
ASA 5505 failover help

Young Grasshopper Member Posts: 51 ■■□□□□□□□□
Hi everyone,

I'm trying to get failover to work on 2 ASA 5505 units. I believe the failover is configured correctly, but for some reason I can't access the standby ASA through the WAN IP. I can log into the primary unit and initiate the failover. The 'active' light on the primary unit goes amber, but it loses WAN connectivity because the second ASA has no connectivity through its outside interface. Here is the config of the primary; I'll get the secondary ASA config on Sunday:

: Saved
: Written by enable_15 at 01:01:00.765 EST Fri Jan 2 2009
!
ASA Version 7.2(4)
!
hostname UROLOGY
enable password XHCTaUjazfhY.RfC encrypted
passwd vnMeNJLgzCgeqnAn encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.100.1 255.255.255.0 standby 10.1.100.2
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xxx.194 255.255.255.224 standby xx.xx.XXX.222
!
interface Vlan3
description LAN Failover Interface
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
failover lan unit primary
failover lan interface failover Vlan3
failover interface ip failover 10.150.1.1 255.255.255.0 standby 10.150.1.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:269fcf8a28d713537e0113658b041498
: end

Comments

    larkspur Member Posts: 235
    I was under the impression that 5505s don't support the failover feature. You may want to check the Cisco site.

    These models support A/A and A/S failover:
    5510 (requires security plus license)
    5520 included
    5540 included


    Curious as to where you read that 5505 will support failover?
    Just trying to keep it all in perspective!
    mikej412 Member Posts: 10,086 ■■■■■■■■■■
    larkspur wrote: »
    curious as to where you read that 5505 will support failover?

    Cisco ASA 5505 Getting Started Guide, Version 7.2
    The ASA 5505 adaptive security appliance supports active and standby failover, but not Stateful Failover.
    :mike: Cisco Certifications -- Collect the Entire Set!
    Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    First up, you really REALLY need to scrub that config. We now have your complete IP scheme (incl. publics, mostly), access-list details and your VPN pre-shared keys. Seriously, as soon as you read this pull that config down and only repost minus these details.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
    dtlokee Member Posts: 2,378 ■■■■□□□□□□
    I would be more interested in the output of a "show failover" command.
    The only easy day was yesterday!
    Young Grasshopper Member Posts: 51 ■■□□□□□□□□
    I edited out of the config anything I thought was irrelevant. And how did you see the pre-shared keys? I masked them with xxx. Anyway, here is the output of the 'show failover' command:

    pix# show failover
    Failover Off
    Failover unit Primary
    Failover LAN Interface: failover Vlan3 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 250 maximum
    kalebksp Member Posts: 1,033 ■■■■■□□□□□
    I don't know much of anything about this stuff, but your config has "no failover"; you may want to enter "failover" in global config.
    Young Grasshopper Member Posts: 51 ■■□□□□□□□□
    If I enter that, it initiates the failover but I lose connectivity since I am unable to access the second ASA.
    kalebksp Member Posts: 1,033 ■■■■■□□□□□
    Young Grasshopper wrote: »
    If I enter that, it initiates the failover but I lose connectivity since I am unable to access the second ASA.

    Ah, sorry, I guess I misunderstood what was happening.
    dtlokee Member Posts: 2,378 ■■■■□□□□□□
    You shouldn't lose connectivity by enabling failover on the primary unit; it will remain primary. Are both units configured to be primary for some reason?
    The only easy day was yesterday!
    cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    You do need to issue the failover command. This enables failover. Your show failover indicates that failover is not enabled. Once you enable failover, you will see the devices sync their configs if you have done it properly. Your standby device shouldn't have much configuration on it when configuring for a failover pair. You are basically only going to configure the failover commands.

    Once all this is done and the configs have synced, both devices will appear to have the same config with the exception that you have one marked as primary and the other is not.

    Try this: PIX/ASA : Active/Standby Failover Configuration Example - Cisco Systems

    And this DOES work on the 5505s if you have the correct license. I have this working in the lab as we speak.
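    The bootstrap the secondary unit needs, as an added example for the procedure cisco_trooper describes (it is not from the thread or from the Cisco guide verbatim). It assumes the failover VLAN, failover addresses and switchport shown in the primary's config above; the inside/outside interfaces, NAT and ACLs are not typed on the secondary, they are replicated from the primary once failover is on.

    ```text
    ! Secondary ASA 5505 bootstrap (assumed example, mirrors the primary's failover lines)
    ! The secondary needs the Security Plus license cisco_trooper alludes to.
    interface Vlan3
     description LAN Failover Interface
     no shutdown
    !
    interface Ethernet0/2
     switchport access vlan 3
     no shutdown
    !
    ! Ethernet0/0 (vlan 2, outside) must be cabled to the same upstream segment as the
    ! primary's Ethernet0/0; otherwise the standby outside address (.222 above) is unreachable
    ! and the unit has no WAN path after a switchover.
    interface Ethernet0/0
     switchport access vlan 2
     no shutdown
    !
    ! Same failover interface line as the primary; only the unit role differs.
    failover lan unit secondary
    failover lan interface failover Vlan3
    failover interface ip failover 10.150.1.1 255.255.255.0 standby 10.150.1.2
    failover
    !
    ! On the primary, replace "no failover" with "failover", wait for the config to replicate,
    ! then "write memory" on the active unit (saves to both). "show failover" on either unit should
    ! then read "Failover On", with the other host reported as Standby Ready rather than Off.
    ```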
    cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    I'm curious if you got this working....