Cisco Firewall :: Getting Failover Working Again After Upgrade From 8.2.2 To 8.4.2
Sep 6, 2011
When we had 8.2.2, we bought a Mobile license to make the iPads running AnyConnect happy. I applied it, but since we'd only purchased one license, it broke failover. 8.4 lets you share tracking licenses, and since we were planning on the upgrade to 8.4.x anyway, I figured no big deal, I'll get that straightened out when I do the upgrade.
Did the upgrade this weekend, and I still can't get things happy, the boxes don't see one-another:
Here's a show failover on the primary:
Failover OnFailover unit PrimaryFailover LAN Interface: failover GigabitEthernet0/3 (up)Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1Monitored Interfaces 6 of 160
[Code].....
View 3 Replies
ADVERTISEMENT
Sep 16, 2010
I need to add memory to my ASA 55xx's (running 8.2(2)), some of which are config'd active/active or active/standby. The docs say that ram must be identical, which makes sense for production. My question is this: can I upgrade the standby units first, make them active, and then upgrade their mate? Or must I schedule downtime to take the pair down for the upgrade?
View 4 Replies
View Related
Dec 6, 2012
Preparing to upgrade the IOS on a failover pair of ASA 5580's and was wandering what is gonna happen after I've upgraded the IOS on the standby unit and rebooted. How is the active unit going to react when it sees an IOS mismatch prior to me making the standby the primary and upgrading it's IOS ?
View 2 Replies
View Related
Jun 28, 2011
Since the "zero-downtime upgrade" is not supported, I would like to validate the process I put together for upgrading a failover pair of asa5550 with the characteristics below. Specifically I am concerned with the role of the standby during the upgrade. This is my setup:
.- single context mode
.- active/standby
.- current firmware asa821-k8.bin / asdm-621.bin
.- role: firewall and VPN concentrator for segmented server farm network. Dynamic/static/exemption NAT heavily used.
My target is asa842-k8.bin / asdm-645.bin and I am doing a two step upgrade (8.2(1) -> 8.3(1) -> 8.4(2)) to avoid the "unidirectional" attribute and CSCtf89372 bug issues. This is a short version of what I have in mind:
.- Verify stability of failover pair and make adequate backups before beginning.
.- plug into the console of active, ssh into active and standby.
.- vpn/act(config)# no failover ( disable failover from active )
[Code]....
After reboot, point to 8.4(2) and reload again. Same concern regarding the standby unit.
I understand there might be configuration tweaks needed to the NAT configuration. After second reboot test connectivity and if successful, on active "failover", "write standby" and "failover reload-standby". Otherwise "downgrade" and back to the drawing board.
View 6 Replies
View Related
Apr 12, 2011
I need to upgrade the active/standby failover pair of 5510 ASA's to have1 Gig DRAM each, and I am trying to plan out the upgrade process. I'm looking for a zero downtime upgrade process.
I know that the failover pair has to have the same amount of memory, so how do I perform a zero-downtime upgrade process?Can I power off the standby unit and upgrade it's memory first? Or will it cause a memory mismatch between the active and standby units when it is powered on?
View 2 Replies
View Related
Jul 11, 2012
If we switch from primary to secondary firewall the interfaces on the secondary go to state waitung than to failed. after awhile the secondary gives the control to the primary.
it seem that traffic passes the secondary firewall during this short failover time . we have several context created on the firewall, Switch Ports checked , cabeling check everythink checked
blackhole Interface inside (10.255.102.134): Normal (Waiting)
blackhole Interface shared (10.255.102.134): Normal (Waiting)
blackhole Interface inside (10.255.102.133): Failed (Waiting)
blackhole Interface shared (10.255.102.133): Normal
blackhole Interface inside (10.255.102.133): Normal (Waiting)
blackhole Interface shared (10.255.102.133): Normal
View 5 Replies
View Related
Jun 23, 2011
I have ASA 5510 connected as shown in attached diagram.Ideally when ASA 1 is active and if I boot Switch-1, ASA-2 shood take over. But that is not happening.When I boot SW1 , ASA-2 shows "Failover LAN Interface: failover Ethernet0/0 (Failed - No Switchover)" and remains standby.Fail over works properly If ASA-1 boots.
View 7 Replies
View Related
Feb 12, 2012
Turned up a new colo service last week using some PIX 515E firewalls and two Cat 2950 series switches. I have attached a diagram of the layout which I have used elsewhere with good success. Basically I have two switches connected together via port channel (2 ports). The colo facility gives me two HSRP enabled links, of which I plug one into switch A and the other in switch B. The PIxes are a failover pair with the primary plugged into the same switch A as the primary HSRP link.The backup PIX is plugged into the backup switch where the backup HSRP link is. When I unplug the primary HSRP link the PIX can ping the HSRP gateway still, but nothing beyond that. Nothing gets it to work until I plug the link back in.
The only thing I could see that might cause an issue is the 'ip verify reverse-path' command on the PIXes. But even the switches cannot ping out beyond the HSRP gateway. Just seems like all inbound routing stops. I am not sure what the colo facility has going on their side but it seems like they are using just some Cisco 6509s and doing HSRP between them. Seems pretty simple but so far this is proving un-usable as is.
