I have 2 x 5510's in active/standby mode, things look fine until the active one needs to be failed over and I realize the standby one is dead. I never notice as the lights on the ASA look good, I only nice as I can't telnet or console onto it, how can I debug this issue?
View 1 RepliesIs there a way to access the asa in a failover pair that is in standby mode from the primary asa? IE I am logged into the primary asa via command line and was hoping to access the other asa from here.
View 1 Replies View Relatedi read that you need only one L-ASA5510-SEC-PL for setting up a Active/Standby Failover. I installed the license on the 1st ASA and tried to setup the failover via the ASDM wizard. It always fails, because the 2nd device can't have a 'base' license.So does this mean, i really need another license?
View 5 Replies View RelatedI currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.
View 5 Replies View RelatedI have a dual ISP, 1 primary and 1 secondary terminated on fa0 and fa2 on our ASA respectively. ASA was configured so that, when the primary fails, the secondary kicks in. [code]
It was until yesterday that we experienced downtime on the primary ISP that the secondary doesn't do the fail-over. I have to manually configure the device to use the secondary ISP. Currently, I'm looking at maybe this has something to do with the licensing.We are currently using a Base License, should we be upgrading to Security Plus?
I have a 5510 ASA and have been given another an told to make them active and standby. Basically the active one is working great but the second one has no config on it apart from the default one, but is the same firmware level. I guess I need a crossover cable, and what happens with the inside and outside interfaces, would they need to go into a vlan on a switch, one inside vlan where the 2 firewalls inside interface go into and another vlan for the outside? Otherwise if it failsover to the standby ASA the inside and outside interfaces wouldn't work.
View 4 Replies View RelatedI just added a new 5510 failover unit to an existing 5510 and when connecting my new outside interface on an Active/Standby firewall pair, i get errors messages (red x) on each port scan (monitor & syslog) although the error message indicate all ports are good...additionally the firewalls flip between active and standby non stop. I remove the new standby unit outside interface from a shared switch and everything clears up.
View 1 Replies View RelatedWe have 2 ASA 5510's running in a Active/Standby configuration. It appears that most of the changes we make on the active unit are replicated to the standby unit. However, there are 3 AnyConnect Client Profiles on the active unit and none of them show up on the standby, the standby has no AnyConnect Profiles. We also have 1 OnConnect script on the active unit and it does not appear on the standby unit either.
I was under the assumption that all config items on the active unit would replicate to the standby. Is this not correct? Do I need to do something extra to get everything replicated? Are there other items that do not replicate?
We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.
View 1 Replies View RelatedI have three pairs of ASA5510 firewalls, each pair configured as a failover pair. When each pair boots up, even if I boot up the primary first, when they are both up and the primary/active syncs to the secondary/standby, the primary always switches to standby and the secondary thus becomes active.
What would cause this? It happens on all three pairs. Does failover look for the highest ID or IP address to determine which of the pair will be active?
last night I started upgrading our ASA5520 active/standby cluster. Because of lack of memory, I stopped the upgrade process and will continue when the memory modules have arrived... Currently I'm running 8.0(5) on both nodes (Version: Ours 8.0(5), Mate 8.0(5))Whenever I use the "write standby" command on the active ASA, the passive ASA seems to drop it links for a short while. [code]
View 4 Replies View RelatedI have a problem with a ASA 5505. He is crashing multiple times during the day. I've setup a syslog server en I'd noticed that the last two log notification were:
2011-11-08 12:28:19 Local4.Debug 10.0.0.254 %ASA-7-711002: Task ran for 27016 msec, Process = Dispatch Unit, PC = 84745ce, Traceback =
2011-11-08 12:28:19 Local4.Debug 10.0.0.254 %ASA-7-711002: Task ran for 27016 msec, Process = Dispatch Unit, PC = 84745ce, Traceback = 0x084745CE 0x08474942 0x08475511 0x08475DB7 0x08475EDA 0x08508D9B 0x0850908A 0x083AB5B8 0x083A1D55 0x080655C1 0x08895A19 0x08895AD0 0x08952194 0x08978450
It's a 5505 with a 10 user inside host license, wich incidentally is more.
