ASA 5540 Stateful failover routing errors

Hello

Having two 5540s configured in a failover scenario. Configured the LAN failover and the state failover. * See attachment *.

Failover LAN uses 192.168.2.1 as active and 192.168.2.2 as standby, with a /30 subnet mask. On both units LAN failover uses G0/2 and there is a crossover cable connecting them.

Stateful failover uses 192.168.3.1 as active and 192.168.3.2 as standby, with a /30 subnet mask, and "Enable HTTP replication" checked in ASDM. On both devices state failover uses G0/3 and there is a crossover cable connecting them.

The ASDM syslog reports errors every 10 seconds or so, saying:

Source IP address: 192.168.3.1

Destination IP: 192.168.3.2

Description:

"Routing failed to locate next hop for igrp from NP Identity Ifc:192.168.3.1/0 to statefull:192.168.3.2/0"

The ASA uses static routes to reach the network; there are two of these routes, and both are in the 10.x.x.x network. No routing protocol is in use.

I don't know why these errors are "spamming" my syslog and would like to get rid of them.

Glad to hear that it works, that's the most important thing. I don't mean to preach, but Cisco does not recommend using crossover cables for failover. The devices cannot always tell which one should be master, and this usually causes more problems than a simple link down.

Tags: Cisco Security

Similar Questions

  • Is stateful failover available for IPsec VPN in FOS 6.3?

    Is stateful failover available for IPsec VPN in FOS 6.3?

    SAJ

    Hello Saj,

    Unfortunately not... Stateful failover replicates information such as:

    TCP connection table, UDP, xlate table, ports, H.323, PAT port allocation table...

    It does not replicate data such as:

    user authentication (uauth) table

    ISAKMP / IPsec SA table

    ARP table

    routing information

    Therefore, in the case where the primary fails, the IPsec VPN will have to be re-established on the failover unit... Meanwhile, users will not be able to access the applications...

    I hope this helps... all the best... please rate responses if deemed useful...

    REDA

  • WRVS4400N ASA 5540 L2L IPSec connection

    I have a remote WRVS4400N with a dynamic outside address that opens a connection to an ASA 5540 with a static address.

    I'm all set on the ASA side.  My questions concern the 4400N.  It does not seem to have very robust configuration options available for L2L tunnels.  For one, my encryption is limited to 3DES.

    But I wonder if I'm missing something in the config.  I have to configure L2L tunnels to two other firewalls.  One firewall has 3 non-contiguous networks, and the other has 2.  I have 5 tunnels configured; is this the only way?  What I'd like to see is 2 tunnels, one for each remote firewall, but where each tunnel has access to all the networks (like on the ASA side). Is there any way to do this?  Perhaps a useful command line for this unit?

    My other question concerns the tunnel-groups I've implemented on my ASA: I do not want to use the proper names... However, I can't seem to find a way to allow this on the 4400N side... I mean, I need a way to create a 'keyword' identifier or a "firewall identifier" on the 4400N, and I do not see an appropriate field in the web interface.  Does anyone have ideas?

    Thanks in advance.

    Hi WS, the WRVS router does not support a complete tunnel configuration or routes for a multi-site configuration. You would need a separate tunnel for each location.

    Traditionally, the WRVS router has not been a good match for any ASA platform. In most cases I have seen, once a tunnel is set up the WRVS router will crash within an hour or less due to low memory. If you run into a scenario where the WRVS stops responding or the tunnel goes down, this is the likely cause.

    I highly recommend not using the WRVS router for any tunnel with the ASA. If you are looking to stay in the small business range, an RV220W or an RV042 router would be a much more suitable match.

    -Tom
    Please mark replied messages useful

  • The profile number vpn that can be created in cisco asa 5540

    Hi all

    I want to know if there is a limit to how many AnyConnect VPN profiles can be created on a Cisco ASA 5540? TIA!

    https://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa80/configuration/g...

    Maximum Connection Profiles

    The maximum number of connection profiles (tunnel groups) that a security appliance can support is a function of the maximum number of concurrent VPN sessions for the platform + 5. For example, an ASA5505 can support a maximum of 25 concurrent VPN sessions, allowing 30 tunnel groups (25 + 5). Attempting to add an additional tunnel group beyond the limit results in the following message: "ERROR: The limit of 30 configured tunnel groups has been reached."

    Table 32-2 specifies the maximum VPN sessions and connection profiles for each ASA platform.

    Table 32-2 Maximum VPN Sessions and Connection Profiles by ASA Platform

    Platform                      Maximum VPN sessions   Maximum connection profiles
    5505 Base / Security Plus     10/25                  15/30
    5510 Base / Security Plus     250                    255
    5520                          750                    755
    5540                          5000                   5005
    5550                          5000                   5005

  • ASA 5540 FW running version 7.0(5)

    I'm upgrading from PIX 6.3.5 to a new pair of ASAs tonight. I wonder if anyone knows of any pitfalls that I need to be aware of... I also want to know if this version of the code for the ASA is stable. Thanks in advance

    We have migrated a few PIX 520s running 6.3.5 to ASAs running 7.0.5. I recommend running them in parallel and migrating your servers and VPNs slowly. We did this and it paid off, as I crashed the ASAs several times because of software bugs. The ASAs sound great for integrating VPN concentrator, IPS, etc. features, but I'm now firmly for separating these services and running them on different boxes.

    We ran into EZVPN 831 'NEM' connection problems and it was malforming SCCP for IP phones. We took the chance and upgraded to 7.2.1 in the hope that it would be resolved by the improved Skinny handling. Now stateful failover does not work (CSCse81232). So I'm still dealing with another Pandora's box :)

    So in summary, if you use the ASAs just as a basic firewall, 7.0.5 is stable. It's not worth the risk of going past the first major version just for new features.

    P.S. If you use ASDM, make sure you click Apply after each change. Don't make a bunch of changes and then hit Apply, as this will crash 7.0.5 (CSCse22853). This bug was discovered by me and was not specific just to the DHCP relay commands.

  • Local ASA CA to failover

    people

    I have implemented SSL VPN on an ASA 5540 (8.2), but cannot set up the local CA.

    It's an active/standby failover pair.

    I knew that this was not supported on active/active, but I didn't know that it was also not supported on active/standby.

    Has anyone come across this, or know if it can be enabled?

    Hello

    Unfortunately it is also not supported in Active/Standby.

    There is an enhancement request to have this feature implemented, so I would advise you to contact your account team if this feature is important to you, so that they can have it prioritized accordingly: CSCsm17487 Local CA: failover / load balancing support.

    Kind regards

    Nicolas

  • One-way VPN from ASA to 800 router

    people

    I have a site-to-site VPN set up between an ASA 5540 and an 800 router.

    I want the VPN to be initiated only from the ASA, with the remote 800 listening for incoming connections.

    I know that I can define the connection type on the ASA as originate-only, but I can't find an equivalent answer-only command for the remote 800.

    Can anyone point me in the right direction, or is it enough to simply configure the ASA as originate-only for this crypto map?

    Thanks to anyone who takes the time to answer

    Hello

    I recommend you configure the tunnel as a dynamic-to-static VPN tunnel. The ASA will be the static peer, so it will be the initiator, and the router will never be able to establish the connection.

    The ASA will have a common L2L configuration, but the router will use a dynamic crypto map.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008051a69a.shtml

    The PIX in the example is old, so you can simply adjust the commands to your current version; the important thing is to understand the concept.

    Please let me know if that answers your question,

    Thank you.

  • on the stateful failover active / standby

    Hello guys.

    I have two ASAs, same model and hardware. Stateful active/standby failover was configured on them by someone a few years ago. It worked normally until recently and no one changed the configuration. Then the secondary unit failed. Ping between the two interfaces is ok. Please help me solve this problem.

    on the primary unit

    interface Management0/0
     description STATE failover Interface
     management-only
    interface GigabitEthernet1/1
     description Failover LAN Interface
    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet1/1
    failover link state Management0/0
    failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
    failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2

    on the secondary unit

    interface Management0/0
     description STATE failover Interface
     management-only
    interface GigabitEthernet1/1
     description Failover LAN Interface

    output of show running-config failover on PRIMARY

    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet1/1
    failover link state Management0/0
    failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
    failover interface ip state 172.16.0.1 255.255.255.0 standby 172.16.0.2

    F1# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: failover GigabitEthernet1/1 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 5 of 256 maximum
    Version: Ours 8.2(2), Mate 8.2(2)
    Last Failover at: 08:03:11 ULAST Jan 1 2003
            This host: Primary - Active
                    Active time: 5755203 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (10.2.5.1): Normal (Waiting)
                      Interface Internet (202.131.225.90): No Link (Waiting)
                      Interface Backup1 (10.3.5.1): Normal (Waiting)
                      Interface server (192.168.227.1): Normal (Waiting)
                      Interface Bank (10.20.1.1): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
            Other host: Secondary - Failed
                    Active time: 0 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (0.0.0.0): No Link (Waiting)
                      Interface Internet (0.0.0.0): No Link (Waiting)
                      Interface Backup1 (0.0.0.0): Normal (Waiting)
                      Interface server (0.0.0.0): Normal (Waiting)
                      Interface Bank (0.0.0.0): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

    Stateful Failover Logical Update Statistics
            Link : state Management0/0 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         76184539   0          767513     6
            sys cmd         767328     0          767326     1
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        25878669   0          11         5
            UDP conn        40545710   0          40         0
            ARP tbl         8987688    0          136        0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKE upd     1140       0          0          0
            VPN IPSEC upd   4004       0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       7       6522961
            Xmit Q:         0       34      106685671

    output of show failover on SECONDARY

    F1# show failover
    Failover On
    Failover unit Secondary
    Failover LAN Interface: failover GigabitEthernet1/1 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 5 of 256 maximum
    Version: Ours 8.2(2), Mate 8.2(2)
    Last Failover at: 03:36:23 ULAST Dec 15 2013
            This host: Secondary - Failed
                    Active time: 0 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (0.0.0.0): No Link (Waiting)
                      Interface Internet (0.0.0.0): No Link (Waiting)
                      Interface Backup1 (0.0.0.0): Normal (Waiting)
                      Interface server (0.0.0.0): Normal (Waiting)
                      Interface Bank (0.0.0.0): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
            Other host: Primary - Active
                    Active time: 5743217 (sec)
                    slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Backup2 (10.2.5.1): Normal (Waiting)
                      Interface Internet (202.131.225.90): No Link (Waiting)
                      Interface Backup1 (10.3.5.1): Normal (Waiting)
                      Interface server (192.168.227.1): Normal (Waiting)
                      Interface Bank (10.20.1.1): Normal (Waiting)
                    slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

    Stateful Failover Logical Update Statistics
            Link : state Management0/0 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         765518     0          35843181   874
            sys cmd         765518     0          765516     0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          12671303   80
            UDP conn        0          0          13432853   133
            ARP tbl         0          0          8968384    661
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKE upd     0          0          1137       0
            VPN IPSEC upd   0          0          3988       0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       9       72011189
            Xmit Q:         0       1       765518

    You have a couple of No Link interfaces on your secondary, as well as a No Link message on your primary.

    Interface Backup2 (0.0.0.0): No Link (Waiting)

    Interface Internet (0.0.0.0): No Link (Waiting)

    I recommend that you check these cables.  Remember that unless you changed the default configuration, a single interface failure, or even connectivity problems between an interface on the two ASAs, will cause a failover.

    If this does not help, try entering the monitor-interface command for the interfaces.

    --
    Please do not forget to rate and choose a good answer
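As an added example that is not part of the thread (and not Cisco's code): a small Python script that triages pasted `show failover` output for the three things the reply above points at, a peer unit in the Failed state, interfaces reporting No Link, and non-zero xerr/rerr counters in the stateful update statistics. The sample output embedded in it is constructed to mirror the poster's, with the documentation address 203.0.113.90 standing in for the real public IP and fewer interfaces and rows; the statistics columns follow the ASA's own header order (xmit, xerr, rcv, rerr).

```python
import re

# Added example, not code from the thread: triage a "show failover" dump for the
# conditions discussed above. Nothing here talks to a device; paste the CLI output
# into analyze_show_failover().

# "This host: Primary - Active" / "Other host: Secondary - Failed"
UNIT_RE = re.compile(r"^\s*(This host|Other host):\s+(Primary|Secondary)\s+-\s+(\S+)")
# "Interface Internet (203.0.113.90): No Link (Waiting)"
IFC_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(No Link|Normal|Failed|Unknown|Testing)")
# One row of the stateful statistics table: object name, then xmit xerr rcv rerr
STAT_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z_ ]*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def analyze_show_failover(text):
    """Return the findings a failover troubleshooter looks for first.

    failed_units:    units whose state is Failed (the poster's secondary)
    no_link:         (unit, interface, ip) tuples reporting No Link, i.e. cable or port
    stateful_errors: (object, xerr, rerr) rows with any error counter above zero
    """
    report = {"failed_units": [], "no_link": [], "stateful_errors": []}
    unit = None        # which unit's interface block we are currently inside
    in_stats = False   # inside the "Stateful Obj ..." table
    for line in text.splitlines():
        m = UNIT_RE.match(line)
        if m:
            unit = f"{m.group(1)} ({m.group(2)})"
            if m.group(3).lower() == "failed":
                report["failed_units"].append(unit)
            continue
        m = IFC_RE.match(line)
        if m and unit is not None:
            name, ip, state = m.groups()
            if state == "No Link":
                report["no_link"].append((unit, name, ip))
            continue
        stripped = line.strip()
        if stripped.startswith("Stateful Obj"):
            in_stats = True
            continue
        if stripped.startswith("Logical Update Queue"):
            in_stats = False
            continue
        if in_stats:
            m = STAT_RE.match(line)
            if m:
                obj = m.group(1).strip()
                xmit, xerr, rcv, rerr = (int(v) for v in m.groups()[1:])
                if xerr or rerr:
                    report["stateful_errors"].append((obj, xerr, rerr))
    return report


def healthy(report):
    """True only if no unit is Failed and no monitored interface lacks link."""
    return not report["failed_units"] and not report["no_link"]


# Constructed sample shaped like the poster's primary-unit output (not a real capture).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Interface Policy 1
Monitored Interfaces 3 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
        This host: Primary - Active
                Active time: 5755203 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (10.2.5.1): Normal (Waiting)
                  Interface Internet (203.0.113.90): No Link (Waiting)
                  Interface Backup1 (10.3.5.1): Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (0.0.0.0): No Link (Waiting)
                  Interface Internet (0.0.0.0): No Link (Waiting)
                  Interface Backup1 (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : state Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         76184539   0          767513     6
        sys cmd         767328     0          767326     1
        up time         0          0          0          0
        TCP conn        25878669   0          11         5
        UDP conn        40545710   0          40         0
        ARP tbl         8987688    0          136        0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       7       6522961
        Xmit Q:         0       34      106685671
"""

if __name__ == "__main__":
    r = analyze_show_failover(SAMPLE_SHOW_FAILOVER)
    for unit in r["failed_units"]:
        print("unit in Failed state:", unit)
    for unit, name, ip in r["no_link"]:
        print(f"No Link on {name} ({ip}) at {unit}")
    for obj, xerr, rerr in r["stateful_errors"]:
        print(f"stateful update errors for {obj}: xerr={xerr} rerr={rerr}")
    print("healthy" if healthy(r) else "needs attention")
```

Run it against a real dump by pasting the CLI output in place of the sample. A No Link on an interface the ASA monitors is exactly the condition that, with the default interface policy of 1, makes a unit fail, so the `no_link` list is the first thing to reconcile with the cabling before looking at anything else.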

  • ASA 5540 - cannot ping inside the interface

    Hi all. We have recently upgraded a PIX to an ASA5540 and we have seen a strange thing going on. In a word, we can ping the inside interface of the ASA from any range on our 6500 network (which is connected directly behind the ASA on the inside), except one where our monitoring tools are placed. On the inside there is an ACL that allows all of our core networks, but it does not help; the interface behaviour is really strange.

    In ASDM, I see messages like this:

    ICMP echo request ID 2004 from x.x.x.x to y.y.y.y on the inside interface. I don't think that's the problem, but I could be wrong.

    This is also the configuration of the VLAN interface from which we cannot ping the inside interface; we can ping to and from this VLAN and its machines without problem. The only problem is pinging the inside interface of the ASA.

    interface Vlanx
     ip address x.x.x.x 255.255.255.0
     ip directed-broadcast 199
     ip accounting output-packets
     ip pim sparse-dense-mode
     ip route-cache flow
     load-interval 30

    Has anyone experienced a problem like this before? Thanks in advance for any help.

    Can you post the output of the following on the ASA:

    show route

    And the output from your core switch:

    show ip route

    HTH

  • Cisco IOS IPSec failover | Route based VPN with HSRP

    I can find IPsec VPN redundancy using policy-based VPN with HSRP.

    Is there any document that covers redundancy of route-based VPN with HSRP?

    OK, I now understand the question. Sorry, I have no documents for this task.

    I can see that in the crypto ipsec profile that you would use under the tunnel interface configuration to enable protection, you can configure redundancy:

    cisco(config)#crypto ipsec profile VTI
    cisco(ipsec-profile)#?
    Crypto Map configuration commands:
      default         Set a command to its defaults
      description     Description of the crypto map statement policy
      dialer          Dialer related commands
      exit            Exit from crypto map configuration mode
      no              Negate a command or set its defaults
      redundancy      Configure HA for this ipsec profile
      responder-only  Do not initiate SAs from this device
      set             Set values for encryption/decryption
    cisco(ipsec-profile)#redundancy ?
      WORD  Redundancy group name
    cisco(ipsec-profile)#redundancy MRT ?
      stateful  enable stateful failover

    I suspect that it is the same as crypto map redundancy. But no documentation or examples found...

  • ASA - 5540 used for IPSec VPN only - I can do away with Nat 0?

    I'll use an ASA 5540 as our VPN head-end only, and not as a firewall.

    Also, we have a routable class B address space for our company's internal addresses, so we don't need NAT. I would like to disable the NAT function if I can, so I don't always have to add nat 0 to ensure that the 5540 does not NAT.

    Is there an easy way to disable the need for nat 0?

    Are there any drawbacks to doing that?

    You can remove the need for nat 0 by disabling nat-control.

    To achieve this, go to global configuration mode and use this command:

    no nat-control

    To check whether you have it turned on, you can check it with:

    sh run nat-control

    See you soon!

    -Butterfly

  • ASA at PIX VPN - routing

    Hi all, I built a site-to-site IPsec tunnel between an ASA 5510 and a PIX.  The tunnel is up, and most of the time traffic flows between the source and destination LANs as planned. The problem is that we need the ASA to send syslog messages through the VPN tunnel to a syslog server at the PIX site.  If I get on a router at the ASA site, I can ping the PIX site's syslog server.   The following statement is in the ASA:

    route outside pix.net.addr sub.net.mask next.hop

    But in the ASA log I see "Routing failed" messages for the traffic from the ASA to the syslog server.

    Apr 08 2010 08:32:01 ASA5510: %ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity Ifc:10.xx.x.xx/0 to inside:172.xx.x.xx/0

    Any thoughts?

    Thank you

    Robert

    Hello

    The public IP address of the ASA must be in the interesting traffic for this tunnel (since it's the IP from which the logs are going to be sent).

    Also, the IP address of the syslog server must be in the interesting traffic.

    In other words, you should be able to ping from the ASA to the syslog server (through the tunnel).

    Federico.
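Both the first post on this page (igrp between the state-link addresses, repeating every few seconds) and the post just above (icmp from the ASA to a syslog server behind a tunnel) are the same syslog message, ID 110003. As an added example that is not part of either post, the Python below parses that message and counts occurrences per protocol, source and destination, so a pair that fires every few seconds stands out from a one-off. The log lines it carries are constructed to resemble the two posts (documentation addresses, not real captures); the message text follows the format of ID 110003 in the ASA syslog reference.

```python
import re
from collections import Counter

# Added example, not code from either post: parse ASA syslog ID 110003 lines and
# count them per protocol/source/destination so a pair that repeats every few
# seconds (as in the first post on this page) stands out from one-off misses.

# Message text of 110003, per the ASA syslog reference:
#   Routing failed to locate next hop for <proto> from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>
# Interface names can contain spaces ("NP Identity Ifc" is the pseudo-interface the
# ASA reports for traffic it generates itself), so the interface groups are
# non-greedy up to the colon.
ROUTE_FAIL_RE = re.compile(
    r"%ASA-\d-110003: Routing failed to locate next hop for (?P<proto>\S+) "
    r"from (?P<src_ifc>.+?):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ifc>.+?):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_route_failure(line):
    """Fields of one 110003 line as a dict, or None for any other syslog line."""
    m = ROUTE_FAIL_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    # True when the ASA itself sourced the packet (the case in both posts).
    ev["self_generated"] = ev["src_ifc"] == "NP Identity Ifc"
    return ev


def count_route_failures(lines, min_count=3):
    """Aggregate 110003 events by (proto, src, dst) and return the repeat offenders,
    most frequent first. Pairs seen fewer than min_count times are dropped."""
    counts = Counter()
    for line in lines:
        ev = parse_route_failure(line)
        if ev is None:
            continue
        key = (ev["proto"],
               f'{ev["src_ifc"]}:{ev["src_ip"]}',
               f'{ev["dst_ifc"]}:{ev["dst_ip"]}')
        counts[key] += 1
    return [(key, n) for key, n in counts.most_common() if n >= min_count]


# Constructed sample lines (not captured from either poster's device). The igrp lines
# mirror the first post's state-link pair; the icmp line mirrors the syslog-over-VPN
# post; the 302013 line is ordinary noise the parser must ignore.
SAMPLE_LOG = [
    "Apr 08 2010 08:32:01 ASA5510 : %ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity Ifc:10.10.1.1/0 to inside:172.16.5.20/0",
    "Apr 08 2010 08:32:11 ASA5540 : %ASA-6-110003: Routing failed to locate next hop for igrp from NP Identity Ifc:192.168.3.1/0 to statefull:192.168.3.2/0",
    "Apr 08 2010 08:32:21 ASA5540 : %ASA-6-110003: Routing failed to locate next hop for igrp from NP Identity Ifc:192.168.3.1/0 to statefull:192.168.3.2/0",
    "Apr 08 2010 08:32:31 ASA5540 : %ASA-6-110003: Routing failed to locate next hop for igrp from NP Identity Ifc:192.168.3.1/0 to statefull:192.168.3.2/0",
    "Apr 08 2010 08:32:33 ASA5540 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.5/51000 (203.0.113.2/51000)",
]

if __name__ == "__main__":
    for (proto, src, dst), n in count_route_failures(SAMPLE_LOG, min_count=1):
        print(f"{n:>4}  {proto:<5} {src} -> {dst}")
```

Feed it the lines your syslog collector stores for the ASA; with the default threshold only pairs that repeat three or more times are returned, which is the shape of the "spam" in the first post, while a single miss like the syslog-server case shows up only when `min_count` is lowered. The parsed `src_ifc`/`dst_ifc` fields tell you which interface the ASA could not route out of, which is the thing to compare against `show route`.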

  • VPN site to site by using the host name on cisco asa 5540 - dyndns

    Can someone help me configure a site-to-site VPN on a Cisco ASA 5540? The other end is configured with dyndns, so its peer should be set up with the host name.

    If the other end is a dynamic IP address, you must configure a dynamic map and then use it in the crypto map.

    See the following example.

    http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a00805733df.shtml

  • How can I get an ASA 5540 return to the default configuration?

    Is there an easy way to re-apply the default configuration that comes with a new ASA 5540? I would like our ASA 5540 to return to its default, with 192.168.1.1 on the inside interface and acting as a DHCP server, so I can connect a PC to start the initial configuration using ASDM.

    The ASA 5540 is running asa723-k8.bin.

    configure factory-default

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/c4_72.html#wp2039866

    a simple "write erase" / "reload" would also do the trick.

  • ASA - IOS VPN dynamic routing

    I have seen docs that show how to configure an ASA-to-ASA VPN to share OSPF routes, and IOS-to-IOS sharing of OSPF routes. Is it possible to get the ASA to share routes with an IOS device?

    I'm supposed to set up a DMVPN across some remote sites, and there is an ASA at one of the sites. The EIGRP routes are expected to be shared across the DMVPN (I suppose I could go to OSPF if necessary). My plan for the ASA site was to set up a regular site-to-site VPN with the DMVPN hub and redistribute OSPF and EIGRP routes into each other, so the spokes can talk to the ASA branch through the hub.

    Is this possible, or do I have to use static routes to and from the ASA's network?

    Xavier,

    In the route map you must place a match statement matching the prefixes/subnets that you would like to advertise into EIGRP.

    About the ASA: normally you don't have to, but I don't see a problem with adding RRI statements to the crypto map (normally).

    With regard to the commands, I always refer people to self-help ;-)

    http://www.Cisco.com/en/us/products/ps10591/products_product_indices_list.html

    more precisely:

    http://www.Cisco.com/en/us/docs/iOS/MCL/allreleasemcl/all_book.html

    RRI docs:

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_rev_rte_inject_ps10592_TSD_Products_Configuration_Guide_Chapter.html

    Redistribution of EIGRP:

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/iproute_eigrp/configuration/15-1mt/Configuring_EIGRP.html#GUID-1D5F3B6E-B89A-497A-BBC4-98C4A4E21CE7

    In any case, take it step by step: start by checking what the situation will be when you insert routes into the routing table on the hub via RRI. Then, if necessary, redistribute static routes into EIGRP.

    Marcin
