Cisco Firewall :: Primary ASA 5510 Turns To Standby When Both Units Power Up
Mar 22, 2011
I have three pairs of ASA5510 firewalls, each pair configured as a failover pair. When each pair boots up, even if I boot up the primary first, when they are both up and the primary/active syncs to the secondary/standby, the primary always switches to standby and the secondary thus becomes active.
What would cause this? It happens on all three pairs. Does failover look for the highest ID or IP address to determine which of the pair will be active?
View 1 Replies
ADVERTISEMENT
Dec 5, 2011
We have 2 ASA 5505s in a data center at a remote site.
Whilst troubleshooting another issue I noticed the below. I don't know much about fail over but this would suggest that the secondary ASA is active and the primary ASA is on standby.
if the primary is "active" then how come the secondary is the active ASA? I would have thought that once the primary ASA became active this would assume the "main" role".
[Code] .....
View 7 Replies
View Related
Feb 28, 2013
Is there a way to access the asa in a failover pair that is in standby mode from the primary asa? IE I am logged into the primary asa via command line and was hoping to access the other asa from here.
View 1 Replies
View Related
Feb 13, 2012
I have 2 x 5510's in active/standby mode, things look fine until the active one needs to be failed over and I realize the standby one is dead. I never notice as the lights on the ASA look good, I only nice as I can't telnet or console onto it, how can I debug this issue?
View 1 Replies
View Related
Apr 18, 2012
i read that you need only one L-ASA5510-SEC-PL for setting up a Active/Standby Failover. I installed the license on the 1st ASA and tried to setup the failover via the ASDM wizard. It always fails, because the 2nd device can't have a 'base' license.So does this mean, i really need another license?
View 5 Replies
View Related
Jun 4, 2012
I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.
View 5 Replies
View Related
Apr 2, 2013
I have a dual ISP, 1 primary and 1 secondary terminated on fa0 and fa2 on our ASA respectively. ASA was configured so that, when the primary fails, the secondary kicks in. [code]
It was until yesterday that we experienced downtime on the primary ISP that the secondary doesn't do the fail-over. I have to manually configure the device to use the secondary ISP. Currently, I'm looking at maybe this has something to do with the licensing.We are currently using a Base License, should we be upgrading to Security Plus?
View 10 Replies
View Related
Oct 14, 2011
I have a 5510 ASA and have been given another an told to make them active and standby. Basically the active one is working great but the second one has no config on it apart from the default one, but is the same firmware level. I guess I need a crossover cable, and what happens with the inside and outside interfaces, would they need to go into a vlan on a switch, one inside vlan where the 2 firewalls inside interface go into and another vlan for the outside? Otherwise if it failsover to the standby ASA the inside and outside interfaces wouldn't work.
View 4 Replies
View Related
Jan 25, 2012
I just added a new 5510 failover unit to an existing 5510 and when connecting my new outside interface on an Active/Standby firewall pair, i get errors messages (red x) on each port scan (monitor & syslog) although the error message indicate all ports are good...additionally the firewalls flip between active and standby non stop. I remove the new standby unit outside interface from a shared switch and everything clears up.
View 1 Replies
View Related
Nov 28, 2012
I had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time. Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer. I disconnected the failover cable because it was complaining about version mismatches constantly.
Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?
View 6 Replies
View Related
Jan 18, 2012
We have 2 ASA 5510's running in a Active/Standby configuration. It appears that most of the changes we make on the active unit are replicated to the standby unit. However, there are 3 AnyConnect Client Profiles on the active unit and none of them show up on the standby, the standby has no AnyConnect Profiles. We also have 1 OnConnect script on the active unit and it does not appear on the standby unit either.
I was under the assumption that all config items on the active unit would replicate to the standby. Is this not correct? Do I need to do something extra to get everything replicated? Are there other items that do not replicate?
View 3 Replies
View Related
May 8, 2012
We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.