I recently picked up two ASA5510s (ASA5510-SSL50-K9 & ASA5510-SEC-BUN-K) with intentions of creating an Active/Standy configuration. I'm receiving the error message "Mates' license (2 SSL VPN Peers) is not compatible with my license (50 SSL VPN Peers)", but I was under the impression that I didn't have to buy idential SSL VPN licenses post 8.2 in an Active/Standby configuration. am I missing a step that enables the license transfer(sharing?) feature to work correctly before the failover will build correctly?
View 6 Replies View Relatednow i have some problem on Cisco Switch 3750 and ASA 5510, i would like to do loandbalancing on Cisco Switch 3750 and Active/Standby on ASA 5510.
which topology that we can use on this diagram, i mean which protocol connect 3750(2unit) to ASA 5510(2unit) and ASA 5510 to 3750, which protocol 3750.
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
I would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
View 1 Replies View RelatedI'm having an issue where when I upgrade from 8.2(5) to 8.4(2) on an active/passive asa 5585 running in transparent mode I can no longer reach the standby ip. The BVI interface appears to be created properly, the device IP and standby IP are listed in the config under the BVI interface and my inside and outside interfaces are both joined to BVI1-group.
View 1 Replies View RelatedI have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.However, the standby ip of this firewall is not point to the secondary firewall and vice versa for the primary firewall. [code]
1) May i know how is this configuration valid in the first place? I have checked through the configuration. None of the configuration is related to this ip address.
2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?
3) We tried to use this ip address but cannot be used ? Is it related to the configuration of the standby ip address.Do note that the ping to this ip address x.x.x.120 is unreachable.
I have successfully completed HSRP and failover configuration.When both switch are runnign then the failover run successful and wheneber one link fail then the failover run successfully but when down one 6509(total box) the failover not working.....
View 7 Replies View RelatedI can no longer communicate with the standby IP address configured on the inside interface of a secondary ASA5510. Just a couple days ago I could snmp, http, ssh, and ping it.From the switch that is directly connected to the inside interface I'm getting unexpected results when viewing the the arp table. The switch is saying the IP address associated with the ASA's inside interface has mac address 0023.3353.bcc8 but the ASA is saying its inside interface mac address is 0023.33bb.8362?Furthermore when I issue the "sh mac address-table interface f5/46" command on the switch i see multiple macs on the interface that is connected to the inside interface of the ASA...
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
135 0023.3353.bcc8 dynamic ip FastEthernet5/46
135 0023.3353.bdc8 dynamic ip FastEthernet5/46
135 0023.3353.bec8 dynamic ip FastEthernet5/46
135 0023.3353.bfc8 dynamic ip FastEthernet5/46
Come across pix 525 with 7.2.4 , 256 MB RAM, experienceing high memory utilization ?.show memory was giving used memory = 97%.All I had done was, i did a reboot of the firewall since we were not able to take the control of the f/w.I wonder why only the standby f/w had this issue and not the primary does not have, just to rule out that it was not due to Traffic.I have searched in bugtool kits and support forums and did not find anything relevant except for a similar issue for ASA CSCsg43844.
View 3 Replies View Relatedi have 2 ASA 5505 running 8.3(1) and ASDM 6.3(1).
the first unit is currently working, and i now wish to configure the second unit as standby. im configuring through the ASDM GUI. Started the HA Wizard, choose Active/Standby configuration and enter the IP of the peer device. checks come back all ok. On the LAN link configuration page (step 3of6) Interface is pre selected as VLAN99, I give it a logical name as iface_fail, and enter 10.0.0.1 as primary address and 10.0.0.2 as standby, subnet as 255.255.255.248, and select port Ethernet0/5
Note that if i click on the buttons next to the IP fields, i get IP addresses of remote hosts!.
