as per the Cisco document http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_start.html).
    So my question is:
    1. Can we use the redundant interface feature, where 2 physical interfaces are combined into a redundant interface (e.g. interface redundant 1), for inside redundancy purposes?
    2. Can these ports from the primary/standby ASA be terminated on the stack switches (2960S)? Will this work (if the switch with the active port goes down, will the other port take over in the redundant interface with the other switch)?
    I have attached the nw diagram,
    Regards,
    Ashraf

    Hello Ashraf,
    1. Can we use the redundant interface feature, where 2 physical interfaces are combined into a redundant interface (e.g. interface redundant 1), for inside redundancy purposes?
    Sure, you can. That's the whole purpose of the feature.
    2. Can these ports from the primary/standby ASA be terminated on the stack switches (2960S)? Will this work (if the switch with the active port goes down, will the other port take over in the redundant interface with the other switch)?
    It would make sense if that happens, as the status of the interface will be in a different state than up/up, so failover to the other interface will be triggered.
    Regards,
    Julio

  • Cisco ASA Redundant interface

    Hello,
    We are looking at upgrading an aging firewall with a Cisco ASA. I have used the ASA before.
    We would like to use the ASA in a colocation facility that will have a few site-to-site VPNs. The ASA MUST be able to have redundant interfaces to our switches. Reading through the ASA documentation, this is possible. (http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838) Can the ASA have redundant links to the same VLANs? Will any of our configuration for VPNs, etc. have to be set up twice?
    Thanks

    There are four types of redundancy that one can use on ASAs. The first one you cited, redundant interfaces on a single physical device, is the least common in my experience.
    The second is failover - when the ASA is mated with a failover ASA in a high availability configuration. This is the most common usage for customers requiring high availability (HA). That is the most common implementation and has been around since ASA 7.0 software (i.e. a good many years).
    The third is to bond your interfaces from a given ASA (or sets of interfaces if you have an HA pair) into an EtherChannel. This has the added advantage of giving you potentially higher throughput. EtherChannel support was introduced in ASA software version 8.4(1).
    The fourth and newest method is clustering. It was introduced just last fall in ASA 9.0 and is not very widely adopted just yet. It is primarily for high throughput requirements exceeding a single device's capacity but also gives the added benefit of redundancy.
    None of them require you to set up things twice configuration-wise. Some file operations (software upgrade, certificate management, VPN profiles (XML files)) need to be copied onto both members in a failover pair or all members in a cluster scenario.
    Edit - there is a fifth type specific to VPNs whereby one can configure a secondary VPN gateway for clients, usually at an alternate site. That approach does require setting up everything separately on the ASAs.

  • Redundant Interfaces with Management0/0 on ASA5510

    Readers,
    Is it possible to configure redundant interfaces on the Management port?
    Thanks,
    Timothy

    Timothy
    Normal ASA boxes just have a single management interface.. I really don't feel the need for redundancy here.. If you need one, you can get a failover ASA box, and build up redundancy..
    In any case, you have other interfaces like inside, through which you can enable management, like telnet, http etc., if required.. or any other DMZ interface (say a network management DMZ)... it's all flexible.. with all these, I really don't see any need for a redundant management port...
    Hope this helps.. all the best..
    Raj

  • IPSec tunnel on sub-interface on ASA 5510

    Hello All,
    I am working on a security solution using an ASA firewall and need some technical advice on the ASA. Is it possible to set up IPSec tunnels on each subinterface of a physical interface on an ASA 5510?
    I would be grateful if someone could reply to this post with some details.
    Regards,
    Muds

    Hi Jennifer,
    Thanks very much for your reply. I understand where you are coming from, but the reason for using sub-interfaces is that we have only one physical interface on the firewall connected to the MPLS cloud, and we need to set up separate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily set up a static route to the peer address.
    Many thanks for your assistance; please feel free to advise if you have any other suggestion.
    Regards,
    Muds

  • Interface on asa.

    Hi,
    I have connected a firewall inside interface to an L3 switch.
    On the L3 switch:
    int gi0/1
     no switchport
     ip address 192.168.10.1 255.255.255.0
     no shut
    On the firewall:
    int gi0/1
     nameif inside
     security-level 100
     ip address 192.168.10.2 255.255.255.0
    If I ping 192.168.10.2 from the firewall, it pings.
    As I know, an inside host can ping the inside interface, but not any opposite interface such as the DMZ etc. (an access-list is needed).

    Hi Prashant,
    Here are two things involved.
    1. Ping to the far end interface.
    The ASA will not allow you to ping the far end interface. For example, if you are a host connected on the Inside network and ping the Inside interface, the ASA will reply, but if you try to ping the DMZ interface from a host on the inside, it will not answer, and this is expected.
    2. Permit traffic from lower to higher interfaces.
    All the traffic from a higher interface level to a lower interface level is permitted by default, but is denied the other way around, from lower to higher.
    If you need to permit traffic from lower to higher, you need to enter an access-list on the lower level interface to permit traffic to the higher security level (if you are on version 8.2 or earlier you might need to add a NAT rule).
    For example:
    Inside security level 100
    Outside security level 0
    Inside host 192.168.1.1
    access-list outside_access_in permit ip any host 192.168.1.1
    access-group outside_access_in in interface outside
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml
    I hope this helps.
    Regards
    Godfrey

  • Redundancy Interface for Content Server Release 6.x

    The third-generation Content Server is a UCS C220 (not VMware).
    I see from the TCS Release 6.x Quick Start that LAN2 cannot be used.
    I'm not sure how to connect the LAN for a redundant interface, or whether to, because it has many NIC cards.
    Dual 1-Gb Ethernet ports:
    LAN1 (Arrow 7, left pointer)— Use this port to connect the Content Server to the network (also see Figure 3)
    LAN2 (Arrow 7, right pointer)— Not used

    Hi,
    The TCS server supports only a single NIC in a deployment. That particular NIC value is used to generate the checksum, which needs to be passed along with the Release keys to bring up the content engine. That is the reason that if you connect any other NIC to the network, the content engine will not start.
    Also, when the release keys are generated on the license server, it uses the NIC with the lowest value (always the first NIC on the server).
    I know it's a complete waste to have so many NICs and use only one. But what can I say, that's the way Cisco designed the server..!!!
    Regards,
    -Deepti

  • Why do we configure the Redundant Interface in CSS Public Face

    Hi,
    I have a question: Why do we configure the redundant interface in a CSS facing the public side of the CSS?
    I understand the need for the interface in the server side though. Please refer to the URL below;
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_810/redundgd/vipredun.htm#wp1063393

    This is not a requirement if your VIPs belong to the public VLAN subnet.
    But if your VIP addresses are from a different subnet, then the upstream router needs a route pointing to the CSS redundant interface IP.
    Gilles.

  • Ability to ping redundant interface IP address

    Hi,
    I have this setup for our content switches.
    Primary F/W --> Primary CSS --> Local Switches
    | |
    | |
    Secondary F/W --> Secondary CSS --> Local Switches
    This is the relevant configuration.
    Primary CSS
    circuit VLAN4
      ip address 192.168.76.4 255.255.255.0
      ip virtual-router 4 priority 101 preempt
      ip redundant-interface 4 192.168.76.254
    Secondary CSS
    circuit VLAN4
      ip address 192.168.76.5 255.255.255.0
      ip virtual-router 4 priority 90
      ip redundant-interface 4 192.168.76.254
    The problem is that the Secondary F/W cannot ping the redundant interface IP address via the secondary path when all devices are in normal mode.
    Is this normal?
    The ping is occurring for firewall failover checking.
    Thanks,
    Ben

    It should work.
    Your diagram does not display very well, so I don't know where the | links are.
    What should be the path of traffic from the secondary firewall to the redundant-interface?
    Is the traffic going to 1 CSS and being bridged to the 2nd CSS?
    If that's the case, you need the command 'ip uncond-bridging' on both CSS to force CSS to bridge first and then route.
    Regards,
    Gilles.

  • Impact of Deleting interface from ASA

    Hi Everyone,
    During our maintenance window I need to delete a few interfaces from the ASA.
    In ASDM, when I filter by these interface names, I see many ACLs configured for these interfaces, but the ACLs have different names compared to the interface names.
    If I delete the interface, will it also delete all those ACLs and any object groups configured under the interface subnets?
    Or
    What else will be deleted when I delete the interface from the ASA?
    Regards
    Mahesh

    You would have to rewrite that ACL entry as it will either be deleted or the reference to the inside interface will be deleted and the rest of the ACL will remain. When I tested it my ACL remained but the name of the interface was removed. As I mentioned, I am testing this on an 8.4 box so it is possible that in newer versions this ACL will be deleted.
    The access-group inside_access_in in interface inside command will be deleted once you delete the inside interface... actually you don't need to delete the inside interface for it to be deleted, you only need to remove the nameif command from the interface. Once the nameif is removed from the interface, all commands that reference that name will also be deleted.
    This is why I stated that you should assume that all commands that reference the name of the interface you are deleting will also be deleted.  That would include, but not limited to, ACLs, NAT, Policy maps, and static routes...just to name a few.
    Please remember to select a correct answer and rate helpful posts
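A pre-change impact check for the situation described in this answer, written here as an added example (not from the thread and not a Cisco tool): it scans an ASA-style config for commands that reference a given nameif (access-group bindings, routes, NAT, management access) and lists ACLs that would be left unbound once that nameif is removed. The config is a constructed sample and the set of patterns is illustrative, not exhaustive.

```python
import re

# Constructed sample ASA config; the nameif 'inside' is referenced from several places.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
object network inside-net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any host 192.168.10.5
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 192.168.10.1 1
ssh 192.168.10.0 255.255.255.0 inside
"""

def nameif_references(config, name):
    """Lines that reference the interface name `name` (access-group bindings, routes,
    NAT, management access); these are the ones the ASA drops or leaves dangling when
    the nameif is removed. The pattern list is illustrative, not exhaustive."""
    n = re.escape(name)
    patterns = [
        ("access-group", re.compile(rf"^access-group \S+ (?:in|out) interface {n}$")),
        ("route", re.compile(rf"^route {n} ")),
        ("nat", re.compile(rf"^\s*nat \((?:{n},\S+|\S+,{n})\) ")),
        ("mgmt-access", re.compile(rf"^(?:ssh|http|telnet) \S+ \S+ {n}$")),
    ]
    hits = []
    for line in config.splitlines():
        for kind, pat in patterns:
            if pat.match(line):
                hits.append((kind, line.strip()))
                break
    return hits

def orphaned_acls(config, name):
    """ACLs whose only access-group binding is on `name`: they may survive the nameif
    removal (as the poster saw on 8.4) but are then no longer applied anywhere."""
    bound = {}
    for line in config.splitlines():
        m = re.match(r"^access-group (\S+) (?:in|out) interface (\S+)$", line)
        if m:
            bound.setdefault(m.group(1), set()).add(m.group(2))
    return sorted(acl for acl, ifs in bound.items() if ifs == {name})
```

Run both functions against a saved copy of the running config before the maintenance window, and keep the output as the list of commands to re-apply or clean up afterwards.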

  • Do the sub-interfaces of an ASA firewall have a bandwidth limit?

    Do the sub-interfaces of an ASA firewall have a bandwidth limit? Or how is the bandwidth of the physical interface divided among the sub-interfaces? Is there a Cisco documentation URL link that explains this?

    Nakayama-san,
    The configuration recommendation to limit the traffic entering the router was intended for legacy (i.e. non-ISR routers). Since you are using a 2811, I would recommend that you test WAAS without these limitations configured.
    Thanks,
    Zach

  • CSS redundant-interface ping response

    Hi,
    I just want to ask a simple question:
    Should the CSS 11151 respond to ping requests made to a redundant-interface?
    If yes, what can be the reason for the redundant interface not responding to ping requests?
    Thanks in advance,
    Regards,
    LR

    Hi,
    Did you ever find a solution to the issue?
    I have an 11503 and I have the same problem: I cannot ping the redundant-interface address from the directly connected switch.
    It works for first few seconds when the CSS reboots or interface bounces then stops.
    Any ideas?
    Thanks

  • CSS redundant interface and DNS server

    We're attempting to implement a pair of CSSs using redundant ASR and GSLB where the CSSs act as DNS servers.
    But I'm not sure if the 2 features are compatible. The CSSs answer DNS queries to their direct interface but not the redundant interface.
    Does anyone have any suggestions or work-arounds? We're running version 8.20.
    TIA,
    Dan

    Dan, doing some research I can see that the option to configure the redundant-interface to resolve DNS queries is not included on the CSS 11500 series; this is from the documentation.
    The document for the CSS 11000 series that I provided before shows:
    Configuration Requirements and Restrictions
    The following requirements and restrictions apply to the configuration of this feature.
    • You can configure this feature only on Cisco 11000 series CSSs (not 11500)
    If I look at the redundant-interface configuration on the old CSS 11000 series I see the option for dns:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/v6.10/configuration/advanced/guide/VIPRedun.html#wp1067528
    Look at this line:
    dns-server - Keyword that enables the CSS to respond to DNS queries destined for the redundant interface IP address. For more information, see the "Configuring a Redundant Virtual Interface to Respond to DNS Requests" section.
    On the new CSS 11500 series this option is not available:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html#wp1067528
    I am trying to find if there is any workaround, but so far it seems that it is expected to miss this feature on the CSS 11500.

  • Unable to see interface on ASA 5510 Firewall

    Hi All,
    I am unable to see the 4th interface on my firewall, i.e. fastether0/3 on my firewall ASA 5510.
    Below is the output.
    ciscoasa# sh int ip br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                x.x.x.x           YES CONFIG up                    up
    Ethernet0/1                x.x.x.x           YES CONFIG up                    up
    Ethernet0/2                unassigned      YES unset  administratively down down
    Internal-Control0/0        127.0.1.1       YES unset  up                    up
    Internal-Data0/0           unassigned      YES unset  up                    up
    Management0/0              192.168.1.1     YES CONFIG up                    up
    Please suggest what could be the reason.
    Regards
    Pankaj

    Hi Ramraj,
    Even I have the base license for my ASA 5510, which is showing all the 4 interfaces in sh ver. I don't think the license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
    It's not showing up in sh ver. As Karsten said, he might be running on an old IOS version.
    fy-a# sh ver
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 6.4(5)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fy-a up 1 day 1 hour
    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
    0: Ext: Ethernet0/0         : address is 2c54.2d0c.8f1a, irq 9
    1: Ext: Ethernet0/1         : address is 2c54.2d0c.8f1b, irq 9
    2: Ext: Ethernet0/2         : address is 2c54.2d0c.8f1c, irq 9
    3: Ext: Ethernet0/3         : address is 2c54.2d0c.8f1d, irq 9
    4: Ext: Management0/0       : address is 2c54.2d0c.8f1e, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 50             perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Disabled       perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 0              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has a Base license.
    Serial Number: JMX1AXXXXX
    Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
    fy-a#
    Ramraj, please do correct me if I am wrong.
    Please do rate if the given information helps.
    By
    Karthik
