Cisco :: Using Subinterfaces For Failover?
Sep 13, 2011
Does anyone know if it's possible to use a single interface on the ASA for both the failover interface and for stateful failover? Here's my situation. I'm looking to provision a pair of ASAs and I want to do stateful failover. The problem is that I need four interfaces (inside, outside, and two physical DMZ interfaces). I'm looking at either the 5520s or 5540s and these boxes need to run the IDS SSMs, so I can't use the 4-port expansion SSM.
I want to do stateful failover so I need two failover interfaces. What I'm wondering is if I can take one physical interface, run two subinterfaces on it, and then use those two subinterfaces for my failover and stateful failover interfaces. That would leave me with the four interfaces that I need for everything else.
Jan 30, 2013
I have a couple of ASA 5510s in Active/Failover configuration. The failover LAN is configured on management0/0 and the ASAs are connected with a back-to-back direct cable.
The ASA has an inside interface in access mode with a standby IP address, and show failover is compliant with the expected result in show failover (Normal).
ASA-PRIMARY# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: LANfailover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy
[Code]....
Feb 19, 2012
How do I use subinterfaces on an EtherChannel for a LAN failover link? I successfully bundled e0/0-1 and e0/2-3 into 2 port-channels with a 3750X stack, and was able to set my "nameifs" and "security level" on port-channel subinterfaces like "Port-channel1.4". As a LAN-based failover link the subinterfaces seem to be unusable ....
Jun 17, 2012
I have an ASA 5520 running 8.0(3) with two Subinterfaces configured like this:
=================================
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/1.72
description VLAN 72
[code]....
(notice that they have the same security-level). I need to control the traffic between them with ACLs, so in ASDM I unchecked "enable traffic between two or more interfaces with same security level" and "enable traffic between two or more hosts connected to the same interface". Now I cannot ping from one VLAN to the other, as expected, but I tried many different ACLs and I cannot ping or telnet to the other side from either one.
May 2, 2012
I have a PIX 525 running 8.0(4) and ASDM 6.1(5). I have two Ethernet interfaces and two GB Ethernet interfaces.
I connected both GB Ethernet interfaces to a switchport configured as trunk. I can't seem to activate subinterfaces on the GB interface on the PIX 525.
Mar 19, 2012
I have problems configuring CBWFQ on an Ethernet sub-interface on a Cisco ASR 1001 router. I applied the policy on the physical interface, but it should be on the sub-interface. How can I configure CBWFQ on a sub-interface on an ASR 1001 (version 3.02)?
Error Messages:
CBWFQ: Not supported on subinterfaces and efps
This is the final output:
interface GigabitEthernet0/0/0
description Conexion WAN
bandwidth 153600
no ip address
load-interval 30
no negotiation auto
[code]....
Jul 3, 2012
I have two C4506 switches and I would like to create two L3 links between them by using only one physical link. I will then assign each L3 link to a different VRF.
I think I have two choices but I'm not sure however that the second one is possible...
---------------
1st choice: creating two VLANs and two SVIs on each switch
interface Vlan10
ip address 10.10.10.1 255.255.255.252
ip vrf forwarding vrf1
interface Vlan20
ip address 10.10.10.5 255.255.255.252
ip vrf forwarding vrf2
(code)
Mar 31, 2011
I currently have an ASA 5520 in production without using subinterfaces. I have connected an interface on the ASA to a 4507; the 4507 contains SVIs which perform the routing for our internal network. I have another ASA 5520 and I am playing around with a few new design scenarios. The problem I am currently having is with subinterfaces on the inside of the network. I understand the subinterfaces on the outside network; I am using subinterfaces on the outside for dual-homing ISPs.
I don't understand the multiple subinterfaces on the inside, for some reason I can't wrap my mind around using them. I have created a few and trunked a port from my 3560X to the ASA interface. Here is my design.
ASA 5520 Config (I realize that this isn't how it would look in CLI, I just don't remember all of the commands)
interface Gi 0/1
nameif Physical Interface
no ip address
interface Gi 0/1.10
nameif Prod_USERS
ip address 172.16.10.1 255.255.255.0
security-level 100
interface Gi 0/1.20
nameif Users
ip address 10.10.16.1 255.255.255.0
security-level 100
Alright, so in this scenario I would have a trunk port from my 3560X connected to interface Gi 0/1 on the ASA. On the 3560X I would create the two VLANs (vlan 10 and vlan 20); I also created an SVI on the 3560X as follows.
