I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
Currently we are using a single connection to our ISP and in the coming months will be moving to a two seperate connections (to same ISP). In our current setup we utilize active/passive ASA's (5520, single context) and would like to utilize that going forward as well, the reason being is our DMZ's all hang off of these ASA's and we have fiber connectivity between our datacenters.Our main datacenter and DR Datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently with both terminating in our ASA's. That way if the ASA at our current site fails the DMZ's are still accessible via the secondary firewall at our DR facility.
I am looking at deploying a pair of 5585X's in an active/active multiple context state. I am creating Mulitple contexts that need to be able to route to each other. I was going to deploy a type of Gateway context that has a shared interface to all of the other contexts, instead of sharing interfaces directly between the contexts, i beleive this will work as basically i am just cascadng the contexts and sharing interfaces.
The main problem i have come across, is that if i deploy active/active across two appliances using 2 failover groups i can not see a way to route between them, for example.
I have Context 1, Context 2 and Context GW A including the shared interfaces of Con1 and Con2 in failover group 1 on appliance A with the respective standbys on Appliance 2. I have Context 2, Context 4 and Context GW B including the shared interfaces of Con 3 and Con 4 in failover group 2 on appliance B with the respective standbys on Appliance 1.
I need to be able to route traffic between Context GW A and GW B so that the contexts can communicate in normal operation and in failover. I do not beleive that I can share an interface between contexts in two separate failover groups and to be honest without adding a L3 device between the appliances i am not sure if this is possible.
I have two ASA 5510s running in Active/Active mode. I need to make config changes on them. How do I go about it? Do I power off the secondary ASA and make the config changes on the primary and then power on the secondary ASA ? Or this another way to do this?
I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?
I am working on a network which has two ISP connections (Active/Active) terminating on router (ASR1000). From the LAN side (6500 switch) all the traffic need to be route on ISP1 but some of the specific subnets like 10.250.0.0/16 need to be route on ISP2 connection.
I am planning to use PBR and NAT with route maps. any documents or refrences are provided.
I faced one problem in our core switch 4507 R . Active sup lost connection and standby came active. We got lot of errors/alerts on console shown below. [Code] Also when I reloaded the switch with reload command only both sups got reloaded but I want to reload all the modules but reload command do not gives any options for that.
I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
IPS soft is 6.0(4) and ASA soft is 8.0(3)
I have checked cisco doc and it is confusing to me. it says: "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..
We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?
I would like to add a vlan to a second context on a pair of redundant ACE modules. As soon as I open up that shared vlan box we will expose ourselves to mac conflicts until the shared-vlan-hostid commands can be implemented and the module reloaded. Adding the commands is not a big deal but I may not be able to schedule a reload until next week. What I would like to do is confirm the mac pools in use by each module right now. My hope is that they grabbed unique pools when they last booted and a conflict will not be a concern now.
We have an ACE 4710 that has two web servers in an active/passive scenario. The issue is that if node 1 fails and node 2 takes over connections to node 2 stay active even if node 1 becomes available again. Is there are way to ensure that node one is not placed back into service if it becomes available again.
how active/passive failover shoudl be configured, so I can make sure I have it set up correctly;
I am completely new to the Cisco ACE devices but have been asked to look at deploying them. I have read the ACE virtual partioning paper which covers the ACE module, and it mentions the following;"In an active/active high-availability design, both the primary and backup Cisco ACE modules are active simultaneously. The active virtual partitions are distributed across both modules, such that approximately half are active on the primary module and the remaining are active on the backup module."does the same resilience model work the same using the Cisco 4710 appliances? I.e. can we split virtual partions across two physical devices thereby having an active/active scenario.
I have a GSS 4490 but only want it to be authoratative for certain hosts. Sysadmins don't want to lose control of their DNS records.How do I point active directory to the GSS to look up the host?I need to keep the AD domain as authorative for the DNS records, but to pass on DNS requests to the GSS for certain hosts.
implementation of the cisco CSS 11501 boxes available as spare on our site into production for an application evry thing worked as expected. i was able to telnet the active/master box and was able to console both master and backup box from the console port.however a week post the activity im faced with this weird problem where im not able to take console or the telnet access of my primary/active box.The boxes are working in BOX-to-BOX redundancy and now im not able to telnet or console my active/master box. The telnet and console window prompts me for username and password and after entering the credentials nothing happens. no prompt or no error message is displayed.
The telnet primary authentication is via tacacs and secondary is via local. however for console im not using any method for primay authentication and local for secondary authentication. however i can successfully console my backup box. below are my obsrvations 1. the left and right status LED on the active CSS box is OFF.- it means my CSS 11501 failed and has no power. 2. upon firing the rcmd command with show line command on backup box i see that the telnet sessions and console session is established with the master box3. the redundancy state of the active box says it is master and has not changed state since my last activity, no application issue reported, all the services are active on the active box and also i can ping the active box ip address from my backup box over which box to box redundancy is established. This confirms the active box is functioning well 4. i initially thought the telnet sessions are not getting cleared, however the show line cmd with the rcmd cmd on the backup box confirms this is not happening. now im stuck as the active box cannot be accessed at all via console or telnet. i was thinking of below steps to be carried out.1. to failover the boxes and make the backup as master2. then try to take the faulty box off the network and troubleshoot (are there any other commands that i should use to troubleshoot)3. if nothing works try rebooting the box and check
NOTE: the software running is version 126.96.36.199 with standard feature set. we are not using cvdm or the CSS GUI. we could access the css initially on CSS gui and that is also not working now.
I have a problem in the ACE 4710. In view of the connections of a web environment. When I view connections on Config> Operations> Real Servers, Conns column values appear very high connections (Example. 1606317769078).Already in Config> Operations> Virtual Server the number of connections appear normal. Version 4710 ACE Device manger A4 (2.1a)
I require to connect a "css11501" two core switches to provide redundancy to the load balancing service and would like to verify this possible (Does the spanning-tree protocol officer for load balancing?)