The PIX BTW just uses a default route to the HSRP gateway.
View 3 Replies
View Related
Apr 26, 2011
Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
Here's the lowdown:
Our public IP for our IronPorts ends in .167. That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts. Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
After the code upgrade, the nat won't work. No email sent or received. Nothing but Deny's on the ASA with flags reading either "SYN" or "RST". IE: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN on interface outside
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.
View 6 Replies
View Related
Mar 2, 2011
I have an ASA5510 which was running version 8.31. SSH was working fine on version 8.31 but since i upgraded it to version 8.41 the SSH stopped working.
View 7 Replies
View Related
Jan 15, 2012
An ASA5510 (with 1 webserver behind it, just starting to build the cluster) was functioning OK with version 8.2: I was able to log in using RDP to the server bhind it from some trusted IP's.
I updated ASDM to the latest version 6.4.7, and then the ASA-software to 8.3.2. After reloading, I could not access the server anymore. I saw that changes were made to the config. Then I updated to version 8.4.3, same results of course, and this is the config. [code]
View 11 Replies
View Related
Jun 2, 2011
we recently upgraded our ASA 5510 active/standby cluster from ASA Version 8.3.2 to 8.4.1(11). Unfortunately the standby ASA is now crashing a few seconds after the configuration was synchronized from the active ASA.
Also completely disabling HA, bringing the default config to standby ASA again and activating HA afterwards did not work. Also tried through the Wizard provided by ASDM to be sure to have no errors with requirements.
How to solve this without doing a downgrade back to 8.3.2. ?
View 4 Replies
View Related
Jun 24, 2012
After I have upgraded our ASA 5510 to 8.4.2 I have problem with the management interface.Our former firmware 8.2.3 had no problem using the management interface as a DMZ zone, but after we upgraded to 8.4.2 we can't make it work.The interface and the protocol is up, when I type: show interface.But when I ping the interface from a computer connectet to the interface, nothing happens.
Even the logging shows nothing.
View 7 Replies
View Related
Feb 11, 2013
I have 2 ASA 5540 in our network. I want to upgrade it from 8.0.4 to 8.4.3. I want assistance in the configuration because I know that there is a change a configuration while migrating from 8.0.4 to 8.4.3.Is there any tool available on Internet that facilitates me to convert the current configuration computable to 8.4.3.
View 2 Replies
View Related
Mar 24, 2011
Below is the config has done on my 881g but the dual NAT failover is not working.I have a easy vpn over NAT (easy vpn firewall: 10.10.10.2 behind the router).
1. After completed the config, I shut down the FastEthernet4, cleared the nat translations, found that nat translations are happening on to Cellular0 with error ( Incomplete ESP translations: 0 esp_conn=0x85A91FF0, hanging off nat entry 0x85A7D1D0)But still the easy vpn is not up as I am not able to ping the remote devices.
2. If I reboot the router then the nat translations are happening with no above error and easy vpn is up and I am able to ping the remote servers. Below is the config, what needs to be done to achieve the NAT failover and easy VPN up.
interface FastEthernet4 bandwidth 2048 ip address 206.206.206.2 255.255.255.240 ip flow ingress ip nat outside ip virtual-reassembly duplex auto speed auto interface Cellular0 ip address negotiated ip nat outside ip virtual-reassembly encapsulation ppp dialer in-band dialer string gsm dialer-group 1 async mode interactive ppp chap hostname. [code]
View 5 Replies
View Related
May 1, 2012
We have 2 ACEs configured as Active/Standby. FT vlan is configured directly using a crossover cable , not using a switch for the FT vlan.ACE is setup in routed mode ,vlan 29 is client vlan and 28 is server vlan ,both are being trunked on ACE-- trunk 3750 switch.
When I shutdown the port on 3750 for the primary ACE , data connectivity wise ,primary ACE is down ,but the secondary is not taking over ,and also when I do sh ft group status on the secondary ACE,I see the status of STANDBY_HOT and the peer state: ACTIVE.
View 5 Replies
View Related
Feb 19, 2012
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
View 1 Replies
View Related
Nov 10, 2011
I got PIX 525 with failover. Due to power issue one Unit was offline for a while. During this time couple of changes was done on the Firewall.
Which Unit becomes active when I plug the Firewall unit which was offline for a while now. Each Unit has 4 Ethernet Connection
E 0/0 - connects ISP Router
E 0/1 - connects to Lan switch
E 1/0 - connects to DMZ port
E 2/0 - connects to failover unit PIX
View 4 Replies
View Related
Jun 20, 2011
Currently we have one ISP1 and all traffic goes to this way. Suppose our isp1 goes down, our outside user cant get the server. All servers are nated to this ISP1.We planned to purchase a another ISP2. Shall we Configure same inside server to map this ISP2? so that one primary ISP1 goes down it will take place the outside trafficISP2.
View 1 Replies
View Related
Nov 23, 2011
How to configure ASA failover for 8.4.
