Cisco Firewall :: ASA 5520 Activating Failover Config Drops Routing Table

May 21, 2012

I'm attempting to configure two ASA 5520 for active/standby failover.When I enter the “failover” command to enable the config on the primary ASA, the entire routing table disappears.There is no routing process running, only static routes are configured.
 
Is this an expected behavior of the failover process and if so, how long should I wait for the routes to come back?

View 5 Replies


ADVERTISEMENT

Cisco Switching/Routing :: 3560E - HSRP Gateway Failover And Routing Table

Nov 12, 2012

We have two Cisco 3560E layer 3 switches at the core of our network. The switches are configured as an HSRP pair and the clients on our network point to the HSRP address as their default gateway. So if CORE-A dies, then CORE-B will pick up the address and the default route for the clients will continue to be available.We also need to specify a few static routes on the core switch to allow us to get to specific networks. Is there a way to do this so that the routes failover in the same way that the default gateway does?

View 2 Replies View Related

Cisco VPN :: 2621 VPN Tunnel Drops Routes Out Of Routing Table

Dec 11, 2011

My main issue was trying to connect virtuelly via GNS3 and my router setup on it. I have three Cisco 2621 XM routers set up. They all came with 2 Fast Ethernet ports. However, only one of them has a Serial port. So, what I'm doing is connecting the routers together with the fast ethernet ports using crossover cables. So, I baselined two routers to start with. Very simple AAA, set up IP HTTP server, IP HTTP Secure Server, etc. Privledge lvl 15 access, etc.
 
I then set my Router A's inside Fa0/1 port with a 192.168.1.0/24 network. The outside port Fa0/0 is 10.0.0.0/30 network.Router B is set up similar, 192. 168. 2. 0/24 insice Fa0/1, Fa0/0 is 10.0.0.0/30 network outside. So, three networks 192.168.1.0, 192.168.2.0, 10.0.0.0 network. [code] I then repeated the same on Router B, just transposing 2.0 network for interesting traffic, and Peer 10.0.0.2 for the Fa0/0 interface on Router A.When I "test" the tunnel, I get an error message. So, since I'm connected to Router B (which was working, had routing, and had Router A's network 1.0 in it's routing table), the error msg says that I need to add a route into the routing table (192.168.1.0). It was there up until I attempted to put the VPN in place. It's like it stopped the routing.
 
At face value, it looks like this should be working! But when I debug the ospf process, it looks like hello packets aren't tranversing across to the other side. Is it because I just have the 192.xxx.xxx.xxx networks as "interesting" traffic? Can I have multiple networks marked as "interesting"? I thought that's what the peer statements were doing to allow the tunnel to be established.

View 6 Replies View Related

Cisco Firewall :: ASA 5520 With Failover NAT With Two ISP?

Jun 20, 2011

Currently we have one ISP1 and all traffic goes to this way. Suppose our isp1 goes down, our outside user cant get the server. All servers are nated to this ISP1.We planned to purchase a another ISP2. Shall we Configure same inside server to map this ISP2? so that one primary ISP1 goes down it will take place the outside trafficISP2.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 Failover With SLA?

Jul 19, 2011

Is it possible to setup 2 x Cisco ASA 5520 that are in an Active/Standby failover using sla monitoring?
 
For example ASA1 outside interface connects to an upstream switch and you setup sla monitor with icmp echo to ping that switch. The switch goes down and you need the other ASA2 to become the Active ASA. Can the sla monitor be automatically integrated with the failover commands for this to happen?

View 5 Replies View Related

Cisco Firewall :: Migrating From ASA 5520 To 5550 - Transfer Config?

Jun 13, 2012

I have ASA 5520 using ios 8.2(2)
 
I received a new ASA 5550 and want to transfert my config from 5520 to 5550

View 2 Replies View Related

Cisco Firewall :: ASA 5520 Failover Did Not Work?

Apr 17, 2011

I am having ASA 5520 with active/standby configured. Around 2 days ago, the ASA stopped responding & all of my websites stopped working. when i checked the failover status it said that failover is off. I had to manually turn the failover to start my traffic flow.During this time my secondary ASA was not responding. After some time, the primary stopped responding & secondary became active......to solve this i had to make the secondary unit as failover unit primary & the primary unit as failover unit secondary. i did get a log on ASA :-
 
“(Primary) Disabling Failover” with error message no.105001 which states the below:-
 
Error Message %PIX|ASA-1-105001: (Primary) Disabling failover.
 
Explanation In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed).(Primary) can also be listed as (Secondary) for the secondary unit.

