Ongoing problem I have been having regarding a l2l VPN connection between our ASA 5510 and a client's ASA 5505. The client's main ISP is Comcast and he uses a secondary AT&T internet connection as a failover. When Comcast goes down, AT&T comes up and everything works great...except for the VPN to our ASA5510. I have not been able to get the VPN connection to work on the failover network. I have set up a separate, "Backup_WAN", interface in the firewall for AT&T. All of the same rules are in place for AT&T as there are for the primary Comcast connection (the VPN for Comcast works just fine) but I still cannot get the VPN to work with the failover.
We have two offices in the US and one in Mexico. Our site in Mexico connects to our headquarters in the US over an AVPN/ MPLS circuit .Mexico has a separate Internet connection through TelMex. There is an ASA 5510 at headquarters and an ASA 5505 in Mexico. We have a fail over VPN set up in the ASAs for times when the MPLS circuit goes down. All Internet traffic in Mexico is supposed to be routed to the TelMex connection. All company traffic is supposed to be routed to the Cisco router. ASA is supposed to be last resort route. We have a fail over VPN set up in the ASAs for times when the MPLS circuit goes down. (Or at least we did until I had someone work on the configuration) Everything had been working fine for the last 4 years.
Yesterday when the MPLS went down, so did their Internet connection. I realized the Internet traffic is now coming through the MPLs circuit to head quarters and out our ASA. Obviously there is a problem with the configuration. I do not have enough experience to figure this out. I have attached the configs and the routes for both the ASA and the router.
Configured ASA 5510 ISP failover and working fine.My ASA as configured as DHCP server also. So its serves IP addressing details including mask,default-gateway, DNS server IPs.Here my issue is whenever my ISP failover occurs my ASA sends previous ISP DNS server IPs to my inside clients.
Here i like to configure my ASA to serve IP addresses dynamically.Or is there any global DNS IP addresses which will work for all ISPs?
Can I run Cisco ASA failover with dual ISP run active/standby configuration and SLA monitor to monitor the primary ISP gateway and failover to the secondary gateway but not failover to the failover firewall unless an actual event occurred that required a ASA failover?
I have two ASA 5510's that I want to setup in a Active/Standby configuration. My only question is on how to connect the inside ports to my LAN. I have 5 Catalyst 3750's stacked together that connect to the ASA's. Should I run the inside interface on ASA1 to a port on switch 1. Then run the inside interface on ASA2 to a port on switch2? And make sure both those ports are in the same VLAN? But, then when failover occured, how to I automatically make it clear the arp cache so the traffic starts flowing out of the right port?
I have a customer with two ASA 5510s. All four ports are used by the following interfaces: inside, outside, dmz, and failover. This customer is looking at getting redundant internet connections, but we don't have any ports to the redundant connection. What I'd like to know is it possible to configure sub interfaces on one of the currently occupied ports (I'm thinking inside) and use one for inside and one for failover. This way I could have the other port free for the redundant internet connection.
Cisco still doesn't provide failover (active/standby) between two different types of ASA, right?
[URL]
"The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM"
We are going to buy a new Firewall ASA5510 to use failover possibilities.I just need to be sure it will be possible to implement as I have the following output after a "show ver" command: Cisco Adaptive Security Appliance Software Version 8.3(1) [code]
As you can see the failover line is set as "Disabled perpetual".We are actually using base license as i have not been able to find any contact for CISCO to get official support or new license.
I have a customer who has purchased a Cisco 5510 and after we received it and all the necessary VPN, 3DES etc. licensing for it, then informed us that they order 2 T1 lines so they can have Internet failover.
My question is: Does this require an additional specialized license from Cisco in order to enable and configure it? And if so, what that part number is?
I am planning to achieve the failover either of the following ways -
1) Configuring both ASA FW as active/standby method .
2) configuring ASA FW 1 tracking command pointing to the ISP end ip address so the traffic would be moved to secondary firewall by putting a AD as 1 on ASA FW ......pointing to the ISP ip address and other floating route ( with a higher AD value) to the secondary firewall interface.