3560X config
interface VLAN 10
description PROD_USERS
ip address 172.16.10.2 255.255.255.0
no shut
interface VLAN 20
description USER-NET
ip address 10.10.16.2 255.255.255.0
no shut
Now I create a default route on the 3560X as follows: "ip route 0.0.0.0 0.0.0.0 172.16.10.1". By doing this, I can only route my 172.16.10.0 network out to the internet, not the 10.10.16.0 network? I have to remove the default route above and add "ip route 0.0.0.0 0.0.0.0 10.10.16.0" for clients on that network to browse out to the web.
So I am obviously missing something crucial here and I just can't wrap my head around this design scenario for some reason. The topology necessary for this configuration to function correctly and how I can get both of my VLANs to function properly. I would like for the 3560X to route traffic internally until traffic needs to browse into the DMZ or out to the web, and at such time it should then use the firewall.
May 29, 2011
I've been having a problem with my Cisco routers (7600s) where sub-interfaces that we create for LDP tunnels are added automatically to the main OSPF process as non-passive when created. In order, here is how to reproduce the issue:
- Configure ospf process as "passive-interface default"
- Configure interfaces that have to be active as "no passive-interface blah"
- OSPF works as expected.
- Create a new sub-interface somewhere with encapsulation on a certain VLAN for xconnect.
- The new sub-interface gets added as "no passive-interface" in the main OSPF process.
- When adding a new port-channel interface, the behavior is the same.
Is that normal for Cisco? Should I continue removing sub-interfaces manually every time from the OSPF process?
Sep 14, 2012
I have set up a couple of VLANs on a Cisco 1721 router 4ESW card using the VLAN database and assigning an IP address of 192.168.1.x and 192.168.2.x for each VLAN interface. Strangely enough, connected computers can talk to the other VLAN and I have not set any subinterfaces on the ethernet0 (layer 3) and not even connected a cable. Is there any reason why this should happen, since they should not talk to each other being on separate VLANs? Doing a tracert shows that first the VLAN IP address is hit and then straight to the target PC in the other VLAN?
Dec 5, 2011
We have two sites connected by a gigaman line. Routing between the two sites is done with a couple of HP routers. We also have two separate Internet connections, one at each site, through different providers. The border firewall at one site is a Cisco 5505 and at the other site it is a Cisco 5510. If the gigaman line goes down, we would like to fail over to a site-to-site VPN. Any clue how to set this up? We can set up the site-to-site VPN. How to make it serve as a failover? Another question is whether the VPN will cause confusion when the gigaman is operational.
May 7, 2013
When I try to put my ASAs in active/standby config, here is the error I get:
Warning: Failover message decryption failure. Pleas make sure both units have the same failover shared key and crypto license or the system is out of memory.
Apr 14, 2012
The active RP of the ASR 1006 router automatically switched over to standby while the standby assumed the active role. Not sure of the exact reason for this behaviour. The image version is 122-33.XNB1. We noticed an outage when the switchover happened but the device did not crash.
%CMANRP-6-CMHASTATUS: RP switchover, received fastpath becoming active event
%CMANRP-6-CMHASTATUS: RP switchover, received chassis event to become active
%REDUNDANCY-3-SWITCHOVER: RP switchover (PEER_NOT_PRESENT)
%REDUNDANCY-3-SWITCHOVER: RP switchover (PEER_DOWN)
%REDUNDANCY-3-SWITCHOVER: RP switchover (PEER_REDUNDANCY_STATE_CHANGE)
%PLATFORM-6-HASTATUS: RP switchover, sent message became active. IOS is ready to switch to primary after chassis confirmation
%NETCLK-5-NETCLK_MODE_CHANGE: Network clock source not available. The network clock has changed to freerun
%CMANRP-6-CMHASTATUS: RP switchover, received chassis event became active
%PLATFORM-6-HASTATUS_DETAIL: RP switchover, received chassis event became active. Switch to primary (count 3)
In the output of "show redundancy switchover history" the switchover reason given is "active unit failed". But currently the RPs are working as active and standby hot.