View 1 Replies View Related

Cisco Firewall :: Cannot Run ASDM After Failover Asa 5520

Nov 24, 2011

I have 2 ASA5520's in failover pair.After failing over I cannot run ADSM on the secondary (now active device), I get "unable to launch device manager from [primary address]"
 
I can ASDM to the primary device (now marked as "standby ready") on the failover address. I can SSH to it also.I CANNOT ASDM to the secondary device (now marked as "active") on the primary address. I CAN SSH to it.
 
When I run "sh asdm image" I get valid output (asdm image disk0:/asdm-645.bin) on both.However when I run "sh ver" on each it appears ASDM is not running on the secondary device :
 
Cisco Adaptive Security Appliance Software Version xxxx [only]
 
Compared with :
 
Cisco Adaptive Security Appliance Software Version xxxx
Device Manager Version 6.4(5)
 
It appears as though ASDM is only running on the primary device (regardless of the fact it is now in standby mode). Is this normal?
I am having to run in a failover condition due to a intermittent hardware fault on the primary unit but require access to the ASDM for monitoring/diag purposes during this condition.

View 2 Replies View Related

Cisco Firewall :: Failover Between ASA 5510 And 5520?

Sep 27, 2012

Cisco still doesn't provide failover (active/standby) between two different types of ASA, right?
 
[URL]
 
"The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM"

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Failover Pair

Oct 31, 2012

i am trying to setup a failover pair on Cisco asa 5520 - need a state full failover. Do i need two ports dedicated to obtain the above - one for LAN based failover and one for state full fail over ? also do i need a switch in between to connect them ?

View 11 Replies View Related

Cisco Firewall :: ASA 5520 - Configured For Failover

Jan 25, 2012

I have 2 Cisco 5520 ASAs and was configured for Fail over. Unfortunately our Primary ASA went down and Secondary becomes Active and network admin made lots of changes on Secondary Active ASA. What is the best practice to rejoin Primary as standby or active without loosing the existing configuration on Secondary Active ?

View 6 Replies View Related

Cisco Firewall :: 5520 - ASA Failover Pair With Different License

Apr 15, 2013

I have a running ASA5520 in my network and recently we plan to add a failover pair as a standby unit for the running asa. Both of the ASA have the same specs and software. the only thing that the soon to be secondary ASA does not have is the AnyConnect Essential license. is it still possible for the unit to be the standby unit?
 
below is the license capture from both of the unit.
 
Running ASA:
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150     

[Code].....

View 3 Replies View Related

Cisco Firewall :: Failover License Sync Between Two ASA 5520?

Jun 3, 2013

According to the link here:[URL]Starting with Version 8.3(1), it no longer needs to install identical licenses. Typically, we only buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active.So I wanna know if there's some additional configuration to synchronize the licenses such as SSL VPN or Context between the primary one and the second one? Or they can just synchronize by default as soon as I finish the failover configuration and when the primary one gets down, the second one will take over the role including licenses automatically?

View 4 Replies View Related

Cisco Firewall :: Activation Key For ASA 5520 Failover Pair

Mar 20, 2012

We have recently got 2 of our Cisco ASA 5520 firewalls through RMA. These are supposed to run in a Active/Active Failover Pair. There was only 1 RMA request that was opened for both the firewalls. We have received only 1 Activation key for this RMA request for both the firewalls. Just want to check with you if this Activation key will work on both firewalls or do we need a get a seperate one for the other box.

View 1 Replies View Related

Cisco Firewall :: Failover Transparent Mode ASA 5520?

Sep 19, 2012

Recently, I unable to configure the failover on bridge group in transparent mode . I have five interfaces .out of this only 3 is showing in the show run config . Whether I can config failover on on of the data interfaces.
 
I have the ASA 5520 with the version ASA Version 7.2(4) <context>

View 3 Replies View Related

Cisco Firewall :: 5520 - ASA Phone Proxy After Failover?

Dec 3, 2012

I have a problem with my asa phone proxy. i have two ASA 5520  in HA. I have 10 phone register with ASA active primary. if i execute the command show phone-proxy secure-session. i can see the phone session on the ASA.
 
if i perform the same command on the passive ASA i can't see the session replicated from the active member.
 
If i switch the cluster the phone enter in a registrating loop and can't connect to the ASA now active.
 
If i switch back immediately (the session are still present on the first asa) the phone register again and all works

the ASA have version 8.4(5)

the phone are a 7921g
 
is normal that the skinny don't start again and re-register the phone on the ASA that became active after failover?

View 1 Replies View Related

Cisco Firewall :: Copy Files Between Failover ASA 5520?

