Cisco Firewall :: 5520 - Procedure To Replace Failed Secondary ASA Unit
Apr 10, 2012
I just received an RMA for a failed ASA 5520 that was acting as the secondary unit in a multi-context configuration. What would be the correct procedure to install it back in production? Do I need to restore the backed-up config of the failed unit, or is it enough to enable multiple mode and connect it to the existing (primary) unit? Any good link to documentation that deals with these issues?
We just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007: LU allocate xlate failed errors prior to the reload. These units had just had their OS upgraded to fix a DoS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS. Two units in failover.
Cisco Adaptive Security Appliance Software Version 8.0(5)9
Device Manager Version 6.0(2)
Compiled on Mon 01-Feb-10 10:36 by builders
System image file is "disk0:/asa805-9-k8.bin"
Config file at boot was "startup-config"
CP-ASA up 17 days 21 hours
failover cluster up 17 days 22 hours
[code]....
I have a single production 5510 with 2 contexts. Now I want to integrate the secondary failover unit. My question is: how much configuration needs to be done on the secondary firewall? How much of the configuration will be synced from the primary to the secondary when the secondary is connected?
For example, do I need to add the following on the secondary, or will it be synced from the primary?
admin-context NAME
context NAME
 allocate-interface Ethernet0/0.14
I have an issue bringing up my RMA'd primary ASA unit.
So what happened so far:
1. Primary unit failed.
2. Secondary took over and is now secondary - active (as per sh fail).
3. Requested RMA at Cisco.
4. Got the ASA and checked that the license (SSL), OS (8.2.2) and ASDM are at the same level as the secondary.
5. Issued wr erase and reloaded.
6. Copied the following commands to the new (RMA) primary unit:
failover lan unit primary
failover lan interface Failover Ethernet3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
int eth3
 no shut
failover
wr mem
7. Installed the primary unit into the rack.
8. Plugged in all cables (network, failover, console and power).
9. Fired up the primary unit.
10. Expected that the unit shows:
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
11. But nothing happened on the primary unit.
What is a valid and viable approach to replacing a failed primary unit? Is there a missing step that prevents me from successfully replicating the secondary - active config to the primary - standby unit?
I was not able to find anything related to ASA 55xx primary unit replacement with a clear guideline or step-by-step instructions.
Our company is going to change its ISP. The external IPs are obviously going to change too. We have an Active/Standby firewall pair and we would like to make the change with as little loss of connectivity as possible. In our configuration we have nearly all the features configured that a normal production firewall has, such as NAT, site-to-site VPN, remote-access WebVPN, ACLs and also routing. I have looked up some information in this community and I am still not sure about the steps to be taken to reach our goal.
I have read that changing only the "names" from the old IP range to the new IP range would not really make the change. The old IP range would still be configured in the features using the external IP addresses. Therefore we have to first delete all the information (in the running config) connected to these variables and then re-insert it. My biggest worry is that this could be a little tricky during the implementation, if some config lines or objects were left out during the deleting and inserting procedure.
How could we make this change with a low percentage of "copy and paste failures"? I was thinking about changing the "names" to their new IPs and then reloading the ASA afterwards. Will this work out? The primary ASA will be changed first, with the secondary shut down. ASA firmware 8.2.2(12).
What process do I need to follow to rebuild my failover unit? I've had to turn it off because it seems that both the primary and secondary were thinking they should be the active unit. I'm not sure why, but on turning off failover I had internet access again. So I think I want to rebuild the secondary unit's configuration. Do I need to turn off failover on the primary unit first? Disconnect the secondary unit, console into it and remove the configuration (which command removes it from flash?)? Rebuild the interfaces: all interfaces, or just the STATE link between the units? Just trying to get a list of the process.
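The replacement and rebuild questions above (the RMA'd secondary in a multi-context setup, the 5510 pair with two contexts, the RMA'd primary that never replicated, and the failover unit being rebuilt) all come down to the same bootstrap: the new unit needs only the unit-specific failover commands, and the rest of the configuration, including the system configuration and the contexts stored on local flash in multiple context mode, is replicated from the active mate. The following is an added example of that bootstrap, not configuration from any of the posts. GigabitEthernet0/3, the 10.1.1.0/30 failover subnet and the key are placeholders, and it assumes LAN-based Active/Standby failover with the failover and state links sharing one interface. The software version, license, mode and failover key should already match the mate, since failover will not form properly across a mismatch.

```cisco
! Added example: bootstrap for a replacement unit in an Active/Standby pair.
! Placeholders (not from the posts): GigabitEthernet0/3 carries both the
! failover and the stateful link, 10.1.1.0/30 is the failover subnet and
! "f41lov3r" is the failover key. Apply on the replacement unit only;
! everything else comes from the mate.
!
! 1. Start from a clean unit and match the mate's mode first. In multiple
!    context mode the failover commands live in the system execution space;
!    replication copies the system config and the contexts on local flash,
!    but the mode itself is not replicated. "mode multiple" reloads the box.
write erase
reload
! only if "show mode" on the mate reports multiple:
mode multiple
!
! 2. Failover bootstrap (the only lines that are unit-specific).
!    Use "failover lan unit primary" when the primary is the one replaced.
failover lan unit secondary
failover lan interface FOVER GigabitEthernet0/3
! stateful link sharing the same physical interface
failover link FOVER GigabitEthernet0/3
! same command on both units; the unit role picks the active/standby address
failover interface ip FOVER 10.1.1.1 255.255.255.252 standby 10.1.1.2
! must match the key on the mate, otherwise the units will not pair
failover key f41lov3r
interface GigabitEthernet0/3
 no shutdown
failover
!
! 3. Verify on the console. Expect "Detected an Active mate",
!    "Beginning configuration replication from mate" and the unit settling
!    in Standby Ready; then confirm the state on both units with:
show failover
show failover state
```

Nothing else (interfaces, nameif, contexts, allocate-interface lines, ACLs, NAT) is entered on the replacement unit; if "show failover" on the new unit stays at "Negotiation" or never shows the mate, check the failover key, the cabling of the failover interface and that the mode and image match the active unit before touching the rest of the configuration.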
So I set up active/passive failover with 2 ASA 5520s.
The primary ASA has 750 AnyConnect VPN licenses and the secondary ASA has 2 AnyConnect licenses.
I haven't set up the second ASA with the new 750 licenses I purchased, but when I do a show version it shows that the failover licensed features show 750...
Does this mean I do not have to install the secondary AnyConnect licenses on the standby ASA unit?
Output of the secondary ASA:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active
I have to replace our ZyWALL with an ASA 5520. [code]
- connections from inside to outside, inside to DMZ and inside to WLAN
- connections from WLAN to outside, WLAN to DMZ
- connections from DMZ to outside
- connections from outside to DMZ only for ports 25, 110, 143, 80, 443, 22 on IP 82.218.135.3
- connections from outside 82.218.6.10:3389 to IP 10.1.0.200:3389 [code]
I need to replace a faulty fan unit on a CatOS WS-6509 switch. This CatOS switch does not support show inventory, so is there any other CatOS command that will show me this part ID?
We already have a subnet defined on the inside interface and it is in production. The default gateway is this interface's IP. Now I have to add one more subnet, and as the first subnet is defined on the ASA inside interface, I have to assign a secondary IP to the inside interface so that the new subnet's users can easily reach here and go outside.
I have a working DMVPN solution. I am trying to stand up a secondary DMVPN hub at our disaster recovery site. We are trying to deploy a dual-hub, single-DMVPN solution. The HUB2 DMVPN router has an INSIDE trusted interface and an OUTSIDE untrusted interface.
The inside is 10.248.11.x; the untrust/public is 192.168.93.11, which is connected to DMZ 3 on the ASA 5520. Then I am trying to NAT 192.168.93.11 to an outside public IP 199.248.30.x; it's just not working. I have had 2 tickets open with Cisco this week and they are still unable to resolve it. I am sure the ASA 5520 is not configured correctly.
I have a new ASA 5520 out of the box and I have already configured int g0/1 with ip 10.15.14.5 255.255.255.0 nameif inside; kindly see the config details below.
We have two ASA 5520s; the failover unit is showing LU allocate xlate failed. We read on [URL] that it could be a memory problem, but we have checked it and we have 85% of memory free on both nodes. We can also see all xlates on the failover unit.
We forced failover this evening and we can't establish outbound connections via the outside interface; we think xlates or NAT can't work properly.
After being unable to connect to my wireless network, I did a restore, but got a message: System Restore failed to replace the file (C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\98c An unspecified error occurred during System Restore (0x80070002). I've tried 3 restores and get the same message. Am at a loss to get the computer back online. Running Win7 (32-bit) with Norton 360.
I have been tasked to replace a failed sup on a 6500 Sup32 running IOS. Now, the primary sup doesn't have a compact flash. I don't have any CF on me. The replacement sup I received also doesn't have a CF. The Cisco website says that the moment I insert the secondary sup into the chassis it will automatically download the IOS and boot details from the primary to the secondary sup.
I've just had to rebuild my ACS appliance with new hard drives, but I am unable to register the devices to each other; I get a system error. I thought it may have had something to do with the rebuilt device not being joined to the domain, but it has now been joined, albeit using a different AD account, and it still cannot register to the primary.
I have a 6509 with dual sups; the secondary sup has failed and I am not able to bring it up even after a reboot. The state says unknown/other. What does that state "unknown" mean? I could not find any documentation about this state. [code]
I am currently getting a strange error when trying to use any crypto services on our ASA 5520 (8.0.3). Initially I observed that a connected VPN had dropped. Then when I attempted to use ASDM or SSH I was blocked.
In the end I opened telnet as a test and this was successful. Syslog also shows that traffic is passing as normal. The only obvious error I can see when observing various debug traces is this:
FW02#
CTM: rsa session with no priority allocated @ 0xCF1FBBA0
CTM: Session 0xCF1FBBA0 uses a nlite (Nitrox Lite) as its hardware engine
CTM: rsa context allocated for session 0xCF1FBBA0
CTM: rsa session with no priority allocated @ 0xCE7A5EA8
We have an ASA 5520 in production with a brand new internet feed we've just finished installing. We connect to our corporate office via a VPLS. In our corporate office we have a Cisco 1841 (I think that was the year it was made!) with an ADSL feed with a static IP address plugged in directly.
We have a user VPN, integrated with our user directory, on the router, which connects via the ADSL. The users get an IP address at the tail end of the 172.31.14.0/24 range, which is the same as one of our corporate subnets (we just reserve a few addresses; we don't have many VPN users).
Both the ASA and the router connect to each other (via the VPLS) on the internal subnet 10.255.255.0/24.
- The ASA is 10.255.255.1
- The router is 10.255.255.100
Currently the default route for the corporate office goes out the Dialer interface for the ADSL, which means that's where our internet goes out (all proxying aside, we'll leave that out of this one).
ip route 0.0.0.0 0.0.0.0 Dialer1
We'd like to change that default route to go via the VPLS to the ASA, and then out to the internet using the new feed. All the ACLs and rules are in place at both ends for this to work. If I change the default route on the router to:
ip route 0.0.0.0 0.0.0.0 10.255.255.1
then it works as expected.
The problem is that the user VPN then breaks. I had hoped I wouldn't have to do any configuration on this, but it looks to be so. I'm guessing that the VPN packets are coming in via the ADSL and going back out via the new internet. It would be simple if the remote client had a static IP address, as I could put in a static route for each user, but it's always going to be dynamic.
What do I need to put in place to get this working? I thought maybe I could leave the default route via the ADSL and put in a next-hop rule to go via the VPLS for the specific subnets that need the new internet, i.e. have a subnet-specific default gateway; is this possible? (I gave it a go but it didn't seem to work; I think I didn't implement it properly though, as it still went via the ADSL, maybe because there is a NAT route-map as well?)
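For the router question above, one approach (an added example, not configuration from the post) is a local policy route-map on the 1841: the default route moves to the ASA, while packets the router itself sources from its ADSL address, which is what the IKE/ESP replies to a dynamic-address VPN client are, are forced back out Dialer1. Ordinary interface PBR does not see router-generated traffic, which is why "ip local policy" is needed here. 203.0.113.10 stands in for the static ADSL address, and the ACL and route-map names are placeholders.

```cisco
! Added example (not from the post): keep the new default route via the ASA,
! but send packets the router itself sources from its ADSL address back out
! Dialer1. Placeholder: 203.0.113.10 stands for the static IP on Dialer1.
ip route 0.0.0.0 0.0.0.0 10.255.255.1
!
! Match everything the router sources from its ADSL address (IKE replies,
! ESP/UDP 4500 to the VPN client, whatever dynamic address it came from).
ip access-list extended VPN-VIA-ADSL
 permit ip host 203.0.113.10 any
!
route-map LOCAL-PBR permit 10
 match ip address VPN-VIA-ADSL
 set interface Dialer1
!
! Local policy routing applies to traffic generated by the router, which
! "ip policy route-map" on an interface would never see.
ip local policy route-map LOCAL-PBR
!
! Verify while a VPN client is connected: the policy match counter should
! climb, and the client's session should stay up after the route change.
! show route-map LOCAL-PBR
! show ip route 0.0.0.0
```

Inside-to-internet traffic from the corporate subnets is unaffected by the local policy and follows the new default route to the ASA; only replies the router generates from its own ADSL address are pinned to Dialer1, so the asymmetric path (in via ADSL, out via VPLS) that breaks the VPN goes away.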
My question is very simple: is there any way or feature that could allow us to have a backup VPN tunnel on the secondary ISP on the ASA 5520? Let's assume the primary ISP goes down; is there any way for the VPN tunnel to come online on the backup ISP? [code]
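As an added example for the backup-ISP question, and not the poster's [code] section: the ASA tracks the primary ISP gateway with an SLA monitor, a floating static route on the backup interface takes over when the track fails, and the same crypto map is applied to both ISP interfaces so the tunnel can be rebuilt from whichever interface currently holds the default route. The remote peer then lists both of our addresses and tries them in order. Interface names, addresses, the ACL, transform-set and tunnel-group names and the pre-shared key are placeholders; the syntax is the 8.2-era "crypto isakmp" form (8.4 and later use "crypto ikev1" for the same commands).

```cisco
! Added example (not from the post). Placeholders: 203.0.113.1 / 203.0.113.10
! are the ISP1 gateway and our address on "outside", 198.51.100.1 /
! 198.51.100.10 are ISP2 on "backup", 192.0.2.10 is the remote VPN peer,
! 10.1.0.0/24 and 10.2.0.0/24 are the protected networks, and the remote
! side is also an ASA.
!
! 1. Track ISP1 and fall back to ISP2's default route when the ping fails.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! 2. Same crypto map on both ISP interfaces, so the tunnel is rebuilt from
!    whichever interface the default route currently points out of.
access-list L2L-ACL extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto map VPN-MAP 10 match address L2L-ACL
crypto map VPN-MAP 10 set peer 192.0.2.10
crypto map VPN-MAP 10 set transform-set ESP-AES-SHA
crypto map VPN-MAP interface outside
crypto map VPN-MAP interface backup
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key PlaceholderKey
!
! 3. On the remote ASA: list both of our addresses (tried in order) and a
!    tunnel-group for each, since the peer address is the tunnel-group name.
crypto map VPN-MAP 10 set peer 203.0.113.10 198.51.100.10
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PlaceholderKey
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key PlaceholderKey
!
! Verify: pull the ISP1 cable, watch "show track 1" flip to Down and
! "show route" switch the default to backup, then confirm the SA is
! rebuilt with "show crypto isakmp sa" and "show crypto ipsec sa".
```

Two things to check in a real deployment: the remote side must allow IKE/ESP from our backup address as well as the primary one, and the cut-over is not instantaneous, since the existing SAs on the primary address have to time out or be cleared before the remote peer retries the second address.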
I have a pair of ASA 5520s in active/active failover; this works fine. Both primary and secondary ASAs are running 8.2(2) code. I have a 30-day temp 50-seat SSL license that I applied to the primary. I then started having problems with L2L tunnels.
I noted that if the 'show crypto isakmp sa' state for an L2L was MM_STANDBY, then the remote protected net could not reach my side. However, I could ping across to the other side, at which time the state changed to MM_ACTIVE as I would expect, and the remote could then reach my side.
I believe this results from the differences between the two licenses. When I applied the 50-seat SSL license it disabled failover, but I was willing to risk that for a few days to show my customer the benefits of SSL connectivity. Note the license differences. Is this causing the MM_STANDBY IKE issue, and if so, can I overcome it and use the 50 SSL VPN Peers license?
My business has an old PIX 515E and I'm about to install it in a "testing" environment, but no one can remember the password for this old equipment. Is there a way to reset the password?
But when it reboots and I type "enable" on the console it asks for a password, and the password isn't "cisco" as the factory default. I really need this firewall up and running ASAP.
I'll be upgrading an HA pair of ASA 5520s next week, and wanted to clarify the procedure. I read "Upgrading an Active/Standby Failover Configuration" at [URL], which suggests placing the image on both units, updating boot statements, then issuing failover reload-standby. But I was wondering if there's a way to be a bit safer. I'd like to modify the standby unit without affecting the config on the active. So I'd like to modify the boot statement on the standby without modifying the active config. That way, in case there's a problem and the active reboots, it won't upgrade.
Can I modify the config on the standby without affecting the active? Then I'd like to test the newly upgraded unit with our production traffic. Would that simply be no failover active, and then, once the standby becomes active, test traffic? Once everything is okay, I would upgrade the second unit and fail traffic back.
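As an added example, not the procedure from the linked document or the post: the sequence for upgrading an Active/Standby pair one unit at a time, with the standby reloaded and tested under production traffic before the second unit is touched. Image and ASDM file names and the TFTP server are placeholders. The "boot system" line is part of the replicated configuration, so it is set once on the active unit and applies to both; leaving the old image as a second boot entry keeps a fallback if the new image fails to boot.

```cisco
! Added example (not from the post). Placeholders: asa822-k8.bin and
! asdm-622.bin are the target images, asa805-9-k8.bin the current one,
! and 10.0.0.5 the TFTP server. All commands are typed on the active unit
! unless the comment says otherwise.
!
! 1. Stage the images on both units (failover exec runs the copy on the mate).
copy /noconfirm tftp://10.0.0.5/asa822-k8.bin disk0:/asa822-k8.bin
copy /noconfirm tftp://10.0.0.5/asdm-622.bin disk0:/asdm-622.bin
failover exec mate copy /noconfirm tftp://10.0.0.5/asa822-k8.bin disk0:/asa822-k8.bin
failover exec mate copy /noconfirm tftp://10.0.0.5/asdm-622.bin disk0:/asdm-622.bin
failover exec mate dir disk0:
!
! 2. New image first, old image second as a fallback. This is replicated
!    to the standby, which is why the standby cannot be pointed at the new
!    image independently of the active.
clear configure boot
boot system disk0:/asa822-k8.bin
boot system disk0:/asa805-9-k8.bin
asdm image disk0:/asdm-622.bin
write memory
!
! 3. Reload only the standby and wait for it to come back as Standby Ready.
failover reload-standby
show failover
failover exec mate show version
!
! 4. Move production traffic onto the upgraded unit (this unit goes standby).
no failover active
!
! 5. Test under load. If it holds, on the now-active upgraded unit reload
!    the remaining old-image unit, then optionally fail back to it:
! (on the upgraded, active unit)
failover reload-standby
! (after it reports Standby Ready, on whichever unit should end up active)
failover active
```

If the upgraded standby misbehaves at step 3 or 4, "failover active" on the original unit puts traffic back on the old image, and the unit that took the new image can be rebooted into the old one from the second boot entry while the pair is investigated.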
I checked the ASR 1006 config with ESP-40; the firewall performance can reach 40G, while the ASA 5580 is 20G. Can the ASR 1006 replace the ASA 5580? Is there any function/feature problem?
I've tried to upgrade a redundant setup from 8.2(4)4 to 8.2(5)22, ending with a standby ASA continuously crashing after the config sync phase. On the first crash it even corrupted the flash, leaving me no choice but to initialize the box from scratch.
I'm trying to do some research on the Dispatch Unit process. It seems high CPU and this process go hand in hand. I haven't figured out an effective way of determining what underlying issue is the actual source. How do I understand what the Dispatch Unit process is doing? I have an ASA 5550. I have seen the CPU hover around 85% +/- 5% for sustained long periods, 30-60 min+. I have always been under the impression that at around 80% CPU you're probably dropping packets (that could be an outdated belief).
Did setup IAW instructions. Got to step 9 where it went into configure mode. Last few messages:
192.168.1.5 to 192.168.1.1 (BUILT INBOUND TO IDENTIFY), then 192.168.1.5 START SSL HANDSHAKE FOR TLSW1 SESSION, then 192.168.1.5 COMPLETED HANDSHAKE, then
[Code].....
Now I am unable to do anything with the 5505. Cannot log in, cannot get a ping of 192.168.1.1, cannot get into the unit and do a factory reset.
I have just noticed that my Cisco ASA 5510 CPU utilization is increasing up to 30-35%, and when I issue sh processes cpu-usage I have found that Dispatch Unit occupies most of the utilization.
We are running two failover pairs of ASAs (5510, 5505) in two different locations in active/standby configurations. Is it possible to access the inside IP of the standby unit via a VPN terminated by the active unit? It's only for monitoring. With our configuration here it is not. Is that possible in general?
I normally only do IOS config. I have a little problem when trying to set up this unit. It boots ASA software 8.0.4 fine. When I go to enable mode and into configuration mode and try to configure an IP on an interface I have a problem.
ciscoasa(config)# int
ciscoasa(config)# interface man
ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# ?
Interface configuration commands:
  default      Set a command to its defaults
  description  Interface specific description
  dhcp         Configure parameters for DHCP client
  duplex       Configure duplex operation
  exit         Exit from interface configuration mode
  help         Interactive help for interface subcommands
  no           Negate a command or set its defaults
  shutdown     Shutdown the selected interface
  speed        Configure speed operation
ciscoasa(config-if)#
I did try to upload the new software 8.4.2 from ROMMON using TFTP. It boots 8.4.2 fine, but has the same problem as in 8.0.4. I did try to create a user having priv 15 and logging on as that user. It gives the same. The firewall is not in transparent mode.
I have two ASA 5510s set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one runs just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from the console. It's just a huge crash dump. Is there anything I might have missed during the upgrade? Should I cold-boot both firewalls in the correct order?