Cisco Firewall :: ASA 7206 Failover When Primary ISP Goes Down
Apr 4, 2012
I have an outside 7206 router that is configured with BGP. Behind that I have an ASA 5520 with a failover. Everytime my primary ISP goes down I have to failover the ASA to restablish a connection to the secondary ISP. When the primary comes back on line I have to fail it over again. I have had Cisco TAC look at the ASA and they didn't see anything misconfigured on the ASA. Doesn't seem to be any problems with the router config either.
View 11 Replies
ADVERTISEMENT
Nov 28, 2012
I had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time. Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer. I disconnected the failover cable because it was complaining about version mismatches constantly.
Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?
View 6 Replies
View Related
Dec 4, 2012
I am having a hard time getting tunnel fail over working. My setup is illustrated below:
I derive my default route on the border routers. The 6513 peers with the 7206's using BGP to get the default route from each ISP into the core. On the core I use BGP weighting to get my primary default to point to ISP1. So far so good. When I look at my core I see to defaults with ISP1 preferred.
Each ASA has an IP Sec tunnel to the head end site configured (Not shown). The head end site has a crypto map entry with ISP1 and ISP2 defined (in that order) using the "set peer" command.
Fail over works great if an ISP drops the connection or my 7206 or ASA fails, but... While testing fail over I had an issue where both tunnels would be active and there were issues with traffic between sites. I could not determine the root cause. I can only guess that some traffic was going out one tunnel and when trying to come back across the other tunnel was dropped from the firewall because there was no connection built for it. After reading I found that in order to use multiple peers in the "set peer" statement, I needed to configure my head end as "originate-only". I have not done this yet as I have concerns. If the head end site is "originate-only" and the tunnel, for whatever reason drops, I cannot wait for interesting traffic at the head end site bound for this site to bring up the tunnel as most of the traffic originates at this site.
I have been reading about IKE keep alives and DPD but that doesn't sound like it will re-initiate the tunnel. Is this correct? If so I'm looking for a way to make this work.
View 10 Replies
View Related
Jul 26, 2012
I have a remote site with 2 WAN links.Link 1 MPLS with telecom provider managing the PE and advertising EIGRP routes to my switch(3750-E stack).Link 2 Directly connected to core site switch (4506) and advertising EIGRP routes.
It looks like this:
-------- Provider MPLS Cloud ------- GI2/0/1Remote Site (3750-E Stack)
Core Site Switch(4506)----
gi4/2------------------------------------------------ GI1/0/1Remote Site (3750-E Stack)
When both links are up MPLS is disrupted from other sites (that have MPLS only) to the core site. I was unable to get a route list to see what exactly was going on before shutting the directly connected link down.What i'd like to have is:Use MPLS as my primary link as it is fully meshed with all my remote sites (and not just the core) and have the directly connected link as my failover in case of issues with the primary. I assumed putting a delay 1000 on the directly connected link at the remote site would have been enough but it looks like both were active and leaking routes all over the place Is there a way to set this up that the MPLS link is favoured and if it loses routes to that specific remote site it would failover to the directly connected link?
Here is my current configuration for EIGRP on the remote and Core sites:
Remote 3750-E
router eigrp 100
redistribute connected
redistribute static
passive-interface default
no passive-interface GigabitEthernet1/0/1
[code]....
View 4 Replies
View Related
Oct 17, 2012
We have Nexus 5K switches at the aggregation layer and VPC domain has been configured on them. VPC domain includes switches at the access layer as an identity.But when primary switch reboots failover didn,t happened. We are attaching architecture diagram for the setup along with show tech for Nexus 5K both switches.
View 2 Replies
View Related
Dec 27, 2012
We have a customer who has a network consisting of two ISPs, one as a primary and the other as a backup. We are trying to create a configuration that would allow the primary link to fail and the secondary link to automatically pick up traffic and begin routing .how to set something like this up. Both routers are non Cisco routers and there for HSRP is out.