Oct 29, 2012

I made an ASDM upgrade for one of my two CISCO ASA 5520. If I copy a file to the primary ASA's flash, is there any command I can  run on the primary ASA to copy a file to the secondary ASA?

View 1 Replies View Related

Cisco Firewall :: Adding New ASA 5520 To Failover Pair

Mar 3, 2011

I have one ASA 5520 up and runnign, with complete configuration (ssl customization, DAP, CSD...) with bunch of files on flash drive, etc. I am using software 8.3Now I received one 5520 that I want to use failover, it is with 8.3, I will make sure that ASDM is also the same on both...
 
So, my question is how to make my running ASA to become primary and to push all info (config, files on flash, etc) to new ASA?
 
I found few examples, but nothing tells me how to force one ASA to be the source for sync.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 Cable Based Failover

Oct 2, 2011

What kind of cable is used for failover in asa 5520 ? 

View 11 Replies View Related

Cisco Firewall :: ASA 5520 8.4 Failover Interface Testing?

Jan 3, 2012

From ASA 5520 we tested the interface failover it not working even the interface are getting monitor . 
 
primary is active.
 
Manually we shut the outside interface of the primary device configuration is getting reflecting in secondary as outside interface shut. Interface failover not happen.
 
ii All the interface are getting monitor when we gave command sh failover. even though when we shut outside interface failove not happening.
  
how to do the interface failover in ASA 8.4 version.

View 3 Replies View Related

Cisco Firewall :: Rebuild ASA 5520 Failover Unit

May 12, 2011

What process I need to follow to rebuild my failover unit? I've had to turn it off because it seems that both the primary and secondary were thinking they should both be the active unit. I'm not sure why. But in turning off the failover, I had internet access again. So I think I want to rebuild the secondary unit's configuration. Do I need to turn off failover from the primary unit first? Disconnect the secondary unit, console into it and remove the configuration (command to remove from flash?)? Rebuild the interfaces..all interfaces or just STATE between the units? Just trying to get a list of the process

View 1 Replies View Related

Cisco Firewall :: ASA 5520 Failover Unit Anyconnect Licenses

Jan 2, 2012

So i setup a failover active / passive with 2 ASA5520's
 
Primary asa has 750 Anyconnect vpn licensing and the secondary asa has 2 Anyconnect licenses     
 
I haven't setup the second asa with the new 750 licenses i purchased but when i do a show version it shows that the failover licensed features shows 750...
 
Does this mean i do not have to install the secondary anyconnect licenses on the standby ASA unit?
 
output of secondary asa
:
Licensed features for this platform:Maximum Physical Interfaces       : Unlimited      perpetualMaximum VLANs                     : 150            perpetualInside Hosts                      : Unlimited      perpetualFailover                          : Active/Active 

[Code]......

View 1 Replies View Related

Cisco Firewall :: Cannot Assign LAN Failover Link As Statefull On ASA 5520

Oct 5, 2011

I was trying to assing statefull link as same as LAN failover link on ASA5520 with VPN Plus license. But i am getting the below error. Is there any restriction in the license itself.

View 1 Replies View Related

Cisco Firewall :: 5520 - Failover ASA LU Allocate Xlate Failed

Oct 10, 2011

we have two ASA 5520, on the failover unit is showing LU allocate xlate failed. We read on [URL] that it could be a memory problem , but have cheked it and we have 85% of memory free on both nodes. We also can see  all xlate on failover unit.
 
We have forced failover this evenig and we can´t stablish outbound connexions by outside interface, we think xlates or nat cant work properly.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 Active / Standby Failover - IP Addressing?

Mar 15, 2011

I am getting ready to setup avtice/standby failover on our ASA 5520's and have run in to an issue.I currently only have one External IP address available. My Idea was to use a private/placeholder IP address for the standby external IP Address, will this cause any issues with the failover? I know I won't be able to access the secondary from the outside, but that is not an issue.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Failover In Off State After Applying New License

Mar 24, 2013

We apply a new anyconnect mobile license to our primary asa 5520 and the failover feature went into an off state. WE have now applied a second purchased anyconnect mobile to our secondary asa but the failover is still inactive/off.
 
bcoh1fw50# sh failover state 
State          Last Failure Reason      Date/Time
This host  -   Primary
Disabled       Ifc Failure              14:43:21 EST Jan 30 2013

[Code].....