View 1 Replies
View Related
Sep 22, 2011
last night I started upgrading our ASA5520 active/standby cluster. Because of lack of memory, I stopped the upgrade process and will continue when the memory modules have arrived... Currently I'm running 8.0(5) on both nodes (Version: Ours 8.0(5), Mate 8.0(5))Whenever I use the "write standby" command on the active ASA, the passive ASA seems to drop it links for a short while. [code]
View 4 Replies
View Related
Oct 4, 2012
I recently picked up two ASA5510s (ASA5510-SSL50-K9 & ASA5510-SEC-BUN-K) with intentions of creating an Active/Standy configuration. I'm receiving the error message "Mates' license (2 SSL VPN Peers) is not compatible with my license (50 SSL VPN Peers)", but I was under the impression that I didn't have to buy idential SSL VPN licenses post 8.2 in an Active/Standby configuration. am I missing a step that enables the license transfer(sharing?) feature to work correctly before the failover will build correctly?
View 6 Replies
View Related
Jan 26, 2012
now i have some problem on Cisco Switch 3750 and ASA 5510, i would like to do loandbalancing on Cisco Switch 3750 and Active/Standby on ASA 5510.
which topology that we can use on this diagram, i mean which protocol connect 3750(2unit) to ASA 5510(2unit) and ASA 5510 to 3750, which protocol 3750.
View 6 Replies
View Related
Dec 5, 2012
how can I enable an automatic power-on after a power failure on an ASA 5512-X?
View 5 Replies
View Related
Sep 23, 2012
I have a strange issue which happened to me last weekend with two ASA 5515X on version 8.6(1)2. There was a planned power shutdown which only affected the primary firewall. Failover was configured and running successfully. The configuration was also saved after every change made. After power was shut and primary firewall went off the secondary took over like it should but unfortunately all configuration was gone. We immediately powered on the primary again but also this one lost the configuration.
While reconfiguring the firewall we ran into another problem. The devices won't pair although it was the correct configuration. After three times removing and adding the same failover configuration the devices accepted the failover and worked together again.
I went through the bug toolkit and white papers regarding ASA 5515x and this particular version but were not able to find anything.
View 2 Replies
View Related
Sep 7, 2011
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
View 1 Replies
View Related
Apr 4, 2012
I have an outside 7206 router that is configured with BGP. Behind that I have an ASA 5520 with a failover. Everytime my primary ISP goes down I have to failover the ASA to restablish a connection to the secondary ISP. When the primary comes back on line I have to fail it over again. I have had Cisco TAC look at the ASA and they didn't see anything misconfigured on the ASA. Doesn't seem to be any problems with the router config either.
View 11 Replies
View Related
Jun 12, 2011
I would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
View 1 Replies
View Related
Oct 18, 2011
I'm having an issue where when I upgrade from 8.2(5) to 8.4(2) on an active/passive asa 5585 running in transparent mode I can no longer reach the standby ip. The BVI interface appears to be created properly, the device IP and standby IP are listed in the config under the BVI interface and my inside and outside interfaces are both joined to BVI1-group.
View 1 Replies
View Related
Aug 6, 2012
I have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.However, the standby ip of this firewall is not point to the secondary firewall and vice versa for the primary firewall. [code]
1) May i know how is this configuration valid in the first place? I have checked through the configuration. None of the configuration is related to this ip address.
2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?
3) We tried to use this ip address but cannot be used ? Is it related to the configuration of the standby ip address.Do note that the ping to this ip address x.x.x.120 is unreachable.
View 1 Replies
View Related
May 8, 2011
I have successfully completed HSRP and failover configuration.When both switch are runnign then the failover run successful and wheneber one link fail then the failover run successfully but when down one 6509(total box) the failover not working.....
View 7 Replies
View Related
Jul 29, 2012
I can no longer communicate with the standby IP address configured on the inside interface of a secondary ASA5510. Just a couple days ago I could snmp, http, ssh, and ping it.From the switch that is directly connected to the inside interface I'm getting unexpected results when viewing the the arp table. The switch is saying the IP address associated with the ASA's inside interface has mac address 0023.3353.bcc8 but the ASA is saying its inside interface mac address is 0023.33bb.8362?Furthermore when I issue the "sh mac address-table interface f5/46" command on the switch i see multiple macs on the interface that is connected to the inside interface of the ASA...
