Cisco Firewall :: ASA5510 / Can't Communicate With Standby IP
Jul 29, 2012
I can no longer communicate with the standby IP address configured on the inside interface of a secondary ASA5510. Just a couple days ago I could snmp, http, ssh, and ping it.From the switch that is directly connected to the inside interface I'm getting unexpected results when viewing the the arp table. The switch is saying the IP address associated with the ASA's inside interface has mac address 0023.3353.bcc8 but the ASA is saying its inside interface mac address is 0023.33bb.8362?Furthermore when I issue the "sh mac address-table interface f5/46" command on the switch i see multiple macs on the interface that is connected to the inside interface of the ASA...
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
135 0023.3353.bcc8 dynamic ip FastEthernet5/46
135 0023.3353.bdc8 dynamic ip FastEthernet5/46
135 0023.3353.bec8 dynamic ip FastEthernet5/46
135 0023.3353.bfc8 dynamic ip FastEthernet5/46
View 1 Replies
ADVERTISEMENT
Aug 21, 2011
Is there a document that explains how the configurations are updated to the standby ASA and what needs to be manually added tot he ASA? I have two ASA 5510 running ASA ver 8.3(2) and ASDM 6.4(1). When I add static routes to the primary ASA the routes are not sent to the failover ASA. Is this to be expected or do I have a bug?
View 10 Replies
View Related
May 11, 2011
I have just finished setting up two ASA5510s in Active/Standby Staeful failover, using the Management interface for both failover and state. Everything appears to be working well.Configurations were transferred and the "sh failover" on both accurately reports their status before and after a failing the active device.I monitored the inside IP with a continuous ping (using a Windows client) and noticed that there were usually two to three ping responses lost. Is this normal?
View 1 Replies
View Related
Feb 6, 2012
I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
View 3 Replies
View Related
Apr 10, 2011
I have two ASA5510 configured in an active/standby failover configuration. Everything is working well, but I would like to remove DMZ2 as it is no longer needed. On my DMZ2 interface, I have removed the security level and the IP address and shutdown the interface. However, when I do a "show failover" DMZ2 is still showing up. I would like to remove it completely so that failover isn't even "monitoring" this interface. What command am I missing or what do I need to do to completely remove this interface from this "show failover" listing? [code]
View 7 Replies
View Related
Jan 22, 2013
I am a single ASA-5510 with CSC module.I want to pair it for active/standby mode for failover .... can it be done if second ASA doesn't have the module? Can I assume the in case of a failover, the traffic won't be checked, and primary does in case CSC module fails?
View 2 Replies
View Related
Sep 22, 2011
last night I started upgrading our ASA5520 active/standby cluster. Because of lack of memory, I stopped the upgrade process and will continue when the memory modules have arrived... Currently I'm running 8.0(5) on both nodes (Version: Ours 8.0(5), Mate 8.0(5))Whenever I use the "write standby" command on the active ASA, the passive ASA seems to drop it links for a short while. [code]
View 4 Replies
View Related
Jun 6, 2012
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies
View Related
Sep 7, 2011
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
View 1 Replies
View Related
Aug 29, 2012
I have a ASA 5515-X-IPS firewall and I want to communicate firewall through ASDM-IDM. Already done the below procedure;
•1. Connect cable to Management port.
•2. Open browser and type https://192.168.1.1/asdmin and download the ASDM-IDM Launcher v1.5(55) and install my laptop(OS: windows 7)
•3. Connect asdm-idm launcher we put IP Address: 192.168.1.1 and username, password enter.
Just whenever we login the wizard then the message shown “ Unable to connect the asdm manager”For your kind information we already setup jre6u7 java software.
