Cisco Firewall :: FSWM Active / Standby Installed In 6509-E Core Switches
May 9, 2011
I have FSWM active/standby installed in 6509-E core switches running following FWSM Firewall Version 3.1(3) Device Manager Version 5.0(2)F..I want to upgrade to latest FWSM version as well as ASDM, I downloaded asdm-622f.bin and c6svc-fwm-k9.4-1-5.bin from cisco portal. When i checked the show version of FWSM, it says..The Running Activation Key is not valid, using default settings: Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
I have gone through threads on CSC about how to upgrade FWSM in failover mode, now my concern is, Do i have to take care about activation key or keep as it is ? I have maintenance contract with cisco for all devices.
I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
I have 2 6509 chasis with one SUP720-3B in each and current IOS is s72033-ipservicesk9_wan-mz.122-18.SXF4 and 2 FWSM with version is 3.3.1 I need to upgrade FWSM system software to 4.1, after checking FWSM 4.1 release notes, I thought of upgrading IOS to latest version to 12.2(33)SXJ.I got new 2 CF of 512MB and downloaded the new IOS on them and need to upgrade 6509 IOS first to meet the requirement for FWSM upgrade.
The 6509 Series Switches support the scenario VSS Active-Active Chassis, I would like to setup both switch's as one virtual switch but working at the same time, not with Active - Stand By Chassis.
My plans it to create PortChannel accross both Switches 6509 in order to have 2 links one connected to one slot/switch and the other connected to slot/switch in the second 6509 for servers redundancy.
If I have two stackable switches were only one stackable switch has two uplinks one uplink goes to one core 6509 switch and the other uplink goes to the other 6509 core switch can a Layer 3 etherchannel be used if each uplink go to a different core switch, by the way hsrp is running between both switches and also can you give an example how data will be routed from the stackable switch through the ethernetchannel to one of the core switch accross the WAN to another core switch?
now i have some problem on Cisco Switch 3750 and ASA 5510, i would like to do loandbalancing on Cisco Switch 3750 and Active/Standby on ASA 5510.
which topology that we can use on this diagram, i mean which protocol connect 3750(2unit) to ASA 5510(2unit) and ASA 5510 to 3750, which protocol 3750.
we are using cisco 6509 series switches as core switches. and Cisco 4510,4507 series switches as edge switches. all the vlans are created at core switches and propogating to edge switches through VTP. we are using OSPF as routing protocol at core switch for internal routing. till now we are using 4510,4507 switches as layer 2 switches. Since, 4510 & 4507 switches are hign end swithces i want use them as layer 3 switches instead of layer 2.if i change these switches from layer 2 to layer 3 does it make any impact on our network or better to keep them as layer 2 switches.if i change these switches to layer 3 is there any advantage i will have.
I would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
the first unit is currently working, and i now wish to configure the second unit as standby. im configuring through the ASDM GUI. Started the HA Wizard, choose Active/Standby configuration and enter the IP of the peer device. checks come back all ok. On the LAN link configuration page (step 3of6) Interface is pre selected as VLAN99, I give it a logical name as iface_fail, and enter 10.0.0.1 as primary address and 10.0.0.2 as standby, subnet as 255.255.255.248, and select port Ethernet0/5
Note that if i click on the buttons next to the IP fields, i get IP addresses of remote hosts!.
I have a problem with failover. On My site I have 2 Firewalls 5580. And I did this configuration on my firewall.interface GigabitEthernet3/0description LAN/STATE Failover Interfacespeed nonegotiate.
I would like to ask you about ASA 5510 (Active/Standby). i have two ASA 5510 and i did configuretion failover and it is working ( Active / Standby) but my issue that when primary donw, the standby unit up to primary but the primary came back the standby unit it not switch to standby ( i mean it still up ) . if i want to primary up i type command ( failover active ) on primary unit , so i don't want use manul command i want it auto.Which command that make ASA failover when primary coma back? [code]
i read that you need only one L-ASA5510-SEC-PL for setting up a Active/Standby Failover. I installed the license on the 1st ASA and tried to setup the failover via the ASDM wizard. It always fails, because the 2nd device can't have a 'base' license.So does this mean, i really need another license?
I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.
connecting a 5548 pair to our core 6509s. Just want to be sure we don't introduce any issues into the network.The 6509's are connected and perform all the routing. Essentially, we're moving away from a 3750 stack in the data center and the 5548s are the replacement. We'd want to limit the vlans to the specific server network vlans. Our current setup is a port channel between the 3750 and each of the 2 6509s for redundancy. I'd like to use the same functionality when we connect the 5548's but I'm looking for what the config should look like to ensure no spanning tree loops are introduced and that it is configured optimally.
I have just finished setting up two ASA5510s in Active/Standby Staeful failover, using the Management interface for both failover and state. Everything appears to be working well.Configurations were transferred and the "sh failover" on both accurately reports their status before and after a failing the active device.I monitored the inside IP with a continuous ping (using a Windows client) and noticed that there were usually two to three ping responses lost. Is this normal?
I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
We have 2 ASA 5505s in a data center at a remote site.
Whilst troubleshooting another issue I noticed the below. I don't know much about fail over but this would suggest that the secondary ASA is active and the primary ASA is on standby.
if the primary is "active" then how come the secondary is the active ASA? I would have thought that once the primary ASA became active this would assume the "main" role".