Nov 10, 2011
I have a PIX 525 with failover. Due to a power issue one unit was offline for a while. During this time a couple of changes were done on the firewall.
Which unit becomes active when I plug in the firewall unit which was offline for a while now? Each unit has 4 Ethernet connections:
E 0/0 - connects ISP Router
E 0/1 - connects to Lan switch
E 1/0 - connects to DMZ port
E 2/0 - connects to failover unit PIX
Mar 17, 2013
Ongoing problem I have been having regarding an L2L VPN connection between our ASA 5510 and a client's ASA 5505. The client's main ISP is Comcast and he uses a secondary AT&T internet connection as a failover. When Comcast goes down, AT&T comes up and everything works great... except for the VPN to our ASA 5510. I have not been able to get the VPN connection to work on the failover network. I have set up a separate "Backup_WAN" interface in the firewall for AT&T. All of the same rules are in place for AT&T as there are for the primary Comcast connection (the VPN for Comcast works just fine), but I still cannot get the VPN to work with the failover.
Why would the VPN not be working?
May 3, 2011
We have a customer requirement of providing secure connectivity from Remote Office to HQ. At the same time we need to provide a certain level of layer 3 redundancy via a secondary link should the primary link fail. We are looking at ASA5500 series firewalls for both Remote Office and HQ. Can this be done?
Aug 24, 2011
We are trying to make a VPN failover over two ASAs. However, the 2 ASAs have different versions and our SmartNet has already expired. I was wondering if this VPN failover would work even if they are different? Or should I get a SmartNet first to be able to download an updated IOS?
ASA Version 8.0(3)6
ASA Version 7.0(6)
Apr 28, 2011
My location: Canada. I would like to connect to separate VPNs located in England which connect to servers located outside of the UK. I would like to set the 2nd VPN as a failover. If the 2nd VPN fails I would like the connection to break and not fail over to my Canada connection.
May 16, 2011
I need to configure one interface in failover because the client has 2 ISPs. [CODE]
Jun 20, 2011
Currently we have one ISP (ISP1) and all traffic goes this way. Suppose our ISP1 goes down; our outside users can't get to the server. All servers are NATed to this ISP1. We planned to purchase another ISP (ISP2). Shall we configure the same inside servers to map to this ISP2, so that when the primary ISP1 goes down, ISP2 will take over the outside traffic?
May 18, 2011
I think that I found some bug in the newest IOS 15.1.4M.
The case is as follows:
I started to configure failover for the customer: make the default route, make the default path, but I can't find the command IP SLA monitor. Has someone met this problem with this IOS, or did Cisco make some change in the CLI commands?
Tomorrow I will try with IOS version 15.1.1T.
Sep 10, 2012
I have an ASA5515 and our remote sites which have a mesh topology of VPN. At some times of the day routes to particular links are down due to the ISP core, but the tunnels from the same firewall can communicate to other sites. Is it possible to have a way where you could route traffic to another ASA which has a connection to both the ASAs which want to communicate and have the traffic hairpinned? I know this is possible, but is it possible to make this automated?
Nov 23, 2011
How to configure ASA failover for 8.4?
Aug 2, 2011
We have two offices in the US and one in Mexico. Our site in Mexico connects to our headquarters in the US over an AVPN/MPLS circuit. Mexico has a separate Internet connection through TelMex. There is an ASA 5510 at headquarters and an ASA 5505 in Mexico. We have a failover VPN set up in the ASAs for times when the MPLS circuit goes down. All Internet traffic in Mexico is supposed to be routed to the TelMex connection. All company traffic is supposed to be routed to the Cisco router. The ASA is supposed to be the route of last resort. We have a failover VPN set up in the ASAs for times when the MPLS circuit goes down. (Or at least we did until I had someone work on the configuration.) Everything had been working fine for the last 4 years.
Yesterday when the MPLS went down, so did their Internet connection. I realized the Internet traffic is now coming through the MPLS circuit to headquarters and out our ASA. Obviously there is a problem with the configuration. I do not have enough experience to figure this out. I have attached the configs and the routes for both the ASA and the router.