View 1 Replies
View Related
Aug 7, 2012
I have an existing ASA Firewall that is configured with an inside interface and an outside interface - communications is working fine in this configuration.I am trying to add a DMZ interface that will be connected to a 3560x switch - the new ASA and Switch configuration are below. [code] I cannot ping from a computer on the LAN (10.10.10.3) to the IP address of the DMZ Switch on VLAN 510 (10.50.10.1).I can, however, ping from the DMZ Switch (10.50.10.1) to the workstation on the LAN (10.10.10.3)
View 11 Replies
View Related
Feb 28, 2013
Is there a way to access the asa in a failover pair that is in standby mode from the primary asa? IE I am logged into the primary asa via command line and was hoping to access the other asa from here.
View 1 Replies
View Related
Jun 12, 2011
I would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
View 1 Replies
View Related
Oct 18, 2011
I'm having an issue where when I upgrade from 8.2(5) to 8.4(2) on an active/passive asa 5585 running in transparent mode I can no longer reach the standby ip. The BVI interface appears to be created properly, the device IP and standby IP are listed in the config under the BVI interface and my inside and outside interfaces are both joined to BVI1-group.
View 1 Replies
View Related
Aug 6, 2012
I have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.However, the standby ip of this firewall is not point to the secondary firewall and vice versa for the primary firewall. [code]
1) May i know how is this configuration valid in the first place? I have checked through the configuration. None of the configuration is related to this ip address.
2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?
3) We tried to use this ip address but cannot be used ? Is it related to the configuration of the standby ip address.Do note that the ping to this ip address x.x.x.120 is unreachable.
View 1 Replies
View Related
Feb 13, 2012
I have 2 x 5510's in active/standby mode, things look fine until the active one needs to be failed over and I realize the standby one is dead. I never notice as the lights on the ASA look good, I only nice as I can't telnet or console onto it, how can I debug this issue?
View 1 Replies
View Related
May 8, 2011
I have successfully completed HSRP and failover configuration.When both switch are runnign then the failover run successful and wheneber one link fail then the failover run successfully but when down one 6509(total box) the failover not working.....
View 7 Replies
View Related
Jul 3, 2012
Come across pix 525 with 7.2.4 , 256 MB RAM, experienceing high memory utilization ?.show memory was giving used memory = 97%.All I had done was, i did a reboot of the firewall since we were not able to take the control of the f/w.I wonder why only the standby f/w had this issue and not the primary does not have, just to rule out that it was not due to Traffic.I have searched in bugtool kits and support forums and did not find anything relevant except for a similar issue for ASA CSCsg43844.
View 3 Replies
View Related
Sep 21, 2011
i have 2 ASA 5505 running 8.3(1) and ASDM 6.3(1).
the first unit is currently working, and i now wish to configure the second unit as standby. im configuring through the ASDM GUI. Started the HA Wizard, choose Active/Standby configuration and enter the IP of the peer device. checks come back all ok. On the LAN link configuration page (step 3of6) Interface is pre selected as VLAN99, I give it a logical name as iface_fail, and enter 10.0.0.1 as primary address and 10.0.0.2 as standby, subnet as 255.255.255.248, and select port Ethernet0/5
Note that if i click on the buttons next to the IP fields, i get IP addresses of remote hosts!.
View 1 Replies
View Related
Nov 30, 2011
I have a pair of asa5520's in active/standby configuration. I plan on ugrading the asa/asdm images to 8.4 shortly (currently on 8.0) and would like to do this with zero downtime. Specifically, I would like to upload the new software to the standby unit, upgrade it, swap standby/active units and then upgrade what will become the standby after the swap.The problem I'm having is getting the new images uploaded onto the standby unit. I've read that the routing table is not shared from the primary and the USB ports are "for future use". I have no problem uploading the new images to the active unit via tftp...but can't do the same to the standby.
View 5 Replies
View Related
Dec 21, 2011
I have a problem with failover. On My site I have 2 Firewalls 5580. And I did this configuration on my firewall.interface GigabitEthernet3/0description LAN/STATE Failover Interfacespeed nonegotiate.