I have 2 FWSM running on 2 Cat6500 chassis, they work as a Active/Stanby group. Firewall mode is transparent. [code] HA is running well, but I can not ping the standby IP (10.98.1.248). So what could be the problem?
I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running on transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA: [code]My questions are the following:
1. The management ip address is different than the ip used for the failover link. Since the firewalls are on transparent mode, does the failover ip needs to be the same as the management ip address?
2. Does any other additional config is needed for HA to work for basic active/stand-by failover?
3. Which is the best method to add the second box without disrupting the active box?
Can I upgrade Active/standby pair from 7.2(4) to 8.0(5)25 directly or need to upgrade to 8.0.2/4 first? Upgrade an Active/Standby Failover ConfigurationComplete these steps in order to upgrade two units in an Active/Standby failover configuration:Download the new software to both units, and specify the new image to load with the boot system command.Refer to Upgrade a Software Image and ASDM Image using CLI for more information.Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:active#failover reload-standbyWhen the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.active#no failover activeNote: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.Reload the former active unit (now the new standby unit) by entering the reload command:newstandby#reloadWhen the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:newstandby#failover activeThis completes the process of upgrading an Active/Standby Failover pair.
Is the preempt option available in active standby ASA firewall setup with single context...somewhere i have read that same is available in active-active setup or active/standby setup with multiple context.If i active the multiple context mode on product environnement with two ASA5520 in Active/Standby mode, what are the impacts on the the production?
1. We have Two 3900 Router on the core layer which are terminated with one ISP on one Router and Secondary ISP on Second Router.
2. Can we configure my ASA 5520 with Active/Standby termenating two IPS providers one on Active ASA 5520 and Other ISP on Standby ASA 5520, so that when Active ISP fail ASA Secondary can become Active and send the Traffic throough Secandary ISP.
3. The reasion behind giveing Public IP on Firewall is to Terminate VPN on our Firewall i.e. SSL and IPSEC VPN.
Few Clarification If we can achive the above:
1. How will the DMZ Servicec nated with my Primary ISP on my Primary ASA will be routed when the Secondary ASA is acting as Active Firewall.
2. Can Web SSL and Client To Site IPSEC VPN users access service via the Secondary ISP- ASA when my Primary ASA and ISP is down.
I currently have two 5540's in an Active/Standby pair. The primary unit failed on February 12th, so the secondary ASA is now the active one. My question is this - we have made a lot of changes since February 12th and I am planning on fixing this failover issue over the weekend. Will the secondary (now active) FW sync it's config to the non-active FW, or will the failed FW sync it's out-of-date config - removing any changes that we've made in the last month or so.
I have two ASA5510 configured in an active/standby failover configuration. Everything is working well, but I would like to remove DMZ2 as it is no longer needed. On my DMZ2 interface, I have removed the security level and the IP address and shutdown the interface. However, when I do a "show failover" DMZ2 is still showing up. I would like to remove it completely so that failover isn't even "monitoring" this interface. What command am I missing or what do I need to do to completely remove this interface from this "show failover" listing? [code]
I am getting ready to setup avtice/standby failover on our ASA 5520's and have run in to an issue.I currently only have one External IP address available. My Idea was to use a private/placeholder IP address for the standby external IP Address, will this cause any issues with the failover? I know I won't be able to access the secondary from the outside, but that is not an issue.
I have been asked to look at upgrading two 5520 ASA configured in a HA pair Active/Standby, from version 7.2(4) to version 8.3(1) to bring it in line with some other ASA firewalls in the organisation.
My question is can I simply upgrade straight from 7.2(4) to 8.3(1) or will I have to step the upgrade from 7.2(4) => 8.2(x) => 8.3(1)
Having read a few articles on the forums and the release notes I think I should be able to go from 7.2(4) => 8.3(1) .
The second part of my query is around the upgrade itself, having researched this a little there seems to be various views on how to go about upgrading a HA pair and I cannot find anything specific on the website.
The approach I am thinking of is simply as follows;
- upload images onto both firewalls in the HA pair - On the standby from the CLI clear configure boot
I have a dual ISP, 1 primary and 1 secondary terminated on fa0 and fa2 on our ASA respectively. ASA was configured so that, when the primary fails, the secondary kicks in. [code]
It was until yesterday that we experienced downtime on the primary ISP that the secondary doesn't do the fail-over. I have to manually configure the device to use the secondary ISP. Currently, I'm looking at maybe this has something to do with the licensing.We are currently using a Base License, should we be upgrading to Security Plus?
We are planning to install a new SSM-4GE module on both Active and Standby firewalls. how can we install an new SSM-4GE with a minimum outage. I was planning to install the module in the following steps.
1. Power off the secondary firewall(FW02). 2. Install a new module. 3. Power up the secondary firewall 4. Power off the primary firewall(FW01)---> in this step will the secondat firewall become active as there is a hardware conflict. 5. Install a new module. 6. Power up the Primary firewall(FW01)
or do i need to power down both the firewalls and then install the modules?i have is that after the installation only one port on the new SSM-4GE module would be in use on Primary firewall(FW01) which is a terminating link from a router. No link would be terminating on the new SSM-4GE module on secondary firewall. Will the firewalls still fail over in this case or does it require a link going to the secondary firewall on new SSM-4GE module(same port as on primary firewall) from the router.
i do have two 6500 in VSS mode , and one FWSM module on each 6500, i want to configure these modules as Active/Standby, how do i start , should i follow this (not in VSS mode): url..