I have a pair of ACE 4710's that I am deploying within a datacenter. The primary and secondary ACE appliances have identical configurations except for the IP addressing and priorities for FT. The FT peer is going into a TL error state.
On the primary ACE appliance, I am able to ping and telnet from/to it without any issues. All of the routing works as it should and everything is seen in the ARP table as it should. The secondary appliance is able to ping everywhere, but telnet out of or into that appliance does not work.
I am able to see the IP addresses in the arp table and can successfully ping end to end from the secondary device, just unable to telnet into or out of it. When I try to telnet out of the secondary device, it reports that there is no route, even though the IP's I am trying to telnet to are directly connected and those interfaces are up and working (otherwise ping would fail). The exact same filters (access-lists, service-policies) are configured in the exact same format and applied to the exact same interfaces.
I tried removing all of the fault tolerance configurations and just created a Layer 3 vlan interface for management and I am still unable to telnet into or out of the appliance. This is not a complicated setup and I have to think there is something obvious that I'm missing, but I'm hung up on the fact that the config's are almost identical while one works exactly as intended and the other reports no route to host for a directly connected interface.
We are preparing to upgrade from LMS 3.2 where we run 2 seperate independant instances in seperate locations for redundancy. Each instance forwards syslog traps to a seperate Openview system in the associated location. Device updates are manually done on each system.
To reduce costs and administrative overhead we are considering switching to an active-standby environment when we upgrade to LMS 4.2 where the active system would forward traps to both Openview systems.
Any experience with an active-standby Ciscoworks LMS 4.2 environment, specifically; When one system becomes unavailable (due to network, system or application issues) is promoting the standby system to active automatic?How long does it take?
Does the standby system still monitor syslog events and initiate automated actions? Where the active system stops working or hangs and the standby system does not go active?
Are there any reliability issues with database updates or synchronization from the active system to the standby system? Is there a way to test communications from the standby system for new device turn-ups without making it active?
The onboard NIC on my Asrock Extreme6 Z77 has stopped working. I had recently moved my system in to a newer and better home, and after moving it in to the new case the NIC stopped working. I had originally thought that I may have zapped it, but looking at the device manager I saw that it was enabled and recognized by Windows. So I tried some trouble shooting.
- Uninstall and re-install drivers.
- Different cables (5 in total, 3 of which work on other machines)
- Disable and re-enable.
- Went out and bought a wireless USB, allowed me to connect to the internet this way.Then yesterday it started to work again after not using the computer for most of the day.Could play some Battlefield 3, and about 2 hours in to gameplay it stopped working.Ran trouble shoot on Windows, something quickly popped up saying something about ip wasn't reconfigured/updated/some BS like that.Finished for the night happy it was working again and then came back on tonight and now it's not working again.
- Updated BIOS. - Deleted McAfee - Verified it was turned on in UEFI (doesn't show connected in system browser in UEFI)
We are running ACE 20 modules in highly available active / standby (all active contexts on one module) mode. Currently they are on A2 (2.4) version. We are going to upgrade them to A2 (3.6a). The question is that how ling can we run them in two different SW levels? In otherwords can we have few days between upgrading both modules?
I would like to know if I can connect 4 sets of NX5596 (each NX 5596 will have 5 NX2K attached) to one set of NX7010 (each NX7K has 4 X N7K-F248XP-25 modules) and using 16-way port-channel for each set? I did some digging on the Cisco website and noticed on some of the old document stated that the NX7K only support up to 8 active vPC ports between both vPC peers.
I've recently installed a Cisco 2504 WLAN Controller with (5) AIR-LAP1042N-A-K9 Access Points. Everything is working fine as far as the APs connecting to the controller, and clients being able to connect to the WiFi and get network access, etc. The one problem I have is that one AP's b/g/n radio is not active.
If I go to the WLAN Controller management web page, and look at the Access Point Summary, it shows that I have five (5) 802.11 a/n radios active but only four (4) 802.11 b/g/n radios active. I know which AP is affected and clients can indeed connect to that radio using wireless 'B' but not 'N'.I have only one WLAN configured on the 2504 (WLAN ID 1), and one AP group name (default-group) so there are no special groupings of APs. I have been through every page of the Controller management page with a "fine tooth comb" and cannot find any place where I could accidentally be turning off the a/n radio for a single controller.
Having problems configuring an SR520 to support SSL VPN with Active Directory authentication. I set up the domain and a user in the SR520. and get the login prompt remotely but when attempting to login using the active directory account i get a login error. I can login fine using local authentication.
I wonder if there is a dos command in XP that can display all current active IPs that are on the local network's router. So that i don't need to login to router's interface and still learn all current active IPs on the local network.
I have installed ACS 5.2 and configured it to join the Company's Domain as an External database with Active directory 2008. I'm facing a problem that the user once authenticated using it's active directory account it's cached in the ACS and take a while for the ACS to clear this username. For example, if user TEST authenticates and then we removed this user from the AD and then tried again; it authenticates although this users is removed from the AD !!! same thing happens when we change the user group on the AD, it takes a while for the ACS to clear the old user attributes and get the new ones from the AD.
it there an aging time for this caching mechanism, or can i clear the dynamic users manually just like in ACS 4.X ?
I am not sure why but when I try to connect with my IPSEC VPN client, authentications are failing. The ldap test passes on the ASA but when I try to login, the VPN client gives me authentication failure even though debugs show authentication was successful.User 'test1' should be able to authenticate based on group membership.User 'test2' shouldn't be able to.I already removed the attribute-map to see if that was the problem but I am still failing authentication.