I'm looking for automating a couple failover scenarios. Both VPN redundancy and black hole internet traffic redundancy.I currently use the more reliable T1 connection for the VPN connection and the DSL for internet traffic.My current configuration is working but requires a manual update to get the VPN or black hole back up and operational when either link fails.
I am looking for redundant asa deployment for fail over set up . however both units have csc cards. does this product ASA5510-CSC10-K9 has license for fail over ? what's the part no for asa failover license ?
The MPLS connection is currently down, I'm trying to run a failover Site-to-Site VPN over the internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to failover? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will failover from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?
i read that you need only one L-ASA5510-SEC-PL for setting up a Active/Standby Failover. I installed the license on the 1st ASA and tried to setup the failover via the ASDM wizard. It always fails, because the 2nd device can't have a 'base' license.So does this mean, i really need another license?
I have two ASA 5510, The one which I just got shows the CPU speed to be 1599MHz While the previous device (which is also 5510) reads the CPU as 1600 MHz.According to Cisco, for Failover redundant configuration, both devices must have same hardware configuration. Technically, this slight difference should not be an issue but I need to confirm that thess devices will work fine with failover configuration.
I have ASA 5510 connected as shown in attached diagram.Ideally when ASA 1 is active and if I boot Switch-1, ASA-2 shood take over. But that is not happening.When I boot SW1 , ASA-2 shows "Failover LAN Interface: failover Ethernet0/0 (Failed - No Switchover)" and remains standby.Fail over works properly If ASA-1 boots.
i have a couple of ASA 5510 in Active/Failover configuration. Failover LAN is configured on management0/0 e the ASA are connected with a back-to-back direct cable.
ASA has an interface in access mode inside with standby ip address and show failover is compliant with expected result in show failover (Normal)
ASA-PRIMARY# sh failover Failover On Failover unit PrimaryFailover LAN Interface: LANfailover Management0/0 (up)Unit Poll frequency 1 seconds, holdtime 15 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy
I am adding a failover asa to an a firewall that is already in production. They are both 5510's, they both have the same abount of ram, have the same code versions. Will there be any downtime while adding the secondary in?
What I am attempting to do is setup snmpv3 on two failover 5510's .The problem I am running into, the snmp management software rejects one of the devices as it sees it as having a duplicate engine ID since the two devices share the same config. Would like to know how this would work in an active/active setup being able to poll both devices.
we are running two failover pairs of asa (5510, 5505) in two different locations in active/standby configurations.Is it possible to access the inside ip of the standby unit via vpn terminated by the active unit? It's only for monitoring.With our configuration here it is not.Is that possible in general?
understanding clear about new Cisco ASA 5515-x, 5525-x.I know that this device supports IPS which is included to this appliance without any additional modules.But can this box support IPS and content-filering (Cisco ASA CX or so..) in the same time.
The problem also in next. Can two ASA 5510 with diffrent modules (in one AIP-SSM and in other CSC-SSM) be in active/active failover design?
I have a single production 5510 with 2 contexts. Now I want to integrate the secondary failover unit. My question is: How much configuration needs to be done on the secondary firewall? How much of the configuration will be sync'd from the primary to the secondary when the secondary is connected?
For example, do I need to add the following on the secondary or will it be sync'd from the primary?
admin-context NAME context NAME allocate-interface Ethernet0/0.14
I used to have this situation where I need to replace faulty ASA5510 (this FW did not failover to standby FW) with the new one.
But the problem is the new ASA5510 came with Base License only not with Security Plus License which is needed to allow this brand new device to be configure failover.
how do I pull out Security Plus License from old FW and switch it to new FW (Base License) and activate to Security Plus License.
I just added a new 5510 failover unit to an existing 5510 and when connecting my new outside interface on an Active/Standby firewall pair, i get errors messages (red x) on each port scan (monitor & syslog) although the error message indicate all ports are good...additionally the firewalls flip between active and standby non stop. I remove the new standby unit outside interface from a shared switch and everything clears up.
