Cisco Firewall :: PIX 525 Cluster
Mar 15, 2012
We currently had to RMA both PIX 525s due to increasing CRC errors. After swapping the old ones with the new we are still seeing CRC errors on all gig interfaces. We have swapped the gig NICs, the SFPs and the fiber patch cables, yet still the CRC errors continue to climb.
Another thing that's interesting is that when we disconnect the secondary we see an increase in throughput.
Apr 26, 2013
I'm working on a BoM for a customer and I need to offer an ASA5525-X pair in HA with AVC and WSE subscription. I have two questions:
1) In order to use AVC and WSE I need the ASA bundle that includes the SSD HD, right? (ASA5525-SSD120-K9)
2) In order to have both ASAs in HA, do I need to order two subscriptions (ASA5525-AW3Y-PR) or only one that is "shared" in the cluster?
May 23, 2011
A customer has 2 PIX 525s with ver 7.0.1 in a failover configuration with a serial cable, 2 SC fiber interfaces and 2 FastEthernet, 1 used for failover. The strange behaviour is that when I try to do traffic from inside to DMZ or DMZ to inside the maximum transfer is 862Kb/s to 1MB/s, not more. I don't understand what's happened. The show mem and show cpu are normal: 7% mem used and 1-2% CPU used. Attached you will find the configuration.
Aug 19, 2012
We are going to upgrade our 5580 ASA cluster from 7.2 to 8.2 and want to do it this way (which worked for all 7.x upgrades):
download the asa8.2 image to the primary + secondary firewall
reboot primary (message comes up "mate version ...")
reboot secondary
Does it work? Any experience? Does it work if both firewalls can see each other during the boot process?
Do I have to bring the secondary into monitor mode so the FW is not visible to the primary?
Feb 24, 2011
Just looking for some good reasons why I should upgrade a Cisco PIX 515e cluster to an ASA Cluster to present to the business.
Feb 26, 2013
We have the following setup on our Cisco ASA version 8.6.1: a one-to-one NAT rule from outside to our Exchange 2010 cluster IP address (DAG group). This is working fine for clients on the internet accessing their emails via Exchange using their phones. The ASA has the MAC address of the active node from the cluster, but when the cluster fails over it caches the IP address and does not update to the new MAC. So users from the outside are unable to connect to the new node from outside the ASA, as the MAC address from the passive node is in the MAC table. The MAC address on all the switches updates within 2 seconds on the internal network and users don't notice any outage.
Feb 11, 2013
I have 2 Cisco ASA 5540s configured in active/standby mode. I need to change the hostname and domain name as per our standards. Does changing the hostname have any impact on the traffic flow?
Jun 6, 2012
I have an active-active setup with 2 Cisco ASA 5585x running 8.4. The boxes each have 2 sec contexts built in, which gives 4 sec contexts in the cluster. I have 2 x 5 extra licenses (2 x ASA5500-SC-5) which I haven't applied yet. Will this give me a total of 10 or 14 security contexts? I am a bit in doubt, because if I only get 10 sec contexts in this cluster then could I instead get a single 10 security context license (1 x ASA5500-SC-10) and add this? Hereby I would get 12 then.
Jan 6, 2013
I have a misunderstanding about management interface configuration in a cluster. I have an ASA 5515X cluster with a management interface. I would like to be able to connect to any of the members of my cluster on the management interface, so I would like to fix a different IP on the management interface on each of my nodes, IP 92 and 91. I think it is the only way to make an ASA firmware update access local flash on each node.
My config:
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
[Code].....
Jul 21, 2011
Last night we tried to upgrade our cluster (2x ASA5520) from 8.0(4) to 8.2(3) and failed miserably.
1. Both units got the new image, but when we reloaded the secondary unit then we got the following strange message:
"Mate's license (10GE I/O Enabled) is not compatible with my license (10GE I/O Disabled). Fail over will be disabled."
After this message fail over was not there anymore and both units became active (!!!) which killed everything. Of course ASA5520 doesn't have 10GE and we have exactly the same units. What could be the problem here? Currently we run with a single unit with 8.2(3) and the secondary unit is switched off.
2. After the upgrade we cannot connect with multiple VPN sessions from the same client, this gets logged:
"Multiple sessions per tunnel are not supported"
This was working just fine with 8.0(4) and doesn't work with 8.2(3). Do we have to update something in the config or what is causing this? If you ask why we went with 8.2(3) instead of 8.2(5) then the answer is because we were testing that for several months in our secondary data center, but unfortunately only on a single ASA and not on a cluster. We couldn't go higher due to the 512MB RAM we have in all units.