View 1 Replies
View Related
May 23, 2011
a customer have 2 pix 525 with ver 7.0.1 in a failover configuration with serial cable and 2 sc fiber interface and 2 fastethernet 1 used for failover. the strange behaviour is that when i try to do traffic from inside to dmz or dmz to inside the maximum transfer is 862Kb/s to 1MB/s not more.... i don't understand what's happened. the show mem and show cpu are normal 7% mem used and 1-2% cpu used. attached you will find the configuration.
View 5 Replies
View Related
Jul 19, 2011
Is it possible to setup 2 x Cisco ASA 5520 that are in an Active/Standby failover using sla monitoring?
For example ASA1 outside interface connects to an upstream switch and you setup sla monitor with icmp echo to ping that switch. The switch goes down and you need the other ASA2 to become the Active ASA. Can the sla monitor be automatically integrated with the failover commands for this to happen?
View 5 Replies
View Related
Oct 9, 2011
I have a ASA 5505 which is connected to a remote site which also has a ASA 5505 over a L2L VPN tunel. One of the sites has a WAN failover configured with two ISP which is working successfully.
But, when the WAN connection fails over to the backup connection the VPN link breaks as the peer site IP address has changed and the VPN can not establish a connection.
Would it be possible to configure a VPN failover so that when the connection failovers so will the VPN tunnel?
View 6 Replies
View Related
Jun 20, 2011
There are 2x Cisco ASA 5505 in an active/standby failover config. The primary asa 5505 has been reset and the secondary is now running as active. I would like to reintroduce the primary again but need to know how to do this.
Ideally I would like to remove the failover config and start from scratch. Do I just need to enter the following to disable failover on the active secondary box?
no failover
no failover lan unit secondary
no failover lan interface failover Vlan999
no failover interface ip failover 192.168.254.1 255.255.255.252 standby 192.168.254.2
View 2 Replies
View Related
Sep 24, 2012
I have a pair of ASA 5585 configured with 2 contexts, C1 & C2, C1 is active on ASA-1 & C2 is active on ASA-2 i did failover test, ping was initiated to host residing behind ASA-1 in context C1 i powered of ASA-1 then both context became active on ASA-2, however during this failover.i saw 4 ping packets drop..
View 3 Replies
View Related
May 31, 2011
Configured ASA 5510 ISP failover and working fine.My ASA as configured as DHCP server also. So its serves IP addressing details including mask,default-gateway, DNS server IPs.Here my issue is whenever my ISP failover occurs my ASA sends previous ISP DNS server IPs to my inside clients.
Here i like to configure my ASA to serve IP addresses dynamically.Or is there any global DNS IP addresses which will work for all ISPs?
View 1 Replies
View Related
Feb 17, 2013
So we currently have a T1 connection at our location. We were looking to add a high speed cable internet and add an ASA 5505 with Security plus license to do failover between the two. I have found a few examples on how this would work but curious about a couple things.
We would want the Cable to be the primary, T1 as a backup.Currently the IAD that handles our T1 does dhcp, dns, and NAT.. Who/what would handle these items with the setup above?
View 5 Replies
View Related
Aug 3, 2011
I've seen you can configure stateful failover between two routers running ip inspect classic firewall: url...Can the same be done yet for zone-firewall? I cannot find any documentation on it.
View 1 Replies
View Related
Mar 27, 2011
I have 2 PIX 525, which one of them, step and active failover mode the other PIX 525, leaving this off, do not know what happened may have been a power outage, but in any case I can turn it back on? And the other question I have is if I can import a configuration that I have saved on my computer. i have the PIX device manager.
View 11 Replies
View Related
Sep 27, 2011
I got a problem with a cisco asa 5580 like two days ago and the device stop working (there was a mainteinance window and after that the device didn't work). Now we receive the RMA and we are trying to configure the failover so the new device get the configuration form the one that is working.
But this is the message that I gettin:
Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory
We already changed the shared key and crypto license but the failover is still down, what are the features that the cisco need to activate to enable the failover?
View 5 Replies
View Related
Nov 28, 2011
Can I run Cisco ASA failover with dual ISP run active/standby configuration and SLA monitor to monitor the primary ISP gateway and failover to the secondary gateway but not failover to the failover firewall unless an actual event occurred that required a ASA failover?
View 3 Replies
View Related
Jun 5, 2011
I have this firewall working as active/standby. Everything seemed to be ok, but we noticed that confirgurations are not being replicated by saving configuration either copy run start or write. The workaround here is write standby command. Below the configs and stats, plus the show version, which is the same in both equipments:
Header 1
failover
failover lan unit primary
[Code].....
View 9 Replies
View Related
Apr 4, 2012
I have an outside 7206 router that is configured with BGP. Behind that I have an ASA 5520 with a failover. Everytime my primary ISP goes down I have to failover the ASA to restablish a connection to the secondary ISP. When the primary comes back on line I have to fail it over again. I have had Cisco TAC look at the ASA and they didn't see anything misconfigured on the ASA. Doesn't seem to be any problems with the router config either.
View 11 Replies
View Related