View 14 Replies
View Related
Jun 23, 2011
We have 2 separate ISP connections with 2 separate routers, during a recent router outage we found that our PIX firewall was not routing to the second default route that I have in the pix configuration. Doing some searches on CCO, I have seen some documents that say that the PIX only supports one default gateway/route. Is this still true, even in version 8 of the PIX software? Is this still true in the newer ASA's? Or will they support multiple default routes?
I'm thinking I'm going to have to setup HSRP on my 7206 Internet routers so the PIX can use one gateway, but wanted to verify before I take the time to set this up.
View 2 Replies
View Related
Sep 23, 2012
I have a strange issue which happened to me last weekend with two ASA 5515X on version 8.6(1)2. There was a planned power shutdown which only affected the primary firewall. Failover was configured and running successfully. The configuration was also saved after every change made. After power was shut and primary firewall went off the secondary took over like it should but unfortunately all configuration was gone. We immediately powered on the primary again but also this one lost the configuration.
While reconfiguring the firewall we ran into another problem. The devices won't pair although it was the correct configuration. After three times removing and adding the same failover configuration the devices accepted the failover and worked together again.
I went through the bug toolkit and white papers regarding ASA 5515x and this particular version but were not able to find anything.
View 2 Replies
View Related
Jun 6, 2011
The client is only interested to have one-WAN(MPLS) and One internet circuit with Dual ASA5510 primary/failover configuration. In the event primary firewall fails, there is no direct WAN/internet connection to failover firewall. I beleived that to mitigate the issue, I needed to add a layer 3 switch , and have each circuit (MPLS/Internet) or (modems/routers) connect to a L3 switch. L3 switch will do the vlan based routing based on the state of firewall. ? am i correct? The client want automatic failover to secondary firewall in the event the actual firewall failed without impacting the day to day business.
View 3 Replies
View Related
Feb 19, 2012
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
View 1 Replies
View Related
Dec 5, 2011
We have 2 ASA 5505s in a data center at a remote site.
Whilst troubleshooting another issue I noticed the below. I don't know much about fail over but this would suggest that the secondary ASA is active and the primary ASA is on standby.
if the primary is "active" then how come the secondary is the active ASA? I would have thought that once the primary ASA became active this would assume the "main" role".
[Code] .....
View 7 Replies
View Related
Sep 7, 2011
I have an issue bringing up my RMA'd primary ASA unit.
So what happened so far:
1. primary unit failed
2. secondary took over and is now secondary - active (as per sh fail)
2. requested RMA at Cisco
3. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary
4. issued wr erase and reloaded
5. copied the following commands to the new (RMA) primary unit:
failover lan unit primary
failover lan interface Failover Ethernet3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
int eth3
no shut
failover
wr mem
6. installed primary unit into rack
7. plugged-in all cables (network, failover, console and power)
8. fired up the primary unit
9. expected that the unit shows:
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
10. but nothing happened on primary unit
What is a valid and viable approach in replacing a failed primary unit? Is there a missing step that hinders me to successfully replicate the secondary - active config to the primary - standby unit.
I was not able to find anything related to ASA55xx primary unit replacement with a clear guideline or step by step instructions.
View 10 Replies
View Related
Aug 6, 2012
We are running an FWSM on a 6509 with a SUP720. Firmware 3.2(18), in MultiContext Routed Mode, with shared MSFC.Everything runs fine on this baby most of them time, however occasionally without warning and with no specific pattern the Primary node will fail (as in completely stop responding) and the secondary will takover as active. Two get the primary up agian, I reset the hw-module and then no failover active on the secondary to return the primary as active. However, after this event, I start to experience strange issues with connectivity. Certain TCP src dst combinations will just not work.
View 1 Replies
View Related
Mar 22, 2011
I have three pairs of ASA5510 firewalls, each pair configured as a failover pair. When each pair boots up, even if I boot up the primary first, when they are both up and the primary/active syncs to the secondary/standby, the primary always switches to standby and the secondary thus becomes active.
