3015 concentrator active - standby problems

Similar Questions

• Procedure to upgrade (Active-Standby) ASA

  Hi all

  I just want to check if our upgrade scheduled SAA causes no problems during the procedure.

  Material: ASA5525-X

  Existing IOS: 9.1.2

  Update to: 9.4.2 (11)

  Setup: Active standby

  We intend to be upgraded the first start, after that, is the day before still will to resume after we force a failover him so that we can then pass the main firewall.

  Thank you very much!

  Yes, it's the process. I did it several times it it works perfectly when you follow the documented procedure.

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

• ASA (Active standby) site-to-Site VPN Question

  Hello

  I had the question as below

  Site A - 1 unit of VPN Netscreen firewall

  Site B - 2 units of ASA VPN firewall

  

  I'm trying to set up a VPN from Site to Site, but a problem with the configuration of the active standby.

  Initially, I tried Site A 1 unit Netscreen and Site B 1 unit ASA vpn site-to-site. There's no problem.

  but joins another ASA at site B and configure it as active / standby then I saw a few questions that I need help from here

  Things that confuse me.

  (1) do I need to use 2 public IP address on the SAA? (public IP for assets and the other a public IP ensures IP. it seems like a waste of the public IP address.)

  (2) link failover and dynamic failover can be configured on the same interface?

  Please help in this case, configuring VPN from Site to Site with active configuration / standby.

  just to add to this,

  just be careful when you dedicate an interface for dynamic failover, make sure that it is the highest capacity, or at least the same ability as an interface offers th

  so if you use concert for passing traffic interface uses a concert for dynamic failover port, several times we saw people using the management for steful interface when they ports of concert and they run into issues where the dynamic function does not work as expected

  You can read more here

  https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1051759

• on the stateful failover active / standby

  Hello guys.

  I have two ASA, same model and material. ASA have configured stateful failover active / standby by someone a few years ago. It worked normally until recently and no one changed the configuration. Then the secondary unit can't. Ping between 2 interfaces is ok. Please help me solve this problem.

  on the main site

  interface Management0/0

  STATE failover Interface Description

  management only

  interface GigabitEthernet1/1

  Failover LAN Interface Description

  failover

  primary failover lan unit

  failover lan interface failover GigabitEthernet1/1

  The link with failover Management0/0 status

  failover failover interface ip 172.16.1.1 255.255.255.0 ensures 172.16.1.2

  State of the failover interface ip 172.16.0.1 255.255.255.0 ensures 172.16.0.2

  on the secondary site

  interface Management0/0

  STATE failover Interface Description

  management only

  interface GigabitEthernet1/1

  Failover LAN Interface Description

  output of the show failover on PRIMARY

  Show execution of failover

  failover

  primary failover lan unit

  failover lan interface failover GigabitEthernet1/1

  The link with failover Management0/0 status

  failover failover interface ip 172.16.1.1 255.255.255.0 ensures 172.16.1.2

  State of the failover interface ip 172.16.0.1 255.255.255.0 ensures 172.16.0.2

  See the resumption of F1 #.

  Failover on

  Unit of primary failover

  Failover LAN interface: GigabitEthernet1/1 failover (maximum)

  Frequency of survey unit 1 seconds, 15 seconds holding time

  Survey frequency interface 5 seconds, 25 seconds hold time

  1 political interface

  Monitored 5 256 maximum Interfaces

  Version: Our 8.2 (2), Matt 8.2 (2)

  Last failover to: 08:03:11 ULAST January 1, 2003

  This host: primary: enabled

  Activity time: 5755203 (s)

  slot 0: ASA5550 hw/sw rev (status 2.0/8.2(2)) (upward (Sys)

  Interface Backup2 (10.2.5.1): Normal (pending)

  Internet (202.131.225.90) interface: No link (pending)

  Interface Backup1 (10.3.5.1): Normal (pending)

  The interface server (192.168.227.1): Normal (pending)

  Bank interface (10.20.1.1): Normal (pending)

  Slot 1: rev hw/sw ASA-SSM-4GE-INC (State of 1.0/1.0(0)10) (top)

  Another host: secondary - failed

  Activity time: 0 (s)

  slot 0: ASA5550 hw/sw rev (status 2.0/8.2(2)) (upward (Sys)

  Backup2 (0.0.0.0) interface: no connection (pending)

  Interface (0.0.0.0) Internet: No link (pending)

  Interface (0.0.0.0) Backup1: Normal (pending)

  The interface server (0.0.0.0): Normal (pending)

