We have ASA running code 8.0.4 with Active/Standby for quite long time. Today when we gave the command wri standby it started sync the config to standby ASA but waited forever.when we checked the show failover, we got the following result.
This host: Secondary - Active
Active time: 1928633 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface PERIMETER-MGMT (10.12.8.1): Normal (Not-Monitored)
Interface OUTSIDE (86.36.xx.xx): Normal (Waiting)
When we console to Standby ASA and tried to save (wri mem), we got the following error and also please note the hostname has become default...?
ciscoasa(config)# wri memory
Command Ignored, Configuration in progress...
and when we tried to give following command we got this error:
I have a pair of ASA5520, each has a CSC-SSM module, all specs and licences match and the ASA failover between active and passive firewalls works as expected. However, I am unable to get the two content modules to sync. ASA are running 8.4... and attach diagram show cabling. Each CSC-SSM uses it's connected port as a gateway, although I've tried using both primary and standby IP.
When I try to sync the devices as per the Trend Micro instructions I get the error: "InterScan for CSC SSM could not establish a connection with the failover peer device. Please verify network connectivity with the peer and that the peer is functioning properly, then try again."
All interfaces are up/up. I cannot see the other CSC-SSM in either ASA's arp table. Neither CSC-SSM can ping the other, and none of the guides I've found so far details the pre sync config of the CSC-SSMs.
According to the link here:[URL]Starting with Version 8.3(1), it no longer needs to install identical licenses. Typically, we only buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active.So I wanna know if there's some additional configuration to synchronize the licenses such as SSL VPN or Context between the primary one and the second one? Or they can just synchronize by default as soon as I finish the failover configuration and when the primary one gets down, the second one will take over the role including licenses automatically?
I just got a new RV042. V3 Hw.For setup and testing before putting it in action, I've attached the WAN1 side to my internal network.But it fails to get an IP address, and the log shows: "Infinite lease time, exiting".My current router on the LAN is giving out DHCP addresses with 3 hour lease time, and I've checked with the PC's on the LAN that this is correct.The routers DHCP status shows that the lease time for the RV042 is 3 hours ahead.So why does the RV042 complain about long lease time ?Is there a way to avoid this error from occurring?
I have tried to change from 'Gateway' to 'Router', but this does not change anything.Also tried a factory reset, with no luck.Fw is upgraded to the latest 4.0.4.02
I just bought a WAP321 Wireless AP. I wonder why it cannot sync with our time server automatically. Every time I reboot it, the system time become "Fri Dec 31 1999 12:00:00 UCT". I have to do the sync manually by clicking on the "Save" button under the menu Administration > Time Setting.
I have 2 PIX 525, which one of them, step and active failover mode the other PIX 525, leaving this off, do not know what happened may have been a power outage, but in any case I can turn it back on? And the other question I have is if I can import a configuration that I have saved on my computer. i have the PIX device manager.
I discover an issue with my CISCO ASA 5550 because I'm looking at the vlans that I have configured and some vlans on the Stand by device had not an IP address configured, checking the configuration of the failover
I have 2 ASA 5540s ver 8.3 in Active/Standby state.I am considering a future hypothetical situation where I might need to rename interfaces or reallocate redundant interface groups. Doing so obviously has a major impact on the current primary configuration. My goal would be to minimize or eliminate network downtime during the interface changes.
I am wondering if it is possible to force the secondary ASA from the standby to active state.Then temporarily disable failover on the primary unit.Make the interface changes on the primary unit Then reactivate failover on the primary unit Force the primary unit back to active and secondary unit to standby My new interface configuration would then sync from the primary to the secondary.
I believe this would work but must ensure that the secondary ASA can function as the active unit while the failover is disabled on the primary unit. Is there a set length of time the secondary unit can remain active without a failover peer?
see issues with operating the secondary unit in this manner while making changes to the primary unit?
We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.
