Will ASA-SSM-20 reload affect ASA failover?

I have 2 ASA 5520s with an ASA-SSM-20 installed in each. The ASA-SSM-20 in the primary ASA is not working correctly:
Error: Cannot communicate with mainApp (getVersion). Please contact your system administrator.
Would you like to run cidDump?[no]:
I would like to reload the module, but I don't know if that will cause the whole ASA to failover. The ASAs are running 7.2(3).
Any thoughts?

Thanks Brett.
We are using stateful failover. Not all sessions get dropped, just enough Telnet and application interface links that we start getting calls and people show up at my door. This is on a new ASA5520 that normally runs <5% CPU utilization. I just checked that the failover link is set to 1000FULL, so there should not be any delay in updated state information.
Am I missing something in the config?
Portcullis# sho run failover
failover
failover lan unit primary
failover lan interface heartbeat GigabitEthernet0/2
failover polltime unit 3 holdtime 9
failover replication http
failover link heartbeat GigabitEthernet0/2
failover interface ip heartbeat 172.31.0.201 255.255.255.0 standby 172.31.0.202
Portcullis# sho run interface g0/2
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
speed 1000
duplex full
Portcullis#
-Roy-

Similar Messages

  • ASA Failover messages

    I'm having trouble finding definitions for
    "show failover history" responses.  Phrases like the following:
    Just Active
    and
    Active Drain
    Any ideas?

    Hi Jim,
    Thanks for your post trying to find the documentation that shows definitions of ASA failover messages.
    The responses can be found in Table 26-4 of the Cisco Security Appliance Command Reference, Version 7.2.
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s3_72.html#wp1285887
    Thanks,
    Janel Kratky

  • Will upgrading to Snow Leopard affect my Windows 7 boot camp partition?

    Hi,
    Did some preliminary searching on this before posting but couldn't find with confidence my answer. Does anybody know? Details below.
    Q: Will upgrading to Snow Leopard affect my Windows 7 boot camp partition?
    I'm running 10.5.8 on a single drive with two partitions. 1st partition for OS-x is extended (journaled), 2nd partition (ntfs) has solid version of Windows 7 RC, build 7100 running.
    Thanks.

    Hi Michael,
    here are some nice 'Myths and Facts' about Intel Macs and BootCamp http://refit.sourceforge.net/myths/
    Bottom line: while not exactly needed for installing Windows on an Intel-based Mac, the BootCamp Assistant 'streamlines' the process with a nice GUI (no need for 'cryptic' Terminal commands).
    Mac OSX as of now (10.5 Leopard and above) plus the up-to-date firmware for Intel-Macs already include everything needed to install and boot Windows.
    Deleting or reformatting an OSX partition does not affect the Windows partition.
    However a repartitioning of course does, if the Windows partition is on the same harddisk.
    But even a repartitioning of any other harddisk (ones that do not have the Windows partition on them) does not affect the Windows partition.
    Did that myself when adding/upgrading the harddisks in my Mac Pro.
    Nonetheless, when 'fumbling' with harddisks and partition structure I always have backups of my important files at hand.
    Take care
    Stefan

  • When I click on the button to download the new IOS software, I get a message saying that all the items on my iTouch will be removed.  Will I have to reload everything after updating the software?

    When I click on the button to download the new IOS software, I get a message saying that all the items on my iTouch will be removed.  Will I have to reload everything after updating the software?  Because I had to have my hard drive wiped a while back, I have items on my iTouch that are not in my iTunes.  Is there a way to copy everything on the iTouch into iTunes, if necessary, before I load the new software?

    It is possible to transfer purchases from your iPod back into iTunes before updating the OS. If you had any CDs from your personal collection, these you have to put back into iTunes manually. Hope this helps you & good luck!

  • If I want to delete Mac OS and only install windows 8, will there be any side effects?

    I know this is crazy, but I want to buy a macbook pro with retina,
    and if I want to delete Mac OS completely and only install windows 8, will there be any side effects?

    Mende 1,
    Thank you very much!!!
    But when you say windows support software, can you name it specifically?
    because I'm really scared that I will mess up on this.
    Or is it possible that I can ask one of the staff in the shop to do it for me when I'm buying the MacBook Pro with retina??
    Do they do such service even in Taiwan???

  • How will the new OSX Mavericks affect applications already installed and using Mountain Lion?

    How will the new OSX Mavericks affect applications already installed and using Mountain Lion?

    If you're asking about compatibility, that would be something you would need to ask of the app developers, though most apps compatible with Mountain Lion should be compatible with Mavericks. You can also consult the tables here:
    http://roaringapps.com/apps
    though that information comes from user reports and so should not be considered authoritative.
    If you're asking whether installing Mavericks will delete your apps, no, it won't, though a good backup is always highly recommended.
    Regards.

  • Will the retirement of FormsCentral affect my ability to create forms in my desktop Adobe Acrobat XI Pro?

    I am not familiar with Forms Central so I would just like to be sure. Will the retirement of FormsCentral affect my ability to create forms in my desktop Adobe Acrobat XI Pro?

    Hi,
    I would like to inform you that retirement of Adobe FormsCentral will not affect the working of Adobe Acrobat.
    Regards,
    Nakul

  • How will the itunes match app affect my data usage?

    How will the iTunes Match app affect my data usage? It seems to take a while to connect and start playing so I'm assuming if my range isn't the best it will drop out like a bad radio station???

    What I have done is create playlists and I'll download the playlists to the iPhone while I'm at home, on Wi Fi, and listen while I'm out and about. I've only downloaded the occasional tracks on 3G (mainly because at&t's network was so terrible). This method worked pretty well for me.
    Incidentally, iTunes Match should not be used as a substitute for a backup: FAQ:  Why iTunes Match can NOT be used as a backup!

  • HT1420 if upgrading to windows 8, will i have trouble reloading itunes?

    If upgrading to Windows 8, will I have trouble reloading iTunes?

    Hi 3backpacker3,
    It sounds like you are on the right track in troubleshooting this issue. If you are having launch issues, you may find the following article helpful:
    iTunes for Windows Vista or Windows 7: Troubleshooting unexpected quits, freezes, or launch issues
    http://support.apple.com/kb/ts1717
    Regards,
    - Brenden

  • ASA failover with 1 AIP SSM in Active/Standby?

    I have a customer with two ASAs in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob

    The only connection to the SSM that can be done internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.
    This is very useful when you manage your SSM directly through the CLI.
    However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.
    All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.
    All web connections must be made to the External Management interface of the SSM.
    If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.
    That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.
    But it does still require that wire connected to the external port of the SSM.

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    Can I add a single AIP-SSM on a Cisco ASA in failover active / standby mode?

    No, both units need the same hardware, that includes the installed modules.
    Sent from Cisco Technical Support iPad App

  • ASA Failover when Firewalls are at different sites - help

    I am implementing a solution for a customer whereby they have two Cisco ASA 5520X firewalls. They wish for the firewalls to be in an Active-Standby state.
    This not only means that if one firewall dies, the other will take over. It also means that any configuration changes made on the primary are copied to the backup.
    The only catch is, both firewalls are at different sites. There is no layer 2 WAN link running between the sites. They are separated by both the internet cloud on one side and their internal company MPLS cloud on the other.
    The diagram, that I have taken from my GNS3 simulation and modified slightly, shows the setup. All of the IP addresses (and AS numbers) are made up. Any reflection on real world IPs is unintentional and just a coincidence.
    The diagram probably has more IP information than is needed for this question - but the basic idea is the following:
    1. Under normal conditions traffic will flow to the internet from the remote MPLS site and leave via the firewall (PAT) at site1 - however note the public range of 23.23.23.0/24 is configured at both Site-1 and Site-2 - so at the moment the internet cloud is preferring Site-1 to reach that range.
    2. If the internet link from INT-PRI at Site-1 fails, remote MPLS traffic destined for the internet will be forwarded out to the internet at Site-2.
    3. If the two MPLS links to Site-1 fail, INT-PRI will stop advertising the public range to the internet PE routers and traffic from the remote MPLS router destined for the internet will go out via Site-2.
    I have the tracking and dynamic routing failover setup between the sites all configured and worked out (I can provide the details of how INT-PRI tracks a sponge address in the MPLS cloud to determine whether or not it advertises the public range to the internet etc etc if you want, but on this question I want to focus on the firewalls).
    Currently the customer is resigned to having to do manual copying between the firewalls every time a change is made (i.e. there is no dynamic failover configured and the Site-2 firewall is just a clone that is kept up to date by their change management team).
    Is there a smart way to set up an Active-Standby configuration between these distant sites? Or at the very least dynamically copy the configuration to the backup every time a change is made? My first thought would be some kind of EEM or TCL script but I'm not that experienced with either. Alternatively, if there is a smart way to get the two firewalls talking over Layer 2 it might be a better way forward.
    Thanks in advance. Apologies for this question being too wordy.

    You could use Ethernet over MPLS (EoMPLS) or Virtual Private LAN Services (VPLS), though if I remember correctly this is limited to certain platforms and IOS versions.
    Here is a design guide you could have a read through on the options
    http://www.cisco.com/c/en/us/products/collateral/data-center-virtualization/data-center-interconnect/white_paper_c11_493718.html#wp9000079
    EoMPLS configuration guide:
    http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/Configuration/Guide/config_guide/eompls.html
    VPLS configuration guide:
    http://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_5/configuration/guide/cpt95_configuration/cpt95_configuration_chapter_011000.html
    Please remember to rate and select a correct answer

  • ASA failover: secondary ASA disabled failover on its own

    Hi all
    I have a failover pair of ASA 5520 (Software Version 8.2(4)4)
    located in two different data centers.
    Because of a network issue the layer 2 connection between both locations has been interrupted for a couple of seconds and the ASAs went into split-brain as one would expect them to do.
    The thing is that after approx. 1 minute the secondary ASA switched off its failover configuration (i.e. "show run" gives "no failover") without anybody telling it to do so. Here is the "show failover history" of the device:
    07:57:34 MESZ Aug 15 2011
    Standby Ready              Just Active                HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Just Active                Active Drain               HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Drain               Active Applying Config     HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Applying Config     Active Config Applied      HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Config Applied      Active                     HELLO not heard from mate
    07:58:03 MESZ Aug 15 2011
    Active                     Cold Standby               Failover state check
    07:58:18 MESZ Aug 15 2011
    Cold Standby               Disabled                   HA state progression failed
    At this point failover was switched off completely and the split-brain remained even after the layer-2 connection had been reestablished.
    This is no good. :( I have searched for "HA state progression failed" without any useful result/explanation.
    Why did the device switch off failover on its own and how can we assure that it won't do this again?
    Best regards,
    Grischa

    Yes, only thing I needed to do was issuing "failover" on the secondary. It detected its active mate and went properly into standby:
    09:16:18 MESZ Aug 15 2011
    Disabled                   Negotiation                Set by the config command
    09:16:19 MESZ Aug 15 2011
    Negotiation                Cold Standby               Detected an Active mate
    09:16:21 MESZ Aug 15 2011
    Cold Standby               Sync Config                Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Sync Config                Sync File System           Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Sync File System           Bulk Sync                  Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Bulk Sync                  Standby Ready              Detected an Active mate
    I guess we will go the TAC way if we encounter this situation a second time. This time we will be warned and know where to look at.
    Is there really no documentation available of the "HA state progression failed" message? What does it mean and how is it triggered usually?
    Regards,
    Grischa

  • ASA failover is not replicating configuration

    Hi:
    I discovered an issue with my CISCO ASA 5550: looking at the VLANs that I have configured, some VLANs on the standby device did not have an IP address configured. Checking the failover configuration, I don't see anything wrong, so I don't know if maybe I'm missing something. Can you help me please? If you need more information about my configuration, let me know.
    Regards.

    There will only be a standby IP address assigned if the active configuration specifies one in the interface configuration section. It's optional whether or not to use standby IP addresses.

  • CISCO ASA Failover

    Can anyone tell me which protocol is used for failover in ASA and how it works?

    ASAs use keepalive packets between each other that are sent over the failover link.  By using the keepalive packets, the standby ASA monitors the health status of the Active ASA.  If the standby ASA stops receiving keepalive packets from the active ASA it will send out 3 test packets, out the monitored interfaces.  That is to say, it will send test packets out the actual interfaces that will trigger a failover if one of them fails.  If the standby ASA still does not receive a reply from the active ASA it will now assume that the active ASA is dead and will take over the role as active ASA.
    The failover link is also used to replicate the configuration between the active and standby ASAs.
    The state link is used to replicate the state table and other relevant active connection information.
    Please remember to rate and select a correct answer
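
The "show failover history" output quoted in the split-brain thread above can be checked mechanically rather than by eye. The following is an added example, not code from any poster or from Cisco: it parses that output and flags a takeover caused by lost hellos and any later transition to Disabled. The function names and finding labels are assumptions made for illustration; the sample text is the history quoted in that thread.

```python
import re
from datetime import datetime

# "show failover history" lines quoted in the split-brain thread above.
SECONDARY_HISTORY = """\
07:57:34 MESZ Aug 15 2011
Standby Ready              Just Active                HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Just Active                Active Drain               HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Active Drain               Active Applying Config     HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Active Applying Config     Active Config Applied      HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Active Config Applied      Active                     HELLO not heard from mate
07:58:03 MESZ Aug 15 2011
Active                     Cold Standby               Failover state check
07:58:18 MESZ Aug 15 2011
Cold Standby               Disabled                   HA state progression failed
"""

# Timestamp line: clock, zone label (ignored), month, day, year.
TS_RE = re.compile(r"^(\d\d:\d\d:\d\d) \S+ (\w{3}) +(\d{1,2}) (\d{4})$")

def parse_history(text):
    """Pair each timestamp line with the From/To/Reason line that follows it."""
    events, stamp = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = TS_RE.match(line)
        if m:
            stamp = datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")
            continue
        cols = re.split(r"\s{2,}", line)
        if stamp is not None and len(cols) == 3:  # skips headers and rulers
            events.append({"time": stamp, "from": cols[0],
                           "to": cols[1], "reason": cols[2]})
            stamp = None
    return events

def review(events):
    """Return (kind, time, detail) findings worth alerting an operator on."""
    findings, takeover = [], None
    for ev in events:
        if ev["to"] == "Just Active" and "HELLO not heard" in ev["reason"]:
            takeover = ev["time"]
            findings.append(("takeover-on-peer-loss", ev["time"], ev["reason"]))
        elif ev["to"] == "Disabled":
            detail = ev["reason"]
            if takeover:
                detail += f" ({int((ev['time'] - takeover).total_seconds())}s after takeover)"
            findings.append(("failover-disabled", ev["time"], detail))
    return findings

if __name__ == "__main__":
    for kind, when, detail in review(parse_history(SECONDARY_HISTORY)):
        print(when.isoformat(), kind, detail)
```

A unit that reports failover-disabled shortly after takeover-on-peer-loss is in the state described in that thread: both units active and failover switched off until someone re-enters "failover".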