I have a pair of asa5520's in active/standby configuration. I plan on ugrading the asa/asdm images to 8.4 shortly (currently on 8.0) and would like to do this with zero downtime. Specifically, I would like to upload the new software to the standby unit, upgrade it, swap standby/active units and then upgrade what will become the standby after the swap.The problem I'm having is getting the new images uploaded onto the standby unit. I've read that the routing table is not shared from the primary and the USB ports are "for future use". I have no problem uploading the new images to the active unit via tftp...but can't do the same to the standby.
View 5 Replies View RelatedIs there a document that explains how the configurations are updated to the standby ASA and what needs to be manually added tot he ASA? I have two ASA 5510 running ASA ver 8.3(2) and ASDM 6.4(1). When I add static routes to the primary ASA the routes are not sent to the failover ASA. Is this to be expected or do I have a bug?
View 10 Replies View RelatedI have a problem with failover. On My site I have 2 Firewalls 5580. And I did this configuration on my firewall.interface GigabitEthernet3/0description LAN/STATE Failover Interfacespeed nonegotiate.
View 5 Replies View RelatedI've tried to upgrade a redundant setup from 8.2(4)4 to 8.2(5)22 ending with a stanby ASA continuously crashing after config sync phase. On the first crash it even corrupted the flash, leaving me no choice than initializing the box from scratch.
View 4 Replies View RelatedWe have two PIX515E ( 6.3), one is Primary( Active) and second one is Standby. after configuration of Secondary Firewall as Standby. getting problem.
1. Configuration part everything is fine
2.we have done failover text also .
Aster Some time , we are not able see Standby Firewall its going down .
I would like to ask you about ASA 5510 (Active/Standby). i have two ASA 5510 and i did configuretion failover and it is working ( Active / Standby) but my issue that when primary donw, the standby unit up to primary but the primary came back the standby unit it not switch to standby ( i mean it still up ) . if i want to primary up i type command ( failover active ) on primary unit , so i don't want use manul command i want it auto.Which command that make ASA failover when primary coma back? [code]
View 2 Replies View RelatedHere are the configs for failover:
PRIMARY
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
failover link failover GigabitEthernet0/3
failover
SECONDARY
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
failover lan unit secondary
failover
In the above configs is it i m missing something for failover? when i shut the INSIDE interface of Secondary ASA I get the below output, It shows me secondary failed and primary Active, WHY it is showing me FAILED instead of STANDBY/READY. What i know about firewall failover is when active goes down the other becomes standby unit but in this scenario it is showing me FAILED,
FW0001(config)# sh failover
Failover On
Failover unit Secondary
[Code] ....
I have two ASA 5520 version 8.2 in active Standay Mode. What is a good practice to setup IPS AIM ssm-20 for this setup.
Is IPS should be in Fail-Open or Fail-Close mode ?
Is Mangement ip for both IPS module should be same or diffrent. ?
i have a active/standby pair of asa 5520's, i can access the active asa but not the standby asa via console,
i have tried the password recovery on the standby unit but it does not work, do i need to remove the unit from the network to become a standalone unit to perform the recovery?
I got 2 x 5520 ASAs configured in active/standby mode and they are connected to 2 x 4500 switches in which too configured for failover.Telnet to ASAs is allowed only via subnet 172.18.0.0./24
I can only ping and telnet to the active ASA from subnet 172.18.0.0./24 but not the standby But i can ping and telnet to both the active and standby ASAs within the 4500 switches.
I have just finished setting up two ASA5510s in Active/Standby Staeful failover, using the Management interface for both failover and state. Everything appears to be working well.Configurations were transferred and the "sh failover" on both accurately reports their status before and after a failing the active device.I monitored the inside IP with a continuous ping (using a Windows client) and noticed that there were usually two to three ping responses lost. Is this normal?
View 1 Replies View Related