Cisco :: ASA 5520 - LU Allocate Xlate Failed / Failover Unit Reloads

Mar 24, 2010

We just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007: LU allocate xlate failed errors prior to the reload. These units had just had their OS upgraded to fix a DOS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS. Two units in failover.

Cisco Adaptive Security Appliance Software Version 8.0(5)9
Device Manager Version 6.0(2)
Compiled on Mon 01-Feb-10 10:36 by builders
System image file is "disk0:/asa805-9-k8.bin"
Config file at boot was "startup-config"
CP-ASA up 17 days 21 hours
failover cluster up 17 days 22 hours
[code]....


Cisco Firewall :: 5520 - Failover ASA LU Allocate Xlate Failed

Oct 10, 2011

We have two ASA 5520s; the failover unit is showing LU allocate xlate failed. We read on [URL] that it could be a memory problem, but we have checked it and we have 85% of memory free on both nodes. We can also see all xlates on the failover unit.

We forced a failover this evening and we can't establish outbound connections through the outside interface; we think xlates or NAT can't work properly.


Cisco Firewall :: ASA5510 - LU Allocate Xlate Failed / Add More Memory

Sep 13, 2011

I got an ASA5510. After problems with IPsec connections the log said:

LU allocate xlate failed. This error repeats every minute. At the Cisco site I found the following:

Explanation: Stateful failover failed to allocate a translation (xlate) slot record. Recommended Action: Check the available memory by using the show memory command to make sure that the security appliance has free memory in the system. If no memory is available, add more memory.

But when I do, there is free memory (about 54%).

What can I do to fix this?


Cisco Firewall :: ASA 5520 / Crypto Errors CTM ERROR / Failed To Allocate X Bytes Of Memory

Oct 9, 2012

I am currently getting a strange error when trying to use any crypto services on our ASA 5520 (8.0.3). Initially I observed that a connected VPN had dropped. Then when I attempted to use ASDM or SSH I was blocked.

In the end I opened telnet as a test and this was successful. Syslog also shows that traffic is passing as normal. The only obvious error I can see when observing various debug traces is this:
 
FW02# CTM: rsa session with no priority allocated @ 0xCF1FBBA0
CTM: Session 0xCF1FBBA0 uses a nlite (Nitrox Lite) as its hardware engine
CTM: rsa context allocated for session 0xCF1FBBA0
CTM: rsa session with no priority allocated @ 0xCE7A5EA8

[code]....


Cisco Firewall :: Rebuild ASA 5520 Failover Unit

May 12, 2011

What process do I need to follow to rebuild my failover unit? I've had to turn it off because it seems that both the primary and secondary were thinking they should both be the active unit. I'm not sure why. But in turning off the failover, I had internet access again. So I think I want to rebuild the secondary unit's configuration. Do I need to turn off failover from the primary unit first? Disconnect the secondary unit, console into it and remove the configuration (command to remove from flash?)? Rebuild the interfaces: all interfaces or just STATE between the units? Just trying to get a list of the process.


Cisco Firewall :: ASA 5520 Failover Unit Anyconnect Licenses

Jan 2, 2012

So I set up a failover active/passive with 2 ASA5520s.

The primary ASA has 750 AnyConnect VPN licensing and the secondary ASA has 2 AnyConnect licenses.

I haven't set up the second ASA with the new 750 licenses I purchased, but when I do a show version it shows that the failover licensed features show 750...

Does this mean I do not have to install the secondary AnyConnect licenses on the standby ASA unit?

Output of secondary ASA:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active

[Code]......


Cisco Firewall :: 5520 - Procedure To Replace Failed Secondary ASA Unit

Apr 10, 2012

I just received an RMA for a failed ASA 5520 that was acting as the secondary unit in a multicontext configuration. What would be the correct procedure to install it back in production? Do I need to restore the backed-up config of the fallen unit, or is it enough to enable multimode and connect to the existing (primary) unit? Is there any good link for documentation that deals with this issue?


