Cisco Firewall :: 5550 - Failed Instead Of Standby / Ready
Mar 4, 2011
Here are the configs for failover:
PRIMARY
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
failover link failover GigabitEthernet0/3
failover
SECONDARY
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
failover lan unit secondary
failover
In the above configs is it i m missing something for failover? when i shut the INSIDE interface of Secondary ASA I get the below output, It shows me secondary failed and primary Active, WHY it is showing me FAILED instead of STANDBY/READY. What i know about firewall failover is when active goes down the other becomes standby unit but in this scenario it is showing me FAILED,
FW0001(config)# sh failover
Failover On
Failover unit Secondary
[Code] ....
View 8 Replies
ADVERTISEMENT
Jun 12, 2011
I would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
View 1 Replies
View Related
Dec 20, 2012
I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running on transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA: [code]My questions are the following:
1. The management ip address is different than the ip used for the failover link. Since the firewalls are on transparent mode, does the failover ip needs to be the same as the management ip address?
2. Does any other additional config is needed for HA to work for basic active/stand-by failover?
3. Which is the best method to add the second box without disrupting the active box?
View 3 Replies
View Related
Feb 17, 2013
Customer is running ASA 5550 with software 8.2.5 version.
They continously get the below messages
%ASA-3-210005: LU allocate connection failed
%ASA-3-210007: LU allocate xlate failed
I have already searched in the forums and also BUG toolkit, These issue has either been resolved in prior relases or in 8.4 .x train. I didnt find any bug which says that it has been found in 8.2.5 release.
I have also run "show conn count" and "show xlate count" I see these is difference in count output.
From Standby
COGINBLRMBPB1INTF1# show conn count
6097 in use, 17220 most used
COGINBLRMBPB1INTF1# sh xlate count
[Code].....
View 2 Replies
View Related
Aug 19, 2012
I want to implement Active/Standby cluster with a pair of 5550 ASAs and I have a licensing question. Here is the "sh activation-key detail" output from both devices...
ASA1:
sh activation-key detail:
Serial Number: XXXXX
No active temporary key.
Running Activation Key: XXXXX XXXXX XXXXX XXXXX XXXXX
[code]....
This platform has an ASA 5550 VPN Premium license.The flash activation key is the SAME as the running key.So it looks obvious that I'll have to upgrade the first ASA to support 25 SSL VPN Peers in order to build HA cluster, right?Now I want to know do I need the "ASA5505-SSL25-K9" license or something else.
View 12 Replies
View Related
Sep 22, 2011
last night I started upgrading our ASA5520 active/standby cluster. Because of lack of memory, I stopped the upgrade process and will continue when the memory modules have arrived... Currently I'm running 8.0(5) on both nodes (Version: Ours 8.0(5), Mate 8.0(5))Whenever I use the "write standby" command on the active ASA, the passive ASA seems to drop it links for a short while. [code]
View 4 Replies
View Related
Sep 7, 2011
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
View 1 Replies
View Related
Mar 3, 2011
i two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .interface Ethernet0/0 nameif outside security-level 0 ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2!interface Ethernet1/0 nameif inside security-level 100 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11.default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .in this case the secondary ip add 10.0.0.11 is actually nerver used? similarly do i need to have two public ip address for outside (one for primary and one for secondary ) ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.
View 6 Replies
View Related
Feb 22, 2013
I have cisco 5550 Firewall, one messages appear in syslog server from Firewall, (warning) i want to stop this message from appearing syslog traps.
View 2 Replies
View Related
Apr 17, 2011
I am having two ASA 5550 firewall running in active/standby mode. With in last two months our secondary firewall got down automatically 3 times. Firewall is running with IOS version 7.1.2. how to proceed further troubleshooting because there are not any logs on firewall.
View 3 Replies
View Related
May 13, 2011
I have ASA5550 ruuning Version 8.3(1) with inside and outside interfaces as below [code] On the inside : I have a server (10.20.10.36) that need to be accessed from an outside host (Y.Y.131.34) , so I have the below NAT/ACL rules. [code] is it right that I have to add two ACL entry for outside host to the NATed IP of the inside server , then again add another ACL entry from the same outside host to the private IP of my inside server o get this communication done?
View 7 Replies
View Related
Jan 31, 2012
we had just installed our ASA 5550 with IOS 8.0(2) a couple of week ago.
2 interfaces from each slot are being used ie 0/0 for Branch users comming via MPLS cloud , 0/1 for internal LAN users comming form Core Switch & 1/0 for Server farm LAN , 1/1 for Internet (outside)
the first 3 interface are considered inside with sec set at 100 while the 1/1 is outside with sec at 0.