And we had to upgrade, because we had crashes with 8.0(4) which was working fine for a long-long time.
Jun 4, 2012
I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Will either of these scenarios work (or fail)? I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
Migration option #1
Log into active/primary ASA
Configure Multiple Context mode
Reboot both devices
Login to active/primary ASA
[code]....
Apr 15, 2013
We have a faulty FWSM module in a Cisco 6509 switch in Active/Standby cluster mode.
We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0 (4) and is in factory default configuration.
What procedures should I follow to make this unit live and sync the config between the current active unit and this one?
Mar 26, 2013
Our subscriber is suffering from bug CSCti52867. The file system check repairs errors but we are still experiencing the read-only file system. We can SSH into the sub but there is no prompt to enter commands. None of the services are started so there is no web interface. The firmware update CD updated the firmware to 3.6 but the problem still exists. We have successful backups from the pub. How to reinstall/restore the sub after hardware failure? This is the first time I've ever had to work with DR.
Aug 27, 2011
I have a cluster of three layer three switches. Is it possible to build just one IPsec/GRE tunnel to the entire switch cluster or will I have to build an independent tunnel for each switch? I'm pretty sure you can't terminate GRE to an HSRP address, and I think that's the only way to build routing redundancy into a switch cluster.
Feb 16, 2011
How many APs can I have in a 541N cluster? I have heard 6 or 10.
Jun 15, 2011
I have a 3750 cluster and I want to know what the recommended SNMP traps to be sent are. We definitely want to know when one of the switches in the cluster fails.
I've read about snmp-server enable traps stackwise and snmp-server enable traps cluster. What do these traps actually do?
Jul 14, 2011
We have two web servers configured with Network Load Balancing in a cluster for failover.
WEB1 IP: 192.168.1.50
WEB2 IP: 192.168.1.51
Both configured with Cluster IP: 192.168.1.100 in Multicast mode.
TEST ON LAB USING ORDINARY 10/100 UNMANAGED SWITCH: I can ping all the IP addresses on the LAN and when I http://192.168.1.110 on any PC on the LAN it works, no problem.
TEST ON PRODUCTION USING CISCO SG200 50/50 PORT SWITCH: I can ping all the IP addresses on the LAN and when I http://192.168.1.110 on a different machine it did not work, but on the server itself it will work as expected.
NOTE: Both tests are on LAN only.
I wonder if this is something to do with the switch because of the Cluster IP MAC address. Do I need to configure something on the switch?
Jan 22, 2012
Will the AP 541N work without a cluster if I purchase one AP? Does it support bridge mode?
May 10, 2012
My company has a lot of their business relying on the wireless network and I am trying to reduce the single points of failure in my network infrastructure. We have a single Cisco 2112 controller with 10 APs, and I am wondering if it's possible to cluster this with another controller for redundancy purposes?
Nov 25, 2011
I am looking to cluster the aforementioned switches using the CLI. All the documentation that I have found speaks to performing the cluster configuration using CMS. I can only get to these switches via remote console so a GUI is out of the question for me. My ultimate goal is to configure these (2) switches for HSRP. However, everything that I found leads me to believe that I have to cluster in order to configure HSRP on these switches.
Feb 14, 2012
I have one AP541N and need to extend the wireless network with a second wireless AP. Which models of AP can I use with the AP541N to achieve a 'cluster', please? Is it just with a second AP541N or can I use other Cisco APs to achieve the cluster?
Am I correct in thinking that doing this will allow wireless clients to 'roam' seamlessly between the two APs?
Jan 16, 2011
I have 2 routers connected in a cluster with a serial DTE link. The screen is locked. I need to draw a topology of the Internet cluster, but I don't know how to discover what is in it, because I don't have an IP set.
Sep 10, 2012
How does replication of CUCM servers and other servers like Unity Presence and all in a cluster take place?
Jun 6, 2011
I have a cluster of 5 AP541Ns. I accidentally started the auto update of IP addresses based on reduction of interference, and it changed the wireless channels on all of the APs. I disabled it, but the channel settings did not change. Now if I remember correctly, before making this setting, they were all on the same channel, 6. Should they all be on the same channel? If so, what setting or procedure do I have to do to get them all back on the same channel? (Do I have to manually set the channel?)
