Cisco Firewall :: Two 5505 Redundant With Active Standby Setup?
Oct 21, 2012I have two 5505 ASA. I would like to know can I make two 5505 failover redundant with active standby setup?
View 11 Replies
ADVERTISEMENT
Cisco Firewall :: ASA 5505 Active / Standby Configuration?
Sep 21, 2011i have 2 ASA 5505 running 8.3(1) and ASDM 6.3(1).
the first unit is currently working, and i now wish to configure the second unit as standby. im configuring through the ASDM GUI. Started the HA Wizard, choose Active/Standby configuration and enter the IP of the peer device. checks come back all ok. On the LAN link configuration page (step 3of6) Interface is pre selected as VLAN99, I give it a logical name as iface_fail, and enter 10.0.0.1 as primary address and 10.0.0.2 as standby, subnet as 255.255.255.248, and select port Ethernet0/5
Note that if i click on the buttons next to the IP fields, i get IP addresses of remote hosts!.
Cisco Firewall :: Monitoring ASA 5505 Firewall Active / Standby Pair Using SNMP?
Sep 7, 2011How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
Cisco Firewall :: To Setup ASA 5525 In Active Standby Failover Mode
Feb 12, 2013I need to setup an ASA 5525 in Active/Standby failover mode. I am setting up the ASA for a company that purchased only one public IP address. The public IP address is assigned to the outside interface. My question is will failover work correctly if I don't use a secondary IP address on the failover configuration on the outside interface?
View 4 Replies View RelatedCisco Firewall :: 6500 Setup In Active / Standby Fail Over Configuration
Feb 29, 2012I have been having an annoying issue for the past few weeks with my ASA setup. We are using the ASA as our Remote Access Gateway and originally had it setup in a Active/Standby failover configuration using 2 x 5520 ASA's.The original setup of the devices was that the 2 x ASA were setup in a failover configuration, with both of them connecting back to the internal network via a 6500 device. Because of using failover I created a VLAN on the 6500 and put the two ports that connect the ASA's into that VLAN. I then configured the VLAN interface to be the EIGRP interface for the neighbour relationship to the ASA's.
The problem I am seeing is that the EIGRP neighbour relationship between the Active ASA and the 6500 keeps flapping. It occurs abour 4-5 times every day at randmon intervals. Sometimes the neighbour relationship will stay up for 6-7 hours, other times it flaps every 1-2 hours. I initially thought it was due to the failover configuration so I removed one of the ASA's and removed all of the failover configuration, but the EIGRP neighbour flapping problem still exisits. [code] Since removing the failvoer configuration I am thinking it could be a physical cable problem?
Cisco Firewall :: 5520 Running 8.4(2) - Setup Active / Standby Failover
Jan 30, 2012I am trying to setup an active/standby failover with 5520's running 8.4(2) and am having problems with it not dropping connections during the failover. I am using a portchannel from the switch to each ASA and using sub-interfaces off that. I'm using the command Failover mac address Port-Channel1 “mac-address on primary Port-Channel1” “mac-address on standby Port-Channel1”.The command goes through but doing a show interface port-channel1 doesn't show a change in the mac address on the secondary unit after a failover when it becomes active.
View 3 Replies View RelatedCisco Firewall :: 5510 Setup In Active / Standby Failover Configuration
May 8, 2012We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.
View 1 Replies View RelatedCisco Firewall :: ASA 5505 Security Plus Licenses - HA Pair Using Active / Standby
Apr 24, 2012I have two ASA 5505's with Security Plus licenses on both.I am trying to force them to becoming an HA pair using active/standby.When I enable failover I get this message:
Mate's license (Licensed Cores ) is not compatible with my license (Licensed Cores ). Failover will be disabled.Do I need to apply new licenses to the ASA's?
Device licence details (same on both):Cisco Adaptive Security Appliance Software Version 8.2(1) [code] This platform has an ASA 5505 Security Plus license.
Cisco Firewall :: ASA 5520s From Active / Standby To Active / Active
Jul 17, 2012I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
View 6 Replies View RelatedCisco :: LMS 4.0.1 - Duplicate IP Address Caused By ACE Active / Standby Setup?
Dec 17, 2011I am using LMS 4.0.1 to monitor the data center network devices. I have two core switches, each core switch has an ACE module installed on it. I have configured many virtual context on each ACE module, and these ACE contexts are acting as primary and standby roles. The problem i faced with is LMS reports the virtual ip address configured on each ace context as duplicate ip address, and i didn't know how to deal with it. As to my understanding, this should be the normal behavior due to my setup, but how can i remove this alarm on LMS 4.0.1?
View 1 Replies View RelatedCisco VPN :: 6500 VPN To Juniper Redundant Firewall Active
Jul 15, 2012I am using 6500 with VPN Accelerator on this device. I have a dozen other VPN connections GRE and IPSEC to routers and ASA and other Juniper Firewalls.
They all work perfectly.The error I get is map_db_find_best did not find matching map (Never seen this error be for) [code]I can't put the whole config for security reasons.