  Bank interface (0.0.0.0): Normal (pending)

  Slot 1: rev hw/sw ASA-SSM-4GE-INC (State of 1.0/1.0(0)10) (top)

  Failover stateful logical Update Statistics

  Link: State Management0/0 (top)

  Stateful Obj xmit rcv rerr xerr

  General 76184539 0 767513 6

  sys cmd 767328 0 767326 1

  up time         0          0          0          0

  RPC services 0 0 0 0

  25878669 0 11 5 TCP Conn

  Conn UDP 40545710 0 40 0

  ARP 8987688 0 136 tbl 0

  Xlate_Timeout 0 0 0 0

  Tbl IPv6 ND 0 0 0 0

  VPN IKE upd 1140 0 0 0

  VPN IPSEC upd 4004 0 0 0

  VPN CTCP upd 0 0 0 0

  VPN SDI upd 0 0 0 0

  VPN DHCP upd 0 0 0 0

  SIP session 0 0 0 0

  Logical update queue information

  Heart Max Total

  Q: recv 0 7 6522961

  Xmit Q: 0 34 106685671

  output of the secondary recovery

  See the resumption of F1 #.

  Failover on

  Secondary failover unit

  Failover LAN interface: GigabitEthernet1/1 failover (maximum)

  Frequency of survey unit 1 seconds, 15 seconds holding time

  Survey frequency interface 5 seconds, 25 seconds hold time

  1 political interface

  Monitored 5 256 maximum Interfaces

  Version: Our 8.2 (2), Matt 8.2 (2)

  Last failover at: 03:36:23 ULAST December 15, 2013

  This host: secondary - failed

  Activity time: 0 (s)

  slot 0: ASA5550 hw/sw rev (status 2.0/8.2(2)) (upward (Sys)

  Backup2 (0.0.0.0) interface: no connection (pending)

  Interface (0.0.0.0) Internet: No link (pending)

  Interface (0.0.0.0) Backup1: Normal (pending)

  The interface server (0.0.0.0): Normal (pending)

  Bank interface (0.0.0.0): Normal (pending)

  Slot 1: rev hw/sw ASA-SSM-4GE-INC (State of 1.0/1.0(0)10) (top)

  Another host: primary: enabled

  Activity time: 5743217 (s)

  slot 0: ASA5550 hw/sw rev (status 2.0/8.2(2)) (upward (Sys)

  Interface Backup2 (10.2.5.1): Normal (pending)

  Internet (202.131.225.90) interface: No link (pending)

  Interface Backup1 (10.3.5.1): Normal (pending)

  The interface server (192.168.227.1): Normal (pending)

  Bank interface (10.20.1.1): Normal (pending)

  Slot 1: rev hw/sw ASA-SSM-4GE-INC (State of 1.0/1.0(0)10) (top)

  Failover stateful logical Update Statistics

  Link: State Management0/0 (top)

  Stateful Obj xmit rcv rerr xerr

  General 765518 0 35843181 874

  sys cmd 765518 0 765516 0

  up time         0          0          0          0

  RPC services 0 0 0 0

  TCP 0 0 12671303 80 Conn

  UDP 0 0 13432853 133 Conn

  ARP 0 0 8968384 661 tbl

  Xlate_Timeout 0 0 0 0

  Tbl IPv6 ND 0 0 0 0

  VPN IKE 0 0 1137 upd 0

  VPN IPSEC 0 0 3988 upd 0

  VPN CTCP upd 0 0 0 0

  VPN SDI upd 0 0 0 0

  VPN DHCP upd 0 0 0 0

  SIP session 0 0 0 0

  Logical update queue information

  Heart Max Total

  Q: recv 0 9 72011189

  Xmit Q: 0 1 765518

  You have a couple no link on your high school as well as a message no link on your primary.

  Backup2 (0.0.0.0) interface: no connection (pending)

  Interface (0.0.0.0) Internet: No link (pending)

  I recommend that you check these cables.  Don't forget that if you changed the default configuration, a failure of the single, or problems of connectivity even interface between an interface on the two ASAs fail.

  If this does not help, try entering the command interface of the monitor for the interfaces.

  --
  Please do not forget to rate and choose a good answer

• The networking redudancy, 2 network cards, active/active or active / standby?