Dec 18, 2011
I need an L3 connection between a VSS cluster and 2 Nexus 7000. Is ECMP the best solution?
Jul 1, 2012
This is a newbie question regarding CSS11500 series load balancers, as I am trying to get up to speed with managing them as part of my job. I noticed that there are a couple of CSS "clustered together", since I see they are managed using a single IP address.
My question is around how to establish a session to each individual device in this cluster, if at all possible? If it is not possible, how do I manage the secondary device in this cluster to perform tasks such as copying new software to it, backing it up, etc.?
Nov 6, 2012
We have a vPC cluster of two Nexus 7009 that needs to be connected with a VSS cluster of two Catalyst 6509s. The VSS has been working fine for a while and the vPC cluster is new equipment.
Attached there is a detailed diagram of the connections; the VSS cluster connects the interfaces Ten1/2/8 and Ten 2/2/8 using the PortChannel 28 going to the vPC cluster to the interfaces Eth 4/18 of each switch.
Both the vPC and the VSS are well configured; last night we tried to bring up the connection between the two clusters but only the first interface comes up within the EtherChannel; the secondary one did not come up and shows (not receiving LACP packets).
We know Layer 1 is fine because if we remove the interface from the EtherChannel it does come up; but it causes some STP loop and brings the network down; thus the solution is to form an EtherChannel.
At the VSS cluster we see LACP packets being sent with sh lacp counters but we DO NOT see LACP packets being received on the interface of the secondary Nexus.
Right now, this is not possible to troubleshoot since it is a production environment; so I'm looking for problems with the configuration or recommendations to follow in order to apply them tomorrow night during a new maintenance window.
These are the configurations:
#######vPC cluster of Nexus 7009######
--N7K-1--
interface port-channel418
description Uplink 20 GE hacia VSS
switchport
switchport mode trunk(code)
Jun 28, 2011
I have a CAS array for Exchange 2010 configured to load balance on my Cisco ACE 47XX. My question is: can I run a mixed VMware cluster, version 3.5 and 4.1, on my ACE? What I am experiencing is dropped RPC connections, and I was wondering if that could be the cause of it or maybe I have misconfigured something on the ACE.
Another question: should I separate the two cluster versions into their own serverfarms and then load balance the farms? What I mean is serverfarm 3.5 and serverfarm 4.1, and then load balance them.
May 21, 2012
How can we restore ACS config from an existing backup file in an ACS cluster deployment? Is it through the CLI, with the "restore" or "acs restore" command? And should I restore only the ACS config or both the ACS and ADE-OS config?
Jul 25, 2012
We operate an active/passive cluster with 2 ASA5510s in Routed Mode. Is it possible to add another node, so that we have one active and two standby nodes in the cluster? Unfortunately, I have found no documentation on this. The data sheet says only up to 10 nodes can be mentioned as a VPN load balancing cluster.
Feb 3, 2012
In an AP541N access point cluster, does a master exist?
Feb 20, 2013
I have a 6500 series switch on which one port (portfast enabled) holds a server. This server has a sort of cluster configured for high availability.
During primary server failure the failover server acquires the cluster IP address (i.e. virtual IP).
Cluster IP 192.168.10.1
Primary server = 192.168.10.2, Failover server = 192.168.10.3
When failover happens, I am unable to learn ARP. I need to reboot the server for ARP. After the reboot I am getting a different MAC address (secondary) with the cluster IP.
Query: in normal clustering, how is the MAC address generated (meaning, will a logical MAC address be created, or the LAN card MAC address)? Is there any issue with the portfast configuration (without portfast configuration a TCN will be generated and the max age timeout will decrease 15 seconds from 300 seconds)?
Note: we checked a scenario with the same IP address on two systems (IP conflict) and removed the ARP-learned system from the network, and the same thing happens: we need to clear the ARP manually on the L3 switch.
Jun 21, 2012
I support an active VSS cluster using 2 x 6509E chassis with single Supervisor 3C modules in each chassis. I want to replace these with Supervisor 2T modules. All my service modules and line cards are supported with the Sup2Ts (I will also be implementing 6908 modules). Is there a document on the Cisco site for this? I haven't found one though I can find plenty that describe how to do a software upgrade.
(Note, I have a 3rd (non-VSS) 6509E chassis that is also part of this core network and that will maintain VTP/VLANs etc.)