I have two Cisco ASA 5510s that I would like to configure in an active passive failover setup. The ASAs are at the top of our rack and handle all our routing. We have been only using one ASA unit with one line from our ISP connected to the WAN/outside interface of the ASA. We recently had our ISP setup two lines into our rack using HSRP. I do not know what equipment they are running upstream of our ASAs but it is HSRP so it should be a set of Cisco routers/switches. Originally I thought I could just connect the 2nd new line to our 2nd ASAs WAN/outside port and setup failover using a crossover cable between the ASAs. After doing this config I had problems accessing some of our IPs in the subnet that the HSRP is part of. If I disconnected the 2nd ASAs WAN/outside line everything was fine. After talking with my ISP they explained that I need to connect both of my lines into our L2 network and then from there into the ASAs. Currently below the ASAs I have two Catalyst 3560-X switches. They are connected together with an ISL trunk and ASA-1s inside network connects to switch-1 and ASA-2 to switch-2. One idea was to connect each of the HSRP lines to each of my current switches and then from the switches to the ASA's WAN/outside interface. Finally back down from the ASA's to the switches via the inside interface that we have currently. This kind of seems messy and a poor choice. The other idea is to get two switches that would sit above the ASAs and connect the HSRP lines to them with the switches connected together. They would then connect to the ASAs. I like this idea better but I don't like having to buy two more full switches for this. These switches would only use a couple of ports and only handle just the HSRP ISP lines to the ASAs. Putting in two more 3560-Xs would be a big waste of money and space for this. So I was thinking of using two Cisco SG200-08, 8 port gigabit basic managed switches for this.
We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.
I'm currently working on setting up 2 ASA 5510's with redundancy/failover. I'm not an expert when it comes to the ASA's so I'm not 100% sure if I can do what I need to.I have 2 inside networks that need to remain separate, a DMZ network,and an outside network. Since each network connects via ethernet to one of the 4 ethernet ports on the ASA 5510's, all 4 ethernet ports on the ASA 5510 will be in use. If I wanted to setup one firewall as Active and the other as standby, how would I go about doing that? Do I need a direct ethernet connection between the 2 firewalls to use something such as HSRP? Or would the Standby firewall be able to tell if the Active firewall is OK since they would both be connected on each of their interfaces to the same networks?
I had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time. Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer. I disconnected the failover cable because it was complaining about version mismatches constantly.
Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?
Currently, my customer has 2 units of Cisco PIX 515E running on Active/Standby mode. As for the heartbeat link, there are 2 dedicated switches placed in between both the Cisco PIX 515E i.e. FW1 --> SW1 --> SW2 --> FW2.
My customer will be changing both the Cisco PIX 515E to Cisco ASA 5510. Now, they are asking me, since they will be using Cisco ASA 5510 eventually, can the heartbeat link be a direct UTP cross cable or must the 2 switches in between still exist?
I remember I have tested this before, few years back, in the event I were to pull out the UTP cross cable that's connecting both the Cisco ASA 5510 Firewalls directly (without any switches in between), the Active/Standby mode still works fine. It doesn't go bad whereby both the Cisco ASA 5510 suddenly becomes Active/Active, and causes network issue.
Are switches required for the heartbeat link in a Cisco ASA environment or can a direct UTP cross cable connection be adequate.
I have a pair of ASA 5510s configured in active/standby mode. I have already configured the fail over settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. [code]
Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:%PORT_SECURITY-2- PSECURE_ VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8. After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?
I have a pair of ASA5510s in a failover configuration where I see these 2 logs repeated every 15 seconds.
105008 1 Nov 27 2012 10:39:27 (Primary) Testing Interface management 105009 1 Nov 27 2012 10:39:28 (Primary) Testing on interface management Passed
I have read other threads where these are accompanied by "105005, Lost Failover communications with mate on interface". But I'm only getting these 2. The other thing that is confusing is that the "management" interface is not the failover interface. So why do I see 105008/9 logs about it?