  I have two network cards available for my management network.   More 'design' documents that I saw an active set to NIC and the other in standby mode.  What is the advantage of this approach compared to their definition both active?  Suppose I have no limitation of NIC and these 2 ports are dedicated to management only.

  greenpride32 wrote:

  I have two network cards available for my management network.   More 'design' documents that I saw an active set to NIC and the other in standby mode.  What is the advantage of this approach compared to their definition both active?  Suppose I have no limitation of NIC and these 2 ports are dedicated to management only.

  If you have no other exchanges on this vSwitch then you can leave them as an asset with no problems.

  Sometimes, the VMK vMotion interface is placed on the same vSwitch as VMK and if yes, it is good to separate them for different vmnic with active / standby.

• Is it necessary to buy two packs of licenses to set up a cluster active / standby HA with two units of TZ300?

  I need a cluster active / standby and I think I will need to buy two devices and only CGSS. Am I wrong?
  Why there is no TZ300 HA Unit regarding the unity of TZ500 HA and TZ600 HA unit?

  Thank you

  Angelo

  Yes, you are going to have to buy two devices and licenses only to your main unit. The only reason why there are TZ500 and 600 HA units because generally these are units that especially customer implement an HA pair because of the power they have.

  A TZ300 and 400 are wanted over a smaller model of business that usually gives rise to not have an HA pair so their isn't a specific unit of HA.

  These HA units are not different from any other unit, they are simply locked as part of a wise pair HA license.

  Thank you
  Ben Davis
  Reference Dell SonicWALL
  #Iwork4Dell

• Cisco ASA CX active / standby

  Hello friends

  One of my clients has a couple of ASA 5545 work quite well as active / standby failover. But the configuration that is not copied to the secondary unit is CX. Do you know how to get it? Please, do not hesitate to request further information, comment or document will be appreciated.

  Kind regards!

  The CX configurations are not part of the active reserve ASA replication.

  How to synchronize the configurations of CX is to use PRSM (first Security Manager - product under separate license, not the one provided with the CX) running on a virtual machine in device mode.

  Reference.

  Once you find out what pair CX with a PRSM "out of area", all configuration changes are deployed both to the pair.

• Cisco ASA active / standby Mac addresses

  Hi all

  Please advise on the underside.

  Say that I have to active / standby. I have two interfaces on each firewall configured as below

  For the primary (active)

  interface GigabitEthernet1 / 0--> Say burned in mac address is 6c41.6bb0.1111
  nameif test1
  security-level 0
  10.1.1.1 IP address 255.255.255.0 ensures 10.1.1.2

  im int 2/0

  Test2 nameif--> Say burned in mac address is 6c41.6aa0.1111
  security-level 0
  10.2.1.1 IP address 255.255.255.0 ensures 10.2.1.2

  For secondary school (currently idle)

  interface GigabitEthernet1 / 0--> Say burned in mac address is 6c41.6bb0.2222
  nameif test1
  security-level 0
  10.1.1.1 IP address 255.255.255.0 ensures 10.1.1.2

  im int 2/0

  Test2 nameif--> Say burned in mac address is 6c41.6aa0.2222
  security-level 0
  10.2.1.1 IP address 255.255.255.0 ensures 10.2.1.2

  According to my understanding of the DOC.

  To transfer traffic, other devices will use the main unit mac address and IP addresses.

  Please consider under the scenario:

  My primary unit has failed and secondary took over as active unit.

  Primary (standby)

  Secondary (active)

  secondary Q1) so now will use the IP address and Mac address as below? Please confirm

  10.1.1.1 & 6c41.6bb0.1111

  10.2.1.1 & 6c41.6aa0.1111

  Q2) I believe that the ip address of the primary (Standby) in aid will be

  10.1.1.2

  10.2.1.2

  It will use what mac addresses? What is the BIA of the secondary unit? Please notify

  Thanks in advance.

  Q1 Yes), IP address and the MAC will be moving to the new active unit so no matter who the network except the switch will notice failover event

  Q2) Yes, primary (watch now) will use IP addresses and MAC addresses available for secondary:

  6C41.6bb0.2222

  6C41.6aa0.2222

  Kind regards.

• Safe way to restart the pair active / standby

  Hello

  I need to reboot my ASA5520. We have a pair of active / standby and I want to make sure they come in playing well and not in a fierce struggle.

  Any advice on how to reload these machines and optimize operating times?

  Thank you

  Pedro

  Pedro

  If you are not bothered in regards to he who becomes primary then simply pick one, reboot, wait until it has developed and then reload it.

  As long as you have properly configured failover, there should be minimal downtime, just the time it takes to switch when you reload.

  If you want to stay as the main primary school, then you need to recharge it first, let it come as standby, then reload the other and the former primary school will now become primary.