Cisco AAA/Identity/Nac :: ASA 5520 Failover Exec Authorization Failed

Mar 14, 2013

I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization into ACS 5.1, however command authorization is failing when I try to execute a command on the standby from the active unit...
 
failover exec standby dir disk0:/
 
Fallback authorization. Username 'adminuser' not in LOCAL database
Command authorization failed
 
I don't even see the authentication attempt going into ACS.


Cisco Firewall :: LU Allocate Connection Failed On ASA5585?

Jun 7, 2011

We saw this syslog on ASA5585 with version 8.4(1). I have two HA firewall pairs (contains 4 ASA5585, active/standby), and I saw this message on the standby ones.
 
Jun  7 07:36:26 10.99.96.32 last message repeated 4 times
Jun  7 07:36:26  10.99.96.32 :Jun 07 07:36:26 HKST: %ASA-ha-3-210005: LU allocate connection  failed

[Code]....


Cisco Firewall :: ASA 5550 LU Allocate Connection Failed 8.2.5

Feb 17, 2013

Customer is running ASA 5550 with software 8.2.5 version.
 
They continuously get the below messages:
 
%ASA-3-210005: LU allocate connection failed
%ASA-3-210007: LU allocate xlate failed
 
I have already searched the forums and also the Bug Toolkit. These issues have either been resolved in prior releases or in the 8.4.x train. I didn't find any bug which says that it has been found in the 8.2.5 release.

I have also run "show conn count" and "show xlate count", and I see there is a difference in the count output.
 
From Standby
 
COGINBLRMBPB1INTF1# show conn count
6097 in use, 17220 most used
COGINBLRMBPB1INTF1# sh xlate count

[Code].....


Cisco Firewall :: ASA-5520 - Auto-Save The Connections Detail And Xlate

Oct 10, 2012

I have an ASA5520, and every day I have a lot of connections through it. But the buffer in the ASA5520 for saving connections is limited. Now I want my ASA to auto-save the conn detail and xlate to my syslog server. How can I do that?


Cisco Firewall :: 5510 ASA Failover Pair For Access Second Unit Via VPN

Jun 11, 2009

We are running two failover pairs of ASAs (5510, 5505) in two different locations in active/standby configurations. Is it possible to access the inside IP of the standby unit via a VPN terminated by the active unit? It's only for monitoring. With our configuration here it is not. Is that possible in general?


Cisco Firewall :: Integrating Secondary Failover Unit ASA 5510?

Nov 20, 2011

I have a single production 5510 with 2 contexts.  Now I want to integrate the secondary failover unit. My question is: How much configuration needs to be done on the secondary firewall?  How much of the configuration will be sync'd from the primary to the secondary when the secondary is connected?
 
For example, do I need to add the following on the secondary or will it be sync'd from the primary?
 
admin-context NAME
context NAME
allocate-interface Ethernet0/0.14

[Code].....


Cisco Firewall :: Replacement Of Primary Unit Failed ASA5510

Sep 7, 2011

I have an issue bringing up my RMA'd primary ASA unit.
 
So what happened so far:
 
1. primary unit failed
2. secondary took over and is now secondary - active (as per sh fail)
2. requested RMA at Cisco
3. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary
4. issued wr erase and reloaded
5. copied the following commands to the new (RMA) primary unit:
failover lan unit primary
failover lan interface Failover Ethernet3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
int eth3
no shut
failover
wr mem
6. installed primary unit into rack
7. plugged-in all cables (network, failover, console and power)
8. fired up the primary unit
9. expected that the unit shows:
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
10. but nothing happened on primary unit
 
What is a valid and viable approach to replacing a failed primary unit? Is there a missing step that hinders me from successfully replicating the secondary - active config to the primary - standby unit?
 
I was not able to find anything related to ASA55xx primary unit replacement with a clear guideline or step by step instructions.


Cisco VPN :: ASA 5500 - Restored Failed Unit Now Unable To Pass Traffic Over VPN Tunnels

Nov 11, 2012

I restored the HA pair back to Active/Standby.
 
1 remaining issue.
 
I have 3 IPsec Site-to-Site tunnels.

I noticed that when the NEW UNIT becomes ACTIVE I am unable to pass traffic over the VPN tunnels. When I fail back I am able to pass traffic.