Last night it suddenly started dropping all connections without any warning or any noticible log form the ASDM logging.
the connection drop would happen for 2 - 3 minutes and would work fine for the next 15 minutes or so..
after conencting the console , we found out that the IOS would suddelny go abrupt and show this display ...
TP-ASA(config)# TP-ASA(config)# TP-ASA(config)# Thread Name: Dispatch UnitPage fault: Address not mapped vector 0x0000000e edi 0x24d184b0 esi 0x0000000d ebp 0x1c6ceaf8 esp 0x1c6ceae0 ebx 0x09e965e0 edx
[Code]....
View 2 Replies
View Related
Oct 4, 2011
I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (NAT 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.
We have public addresses inside the ASA and want to allow in/outbound connections using these IP's without NAT. The ASA is a 5550.
View 7 Replies
View Related
Jan 1, 2013
can I install and Cisco WAAS and Cisco Prime Network Analysis Module (NAM) together on a single Cisco Service-Ready Engine (SRE) 910 module? Or it can only run 1 of the software?
View 2 Replies
View Related
Jun 26, 2011
I'm trying to connect to a wireless network provided by a Sprint mobile hotspot. My computer is running XP SP3 and using a wireless USB adapter to do it. (802.1n)I can detect the network but when I try to connect using Windows I get the message "Windows waiting for the network to be ready." And apparently the network is never ready.I can also use the software that come with the adapter. That doesn't work because when I put in the password for WPA 2, the program saves a password that is far longer then the one I entered. Then I get the message "Authentication failed!" Well, duh.Then the computer tries to connect over and over with no results. "Trying to connect ... disconnected ... etc."
View 13 Replies
View Related
Apr 26, 2011
setup ready share on my WNDR3700? when i log into the router it sees and recognizes my hard drive but it wont let me create a network folder all the buttons are grayed out
View 8 Replies
View Related
May 21, 2013
I need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
View 2 Replies
View Related
Mar 10, 2013
I have Active Standby ASA5550 setup with VPN premium license. A few days back we had a requirement of SSL VPN connection for and we got a temporary from Cisco for same, this license expired and the ASA reverted to it's original license. 3 4 days after this we saw a sudden increase in CPU utilization (upto 90% + -5%) on the ASA during production hours but were not able to figure out the reason, in order to restore the services we failovered the firewall to secondary and everything worked fine. We were suspecting one of the following but there were no logs for any of this
1. The ASA hardware was haivng problem
2. Some client was doing a DoS attack to bring down the ASA (no logs for this as well).
We took a downtime to look further by failovering the ASA back to primary and it worked fine without any issues ruling out the 1st option. We also came across a licesing doc [URL]
Downgrading any license (for example, going from 10 contexts to 2 contexts).
# Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
As per this doc, sooner or later a restart was required on the ASA. We restarted secondary ASA and everthing was fine but when we restarted the primary ASA by swtiching over to secondary some of the server (not all) in the DMZ stopped working (even ICMP unreachable) and only came back to normal when the primary ASA was restored and working fine (with failover).
The reboot was done by shuting down the physical link between the Core switch and ASA inside individually.
I am not sure what could be the issue that the servers in the DMZ wen unreachable.
View 0 Replies
View Related
Aug 9, 2010
In my Cisco ASA 5550, I need to set two different syslogs servers, and I need to send the system logs to the first one (only admins login/logout), and the traffic logs and all the rest (informational level) to the second one. Do you know if is it possible or not and, if yes, how to configure it?
View 6 Replies
View Related
Apr 26, 2011
I am using an ASA5550 for a complex secure network that has at least six "outside" networks. Each "outside" network is assigned to a specific port each set at level "0". I also have a DMZ, set to level "50". I am having difficulty with passing traffic from a host in the DMZ to all but one of the "outside" networks. Is there a limit to the number of "outside" interfaces? I will provide a redacted config file as soon as possible.
View 3 Replies
View Related
May 10, 2013
i have Cisco ASA 5550 and i want to do URL filtering using Web sense,can i use Micorsoft Forefront TMG2010 as websense server to do that?
the idea is to filter the HTTP & HTTPS URLs,if the Micorsoft Forefront TMG2010 is not suitable,refer to suitable Websense URL filtering server?
View 2 Replies
View Related
Oct 3, 2011
I have the following problem, right now we have an ASA 5550 connected to the client´s side. A reset is being received on the client´s side, but when we run the sniffers on both extremes of the network, we can see that the reset is not being sent by the server´s side.
We have narrowed it down to the 5550 ASA, but have found no bug that matches the description.
The characateristics of the reset packet are the following:
- It is the only packet with a TTL of 255.
- Both server and client have very different window sizes, and the reset packet even though has the server´s ip and port as source of the packet, it has the client´s window size.
- It has a correct ack number.
-Before the reset is received, there are a couple of retransmissions of the last packet sent.
- We´re handling a VPN tunnel between both servers.
View 1 Replies
View Related
Feb 7, 2011
i m looking for asa 5550 product.Part # ASA5550-BUN-K9 - Cisco ASA 5550 Appliance with SW, HA, 8GE+1FE, 3DES/AES
1) does 5550 contains built in CSC / IPS modules.? why i m asking because the "quick refrence guide " indicates that expansion slots are not available.
2) can asa 5550 natively protects natively against networks attacks against virus / worms etc with out CSC OR IPS MODULE.?
View 9 Replies
View Related
Apr 23, 2013
I am about to carry out a migration from ASA 5550 to ASA 5555-X, however I cannot find any detailed document or reliable tool for this migration.
View 4 Replies
View Related
May 22, 2012
I cannot logon with adsm anymore.when I run adsm, I type in my pw, and the screen keeps displaying "contacting the device". No timeout, just stays this way.I've updated the java version, no luck.I can connect with SSH with no problem. device = asa5550, 8.2(1) asdm 6.2(1) [code]
notice that there is no "with cookie-based authentication" here -- is this relevant?
Rebooting the device is not really an option.
View 7 Replies
View Related
May 2, 2012
I have an issue were thousands of connections on the ASA are marked with flags E, below is a visual of the connection. Any ideas what could cause this marking? Also, I can't grasp what the meaing of an outside back connection (ie flags E).
TCP DMZ:X.X.X.X/139 Inside:X.X.X.X/1828, flags E, idle 9h37m, uptime 9h37m, timeout 15s, bytes 0
View 0 Replies
View Related
Jan 10, 2011
i'm installing a Firewall Cisco ASA 5550 with 8 Gigabit interfaces.
I have installed firmware 8.2.3.
Is it possible to make link aggregation on ASA to have more bandwith?
View 7 Replies
View Related
Aug 7, 2011
I have a couple of ASA5520 and ASA5550, and I wanted to know if it is worth it to upgrade the software from 8.2(4) to 8.2(5)? Because of the RAM I cannot upgrade to 8.3 for now.
View 1 Replies
View Related
Jan 8, 2013
I just got a brand new ASA 5550, i configured the port g0/0 on asa with an ip address 192.168.10.1 then configure my computer with ip 192.168.10.2 and default gateway is 192.168.10.1. I'm able to ping the asa from my computer. I remote to ASA thru the console port and try to copy iOS from flash to my pc but it doesn't work.
Cisco asa# copy flash tftp://192.168.10.2/asa804-k8.bin
Source file name []? asa804-k8.bin
Address or name of remote host [192.168.10.2]?
Destination file name [asa804-k8.bin]?
Writing file tftp://192.168.10.2/asa804-k8.bin...
!%Error writing tftp://192.168.10.2/asa804-k8.bin (Timed out attempting to connect)
Cisco asa#
View 3 Replies
View Related
Apr 6, 2011
I have two box cisco asa 5550 in multiple context mode and failover.
My network topology is:
Outside Network
•
•
•
DMZ2 Network • • • • (CISCO ASA 5550) • • • • DMZ1 Network
•
•
•
Inside Netowork
My interface "Inside Network" is full(I think).I can't diagnose this, based on command "sh interface gigabitEthernet"
109042974565 packets input, 100691006385765 bytes
94097614769 packets output, 59002295942465 bytes
999339444 packets dropped
My interface is 1GB, based on the above command, it is full?If interface is full, i have a problem! All the ports on asa firewall are using, how do resolve this? I can compress all data on this interface with class maps and policy maps?
View 4 Replies
View Related
Apr 22, 2013
We are having Cisco ASA 5550 appliance. from some days i am not able to access this ASA using ASDM. I am able to access ASA using SSH.[code]
At the same time standby firewall works perfectly fine with ASDM. I have tried by reloding the firewall, then it worked for 2 days & again stopped working.
View 6 Replies
View Related
May 1, 2012
Our users are using Xmanager to connect to a NNM connection which is going through a Cisco ASA5550 with 8.3. The session of Xmanager is getting terminated exactly after 1 hour and the users have to reconnect it again. How can we make the session to be up always, when I am bypassing the Firewall its always up.
View 2 Replies
View Related
Oct 25, 2011
Is it possible to use ports from 2 SFP and 2 RJ45 Interface on ASA 5550 Module 1.
View 5 Replies
View Related