  Note that recharge the standby is firstly the best approach simply because you then have only a failover IE. When Eve comes backup and resumes, it's a standby feature then you recharge the primary here will be a failover.

  Jon

• Active / standby ASR9000v ICL

  Hello world

  After reviewing the documentation for the 9000v, I wonder if it is possible to configure the following scenario without using nV Edge. I have a pair of ASR9912 that are configured as standalone units. We received 3 ASR9000v which we configured in a scenario of the active / standby as part of a requirement of the customer.

  There is a pattern in this link: https://supportforums.cisco.com/document/9868421/asr9000xr-using-satelli... that shows the scenario, but it seems like a VSS deployment. In the same document, section 13 describes a Dual-host configuration. I wonder if that's what I'm looking for. Interfaces GigE on the system of 'sleep' will be in a break state? I'd be worried about some conflicts.

  I'm not the second 9912 upward and going until mid-January because of the power and the grid space, so I can't test until then.

  Has anyone successfully deployed this scenario without using nV Edge?

  Thank you.

  -Dominique

  DOM,

  We prefer that you evaluate advanced bifocals, which is a new feature. You will not need to use NV EDGE and we are actually calling customers of this technology to something more standards based. Take a look at the following:

  http://www.Cisco.com/c/en/us/TD/docs/routers/asr9000/software/asr9k_r5-3...

  Concerning

  Eddie.

• ASA 5520 Active standby and ssl vpn loadbalancing

  I have a pair of Asa 5520 failover active rescue running. Can I use these two machines in a cluster of ssl vpn load balancing?

  N ° when a couple active / standby is part of a cluster of VPN, the rescue unit is still pending - she will not be actively terminate user sessions. Only the active cluster members (and non-failover) will do.

• Help about LAN-based failover active / standby on pix 7.0

  Hello

  I wonder why my status active / standby faiover having to wait. And when I do sh failover state he failed on Hello not hear talk of companion to the standby state (see attachment)

  Failover on

  Status of cable: n/a - active LAN failover

  Unit of primary failover

  Failover LAN Interface: failover GigabitEthernet1 (top)

  Frequency of survey unit 1 seconds, 3 seconds hold time

  Interface frequency of survey 15 seconds

  1 political interface

  Watched 3 Interfaces maximum 250

  failover replication http

  Last failover to: 02:39:25 MYT on April 15, 2006

  This host: primary: enabled

  Activity time: 184985 (s)

  Interface inside (10.103.1.15): Normal (pending)

  Interface to the outside (210.187.51.2): Normal (pending)

  DMZ (210.187.51.81) of the interface: Normal (pending)

  Another host: secondary - ready Standby

  Activity time: 0 (s)

  Interface (0.0.0.0) inside: Normal (pending)

  Interface (0.0.0.0) outdoors: Normal (pending)

  Interface (0.0.0.0) dmz: Normal (pending)

  Failover stateful logical Update Statistics

  Link: failover GigabitEthernet1 (top)

  Stateful Obj xmit rcv rerr xerr

  101718 General 0 419 0

  sys cmd 419 0 419 0

  time 0 0 0 0

  RPC services 0 0 0 0

  Conn 74719 TCP 0 0 0

  Conn 21655 UDP 0 0 0

  ARP tbl 4928 0 0 0

  Xlate_Timeout 0 0 0 0

  VPN IKE upd 0 0 0 0

  VPN IPSEC upd 0 0 0 0

  VPN CTCP upd 0 0 0 0

  VPN SDI upd 0 0 0 0

  VPN DHCP upd 0 0 0 0

  Logical update queue information

  Heart Max Total

  Q: recv 0 2 419

  Xmit Q: 0 2 104936

  Is there something wrong with my setup?

  I use active LAN failover / standby.

  I am attached to my firewall configuration, failover, failover state sh sh and sh story of failover.

  looking at your configs... IP addresses for the rescue unit are missing... It should read something Central this:

  interface Ethernet0

  nameif outside

  IP 209.165.201.1 255.255.255.224 watch 209.165.201.2

• ASA 5520's active / standby, do not sync AnyConnect Profles

  I'm working on two ASA 5520 configuration in a configuration active / standby.  I have almost all the same between the two units for AnyConnect work waiting for both of the following:

  AnyConnect Client profiles

  AnyConnect Client software

  If I download the software manually to the standby unit I get warning against them are not synchronized, and on the active unit if I do a 'writing' standby does not copy the profile or the software.  Anyone has any ideas on this?