Cisco Firewall :: ASA 5550 Active / Standby With SSL VPN
Jun 12, 2011I would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
View 1 Replies View RelatedCisco Firewall :: 5580 Failover Active And Standby
Dec 21, 2011I have a problem with failover. On My site I have 2 Firewalls 5580. And I did this configuration on my firewall.interface GigabitEthernet3/0description LAN/STATE Failover Interfacespeed nonegotiate.
View 5 Replies View RelatedCisco Firewall :: 5510ASA Active / Standby Not Switch
Feb 8, 2012I would like to ask you about ASA 5510 (Active/Standby). i have two ASA 5510 and i did configuretion failover and it is working ( Active / Standby) but my issue that when primary donw, the standby unit up to primary but the primary came back the standby unit it not switch to standby ( i mean it still up ) . if i want to primary up i type command ( failover active ) on primary unit , so i don't want use manul command i want it auto.Which command that make ASA failover when primary coma back? [code]
View 2 Replies View RelatedCisco Firewall :: ASA 5510 Active And Standby Failover
Apr 18, 2012i read that you need only one L-ASA5510-SEC-PL for setting up a Active/Standby Failover. I installed the license on the 1st ASA and tried to setup the failover via the ASDM wizard. It always fails, because the 2nd device can't have a 'base' license.So does this mean, i really need another license?
View 5 Replies View RelatedCisco Firewall :: ASA 5520 Active Standby And IPS Configure
Mar 3, 2013I have two ASA 5520 version 8.2 in active Standay Mode. What is a good practice to setup IPS AIM ssm-20 for this setup.
Is IPS should be in Fail-Open or Fail-Close mode ?
Is Mangement ip for both IPS module should be same or diffrent. ?
Cisco Firewall :: 5510 - ASA Active / Standby Configuration
Jun 4, 2012I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.
View 5 Replies View RelatedCisco Application :: CSM Active / Active In 2 Redundant 6500s
May 7, 2007our application team is mandating, that the solution we should come up with for SLB, should support Active/Active mode of SLB operation.
My question, is this mode of operation supported/accredited by Cisco, and what is the draw back from the traditional active/standby.
Cisco Firewall :: ASA5510 Active / Standby Failover Speed
May 11, 2011I have just finished setting up two ASA5510s in Active/Standby Staeful failover, using the Management interface for both failover and state. Everything appears to be working well.Configurations were transferred and the "sh failover" on both accurately reports their status before and after a failing the active device.I monitored the inside IP with a continuous ping (using a Windows client) and noticed that there were usually two to three ping responses lost. Is this normal?
View 1 Replies View RelatedCisco Firewall :: IPS Modules In ASA5510 Active / Standby Pair
Feb 6, 2012I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
View 3 Replies View RelatedCisco Firewall :: 5505s - Secondary ASA Active And Primary Is On Standby
Dec 5, 2011We have 2 ASA 5505s in a data center at a remote site.
Whilst troubleshooting another issue I noticed the below. I don't know much about fail over but this would suggest that the secondary ASA is active and the primary ASA is on standby.
if the primary is "active" then how come the secondary is the active ASA? I would have thought that once the primary ASA became active this would assume the "main" role".
[Code] .....
Cisco Firewall :: Cat6500 FWSM Active / Standby IP Address
Jul 24, 2011I have 2 FWSM running on 2 Cat6500 chassis, they work as a Active/Stanby group. Firewall mode is transparent. [code] HA is running well, but I can not ping the standby IP (10.98.1.248). So what could be the problem?
View 3 Replies View RelatedCisco Firewall :: ASA 5550 Transparent Active / Standby Configuration
Dec 20, 2012I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running on transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA: [code]My questions are the following:
1. The management ip address is different than the ip used for the failover link. Since the firewalls are on transparent mode, does the failover ip needs to be the same as the management ip address?
2. Does any other additional config is needed for HA to work for basic active/stand-by failover?
3. Which is the best method to add the second box without disrupting the active box?
Cisco Firewall :: Can Upgrade Active / Standby Pair From 7.2(4) To 8.0(5)25 Directly
Jan 17, 2012Can I upgrade Active/standby pair from 7.2(4) to 8.0(5)25 directly or need to upgrade to 8.0.2/4 first? Upgrade an Active/Standby Failover ConfigurationComplete these steps in order to upgrade two units in an Active/Standby failover configuration:Download the new software to both units, and specify the new image to load with the boot system command.Refer to Upgrade a Software Image and ASDM Image using CLI for more information.Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:active#failover reload-standbyWhen the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.active#no failover activeNote: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.Reload the former active unit (now the new standby unit) by entering the reload command:newstandby#reloadWhen the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:newstandby#failover activeThis completes the process of upgrading an Active/Standby Failover pair.
View 10 Replies View RelatedCisco Firewall :: ASA 5520 Active And Standby Preempt Functionality
Aug 6, 2012Is the preempt option available in active standby ASA firewall setup with single context...somewhere i have read that same is available in active-active setup or active/standby setup with multiple context.If i active the multiple context mode on product environnement with two ASA5520 in Active/Standby mode, what are the impacts on the the production?