What would cause this? It happens on all three pairs. Does failover look for the highest ID or IP address to determine which of the pair will be active?
View 1 Replies
View Related
Aug 25, 2011
Cisco ASA 5505 Security Plus 1 link with PPOE dialup for internet access
desirable situation: Primary link with a PPOE dialup Secondary Link with DHCP address Asignment
Problem: i want to configure Dual ISP Failover modus, but the problem exist when i configure the ip sla syntax it looks good in the running config. but after a reload the secondary line becomes primary
It looks like the ppoe client authentication is busy when the ip sla tracking mechanism becomes active. can i tweak the settings that the ip sla tracking mechanism starts later?
What i the correct config for Dual ISP setup with primary PPOE and secondary DHCP
View 1 Replies
View Related
Nov 10, 2011
I got PIX 525 with failover. Due to power issue one Unit was offline for a while. During this time couple of changes was done on the Firewall.
Which Unit becomes active when I plug the Firewall unit which was offline for a while now. Each Unit has 4 Ethernet Connection
E 0/0 - connects ISP Router
E 0/1 - connects to Lan switch
E 1/0 - connects to DMZ port
E 2/0 - connects to failover unit PIX
View 4 Replies
View Related
Jun 20, 2011
Currently we have one ISP1 and all traffic goes to this way. Suppose our isp1 goes down, our outside user cant get the server. All servers are nated to this ISP1.We planned to purchase a another ISP2. Shall we Configure same inside server to map this ISP2? so that one primary ISP1 goes down it will take place the outside trafficISP2.
View 1 Replies
View Related
Nov 23, 2011
How to configure ASA failover for 8.4.
View 1 Replies
View Related
May 23, 2011
a customer have 2 pix 525 with ver 7.0.1 in a failover configuration with serial cable and 2 sc fiber interface and 2 fastethernet 1 used for failover. the strange behaviour is that when i try to do traffic from inside to dmz or dmz to inside the maximum transfer is 862Kb/s to 1MB/s not more.... i don't understand what's happened. the show mem and show cpu are normal 7% mem used and 1-2% cpu used. attached you will find the configuration.
View 5 Replies
View Related
Jul 19, 2011
Is it possible to setup 2 x Cisco ASA 5520 that are in an Active/Standby failover using sla monitoring?
For example ASA1 outside interface connects to an upstream switch and you setup sla monitor with icmp echo to ping that switch. The switch goes down and you need the other ASA2 to become the Active ASA. Can the sla monitor be automatically integrated with the failover commands for this to happen?
View 5 Replies
View Related
Oct 9, 2011
I have a ASA 5505 which is connected to a remote site which also has a ASA 5505 over a L2L VPN tunel. One of the sites has a WAN failover configured with two ISP which is working successfully.
But, when the WAN connection fails over to the backup connection the VPN link breaks as the peer site IP address has changed and the VPN can not establish a connection.
Would it be possible to configure a VPN failover so that when the connection failovers so will the VPN tunnel?
View 6 Replies
View Related
Jun 20, 2011
There are 2x Cisco ASA 5505 in an active/standby failover config. The primary asa 5505 has been reset and the secondary is now running as active. I would like to reintroduce the primary again but need to know how to do this.
Ideally I would like to remove the failover config and start from scratch. Do I just need to enter the following to disable failover on the active secondary box?
no failover
no failover lan unit secondary
no failover lan interface failover Vlan999
no failover interface ip failover 192.168.254.1 255.255.255.252 standby 192.168.254.2
View 2 Replies
View Related
Sep 24, 2012
I have a pair of ASA 5585 configured with 2 contexts, C1 & C2, C1 is active on ASA-1 & C2 is active on ASA-2 i did failover test, ping was initiated to host residing behind ASA-1 in context C1 i powered of ASA-1 then both context became active on ASA-2, however during this failover.i saw 4 ping packets drop..
View 3 Replies
View Related
May 31, 2011
Configured ASA 5510 ISP failover and working fine.My ASA as configured as DHCP server also. So its serves IP addressing details including mask,default-gateway, DNS server IPs.Here my issue is whenever my ISP failover occurs my ASA sends previous ISP DNS server IPs to my inside clients.
