Cisco Firewall :: ASA5520 - AnyConnect License On Active / Standby Failover Pair?
Mar 6, 2013
Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)Ive installed both activated licenses as per the cisco guides, I didnt get any errors on the install. I did a reload on both, they are both back up and running as active/standby but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver?
View 8 Replies
ADVERTISEMENT
Apr 13, 2011
I currently have two 5540's in an Active/Standby pair. The primary unit failed on February 12th, so the secondary ASA is now the active one. My question is this - we have made a lot of changes since February 12th and I am planning on fixing this failover issue over the weekend. Will the secondary (now active) FW sync it's config to the non-active FW, or will the failed FW sync it's out-of-date config - removing any changes that we've made in the last month or so.
View 1 Replies
View Related
Feb 6, 2012
I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
View 3 Replies
View Related
Jan 17, 2012
Can I upgrade Active/standby pair from 7.2(4) to 8.0(5)25 directly or need to upgrade to 8.0.2/4 first? Upgrade an Active/Standby Failover ConfigurationComplete these steps in order to upgrade two units in an Active/Standby failover configuration:Download the new software to both units, and specify the new image to load with the boot system command.Refer to Upgrade a Software Image and ASDM Image using CLI for more information.Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:active#failover reload-standbyWhen the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.active#no failover activeNote: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.Reload the former active unit (now the new standby unit) by entering the reload command:newstandby#reloadWhen the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:newstandby#failover activeThis completes the process of upgrading an Active/Standby Failover pair.
View 10 Replies
View Related
Jun 1, 2011
I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?
View 1 Replies
View Related
Apr 24, 2012
I have two ASA 5505's with Security Plus licenses on both.I am trying to force them to becoming an HA pair using active/standby.When I enable failover I get this message:
Mate's license (Licensed Cores ) is not compatible with my license (Licensed Cores ). Failover will be disabled.Do I need to apply new licenses to the ASA's?
Device licence details (same on both):Cisco Adaptive Security Appliance Software Version 8.2(1) [code] This platform has an ASA 5505 Security Plus license.
View 1 Replies
View Related
Sep 7, 2011
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
View 1 Replies
View Related
Apr 15, 2013
I have a running ASA5520 in my network and recently we plan to add a failover pair as a standby unit for the running asa. Both of the ASA have the same specs and software. the only thing that the soon to be secondary ASA does not have is the AnyConnect Essential license. is it still possible for the unit to be the standby unit?
below is the license capture from both of the unit.
Running ASA:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
[Code].....
View 3 Replies
View Related
Dec 21, 2011
I have a problem with failover. On My site I have 2 Firewalls 5580. And I did this configuration on my firewall.interface GigabitEthernet3/0description LAN/STATE Failover Interfacespeed nonegotiate.
View 5 Replies
View Related
Apr 18, 2012
i read that you need only one L-ASA5510-SEC-PL for setting up a Active/Standby Failover. I installed the license on the 1st ASA and tried to setup the failover via the ASDM wizard. It always fails, because the 2nd device can't have a 'base' license.So does this mean, i really need another license?
View 5 Replies
View Related
May 11, 2011
I have just finished setting up two ASA5510s in Active/Standby Staeful failover, using the Management interface for both failover and state. Everything appears to be working well.Configurations were transferred and the "sh failover" on both accurately reports their status before and after a failing the active device.I monitored the inside IP with a continuous ping (using a Windows client) and noticed that there were usually two to three ping responses lost. Is this normal?
View 1 Replies
View Related
Mar 15, 2011
I am getting ready to setup avtice/standby failover on our ASA 5520's and have run in to an issue.I currently only have one External IP address available. My Idea was to use a private/placeholder IP address for the standby external IP Address, will this cause any issues with the failover? I know I won't be able to access the secondary from the outside, but that is not an issue.
View 2 Replies
View Related
May 15, 2011
I have 2 ASA 5540s ver 8.3 in Active/Standby state.I am considering a future hypothetical situation where I might need to rename interfaces or reallocate redundant interface groups. Doing so obviously has a major impact on the current primary configuration. My goal would be to minimize or eliminate network downtime during the interface changes.