View 1 Replies View RelatedCisco Firewall :: 3900 - Configuring Active / Standby With Dual ISP
Jan 12, 20131. We have Two 3900 Router on the core layer which are terminated with one ISP on one Router and Secondary ISP on Second Router.
2. Can we configure my ASA 5520 with Active/Standby termenating two IPS providers one on Active ASA 5520 and Other ISP on Standby ASA 5520, so that when Active ISP fail ASA Secondary can become Active and send the Traffic throough Secandary ISP.
3. The reasion behind giveing Public IP on Firewall is to Terminate VPN on our Firewall i.e. SSL and IPSEC VPN.
Few Clarification If we can achive the above:
1. How will the DMZ Servicec nated with my Primary ISP on my Primary ASA will be routed when the Secondary ASA is acting as Active Firewall.
2. Can Web SSL and Client To Site IPSEC VPN users access service via the Secondary ISP- ASA when my Primary ASA and ISP is down.
Cisco Firewall :: ASA 5540 - Active / Standby Failover Pair
Apr 13, 2011I currently have two 5540's in an Active/Standby pair. The primary unit failed on February 12th, so the secondary ASA is now the active one. My question is this - we have made a lot of changes since February 12th and I am planning on fixing this failover issue over the weekend. Will the secondary (now active) FW sync it's config to the non-active FW, or will the failed FW sync it's out-of-date config - removing any changes that we've made in the last month or so.
View 1 Replies View RelatedCisco Firewall :: Active / Standby Fail Over Config On ASA5510
Apr 10, 2011I have two ASA5510 configured in an active/standby failover configuration. Everything is working well, but I would like to remove DMZ2 as it is no longer needed. On my DMZ2 interface, I have removed the security level and the IP address and shutdown the interface. However, when I do a "show failover" DMZ2 is still showing up. I would like to remove it completely so that failover isn't even "monitoring" this interface. What command am I missing or what do I need to do to completely remove this interface from this "show failover" listing? [code]
View 7 Replies View RelatedCisco Firewall :: ASA 5520 Active / Standby Failover - IP Addressing?
Mar 15, 2011I am getting ready to setup avtice/standby failover on our ASA 5520's and have run in to an issue.I currently only have one External IP address available. My Idea was to use a private/placeholder IP address for the standby external IP Address, will this cause any issues with the failover? I know I won't be able to access the secondary from the outside, but that is not an issue.
View 2 Replies View RelatedCisco Firewall :: Upgrade ASA 5520 In Active / Standby Configured From 7.2(4) To 8.3(1)
Oct 9, 2011I have been asked to look at upgrading two 5520 ASA configured in a HA pair Active/Standby, from version 7.2(4) to version 8.3(1) to bring it in line with some other ASA firewalls in the organisation.
My question is can I simply upgrade straight from 7.2(4) to 8.3(1) or will I have to step the upgrade from 7.2(4) => 8.2(x) => 8.3(1)
Having read a few articles on the forums and the release notes I think I should be able to go from 7.2(4) => 8.3(1) .
The second part of my query is around the upgrade itself, having researched this a little there seems to be various views on how to go about upgrading a HA pair and I cannot find anything specific on the website.
The approach I am thinking of is simply as follows;
- upload images onto both firewalls in the HA pair
- On the standby from the CLI
clear configure boot
[Code].....
Cisco Firewall :: ASA 5510 Dual ISP Active / Standby Fail Over
Apr 2, 2013I have a dual ISP, 1 primary and 1 secondary terminated on fa0 and fa2 on our ASA respectively. ASA was configured so that, when the primary fails, the secondary kicks in. [code]
It was until yesterday that we experienced downtime on the primary ISP that the secondary doesn't do the fail-over. I have to manually configure the device to use the secondary ISP. Currently, I'm looking at maybe this has something to do with the licensing.We are currently using a Base License, should we be upgrading to Security Plus?
Cisco Firewall :: SSM-4GE Module Installation On Active And Standby Firewalls
Jul 23, 2011We are planning to install a new SSM-4GE module on both Active and Standby firewalls. how can we install an new SSM-4GE with a minimum outage. I was planning to install the module in the following steps.
1. Power off the secondary firewall(FW02).
2. Install a new module.
3. Power up the secondary firewall
4. Power off the primary firewall(FW01)---> in this step will the secondat firewall become active as there is a hardware conflict.
5. Install a new module.
6. Power up the Primary firewall(FW01)
or do i need to power down both the firewalls and then install the modules?i have is that after the installation only one port on the new SSM-4GE module would be in use on Primary firewall(FW01) which is a terminating link from a router. No link would be terminating on the new SSM-4GE module on secondary firewall. Will the firewalls still fail over in this case or does it require a link going to the secondary firewall on new SSM-4GE module(same port as on primary firewall) from the router.
Cisco Firewall :: 6500 FWSM Active / Standby In VSS Mode
May 10, 2012i do have two 6500 in VSS mode , and one FWSM module on each 6500, i want to configure these modules as Active/Standby, how do i start , should i follow this (not in VSS mode): url..
View 1 Replies View Related