Cisco WAN :: ASA 5520 Failover

May 7, 2013

When I try to put my ASAs in active/standby config, here is the error I get:

Warning: Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or the system is out of memory.


Cisco Firewall :: ASA 5520 With Failover NAT With Two ISP?

Jun 20, 2011

Currently we have one ISP1 and all traffic goes this way. Suppose our ISP1 goes down; our outside users can't reach the servers. All servers are NATed to this ISP1. We planned to purchase another, ISP2. Shall we configure the same inside servers to map to ISP2, so that when the primary ISP1 goes down, ISP2 takes over the outside traffic?


Cisco Firewall :: ASA 5520 Failover With SLA?

Jul 19, 2011

Is it possible to setup 2 x Cisco ASA 5520 that are in an Active/Standby failover using sla monitoring?
 
For example ASA1 outside interface connects to an upstream switch and you setup sla monitor with icmp echo to ping that switch. The switch goes down and you need the other ASA2 to become the Active ASA. Can the sla monitor be automatically integrated with the failover commands for this to happen?


Cisco WAN :: Failover Between ISP Router ASA 5520

Aug 24, 2011

I'd like to configure HA between an ISP router and an ASA firewall as shown in the document. I was thinking about HSRP, but can I use HSRP between a router and a firewall? Another piece of information: I have 1 ASA 5520 on my site connected to ISP 1, and a second ASA 5520 at a second ISP's datacenter. My aim is that if the 2nd ISP is not available, all traffic goes through the ASA on site and to the first ISP.


Cisco Firewall :: ASA 5520 Failover Did Not Work?

Apr 17, 2011

I have an ASA 5520 with active/standby configured. Around 2 days ago, the ASA stopped responding and all of my websites stopped working. When I checked the failover status it said that failover is off. I had to manually turn the failover on to start my traffic flow. During this time my secondary ASA was not responding. After some time, the primary stopped responding and the secondary became active. To solve this I had to make the secondary unit the failover unit primary and the primary unit the failover unit secondary. I did get a log on the ASA:

“(Primary) Disabling Failover” with error message no. 105001, which states the below:
 
Error Message %PIX|ASA-1-105001: (Primary) Disabling failover.
 
Explanation: In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed). (Primary) can also be listed as (Secondary) for the secondary unit.


Cisco Firewall :: Cannot Run ASDM After Failover Asa 5520

Nov 24, 2011

I have 2 ASA5520s in a failover pair. After failing over I cannot run ASDM on the secondary (now active device); I get "unable to launch device manager from [primary address]".

I can ASDM to the primary device (now marked as "standby ready") on the failover address. I can SSH to it also. I CANNOT ASDM to the secondary device (now marked as "active") on the primary address. I CAN SSH to it.

When I run "sh asdm image" I get valid output (asdm image disk0:/asdm-645.bin) on both. However, when I run "sh ver" on each it appears ASDM is not running on the secondary device:
 
Cisco Adaptive Security Appliance Software Version xxxx [only]
 
Compared with :
 
Cisco Adaptive Security Appliance Software Version xxxx
Device Manager Version 6.4(5)
 
It appears as though ASDM is only running on the primary device (regardless of the fact it is now in standby mode). Is this normal?
I am having to run in a failover condition due to an intermittent hardware fault on the primary unit but require access to the ASDM for monitoring/diag purposes during this condition.


Cisco WAN :: OSPF ASA 5520 In Failover Mode?

Apr 1, 2008

I currently have a set of firewalls in an active/standby configuration running an OSPF process injecting a default route into the rest of my network. I noticed when I was testing the failover that the ASAs do not actually pass the route tables on failover, thus forcing the need to wait for routes to converge and for the default route to be advertised back into the network. This of course is not acceptable.
 
Is there a way around this or do I have to setup static default routes on every device in my network. I am trying to avoid setting up default routes on all of the devices because due to the setup of my network I have equal cost links configured in the event of hardware or link failure. So the devices then see an advertised default route from multiple paths.


Cisco VPN :: ASA 5520 / Failover Between Two Remote Locations?