I am wondering if it is possible to force the secondary ASA from the standby to active state.Then temporarily disable failover on the primary unit.Make the interface changes on the primary unit Then reactivate failover on the primary unit Force the primary unit back to active and secondary unit to standby My new interface configuration would then sync from the primary to the secondary.
I believe this would work but must ensure that the secondary ASA can function as the active unit while the failover is disabled on the primary unit. Is there a set length of time the secondary unit can remain active without a failover peer?
see issues with operating the secondary unit in this manner while making changes to the primary unit?
View 1 Replies
View Related
Jan 25, 2012
I just added a new 5510 failover unit to an existing 5510 and when connecting my new outside interface on an Active/Standby firewall pair, i get errors messages (red x) on each port scan (monitor & syslog) although the error message indicate all ports are good...additionally the firewalls flip between active and standby non stop. I remove the new standby unit outside interface from a shared switch and everything clears up.
View 1 Replies
View Related
Feb 12, 2013
I need to setup an ASA 5525 in Active/Standby failover mode. I am setting up the ASA for a company that purchased only one public IP address. The public IP address is assigned to the outside interface. My question is will failover work correctly if I don't use a secondary IP address on the failover configuration on the outside interface?
View 4 Replies
View Related
Jan 30, 2012
I am trying to setup an active/standby failover with 5520's running 8.4(2) and am having problems with it not dropping connections during the failover. I am using a portchannel from the switch to each ASA and using sub-interfaces off that. I'm using the command Failover mac address Port-Channel1 “mac-address on primary Port-Channel1” “mac-address on standby Port-Channel1”.The command goes through but doing a show interface port-channel1 doesn't show a change in the mac address on the secondary unit after a failover when it becomes active.
View 3 Replies
View Related
Aug 14, 2011
I have two ASA in failover with Active/standby configuration. When I switch from standby to active from the standby ASA I get a lot (like 100) of error messages like these below: [code] The failover works fine and nothing seems to be wrong with the firewalls function.
-Hardware is ASA5585-SSP-10.
-Software version: ASA 8.2(5),
ASA is in multiple mode with 17 active context. Why these error messages appear and what they mean?
View 2 Replies
View Related
May 8, 2012
We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.
View 1 Replies
View Related
Sep 15, 2011
We configuring ASA 8.4.2 in Active/Standby failover mode with two cables. What would be the best design configuring etherchannel on ASAs or have one active and one standby redundant cable ?
View 1 Replies
View Related
Jan 22, 2013
I am a single ASA-5510 with CSC module.I want to pair it for active/standby mode for failover .... can it be done if second ASA doesn't have the module? Can I assume the in case of a failover, the traffic won't be checked, and primary does in case CSC module fails?
View 2 Replies
View Related
Jun 29, 2011
I have a pair of 5520s running 8.2(3) in failover active/standby, routed mode. I have an issue with SSH as it's stopped worked after a short time, less than 8hrs during the network being installed, telnet is working fine as is https/asdm. I have re-created the crypto key and the ssh access is allowed. When I try to connect I just get a flashing cursor, telnet to the ip and port 22 also works.
View 1 Replies
View Related
Oct 30, 2012
After rebooting a pair of 6504's configured for vss, both switches show active on the sup modules. A show switch virtual redundancy however shows the pair working in an active/standby mode. We have 6509's in vss pairs and they show active on switch1 and standby on switch2 led's. For the 6504's switch 1 was booted first and then the second switch about 30 seconds later. Is there something different with the 6504's? [code]
View 4 Replies
View Related
Aug 19, 2012
I want to implement Active/Standby cluster with a pair of 5550 ASAs and I have a licensing question. Here is the "sh activation-key detail" output from both devices...
ASA1:
sh activation-key detail:
Serial Number: XXXXX
No active temporary key.
Running Activation Key: XXXXX XXXXX XXXXX XXXXX XXXXX
[code]....
This platform has an ASA 5550 VPN Premium license.The flash activation key is the SAME as the running key.So it looks obvious that I'll have to upgrade the first ASA to support 25 SSL VPN Peers in order to build HA cluster, right?Now I want to know do I need the "ASA5505-SSL25-K9" license or something else.