View 3 Replies View Related

Cisco Firewall :: 5520 Running 8.4(2) - Setup Active / Standby Failover

Jan 30, 2012

I am trying to setup an active/standby failover with 5520's running 8.4(2) and am having problems with it not dropping connections during the failover. I am using a portchannel from the switch to each ASA and using sub-interfaces off that. I'm using the command Failover mac address Port-Channel1 “mac-address on primary Port-Channel1” “mac-address on standby Port-Channel1”.The command goes through but doing a show interface port-channel1 doesn't show a change in the mac address on the secondary unit after a failover when it becomes active.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Interface Reconfiguration In Active / Passive Failover

Dec 20, 2011

Currently l have two ASA 5520's in a active/passive failover scenario.  Currently the interfaces for the inside and outside are fixed at 100/FULL.I want to repatch them into GigE ports setup as Auto Negotiate.Is there anyway of keeping the connections through the firewall active in this type of scenrio or will l have downtime disconnecting and repatching?  or could l possibly disable failover and reconfigure each ?

View 6 Replies View Related

Cisco Firewall :: ASA 5520 / How To See / Log Drops Due To Inspection

Jan 29, 2013

ASA 5520 running 8.4.5:We had an issue with a remote SMTP connection getting screwed up as a result of ESMPT inspect.It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really through me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMPT inspect, packet too big). My quesiton to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs?  So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 8.3 VPN Tunnel Drops Traffic

Aug 23, 2011

We have a 100 Mbps WAN circuit, we have configured an IPsec tunnel between ASA 5520 and Cisco 3845 Router for our DR site replication via Veeam Backup and Replication, it was working fine before, when we established the 3DES tunnel the traffic for certain subnets is dropped after an hour and it stops the replication, although tunnel remains up and we can access the other subnets, as soon as we clear the crypto SA and ISAKMP sessions on the firewall the traffic starts flowing again and then after an hour the traffic is dropped again.So far the testing and differnet configurations we tried are as under.
 
Tried with a different MTU size both on firewall and ESXi servers but nothing happened.Their is no QOS configuration.Checked the utilization on both ends its Noram although their are subsequent 100% spikes on Cisco 3845 but on average it remians at 30-40%.

View 6 Replies View Related

Cisco Firewall :: Does ASA 5520 Support Dual Network Drops

Oct 9, 2011

We are looking to deploy an ASA 5520, but I need to know if it is possible for it to work in this environment.
 
We have colo space, with two IP ranges. They provide two network drops, one from each switch connected to different routers. One in which has 4 usable IP's for management purposes. This address range will be used only for remote access to the ASA and VPN into the management VLAN. The management VLAN will have all internal devices such as the switches, etc. The second range is for the servers, of which will be assigned directly to the hosts and the ASA will need to act as just a firewall. I can do this on IOS, but not sure about the ASA.
 
I need to answer the following questions:
 
Does the ASA support dual network drops, and would this be a failover port configuration in order for it to work?A management VLAN with outbound internet access only, and VPN/RA capability. NAT will need to be used I'm guessing. Can we have a DMZ VLAN which has defined ports, say 80, 443 and 25 inbound and outbound. I need the hosts to have the public IP assigned to them with no NAT configuration.
 
I know there are some advantaged to using NAT, but I really can't use it because the applications behind prefer public IP's being assigned to them.

View 23 Replies View Related

Cisco WAN :: ASA 5510 Config For Failover

Aug 2, 2011

We have two offices in the US and one in Mexico. Our site in Mexico connects to our headquarters in the US over an AVPN/ MPLS circuit .Mexico has a separate Internet connection through TelMex. There is an ASA 5510 at headquarters and an ASA 5505 in Mexico. We have a fail over VPN set up in the ASAs for times when the MPLS circuit goes down. All Internet traffic in Mexico is supposed to be routed to the TelMex connection. All company traffic is supposed to be routed to the Cisco router. ASA is supposed to be last resort route. We have a fail over VPN set up in the ASAs for times when the MPLS circuit goes down. (Or at least we did until I had someone work on the configuration)  Everything had been working fine for the last 4 years.
 
Yesterday when the MPLS went down, so did their Internet connection. I realized the Internet traffic is now coming through the MPLs circuit to head quarters and out our ASA. Obviously there is a problem with the configuration. I do not have enough experience to figure this out. I have attached the configs and the routes for both the ASA and the router.

View 11 Replies View Related

Cisco WAN :: Failover Routers Config 857

Feb 20, 2011

I’m currently training to take my CCNA, So for the reason I’m here, I have just been asked to take over the company network.And I need to know how I go about configuring some base level routers.I have 3 remote sites and 1 main site, all these routers are using 857’s, with a VPN tunnel between them, this is running all OK and working fine,But my boss has decided to have a second ADSL line installed in the main site for failover.How do I go about configuring this, ie how do the VPN’s terminate on the other router when the main one goes down?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved