Active/active failover configuration LAN-based PIX / ASA

Hi all

I would like to ask if there is a length restriction between the two ASA5510s in a LAN failover? There should not be, or am I wrong?

Thank you

Norbert

Hello

The normal 100 m Ethernet length applies. Or you can use switches between them; I do not have a direct link.

Best regards, Celio

Tags: Cisco Security

Similar Questions

  • ASA-SSM-20 in an active failover configuration

    Can you synchronize configuration data between two IPS systems?

    I have two ASA-SSM-20s (6.1.1 E3), one in each of my ASAs. The ASAs are in active/standby failover. During configuration of the IPS module I always make the same changes on the standby unit as well. Is it possible to synchronize these two sensors, so that when one is configured the other is updated?

    Thank you very much

    Unlike the ASA, there is no automatic function to keep the configuration synchronized across the 2 SSMs.

    A few options:

    You can use the copy command to copy the configuration of one sensor to an ftp/scp server.

    Then use the copy command on the second sensor to copy the configuration onto the second sensor. During the copy it will ask whether to change the IP of the sensor to what is in the configuration file. You will need to tell it NOT to change the IP of the sensor, otherwise you end up with 2 SSMs with the same IP address and struggle to connect to them.

    Another option is to use CSM. CSM has configuration that applies to individual sensors, but also group configuration that can be applied across multiple sensors.

    If you use the group configuration, then you could make one change to the configuration of the group and apply it to all the sensors in the group (you would place your 2 SSMs in the same group).

  • Replication of VPN with active/standby failover

    Hello world

    If the ASA is configured for active/standby failover,

    will the VPN image, profile and plug-ins on the active ASA also replicate to the standby ASA?

    Or do I have to do it manually on the standby ASA?

    Regards

    MAhesh

    The VPN image and profile are not replicated; you will have to do it manually. Here is a list of what ends up in an active/standby stateful configuration:

    • The NAT translation table

    • TCP connection states

    • UDP connection states

    • The ARP table

    • The layer 2 bridge table (when running in transparent firewall mode)

    • HTTP connection states (if HTTP replication is enabled)

    • The ISAKMP / IPSec SA table

    • The GTP PDP connection database

    --

    Please do not forget to rate and choose a good answer

  • ASA in transparent mode with LAN-based active/standby failover?

    Is it possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover? I configured the failover portion and then configured transparent mode, and it erased my failover configuration. Is this a supported configuration, and if so is there an example?

    Thanks in advance

    Yes. It is possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover. You must perform the failover configuration after converting the appliance to transparent mode.

    I saw an example on the Cisco site, but I'll give you an example from one of the projects I run. In fact it's very easy to configure failover in transparent mode. Less work.

    I have listed the configs of both firewalls for your reference.

    Main firewall
    ============

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     no shutdown
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     no shutdown
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
    !
    interface GigabitEthernet0/3
     description LAN Failover Interface
    !
    ip address 192.168.9.2 255.255.255.0 standby 192.168.9.7
    failover
    failover lan unit primary
    failover lan interface FAILINT GigabitEthernet0/3
    failover key abcdef
    failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7

    Secondary firewall
    =================

    failover
    failover lan unit secondary
    failover lan interface FAILINT GigabitEthernet0/3
    failover key abcdef
    failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7

    interface GigabitEthernet0/3
     no shutdown

    Hope the above helps.

  • Cisco ASA 8.4 active/standby failover with AnyConnect local CA

    Hi Friends

    I hope you are doing well! I've got a question, hope you can help me. I've got an ASA 5550 with version 8.4(6); it is dedicated to AnyConnect remote access VPN with users who authenticate through certificates generated locally on the ASA. We've got another 5550 with the same hardware and the same version, and we are working on the failover configuration. I've heard from other network engineers that the ASA may not support failover when doing this local CA. Then I read the full failover section of the 8.4(6) configuration guide and I didn't find any restriction on failover and the local CA working together. I'm testing over the next weekend, but I would like to know from your experience if I will have problems with VPN connections or the failover configuration.

    Please, do not hesitate to ask for as much information as necessary. All comments and documentation will be appreciated.

    Best regards!

    It's in the documentation:

     Does not support Active/Active or Active/Standby failover

    And on top of that, ASDM shows that "Local CA cannot be configured when failover is activated".

  • Local unit is failover active but is not active.

    Impossible to run IPSEC sessions... This is a debug... any idea?

    ASA5520# debug cry isa 1

    ASA5520# Aug 14 11:06:59 [IKEv1]: IKE Initiator: Local unit is failover active but is not currently active.
    Aug 14 11:07 [IKEv1]: IKE Initiator: Local unit is failover active but is not currently active.
    Aug 14 11:07:02 [IKEv1]: IKE Receiver: Local unit is failover active but is not currently active.
    Aug 14 11:07:04 [IKEv1]: IKE Initiator: Local unit is failover active but is not currently active.
    Aug 14 11:07:04 [IKEv1]: IKE Initiator: Local unit is failover active but is not currently active.

    Try restarting the PIX.

    Referring URL:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

  • Clarification of active/active failover

    Hi - can someone tell me if ASA active/active failover requires two router ports for the outbound traffic? In other words, a path for each subnet in both contexts? Or, in the form below, can A/A failover work with a single-port gateway router?

    Thank you

    Dave

    Dave,

    Several contexts can share outside access by assigning each of them an IP address on the same subnet. But for A/A failover each context requires its own physical interface, so a single-port gateway router will not work, except by implementing VLAN routing using router-on-a-stick.

    Thank you

    Hang

  • PIX / ASA 7.0

    Is the PIX v7.0 OS the same OS that runs on the ASA? Are configurations portable between the two devices?

    They are essentially the same thing, even if you cannot put a PIX image on an ASA or vice versa. PIX images begin with "pix...", ASA images... well, you can guess.

    There are some differences due to hardware - an ASA does not have a serial port for failover (use LAN-based failover), it does not have the FO/R/UR licenses, and the IDS interfaces are different.

    But in terms of NAT, ACLs, routes, object groups etc. it is the same thing. You can copy the config, but pay attention to the interface and failover config.

  • Problem with L2L and RA VPN in a failover configuration

    I use two ASA 5540s in an active/standby failover configuration. These boxes (primary and secondary) are used to establish some L2L and RA (remote access) VPNs. The active unit runs the OSPF process.

    The problem is that when failover happens (shutting down the active unit, or running "failover active" on the secondary unit) all the L2L tunnels have to be restored on the secondary unit. The only way I can do this (re-connect) is removing the RRI (Reverse Route Injection) configuration (e.g. "no crypto map rprbbe_map 3 set reverse-route") and re-adding the RRI configuration ("crypto map rprbbe_map 3 set reverse-route"). After this the connection is re-established.

    For RA clients the session persists on a failover event, but the client loses access. To resolve this problem, the client needs to disconnect and reconnect.

    Does anyone have any experience with this kind of (L2L and RA) VPN configuration using failover?

    The behavior seems buggy.

    What version do you use?

  • Who can help me with "Insufficient resources to meet the level of failover configured for vSphere HA"?

    Hello world

    We tried to give a server 14GB of RAM and make a full reservation for it.
    This is a server for exams, and the vendor told us to do so.

    I can't make more than a 5500MB reservation on it; when I try any more I get
    "Insufficient resources to meet the level of failover configured for vSphere HA."

    We have:

    2 x ESXi 5.1 hosts
    Each host has
    2 x processors (8 cores each) with HT active.
    255.75 GB of RAM

    vSphere HA has been activated.
    Admission control policy is enabled and the failover capacity is 1 host.

    What is the problem here?

    Thank you
    Ernst.

    Admission control policy is all about giving you the guarantee that if a host failure happens there will be enough resources to perform a successful failover.

    In simple terms, it reserves the resources needed for failover.

    I would recommend going through the vSphere HA admission control policy concept in the following document.

    https://pubs.VMware.com/vSphere-60/topic/com.VMware.ICbase/PDF/vSphere-ESXi-vCenter-Server-60-availability-Guide.PDF

    From page 22 onward the details you need to study are given. Focus especially on the slot size calculation part.

    In your case you have vSphere HA with "number of host failures to tolerate" defined as the admission control policy.

    This means the system will calculate CPU and memory slots out of the resources in your cluster, and out of the total number of slots it will keep some reserved for failover, while the others will be available for use. It all depends on how many host failures you want to tolerate.

    Now in your case, if you try to increase the reservation of one virtual machine, which then affects the number of slots in your environment so that the reserved failover capacity is violated, the system will not let you do what you want to do, such as powering on a virtual machine, or increasing the reservation of a powered-on VM, etc.

    If you find that you have enough resources in your cluster and, due to some virtual machines with very large CPU or memory reservations, the number of slots is less, you can still adjust some advanced settings in the vSphere HA configuration, but I strongly recommend getting the help of someone who has done it before.

    Also try to go through the other admission control strategies which are explained in the document for more input.

  • User restrictions - PIX/ASA

    On PIX/ASA I created users with privilege levels; how can I restrict them depending on the privilege level?

    For example, privilege level 10 users can't enter config mode.

    Please advise.

    Thank you

    Knockaert

    Hello

    You must enable local command authorization to do so. See this link for the steps to enable local command and configuration authorization.

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/mgaccess.html#wp1042039

  • Not enough resources to meet the level of failover configured for vSphere HA

    I have a vSphere 5.0 cluster based on 2 ESXi 5 nodes.

    When I try to start a virtual machine, I get an error saying that there are "insufficient resources to meet the level of failover configured for vSphere HA".

    If I turn off another VM the problem disappears and I can turn on my VM.

    If I then try to turn on the virtual machine I had turned off, I get the error again.

    It seems obvious that there is a lack of resources or some setting is misconfigured, but even after reading the forums and manuals I am unable to locate the critical resource or parameter that is not correct.

    Based on my experience, neither the vSphere server nor the ESXi servers are overloaded.

    I have another similar cluster hosting a larger number of virtual machines with no similar problem.

    Which performance counter and which setting should I check to identify the bottleneck?

    Regards

    Marius

    To check reservations for virtual machines, I would select the Cluster in your vCenter inventory, then select the "Resources" tab. This displays the child objects of the cluster (VMs, Resource Pools, vApps). There you can see the CPU and memory resource settings. You'll want to look at the "Reservation" column.

    To find the slot size and the slots available, look at the "Summary" tab of your cluster. There is a tile marked "vSphere HA". In this tile there will be a link for "Advanced Runtime Info" which will open a new window with the slot information.

    When the Admission Control policy is set to "Number of host failures the cluster will tolerate", HA has a very pessimistic view of your resources, since it must be able to handle all the possibilities.

    Another option would be to change the admission control policy in the Cluster HA settings to "Percentage of cluster resources reserved for failover". It reserves a portion of the resources for use by HA in case of a failover, rather than trying to calculate the size of the individual virtual machines. With a 2-node cluster, I think it is a relatively safe bet to set these values to 50%, as your worst-case HA scenario would be losing a single host out of 2.
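    As an added illustration (not VMware's code, nor anything posted in this thread or in the 14GB reservation thread above), the slot-based admission control both answers describe, modelled in Python: slot size from the largest reservation, per-host slot counts, and the check that the surviving hosts still hold one slot per VM after losing the N largest hosts. The host sizes, VM count and the 32 MHz CPU default are constructed or assumed for the example, not taken from either thread.

```python
"""Model of the vSphere HA "host failures to tolerate" admission control:
slot size = largest reservation (+ overhead) among powered-on VMs, a host
holds min(cpu slots, mem slots), the N largest hosts are assumed lost and
the survivors must still hold one slot per VM.  Cluster data is constructed."""
from dataclasses import dataclass

DEFAULT_CPU_SLOT_MHZ = 32  # assumed floor used when no VM carries a CPU reservation

@dataclass
class Host:
    cpu_mhz: int
    mem_mb: int

@dataclass
class VM:
    cpu_res_mhz: int = 0
    mem_res_mb: int = 0
    overhead_mb: int = 0  # VM memory overhead always counts towards the slot

def slot_size(vms):
    """(cpu_mhz, mem_mb) of one slot, sized by the most demanding VM."""
    cpu = max((v.cpu_res_mhz for v in vms), default=0) or DEFAULT_CPU_SLOT_MHZ
    mem = max((v.mem_res_mb + v.overhead_mb for v in vms), default=0)
    return cpu, max(mem, 1)  # avoid division by zero when nothing is reserved

def host_slots(host, slot):
    cpu_slot, mem_slot = slot
    return min(host.cpu_mhz // cpu_slot, host.mem_mb // mem_slot)

def failover_capacity_ok(hosts, vms, failures_to_tolerate):
    """True when, after losing the largest N hosts, slots still cover every VM."""
    slot = slot_size(vms)
    counts = sorted((host_slots(h, slot) for h in hosts), reverse=True)
    return sum(counts[failures_to_tolerate:]) >= len(vms)

def max_reservation_mb(hosts, vms, index, failures_to_tolerate):
    """Largest memory reservation VM `index` may get before HA rejects it."""
    lo, hi = vms[index].mem_res_mb, max(h.mem_mb for h in hosts)
    while lo < hi:  # binary search: a bigger reservation never adds slots
        mid = (lo + hi + 1) // 2
        trial = list(vms)
        trial[index] = VM(vms[index].cpu_res_mhz, mid, vms[index].overhead_mb)
        if failover_capacity_ok(hosts, trial, failures_to_tolerate):
            lo = mid
        else:
            hi = mid - 1
    return lo

# Constructed cluster resembling the thread: two 255.75 GB hosts, 40 small VMs,
# admission control set to tolerate one host failure.
HOSTS = [Host(cpu_mhz=16 * 2400, mem_mb=261888)] * 2
VMS = [VM() for _ in range(40)]
```

    With 40 powered-on VMs and one tolerated host failure, a single 14 GB reservation shrinks the surviving host to 18 slots and is refused, while the search shows the largest reservation that still fits.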

  • Help with LAN-based active/standby failover on PIX 7.0

    Hello

    I wonder why my active/standby failover status is waiting. And when I do "sh failover state" it says it failed on "Hello not heard from mate" in the standby state (see attachment).

    Failover On
    Cable status: N/A - LAN-based failover enabled
    Failover unit Primary
    Failover LAN Interface: failover GigabitEthernet1 (up)
    Unit Poll frequency 1 seconds, holdtime 3 seconds
    Interface Poll frequency 15 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 250 maximum
    failover replication http
    Last Failover at: 02:39:25 MYT Apr 15 2006
            This host: Primary - Active
                    Active time: 184985 (sec)
                    Interface inside (10.103.1.15): Normal (Waiting)
                    Interface outside (210.187.51.2): Normal (Waiting)
                    Interface dmz (210.187.51.81): Normal (Waiting)
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                    Interface inside (0.0.0.0): Normal (Waiting)
                    Interface outside (0.0.0.0): Normal (Waiting)
                    Interface dmz (0.0.0.0): Normal (Waiting)

    Stateful Failover Logical Update Statistics
            Link : failover GigabitEthernet1 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         101718     0          419        0
            sys cmd         419        0          419        0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        74719      0          0          0
            UDP conn        21655      0          0          0
            ARP tbl         4928       0          0          0
            Xlate_Timeout   0          0          0          0
            VPN IKE upd     0          0          0          0
            VPN IPSEC upd   0          0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       2       419
            Xmit Q:         0       2       104936

    Is there something wrong with my setup?

    I use LAN-based active/standby failover.

    I have attached my firewall configuration, sh failover, sh failover state and sh failover history.

    Looking at your configs... the IP addresses for the standby unit are missing... It should read something like this:

    interface Ethernet0
     nameif outside
     ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
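    As an added check (not code from this thread or from Cisco), a small Python parser that reads the interface lines of "show failover" together with the running-config "ip address" lines and reports interfaces that are still Waiting or that lack a standby address, which is the cause the reply above points at. The sample output and config are constructed: the 10.103.1.16 standby address, the masks and the Monitored state on inside are assumed, not taken from the attachment.

```python
import re
# Constructed sample (addresses reuse the thread's): show failover interface lines plus the config.
SHOW_FAILOVER = """\
This host: Primary - Active
        Interface inside (10.103.1.15): Normal (Monitored)
        Interface outside (210.187.51.2): Normal (Waiting)
Other host: Secondary - Standby Ready
        Interface inside (10.103.1.16): Normal (Monitored)
        Interface outside (0.0.0.0): Normal (Waiting)
"""
CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 210.187.51.2 255.255.255.224
interface Ethernet1
 nameif inside
 ip address 10.103.1.15 255.255.255.0 standby 10.103.1.16
"""
HOST_LINE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IF_LINE = re.compile(r"Interface (\S+) \(([\d.]+)\): (\w+) \((\w+)\)")

def parse_show_failover(text):
    """Map (unit, interface) -> (ip, state, substate) from show failover output."""
    result, unit = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            unit = m.group(2)  # Primary / Secondary
        elif (m := IF_LINE.search(line)) and unit:
            name, ip, state, sub = m.groups()
            result[(unit, name)] = (ip, state, sub)
    return result

def interfaces_without_standby(config):
    """nameifs whose 'ip address' line carries no standby address."""
    missing, nameif = [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif and " standby " not in line:
            missing.append(nameif)
    return missing

def diagnose(show_text, config):
    # Findings to check before blaming the failover link itself.
    findings = []
    for (unit, name), (ip, state, sub) in sorted(parse_show_failover(show_text).items()):
        if sub == "Waiting":
            findings.append(f"{unit} {name}: {state} (Waiting), mate not yet heard on it")
        if unit == "Secondary" and ip == "0.0.0.0":
            findings.append(f"Secondary {name}: no standby address (0.0.0.0)")
    findings += [f"config {n}: 'ip address' has no standby keyword"
                 for n in interfaces_without_standby(config)]
    return findings
```

    Run against the sample, only the outside interface is reported, on both units and in the config, which matches the fix the reply suggests.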

  • How can I use MS Active Directory to authenticate a PIX?

    I currently have a PIX515 running 6.3 and I have created users manually for PPTP (VPDN) access to my protected network (an administrative nightmare). Is it possible for me to use the MS Active Directory user database and have the PIX refer to it for authentication? Or do I need Cisco's ACS software to accomplish this?

    Here you go

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

    Regards

    John

  • Activation of the LAN after reinstalling Windows - Satellite Pro A10

    I gave my Toshiba Satellite Pro A10 laptop a format and a fresh copy of Windows XP Pro. In general I use a PCMCIA wireless Internet card, but now I want to connect my laptop via a physical Ethernet cable. Unfortunately I cannot figure out how to turn on the LAN on my PC (i.e. it is not even in Device Manager). Does anyone know how to do this? (i.e. which Toshiba utility I need to do this, etc.)

    Hello

    It's very strange. Please visit the Toshiba download page and install the Toshiba FAST Ether LAN V6.4.14 drivers for the Satellite A10. It should work. If the device is enabled in Device Manager it must work when you connect the LAN cable.