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
135 0023.3353.bcc8 dynamic ip FastEthernet5/46
135 0023.3353.bdc8 dynamic ip FastEthernet5/46
135 0023.3353.bec8 dynamic ip FastEthernet5/46
135 0023.3353.bfc8 dynamic ip FastEthernet5/46
View 1 Replies
View Related
Jun 6, 2011
The client is only interested to have one-WAN(MPLS) and One internet circuit with Dual ASA5510 primary/failover configuration. In the event primary firewall fails, there is no direct WAN/internet connection to failover firewall. I beleived that to mitigate the issue, I needed to add a layer 3 switch , and have each circuit (MPLS/Internet) or (modems/routers) connect to a L3 switch. L3 switch will do the vlan based routing based on the state of firewall. ? am i correct? The client want automatic failover to secondary firewall in the event the actual firewall failed without impacting the day to day business.
View 3 Replies
View Related
Jul 3, 2012
Come across pix 525 with 7.2.4 , 256 MB RAM, experienceing high memory utilization ?.show memory was giving used memory = 97%.All I had done was, i did a reboot of the firewall since we were not able to take the control of the f/w.I wonder why only the standby f/w had this issue and not the primary does not have, just to rule out that it was not due to Traffic.I have searched in bugtool kits and support forums and did not find anything relevant except for a similar issue for ASA CSCsg43844.
View 3 Replies
View Related
Sep 21, 2011
i have 2 ASA 5505 running 8.3(1) and ASDM 6.3(1).
the first unit is currently working, and i now wish to configure the second unit as standby. im configuring through the ASDM GUI. Started the HA Wizard, choose Active/Standby configuration and enter the IP of the peer device. checks come back all ok. On the LAN link configuration page (step 3of6) Interface is pre selected as VLAN99, I give it a logical name as iface_fail, and enter 10.0.0.1 as primary address and 10.0.0.2 as standby, subnet as 255.255.255.248, and select port Ethernet0/5
Note that if i click on the buttons next to the IP fields, i get IP addresses of remote hosts!.
View 1 Replies
View Related
Nov 30, 2011
I have a pair of asa5520's in active/standby configuration. I plan on ugrading the asa/asdm images to 8.4 shortly (currently on 8.0) and would like to do this with zero downtime. Specifically, I would like to upload the new software to the standby unit, upgrade it, swap standby/active units and then upgrade what will become the standby after the swap.The problem I'm having is getting the new images uploaded onto the standby unit. I've read that the routing table is not shared from the primary and the USB ports are "for future use". I have no problem uploading the new images to the active unit via tftp...but can't do the same to the standby.
View 5 Replies
View Related
Aug 21, 2011
Is there a document that explains how the configurations are updated to the standby ASA and what needs to be manually added tot he ASA? I have two ASA 5510 running ASA ver 8.3(2) and ASDM 6.4(1). When I add static routes to the primary ASA the routes are not sent to the failover ASA. Is this to be expected or do I have a bug?
View 10 Replies
View Related
Dec 21, 2011
I have a problem with failover. On My site I have 2 Firewalls 5580. And I did this configuration on my firewall.interface GigabitEthernet3/0description LAN/STATE Failover Interfacespeed nonegotiate.
View 5 Replies
View Related
Mar 8, 2012
I've tried to upgrade a redundant setup from 8.2(4)4 to 8.2(5)22 ending with a stanby ASA continuously crashing after config sync phase. On the first crash it even corrupted the flash, leaving me no choice than initializing the box from scratch.
View 4 Replies
View Related
Jun 28, 2012
We have two PIX515E ( 6.3), one is Primary( Active) and second one is Standby. after configuration of Secondary Firewall as Standby. getting problem.
1. Configuration part everything is fine
2.we have done failover text also .
Aster Some time , we are not able see Standby Firewall its going down .
View 2 Replies
View Related
Feb 8, 2012
I would like to ask you about ASA 5510 (Active/Standby). i have two ASA 5510 and i did configuretion failover and it is working ( Active / Standby) but my issue that when primary donw, the standby unit up to primary but the primary came back the standby unit it not switch to standby ( i mean it still up ) . if i want to primary up i type command ( failover active ) on primary unit , so i don't want use manul command i want it auto.Which command that make ASA failover when primary coma back? [code]
View 2 Replies
View Related