View 12 Replies
View Related
Aug 7, 2012
I am purchasing 2 5512x ASAs to be configured as an Active/Passive pair as a VPN device. Do I need to purchase anyconnect licenses for both devices?
View 2 Replies
View Related
Oct 4, 2012
I recently picked up two ASA5510s (ASA5510-SSL50-K9 & ASA5510-SEC-BUN-K) with intentions of creating an Active/Standy configuration. I'm receiving the error message "Mates' license (2 SSL VPN Peers) is not compatible with my license (50 SSL VPN Peers)", but I was under the impression that I didn't have to buy idential SSL VPN licenses post 8.2 in an Active/Standby configuration. am I missing a step that enables the license transfer(sharing?) feature to work correctly before the failover will build correctly?
View 6 Replies
View Related
Aug 4, 2011
we had such kind of issue: while installing 2 SSM-4GE modules to 2 ASA 5540 (Active/Standby) the firewall is splitted. That's my step:
1) Turn off standby ASA and plug SSM-4GE module
2) Power it On After it was booted up failover relationships were broked and previously stabdby became Active appliance.
3) Turn off active ASA and plug SSM-4GE module
4) Power it On
After the it was booted up failover comes up and previously Active (on step 2) appliance became Standby. Everything is up and running now, but the issue was on step 2, I suppose becouse of distinct in hardware (when one ASA was on SSM reachest than another one). Still have no ideas why so happens and is there any way to plug SSM modules int ASA active/standby cluster without downtime.
View 2 Replies
View Related
Feb 4, 2013
We are planning to upgrade the ASA license in an A/S pair by adding the ASA5500-SC-20= license. The ASA is 5545 and runs 8.6. According to documentation, after 8.3 version, the ASAs can share a license features and do not require the same license on both boxes. I run a test in GNS3 with 8.4(2) images and I saw that by adding the 'activation-key' command only on the primary unit did the job as the 'show activation-key' output shows. In order to be 100% sure would like to verify the following:
Putting the activation-key only on the primary unit is enough and there is no need to do anything elseIn case the primary unit is standby, again we have to put the actication-key command on the primary unit (I am asking this because the 'activation-key' command is not listed under the commands that are not replicated to the other unitk, but doesn't make sense to be replicated since the activation-key is 'tied' with the S/N of the device).
View 4 Replies
View Related
Jul 8, 2010
1) 2 x ASA 5520, running 8.2
2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
View 5 Replies
View Related
Jul 17, 2012
I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
View 6 Replies
View Related
Mar 17, 2013
How to Configure ASA5520 for Active/Active
View 8 Replies
View Related
Mar 20, 2012
I am looking at deploying a pair of 5585X's in an active/active multiple context state. I am creating Mulitple contexts that need to be able to route to each other. I was going to deploy a type of Gateway context that has a shared interface to all of the other contexts, instead of sharing interfaces directly between the contexts, i beleive this will work as basically i am just cascadng the contexts and sharing interfaces.
The main problem i have come across, is that if i deploy active/active across two appliances using 2 failover groups i can not see a way to route between them, for example.
I have Context 1, Context 2 and Context GW A including the shared interfaces of Con1 and Con2 in failover group 1 on appliance A with the respective standbys on Appliance 2. I have Context 2, Context 4 and Context GW B including the shared interfaces of Con 3 and Con 4 in failover group 2 on appliance B with the respective standbys on Appliance 1.
I need to be able to route traffic between Context GW A and GW B so that the contexts can communicate in normal operation and in failover. I do not beleive that I can share an interface between contexts in two separate failover groups and to be honest without adding a L3 device between the appliances i am not sure if this is possible.
View 9 Replies
View Related
Mar 30, 2011
I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
IPS soft is 6.0(4) and ASA soft is 8.0(3)
I have checked cisco doc and it is confusing to me. it says: "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..
View 2 Replies
View Related
Dec 27, 2011
its possible to set up active/active failover using etherchannel on 5585s?
View 1 Replies
View Related