  Thank you

  Dan

  Hello

  Bug CSCsr31403

  When you configure the ASA in a failover pair, you must manually copy the AnyConnect and CSD images for the primary and the secondary ASA.   You must also do the same for the Anyconnect profile file if you use it.

  Either force the ASA shall become active and copy the files to the new ASA assets using ASDM or copy files directly from the console ASA ensures using tftp or ftp.

  Kind regards

  Note the useful messages

  Julio

• Is this declaration for the creation of correct active standby pair?

  Hi, I have two servers, one is "baal" and the other is "diablo".
  I want to create a pair of active standby with the RETURN of TWOSAFE and disable the BACK after that 5 times timeout happens and resume BACK if less than 8 ms recognize.
  I do not sure if 8 ms is reasonable if the starting node is far behind the active node (assuming the starting node is to hardware failure).
  Here's my response:
  --------------------------------
  PAIR of EVE ACTIVE CREATE eppdb WE "baal", eppdb ON "diablo."
  RETURN TWOSAFE
  STORE eppdb WE 'baal '.
  DISABLE THE BACK EVERY 5
  CURRICULUM VITAE OF RETURN 8;
  -------------------------------
  Is what I'm not clear on the key word "STORE."
  I noticed that there are a lot of 'STORE' after RETURN of TWOSAFE and make that confused me for a while.
  If this assertion is false, please correct me.
  
  Thank you.

  In fact, these options apply to the store level so that the statement is as follows:

  CREATE A PAIR OF ACTIVE STANDBY
  eppdb WE 'baal', eppdb ON TWOSAFE of RETURN "diablo."
  STORE eppdb WE 'baal '.
  DISABLE THE RETURN ALL 5 HP BACK 20
  RETURN SERVICES TURNED OFF WHEN THEY ARE ARRESTED
  SUSTAINABLE COMMITMENT ON
  COMMIT LOCAL ACTION VALIDATION
  WAIT BACK 30 TIMES
  STORE eppdb ON "diablo."
  DISABLE THE RETURN ALL 5 HP BACK 20
  RETURN SERVICES TURNED OFF WHEN THEY ARE ARRESTED
  SUSTAINABLE COMMITMENT ON
  COMMIT LOCAL ACTION VALIDATION
  WAIT BACK 30 TIMES;

  All these options and what they mean are described in detail in the (very good) documentation. I would recommend that you read in order to understand that you configure here... Just a summary.

  Whenever the wait isn't available, application commits will experience timeouts (TT WARNING 8170). Request code must be prepared to receive and respond to this warning. Finally (according to the options DISABLE RETURN and RETURN WAIT [see below]) TT come back asynchronously and wait times stops. Once sleep is available and the stores are back in sync TT will increase from TWOSAFE BACK mode once again.

  DISABLE BACK every 5 - turn off the twosafe return (i.e. emergency in asynchronous mode) treatment after 5 consecutive times (each timeout will be 30 seconds)

  BACK to the TIME of WAITING 30 - wait up to 30 seconds (a very long time) for recognition in return for service to the peer

  The combination of these two parameters means that in the event of network failure or the eve past active offline will be waiting for about 150 seconds (5 x 3) before disabling the twosafe return processing. During this time of transaction request will be and experience timeouts. I would suggest smaller values such as 2 and 10 maybe but only t = OU can decide what is reasonable for your environment.

  SUSTAINABLE if ENGAGING ON - whenever the return services are then disabled, force all commits to be sustainable (synchronous disk). This will degrade performance, but provides continuous data protection when the instance of relief is not available. If you don't want this feature so do not configure (but then when the watch is not available you are exposed to data loss if the assets fails).

  RETURN SERVICES OFF when THEY are ARRESTED - disable services return (spend in asynchronous mode) each time the replication agent stops.

  LOCAL validation ACTION COMMIT - if a validation Gets a time-out warning (TT8170) then the transaction status is uncertain. The application can choose to engage locally (allowing it to continue the treatment), in which case the txn is committed. will be added to the queue of replication for a (possible) retransmission in asynchronous mode. It is the recommended behavior and is defined by this option. The other option is NO ACTION, which is also the default value. With this option, the application must implement the logic for its own decision, and then call a few specific TT builtin functions to decide how to deal with the uncertain state. This adds significant complexity. Until the application makes a decision, it is impossible to continue.

  See the documentation for more information.

• Active standby records?

  Must Media Encoder be open to enable active standby records? Or he ping them closed while?

  SOUL should run.