Dec 5, 2011

I have 2 dual ASA 5520 devices running VPN at two geographically different locations. What is the best way to do failover between the two remote locations? I.e., can Cisco GSS / Cisco CSM/ACE be used, and if so how would this work?


Cisco Firewall :: Failover Between ASA 5510 And 5520?

Sep 27, 2012

Cisco still doesn't provide failover (active/standby) between two different types of ASA, right?
 
[URL]
 
"The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM"


Cisco VPN :: ASA 5520 - Load Balancing And Failover

Jul 25, 2011

We have two asa5520 configured as primary and standby unit in fail over configuration, and all is working properly. Is it possible, with this configuration (fail over), to configure vpn load balancing/clustering?


Cisco Firewall :: ASA 5520 - Failover Pair

Oct 31, 2012

I am trying to set up a failover pair on Cisco ASA 5520 and need stateful failover. Do I need two ports dedicated to obtain the above, one for LAN-based failover and one for stateful failover? Also, do I need a switch in between to connect them?


Cisco Firewall :: ASA 5520 - Configured For Failover

Jan 25, 2012

I have 2 Cisco 5520 ASAs that were configured for failover. Unfortunately our primary ASA went down, the secondary became active, and a network admin made lots of changes on the secondary active ASA. What is the best practice to rejoin the primary as standby or active without losing the existing configuration on the secondary active?


Cisco Firewall :: 5520 - ASA Failover Pair With Different License

Apr 15, 2013

I have a running ASA5520 in my network and recently we plan to add a failover pair as a standby unit for the running ASA. Both of the ASAs have the same specs and software. The only thing that the soon-to-be secondary ASA does not have is the AnyConnect Essential license. Is it still possible for the unit to be the standby unit?

Below is the license capture from both of the units.
 
Running ASA:
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150     

[Code].....


Cisco Firewall :: Failover License Sync Between Two ASA 5520?

Jun 3, 2013

According to the link here: [URL]

Starting with Version 8.3(1), it is no longer necessary to install identical licenses. Typically, we only buy a license for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. So I want to know if there's some additional configuration to synchronize the licenses, such as SSL VPN or Context, between the primary one and the second one. Or do they just synchronize by default as soon as I finish the failover configuration, so that when the primary one goes down, the second one will take over the role, including licenses, automatically?


Cisco Firewall :: Activation Key For ASA 5520 Failover Pair

Mar 20, 2012

We have recently got 2 of our Cisco ASA 5520 firewalls through RMA. These are supposed to run in an Active/Active failover pair. There was only 1 RMA request that was opened for both the firewalls. We have received only 1 activation key for this RMA request for both the firewalls. Just want to check with you if this activation key will work on both firewalls or do we need to get a separate one for the other box.


Cisco Firewall :: Failover Transparent Mode ASA 5520?

Sep 19, 2012

Recently, I was unable to configure the failover on a bridge group in transparent mode. I have five interfaces; out of these only 3 are showing in the show run config. Can I configure failover on one of the data interfaces?
 
I have the ASA 5520 with the version ASA Version 7.2(4) <context>


Cisco Firewall :: 5520 - ASA Phone Proxy After Failover?

Dec 3, 2012

I have a problem with my ASA phone proxy. I have two ASA 5520s in HA. I have 10 phones registered with the active primary ASA. If I execute the command show phone-proxy secure-session, I can see the phone sessions on the ASA.

If I run the same command on the passive ASA, I can't see the sessions replicated from the active member.

If I switch the cluster, the phones enter a registration loop and can't connect to the now-active ASA.

If I switch back immediately (the sessions are still present on the first ASA), the phones register again and all works.

The ASAs have version 8.4(5).

The phones are 7921G.

Is it normal that Skinny doesn't start again and re-register the phone on the ASA that became active after failover?


Cisco Firewall :: Copy Files Between Failover ASA 5520?

Oct 29, 2012

I made an ASDM upgrade for one of my two Cisco ASA 5520s. If I copy a file to the primary ASA's flash, is there any command I can run on the primary ASA to copy a file to the secondary ASA?








Copyrights 2005-15 www.BigResource.com, All rights reserved