Active/active failover configuration LAN-based PIX / ASA
Hi all
I would like to ask whether there is a distance restriction between the two ASA5510s in a LAN-based failover setup. There should not be, or am I wrong?
Thank you
Norbert
Hello
The normal Ethernet limit of 100 m applies. Or you can put switches between them. I do not have a direct link myself.
Best regards, Celio
Tags: Cisco Security
Similar Questions
-
ASA-SSM-20 in an active failover configuration
Can you synchronize configuration data between two IPS systems?
I have two ASA-SSM-20s (6.1.1 E3), one in each of my ASAs. The ASAs are in a failover pair. When I configure the IPS module I always make the same changes on the standby unit as well. Is it possible to synchronize the configuration of these two sensors, so that when one is configured the other is updated?
Thank you very much
Unlike the ASA, there is no automatic function to keep the configuration synchronized between the 2 SSMs.
A few options:
You can use the copy command to copy the configuration of one sensor to an ftp/scp server.
Then use the copy command on the second sensor to copy the configuration onto the second sensor. During the copy it will ask whether to change the IP of the sensor to what is in the configuration file. You will need to tell it NOT to change the sensor's IP, otherwise you end up with 2 SSMs with the same IP address and have trouble connecting to them.
Another option is to use CSM. CSM has configuration that applies to individual sensors, but also group configuration that can be applied across multiple sensors.
If you use the group configuration, you can make one change to the group configuration and apply it to all the sensors in the group (you would place your 2 SSMs in the same group).
-
VPN replication with active/standby failover
Hello all
If the ASA is in an active/standby failover configuration,
will the active ASA's VPN image, profile and plug-ins also replicate to the standby ASA?
Or do I have to do it manually on the standby ASA?
Regards
Mahesh
The VPN image and profile are not replicated, you will have to do it manually. Here is a list of what does get replicated to the standby in a stateful active/standby configuration:
The NAT translation table
The TCP connection states
The UDP connection states
The ARP table
The Layer 2 bridge table (when running in transparent firewall mode)
The HTTP connection states (if HTTP replication is enabled)
The ISAKMP/IPsec SA table
The GTP PDP connection database
--
Please do not forget to rate and choose a correct answer
-
ASA in transparent mode with LAN-based active/standby failover?
Is it possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover? I configured the failover portion and then configured transparent mode, and it erased my failover configuration. Is this a supported configuration, and if so, is there an example somewhere?
Thanks in advance
Yes. It is possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover. You must perform the failover configuration after converting the appliance to transparent mode.
I saw an example on the Cisco site, but I'll give you an example from one of the projects I run. In fact it is very easy to configure failover in transparent mode. Less work.
I have listed the configs of both firewalls for your reference.
Primary firewall
============
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 description Failover LAN Interface
!
! transparent mode: one management address for the bridge, with its standby address
ip address 192.168.9.2 255.255.255.0 standby 192.168.9.7
failover
failover lan unit primary
failover lan interface FAILINT GigabitEthernet0/3
failover key abcdef
failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7
Secondary firewall
=================
! the secondary only needs the failover bootstrap; it pulls the rest of the config from the primary
failover
failover lan unit secondary
failover lan interface FAILINT GigabitEthernet0/3
failover key abcdef
failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7
interface GigabitEthernet0/3
 no shutdown
Hope the above helps.
-
Cisco ASA 8.4 active/standby failover with AnyConnect and local CA
Hi friends
I hope you are doing well! I have a question, hope you can help me. I have an ASA 5550 running version 8.4(6); it is dedicated to AnyConnect remote-access VPN, with users authenticating through certificates generated locally on the ASA. We have another 5550 with the same hardware and the same version, and we are working on the failover configuration. I have heard from other network engineers that failover may not be configurable when the ASA is acting as a local CA. Then I read the full failover operating guide for version 8.4(6) and I did not find any restriction on failover and local CA working together. I will be testing over the next weekend, but I would like to know from your experience whether I will have problems with the VPN connections or the failover configuration.
Please do not hesitate to ask for as much information as necessary. All comments and documentation will be appreciated.
Best regards!
Here is the documentation:
Does not support Active/Active or Active/Standby failover
And on top of that, ASDM shows that "Local CA cannot be configured when failover is enabled".
-
Local unit is active failover but is not active.
Unable to establish IPsec sessions... This is the debug... any idea?
ASA5520# debug cry isa 1
ASA5520# Aug 14 11:06:59 [IKEv1]: IKE Initiator: Local unit is active failover but is not currently active.
Aug 14 11:07:00 [IKEv1]: IKE Initiator: Local unit is active failover but is not currently active.
Aug 14 11:07:02 [IKEv1]: IKE Receiver: Local unit is active failover but is not currently active.
Aug 14 11:07:04 [IKEv1]: IKE Initiator: Local unit is active failover but is not currently active.
Aug 14 11:07:04 [IKEv1]: IKE Initiator: Local unit is active failover but is not currently active.
Try restarting the PIX.
Referring URL:
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml
-
Clarification of active/active failover
Hi - can someone tell me whether ASA active/active failover requires two router ports for the outbound traffic? In other words, a path for each subnet in both contexts? Or, in the form below, can A/A failover work with a single-port gateway router?
Thank you
Dave
Dave,
Several contexts can share outside access by assigning each of them an IP address on the same subnet. But A/A failover requires each context to have its own physical interface, so a single-port gateway router will not work, unless you implement VLAN routing using router-on-a-stick.
Thank you
Hang
-
Is the PIX v7.0 OS the same OS that runs on the ASA? Are configurations portable between the two devices?
They are essentially the same thing, even though you cannot put a PIX image on an ASA or vice versa. PIX images begin "pix...", ASA images... well, you can guess.
There are some differences due to hardware: an ASA does not have a serial failover port (it uses LAN-based failover), it does not have FO/R/UR, and the IDS interfaces are different.
But in terms of NAT, ACLs, routes, object groups etc. it is the same thing. You can port the config, but pay attention to the interface and failover config.
-
Problem with L2L and RA VPN in a failover configuration
I use two ASA 5540s in an active/standby failover configuration. These boxes (primary and secondary) are used to establish some L2L and RA (remote access) VPNs. The active unit runs the OSPF process.
The problem is that on failover (either just shutting down the active unit, or running "failover active" on the secondary unit) all the L2L tunnels have to be re-established on the secondary unit. The only way I can do this (reconnect) is to remove the RRI (reverse route injection) configuration (e.g. "no crypto map rprbbe_map 3 set reverse-route") and then re-add the RRI configuration ("crypto map rprbbe_map 3 set reverse-route"). After this the connection is re-established.
For RA clients the session persists across a failover event, but the client loses access. To resolve this, the client needs to disconnect and reconnect.
Does anyone have experience with this kind of VPN configuration (L2L and RA) using failover? The behaviour seems buggy.
What version do you use?
-
Hello all
We tried to give a VM 14GB of RAM and make a full reservation for it.
This is an exam server and the vendor told us to do this. I can't set more than a 5500MB reservation on it; when I set more I get
"Insufficient resources to satisfy configured failover level for vSphere HA". We have:
2 x ESXi 5.1 hosts
Each host has
2 x processors (8 cores each) with HT enabled.
255.75 GB of RAM. vSphere HA is enabled.
Admission control policy is enabled and the failover capacity is 1 host. What is the problem here?
Thank you
Ernst
Admission control policy is all about giving you the guarantee that, if a host failure happens, there will be enough resources to perform a successful failover.
In simple terms, it reserves the failover resources.
I would recommend going through the vSphere HA concepts, admission control policy, in the following document.
From page 22 onward, the details you need to study are given. Focus especially on the slot size calculation part.
In your case you have vSphere HA with "number of host failures to tolerate" defined as the admission control policy.
This means the system will calculate CPU and memory slots out of the resources in your cluster, and out of the total number of slots it will keep some resources reserved for failover, and the others will be available for use. It all depends on how many host failures you want to tolerate.
Now in your case, if you try to increase the reservation of one of the virtual machines, that will affect the number of slots in your environment, and if the reserved failover capacity is violated, the system will not let you do what you want to do, such as powering on a virtual machine, or increasing the reservation of a powered-on VM etc.
If you find that you have enough resources in your cluster and, due to some virtual machines with very large CPU or memory reservations, the number of slots is lower, you can still manage some advanced settings in the vSphere HA configuration, but I strongly recommend getting the help of someone who has done it before.
Also try to go through the other admission control policies, which are explained in the document, for more input.
-
User restrictions - PIX/ASA
On PIX/ASA I created a user with a privilege level; how can I restrict what they can do depending on the privilege level?
Example: privilege level 10 can't enter config mode.
Please advise.
Thank you
Knockaert
Hello
You must enable local command authorization to do so. See this link for the steps to enable local command authorization and configure it.
http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/mgaccess.html#wp1042039
-
Insufficient resources to satisfy configured failover level for vSphere HA
I have a vSphere 5.0 based cluster with 2 ESXi 5 nodes.
When I try to start a virtual machine I get an error saying "insufficient resources to satisfy configured failover level for vSphere HA".
If I turn off another VM the problem disappears and I can turn on my VM.
If I then try to turn on the virtual machine I just turned off, I get the error again.
It seems obvious that there is a lack of resources or some setting is misconfigured, but even after reading the forums and manuals I am unable to locate the critical resource or parameter that is not correct.
Based on my experience, neither the vSphere server nor the ESXi servers are overloaded.
I have another similar cluster hosting a larger number of virtual machines with no similar problem.
Which performance counter and which setting should I check to identify the bottleneck?
Regards
Marius
To check reservations for virtual machines, I would select the cluster in your vCenter inventory, then select the "Resources" tab. That displays the child objects of the cluster (VMs, resource pools, vApps). There you can look at the CPU and memory resource settings. You'll want to look at the "Reservation" column.
To find the slot size and available slots, look at the "Summary" tab of your cluster. There is a tile labelled "vSphere HA". In this tile there is a link for "Advanced Runtime Info" which opens a new window with the slot information.
When the HA admission control policy is set to "Number of host failures the cluster tolerates", HA has a very pessimistic view of your resources, since it must be able to handle all possibilities.
Another option would be to change the admission control policy in the cluster HA settings to "Percentage of cluster resources reserved for failover". It reserves a portion of the resources for use by HA in case of a failover, rather than trying to calculate the size of the individual virtual machines. With a 2-node cluster, I think it is a relatively safe bet to set these values to 50%, as your worst-case HA scenario would be losing a single host out of 2.
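The two vSphere HA threads above describe the slot-size admission control calculation in prose. The following is an added worked example, not code from either thread or from VMware: it models the "host failures the cluster tolerates" policy as documented for vSphere 5.x (slot = largest CPU and memory reservation of any powered-on VM, 32 MHz CPU floor) and the percentage policy from the second answer. The per-VM memory overhead is simplified to a flat constant, the cluster (two hosts of 16 x 2.4 GHz cores and 255.75 GB, 23 unreserved VMs plus one exam server) is constructed to resemble the first poster's, and the host capacities are assumed to already exclude host overhead.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumptions, labelled: vSphere 5.x slot policy sizes every slot by the largest CPU and
# memory reservation among powered-on VMs; CPU falls back to das.vmCpuMinMHz (32 MHz).
# The memory slot also carries per-VM overhead, which the real algorithm derives per VM
# and which is modelled here as a flat constant.
CPU_MIN_MHZ = 32
MEM_OVERHEAD_MB = 100  # assumption; real overhead depends on VM size


@dataclass
class Host:
    name: str
    cpu_mhz: int  # capacity available to VMs (assumption: host overhead already removed)
    mem_mb: int


@dataclass
class VM:
    name: str
    cpu_res_mhz: int = 0
    mem_res_mb: int = 0
    powered_on: bool = True


@dataclass
class SlotReport:
    slot_cpu_mhz: int
    slot_mem_mb: int
    slots_per_host: Dict[str, int]
    total_slots: int
    used_slots: int
    failover_capacity: int  # host failures the cluster can currently tolerate


def slot_size(vms: List[VM]) -> Tuple[int, int]:
    """Slot = largest reservation of any powered-on VM (with the CPU floor and memory overhead)."""
    on = [v for v in vms if v.powered_on]
    cpu = max([v.cpu_res_mhz for v in on] + [CPU_MIN_MHZ])
    mem = max([v.mem_res_mb for v in on] + [0]) + MEM_OVERHEAD_MB
    return cpu, mem


def slot_report(hosts: List[Host], vms: List[VM]) -> SlotReport:
    cpu, mem = slot_size(vms)
    per_host = {h.name: min(h.cpu_mhz // cpu, h.mem_mb // mem) for h in hosts}
    used = sum(1 for v in vms if v.powered_on)
    # Failover capacity: take away the hosts with the most slots one at a time and stop
    # as soon as the remaining slots would no longer hold every powered-on VM.
    sizes = sorted(per_host.values(), reverse=True)
    capacity = 0
    for i in range(len(sizes)):
        if sum(sizes[i + 1:]) >= used:
            capacity = i + 1
        else:
            break
    return SlotReport(cpu, mem, per_host, sum(sizes), used, capacity)


def slot_policy_allows(hosts: List[Host], vms: List[VM], host_failures_to_tolerate: int) -> bool:
    return slot_report(hosts, vms).failover_capacity >= host_failures_to_tolerate


def percentage_policy_allows(hosts: List[Host], vms: List[VM], reserved_pct: int) -> bool:
    """The alternative policy from the second answer: keep reserved_pct of cluster CPU and
    memory spare and compare the sum of reservations (plus overhead) against the rest."""
    cpu_total = sum(h.cpu_mhz for h in hosts)
    mem_total = sum(h.mem_mb for h in hosts)
    on = [v for v in vms if v.powered_on]
    cpu_used = sum(max(v.cpu_res_mhz, CPU_MIN_MHZ) for v in on)
    mem_used = sum(v.mem_res_mb + MEM_OVERHEAD_MB for v in on)
    return (cpu_used <= cpu_total * (100 - reserved_pct) / 100
            and mem_used <= mem_total * (100 - reserved_pct) / 100)


def build_cluster(exam_server_mem_res_mb: int) -> Tuple[List[Host], List[VM]]:
    """Constructed cluster: two hosts of 16 cores (assumed 2.4 GHz, HT ignored) and
    255.75 GB, 23 VMs without reservations plus the exam server whose reservation varies."""
    hosts = [Host("esx1", 16 * 2400, 261888), Host("esx2", 16 * 2400, 261888)]
    vms = [VM(f"vm{i}") for i in range(23)]
    vms.append(VM("exam-server", mem_res_mb=exam_server_mem_res_mb))
    return hosts, vms


if __name__ == "__main__":
    for res in (5500, 14 * 1024):
        hosts, vms = build_cluster(res)
        r = slot_report(hosts, vms)
        print(f"reservation {res} MB: slot {r.slot_mem_mb} MB, {r.total_slots} slots, "
              f"{r.used_slots} used, tolerates {r.failover_capacity} host failure(s); "
              f"1-host policy allows={slot_policy_allows(hosts, vms, 1)}, "
              f"50% policy allows={percentage_policy_allows(hosts, vms, 50)}")
```

Raising the single reservation from 5500 MB to 14 GB does not change how much memory the cluster has free; it shrinks every slot to 14 GB, so each host drops from 46 slots to 18 and 24 powered-on VMs no longer fit on the one surviving host. The percentage policy compares actual reservations against spare capacity and accepts the same change, which is the trade-off the second answer describes.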
-
Help with LAN-based active/standby failover on PIX 7.0
Hello
I wonder why my active/standby failover status is stuck on Waiting. And when I do "sh failover state" it shows a failure with "Hello not heard from mate" in the standby state (see attachment).
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Last Failover at: 02:39:25 MYT Apr 15 2006
        This host: Primary - Active
                Active time: 184985 (sec)
                Interface inside (10.103.1.15): Normal (Waiting)
                Interface outside (210.187.51.2): Normal (Waiting)
                Interface dmz (210.187.51.81): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface inside (0.0.0.0): Normal (Waiting)
                Interface outside (0.0.0.0): Normal (Waiting)
                Interface dmz (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet1 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         101718     0          419        0
        sys cmd         419        0          419        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        74719      0          0          0
        UDP conn        21655      0          0          0
        ARP tbl         4928       0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       419
        Xmit Q:         0       2       104936
Is there something wrong with my setup?
I use LAN-based active/standby failover.
I have attached my firewall configuration, "sh failover", "sh failover state" and "sh failover history".
Looking at your configs... the IP addresses for the standby unit are missing... It should read something like this:
interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
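Added example, not part of the thread: a small Python checker for "show failover" output that surfaces the two symptoms the answer above reads off the paste, interfaces stuck in Normal (Waiting) and peer addresses of 0.0.0.0, which is what a missing standby address on the active unit looks like from the other side. The sample output is constructed from the figures in the post, and the regular expressions assume the PIX/ASA 7.x layout shown there.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, trimmed to the host/interface sections of the "show failover" output
# quoted in the post above (the real output has more sections).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (up)
Monitored Interfaces 3 of 250 maximum
        This host: Primary - Active
                Active time: 184985 (sec)
                Interface inside (10.103.1.15): Normal (Waiting)
                Interface outside (210.187.51.2): Normal (Waiting)
                Interface dmz (210.187.51.81): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface inside (0.0.0.0): Normal (Waiting)
                Interface outside (0.0.0.0): Normal (Waiting)
                Interface dmz (0.0.0.0): Normal (Waiting)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\w+)(?: \((\w+)\))?\s*$")

HostInfo = Dict[str, object]


def parse_show_failover(text: str) -> Dict[str, HostInfo]:
    """Return {'This' | 'Other': {'unit': ..., 'state': ..., 'interfaces': {name: (ip, status, substate)}}}."""
    hosts: Dict[str, HostInfo] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, status, substate = m.groups()
            hosts[current]["interfaces"][name] = (ip, status, substate or "")
    return hosts


def failover_findings(text: str) -> List[str]:
    """Flag what keeps a LAN-based pair from reaching Normal (Monitored) on every interface."""
    hosts = parse_show_failover(text)
    findings: List[str] = []
    for side in ("This", "Other"):
        if side not in hosts:
            findings.append(f"{side} host section missing from output")
            continue
        interfaces: Dict[str, Tuple[str, str, str]] = hosts[side]["interfaces"]
        for name, (ip, status, substate) in interfaces.items():
            if ip == "0.0.0.0":
                # The peer's address is learned from the active unit's "standby" keyword;
                # 0.0.0.0 means that keyword is absent for this interface.
                findings.append(f"{side} host: interface {name} has no IP; add "
                                f"'ip address <active> <mask> standby <standby>' on the active unit")
            if substate == "Waiting":
                findings.append(f"{side} host: interface {name} is {status} ({substate}); "
                                "no failover hello has been exchanged on it yet")
            if status in ("Failed", "Unknown"):
                findings.append(f"{side} host: interface {name} reports {status}")
    return findings


if __name__ == "__main__":
    for finding in failover_findings(SAMPLE_SHOW_FAILOVER):
        print(finding)
```

Paste the full "show failover" text into failover_findings() from either unit; the check is deliberately read-only and needs nothing beyond the CLI output.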
-
How can I use MS Active Directory to authenticate to a PIX?
I currently have a PIX515 running 6.3 and I have created users manually for PPTP (VPDN) access to my protected network (an administrative nightmare). Is there a way I can use the MS Active Directory user database and have the PIX refer to it for authentication? Or do I need Cisco's ACS software to accomplish this?
Here you go
Regards
John
-
Enabling the LAN after reinstalling Windows - Satellite Pro A10
I formatted my Toshiba Satellite Pro A10 laptop and installed a fresh copy of Windows XP Pro. Normally I use a PCMCIA wireless card, but now I want to connect my laptop via a physical Ethernet cable. Unfortunately I cannot figure out how to turn on the LAN adapter on my PC (i.e. it is not even in Device Manager). Does anyone know how to do this? (i.e. which Toshiba utility I need for this, etc.)
Hello
That is very strange. Please visit the Toshiba download page and install the Toshiba Fast Ether LAN V6.4.14 drivers for the Satellite A10. It should work. If the device is enabled in Device Manager, it must work when you connect the LAN cable.