View 5 Replies
View Related
Mar 8, 2012
I've tried to upgrade a redundant setup from 8.2(4)4 to 8.2(5)22 ending with a stanby ASA continuously crashing after config sync phase. On the first crash it even corrupted the flash, leaving me no choice than initializing the box from scratch.
View 4 Replies
View Related
Jun 28, 2012
We have two PIX515E ( 6.3), one is Primary( Active) and second one is Standby. after configuration of Secondary Firewall as Standby. getting problem.
1. Configuration part everything is fine
2.we have done failover text also .
Aster Some time , we are not able see Standby Firewall its going down .
View 2 Replies
View Related
Feb 8, 2012
I would like to ask you about ASA 5510 (Active/Standby). i have two ASA 5510 and i did configuretion failover and it is working ( Active / Standby) but my issue that when primary donw, the standby unit up to primary but the primary came back the standby unit it not switch to standby ( i mean it still up ) . if i want to primary up i type command ( failover active ) on primary unit , so i don't want use manul command i want it auto.Which command that make ASA failover when primary coma back? [code]
View 2 Replies
View Related
Apr 18, 2012
i read that you need only one L-ASA5510-SEC-PL for setting up a Active/Standby Failover. I installed the license on the 1st ASA and tried to setup the failover via the ASDM wizard. It always fails, because the 2nd device can't have a 'base' license.So does this mean, i really need another license?
View 5 Replies
View Related
Mar 4, 2011
Here are the configs for failover:
PRIMARY
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
failover link failover GigabitEthernet0/3
failover
SECONDARY
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
failover lan unit secondary
failover
In the above configs is it i m missing something for failover? when i shut the INSIDE interface of Secondary ASA I get the below output, It shows me secondary failed and primary Active, WHY it is showing me FAILED instead of STANDBY/READY. What i know about firewall failover is when active goes down the other becomes standby unit but in this scenario it is showing me FAILED,
FW0001(config)# sh failover
Failover On
Failover unit Secondary
[Code] ....
View 8 Replies
View Related
Mar 3, 2013
I have two ASA 5520 version 8.2 in active Standay Mode. What is a good practice to setup IPS AIM ssm-20 for this setup.
Is IPS should be in Fail-Open or Fail-Close mode ?
Is Mangement ip for both IPS module should be same or diffrent. ?
View 6 Replies
View Related
Sep 14, 2011
i have a active/standby pair of asa 5520's, i can access the active asa but not the standby asa via console,
i have tried the password recovery on the standby unit but it does not work, do i need to remove the unit from the network to become a standalone unit to perform the recovery?
View 1 Replies
View Related
Dec 8, 2009
I got 2 x 5520 ASAs configured in active/standby mode and they are connected to 2 x 4500 switches in which too configured for failover.Telnet to ASAs is allowed only via subnet 172.18.0.0./24
I can only ping and telnet to the active ASA from subnet 172.18.0.0./24 but not the standby But i can ping and telnet to both the active and standby ASAs within the 4500 switches.
View 20 Replies
View Related
Jun 4, 2012
I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.
View 5 Replies
View Related
Apr 20, 2011
I have an ASA 5510 working in Routed mode for a company with the following networks. everything works fine as desired. Below are the interfaces, security and ip addresses .
Ethernet0/0 DC_SERVER security-level 100
ip address 172.16.11.12 255.255.255.0
Ethernet0/1 Branches security-level 50
[Code]....
View 1 Replies
View Related
Oct 21, 2012
I have two 5505 ASA. I would like to know can I make two 5505 failover redundant with active standby setup?
View 11 Replies
View Related
Dec 5, 2011
We have 2 ASA 5505s in a data center at a remote site.
Whilst troubleshooting another issue I noticed the below. I don't know much about fail over but this would suggest that the secondary ASA is active and the primary ASA is on standby.
if the primary is "active" then how come the secondary is the active ASA? I would have thought that once the primary ASA became active this would assume the "main" role".
[Code] .....
View 7 Replies
View Related