Here i like to configure my ASA to serve IP addresses dynamically.Or is there any global DNS IP addresses which will work for all ISPs?
View 1 Replies
View Related
Feb 17, 2013
So we currently have a T1 connection at our location. We were looking to add a high speed cable internet and add an ASA 5505 with Security plus license to do failover between the two. I have found a few examples on how this would work but curious about a couple things.
We would want the Cable to be the primary, T1 as a backup.Currently the IAD that handles our T1 does dhcp, dns, and NAT.. Who/what would handle these items with the setup above?
View 5 Replies
View Related
Aug 3, 2011
I've seen you can configure stateful failover between two routers running ip inspect classic firewall: url...Can the same be done yet for zone-firewall? I cannot find any documentation on it.
View 1 Replies
View Related
Sep 6, 2011
When we had 8.2.2, we bought a Mobile license to make the iPads running AnyConnect happy. I applied it, but since we'd only purchased one license, it broke failover. 8.4 lets you share tracking licenses, and since we were planning on the upgrade to 8.4.x anyway, I figured no big deal, I'll get that straightened out when I do the upgrade.
Did the upgrade this weekend, and I still can't get things happy, the boxes don't see one-another:
Here's a show failover on the primary:
Failover OnFailover unit PrimaryFailover LAN Interface: failover GigabitEthernet0/3 (up)Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1Monitored Interfaces 6 of 160
[Code].....
View 3 Replies
View Related
Mar 27, 2011
I have 2 PIX 525, which one of them, step and active failover mode the other PIX 525, leaving this off, do not know what happened may have been a power outage, but in any case I can turn it back on? And the other question I have is if I can import a configuration that I have saved on my computer. i have the PIX device manager.
View 11 Replies
View Related
Sep 27, 2011
I got a problem with a cisco asa 5580 like two days ago and the device stop working (there was a mainteinance window and after that the device didn't work). Now we receive the RMA and we are trying to configure the failover so the new device get the configuration form the one that is working.
But this is the message that I gettin:
Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory
We already changed the shared key and crypto license but the failover is still down, what are the features that the cisco need to activate to enable the failover?
View 5 Replies
View Related
Nov 28, 2011
Can I run Cisco ASA failover with dual ISP run active/standby configuration and SLA monitor to monitor the primary ISP gateway and failover to the secondary gateway but not failover to the failover firewall unless an actual event occurred that required a ASA failover?
View 3 Replies
View Related
Jun 5, 2011
I have this firewall working as active/standby. Everything seemed to be ok, but we noticed that confirgurations are not being replicated by saving configuration either copy run start or write. The workaround here is write standby command. Below the configs and stats, plus the show version, which is the same in both equipments:
Header 1
failover
failover lan unit primary
[Code].....
View 9 Replies
View Related
Aug 27, 2008
Is there a way to trigger stateful (or stateless) failover on ASA 55xx (8.0.3) when there's a failure on the IPS unit? I understand the fail open/fail close and its application on a single firewall, but the better solution for an IPS failure in a redundant pair would seem to be a stateful failover to the other ASA, and I don't see that as a documented feature.
View 8 Replies
View Related
Apr 17, 2011
I am having ASA 5520 with active/standby configured. Around 2 days ago, the ASA stopped responding & all of my websites stopped working. when i checked the failover status it said that failover is off. I had to manually turn the failover to start my traffic flow.During this time my secondary ASA was not responding. After some time, the primary stopped responding & secondary became active......to solve this i had to make the secondary unit as failover unit primary & the primary unit as failover unit secondary. i did get a log on ASA :-
“(Primary) Disabling Failover” with error message no.105001 which states the below:-
Error Message %PIX|ASA-1-105001: (Primary) Disabling failover.
Explanation In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed).(Primary) can also be listed as (Secondary) for the secondary unit.
View 1 Replies
View Related