I am trying to establish EIGRP neighborships with my inside switches (3750s) over the "Internal" interface, shown in green. The outside interface is g0/0 and don't worry, I've ensured EIGRP is not running there.The problem I'm having is that I need to monitor the "Internal" link so that if it goes down, the ASA triggers the failover to the secondary firewall connected to the other switch. I was told that the "secondary" keyword was what enabled this:
This is fine since I am able to compare this config to the firewalls that are currently in production elsewhere in the environment and this is what's in use there. However, in order to run EIGRP all the way to the firewall and not rely on something else like HSRP for the inbound traffic, I'd like to run the corresponding links (Gi1/0/22) on the inside switches as routed ports (no switchport) so that I don't have to establish neighborships with SVIs or something like that. I want the routing to be done directly to the port, leaving the interfaces for failover and our DMZ set up as switchports, since those can be layer 2.It's saying the Internal interface has failed now, probably because it cannot send hellos through this, since it's a routed port on the switch side. I'm wondering if this simply is an impossible design, unless there's a way to track this interface and trigger a failover if it goes down using another method.a method that allows me to track that internal interface (Gi0/1) and trigger a failover if it goes down.
I had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time. Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer. I disconnected the failover cable because it was complaining about version mismatches constantly.
Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?
I have two sites that each have asa 5505's and each have dual ISP's. Currently I'm using sla monitor to failover to the secondary line when there is a detected outage. After this sla failover occurs which seems to be instant, secondary ISP re-establishes the VPN. This process takes about 30 seconds. My thought is that the side which is healthy does not detect the outage due to a preset amount of timeouts and thats where this 30 second delay comes in to re-negotiate the VPN tunnel. can I create a smaller window of time to heartbeat between the two so that the VPN outagage is detected in around 5-10
I have two asa 5520 firewalls. one at my primary data center connected to our production Internet feed, and one at my fail over data center connected to a backup internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our isp that will move our public facing address block from our primary site to our dr site in the event of a disaster so the ip addresses will not change if we were to have to fail over to the DR site. currently i just have to do any changes that i make on the fail over server but would like a way to at least simi-automat this if not fully automat this so that i can eliminate the possibility of human error of a change happening at primary but never getting don at DR.
I just recently setup a network in my home and selected the D-Link DIR-655 router to manage traffic. It's not clear to me when this issue first appeared as I've been away so apologies for not having a proper timeline.The router is setup in it's default configuration with only the IP Address being changed due to a conflict with my DSL modem. I don't have any experience with routers and it seemed to be working fine so I didn't mess with it.However, the router goes into what appears to be an endless series of reboots making it completely unusable. This can occur anywhere from immediately upon a cold start power to a few hours into it.I suspected a defective router and since I had been traveling the warranty was of no use so I purchased a brand new router last week which is also a DIR-655. The new router is doing exactly the same thing as the original one.
If I disable the wireless functionality both routers perform flawlessly for extended periods (many days/weeks). As soon as I enable wireless what appears to be warm start reboots begin as mentioned anywhere from immediately to a few hours along.Since I am new to networking in general and routers in particular I thought perhaps am I doing something wrong and hence my post here.The f/w in the new router is 204NA. I don't recall the f/w release of the initial router but I did update it within the last month to whatever was the most current from D-Link. If it's important to know the f/w release of the initial router I will find it for you.
Two (2) DIR 655 routers appear to enter a state of perpetual warm start reboots whenever wireless functionality is enabled. This begins anywhere from immediately to a few hours after a router cold start.Disabling the wireless functionality completely stabilizes both routers.
I know that I've run into this before but I can't remember the fix. I have a 5510. The 3 interfaces involved are INSIDE, OUTSIDE, and GUEST. Corporate users are allowed to put their iPhones on the Guest network, but the problem is that their Exchange ActiveSync stops working. It is tied to the external DNS name of the OWA server (we'll say webmail.abc.com). So the users are funneled out one public IP on the OUTSIDE interface and are trying to communicate with the outside of the OWA server, which is NATed to another public IP on the same outside interface. What do I need to do on the ASA to allow users on the guest network (behind the GUEST interface) to access the mail server using its public IP (behind the INSIDE interface)
We have a setup of FWSMs configured in single mode in 6509 chassis. Both 6509 are configured in VSS. Recently I have upgraded the firmwre from 4.0(3) to 4.1(3).....before upgradation config sync was not having any problem.
After upgradation...If any one of the FWSM reload..while coming up it gets stuck in config sync and no command we can run on any of the unit and get the error as.. Configuration update in progress by another process. Also on stannby fwsm no running-config displays.
If we used # failover suspend-config on primary and then reloads the standby fwsm...standby boots up with startup config and when # no failover suspend-config command runs on active fwsm..the sync started and completing succssfully within 15 sec..
Also failover works well..with #no failover active..
What I currently have is a Cisco 891W Router as well as two ISP's (both with dynamic IP's) in. I'm currently just running one of my modems into the 891 through the FE8 port and then if for some reason I have an internet failure switching the ISP modems. What I'm wondering is if there is a fairly simple way to configure (and attach) both modems to this router and then set it up to handle this failover automatically?
I have a 3925 Router with a 48 port switch module (part number SM-D-ES3G-48-P). I have no problem accessing the 3925 Router, but when I go into the 48 port, I get an error that reads
Error Hardware not supported by firmware. Try loading a newer software instead. System Resetting...
I know that the wrong IOS is installed on the switch, but the problem is that this is an endless loop. The switch resets then comes back to the same error. How to get the switch out of this loop so that I can load the correct IOS.
Does Cisco ASA5510 or 5520 can protect DDos attack and sync flood ?I have problem on this, so how can i protect on this, some time i saw on my log like this"sync flood " or "ddos to xxx.xxx.xxx.xxx" the ip address random .
does cisco 2811 support?if no, can i make it work for BGP?also, i want to know the configuration of bGP for twoo ISPs for link failover.it will be google if u tell me step by step approach for configuring it
sample configuration for internet failover . i have 2 ISPs with one coming in thought a serial cable and another through internet and would wish one take over after the other has failed .The router is Cisco 1921 .
Client has an ASA5505 anchoring an MPLS network. One of their branch offices is experiencing frequent circuit outages due to theft of copper lines. I am looking at an 881G with wireless aircard as a backup solution and creating a VPN tunnel to the ASA but am unsure about how to handle routing on the ASA. There will already be a route for the branch subnet for the MPLS network.
I have a two fiber connection from our Central Office(6513) to Remote office (6509). I have a requirement that on the remote office if one of the fiber goes down, the second fiber should work as a failover. I am planning to use SUP720-3B SFP to connect to the CO.
Can I connet one fiber to Sup720-3b G5/1 & another fiber connection to G5/2? or Can I connet one fiber to Sup720-3b G5/1 & another fiber connection to G6/2? I am running EIGRP between sites. Any sample config.
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
4402 Wireless LAN Controller running 188.8.131.52 versión. The equipment is working fine, but after a hard reset i lost date and time configuration.No other configuration is affected, only date and time. What can be the cause of this?
I have been working on my ASA 5510 version 8.2(1) trying to change the maximum connection time. Originally the custom "Group Policy" for IPSEC (Remote Access VPN) was set to inherit the settings from the default system Group Policy (DfltGrpPolicy). The custom group policy for the sake of this discussion is called "ABCD". I have modified the settings on the default (DfltGrpPolicy) as the custom policy (ABCD) was inheriting the configuration from default to disconnect after 1200 minutes. I changed the setting "maximum connection time" to 1200 minutes. I saved the configuration and what not then connected my VPN client, after two (2) hours I was disconnected. Something just doesn't add up.
I went ahead and deselected all inherited properties and manually configured them for the ABCD custom policy. No longer was the ABCD custom policy configured to use the inherited properties/settings. I saved the configuration again tested but instead of having a 1200 minute connection limit, I have 120 minute connection limit. Inside Monitoring --> VPN --> Sesssions : I can click on my session and see Session details". The Group Policy and Connection Profile properly list the "ABCD" custom profile. However, the "Conn Time Out" setting is: 120 minutes. I am completely stumped as to what is going on.
In the actual running config I see: group-policy abcd attributes banner none wins-server value 184.108.40.206 dns-server value 220.127.116.11 dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 60 vpn-session-timeout 1200
What I need to do next to get this working short of a recycle of the ASA.
I need to estimate the installation and configuration time of Cisco NAC (NAC Network Module spare for 2800, 3800 ISR) and Cisco NAC Manager(NAC Appliance 3315 Manager -max 3 Servers. There is some Cisco tool to estimate the installation and configuration time?