May 23, 2011
A customer has 2 PIX 525s with ver 7.0.1 in a failover configuration with a serial cable, 2 SC fiber interfaces and 2 FastEthernet, 1 used for failover. The strange behaviour is that when I try to do traffic from inside to DMZ or DMZ to inside the maximum transfer is 862 Kb/s to 1 MB/s, not more.... I don't understand what's happened. The show mem and show cpu are normal: 7% mem used and 1-2% CPU used. Attached you will find the configuration.
Jul 19, 2011
Is it possible to set up 2 x Cisco ASA 5520s that are in an Active/Standby failover using SLA monitoring?
For example, ASA1's outside interface connects to an upstream switch and you set up SLA monitor with ICMP echo to ping that switch. The switch goes down and you need the other ASA (ASA2) to become the Active ASA. Can the SLA monitor be automatically integrated with the failover commands for this to happen?
May 29, 2012
Overview
- Firewall is ASA 5510 running 8.4(9)
- Core network at Head Office uses OSPF
- Static routes on ASA are redistributed into OSPF
- Static routes on ASA for VPN are redistributed into OSPF with metric of 130 so redistributed BGP routes are preferred
- Core network has a static route of 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
- Branch Office WAN uses BGP - routes are redistributed into OSPF
- The routers at the Branch Office use VRRP for IP redundancy for the local clients' default gateway.
- Primary Branch Office router will pass off the VRRP IP to the backup router when the WAN interface is down
- Backup BO router (.253) only contains a default route to the internet
- Under normal operation, traffic to/from BO uses the local Branch Office WAN
- If the local BO WAN link fails, traffic to/from BO uses the IPSec VPN across the public internet
I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.
I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into its routing table as a static route, and not use the route advertised from OSPF from the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN and normal operation is resumed. I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF are preferred. The idea being that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.
Oct 9, 2011
I have an ASA 5505 which is connected to a remote site which also has an ASA 5505 over an L2L VPN tunnel. One of the sites has a WAN failover configured with two ISPs which is working successfully.
But, when the WAN connection fails over to the backup connection, the VPN link breaks as the peer site IP address has changed and the VPN cannot establish a connection.
Would it be possible to configure a VPN failover so that when the connection fails over, so will the VPN tunnel?
Feb 13, 2012
I have 2 Cisco 3945 routers. I use HSRP for link failover. Does there exist any possibility (any protocol) which makes the routers' configuration synchronization automatic (as failover does for ASA firewalls)? I mean, if I make any configuration changes on the Active router, the changes will automatically be taken by the Standby router.
Sep 20, 2012
I have got a Branch Office with two redundant links connecting from Head Office A and Head Office B. Both links are LES 100MB and carry only VLAN 33 traffic. Head Office A has an ASR 1002, Head Office B has a Cat3550 and the Branch Office has a Cat3560. Both the Cat3550 and Cat3560 are L3 switches. At the moment if one link fails I have to manually disable or activate ports/interfaces on either the Head Office A or Head Office B devices and amend the default gateway on the Branch Office switch to either the Head Office A or B device, whichever is working. I am looking for an automated and reliable solution for this so that I don't have to make any changes on the devices and failover happens automatically.
Aug 24, 2011
I'd like to configure HA between an ISP router and a firewall ASA like shown in the document. I was thinking about HSRP, but can I use HSRP between a router and a firewall? Another piece of information: I have 1 ASA 5520 on my site connected to ISP 1, and a second ASA 5520 at a second ISP's datacenter. My aim is that if the 2nd ISP is not available, all traffic goes through the ASA on site and to the first ISP.
Feb 20, 2011
I'm currently training to take my CCNA. So, for the reason I'm here: I have just been asked to take over the company network, and I need to know how I go about configuring some base level routers. I have 3 remote sites and 1 main site; all these routers are 857s, with a VPN tunnel between them. This is running all OK and working fine, but my boss has decided to have a second ADSL line installed in the main site for failover. How do I go about configuring this, i.e. how do the VPNs terminate on the other router when the main one goes down?
Aug 29, 2010
I have a Cisco 2851 (c2800nm-advipservicesk9-mz.124-25d.bin) Router configured with one site-to-site vpn. Is it possible to configure a failover vpn tunnel on this router?