ASA5505 configure VPN primary and backup

Dear experts,

I would like to ask you a few questions. I don't have a primary and backup VPN connection yet; how can we handle this issue? (I mean that when the primary is down, the backup connection takes over automatically.)

Could you advise me how I can do this?

Best regards

Rechard_hk

I guess we should have asked for a bit more information, it seems Marwan and I responded almost at the same time, and I'm sure he'll provide great info.

I was geared more towards a scenario of firewall failure fault tolerance or a failed ISP connection in a dual-firewall and dual-ISP architecture.

Assuming that you want a redundant firewall design, this is when you look into active/standby firewalls to provide firewall redundancy, but when it comes to VPN connections continuing when one firewall fails, that is with the stateful feature in place.

I'm providing links below for reference to get an idea of active/standby firewalls, but the ASA5505 is the only model that is stateless; it is not stateful, which means connections will have to be re-established when one firewall fails.

Also, to implement two firewalls for failover you need the Security Plus license to enable the active/standby feature. This license also includes DMZ support and the ability to create up to 20 VLANs, as well as dual-ISP support.

Example of active / standby

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Comparison of the ASA - Look into Ipsec more license and features.

http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

On the other hand, you may in the future have a backup ISP link; not only can you have active/standby failover, but you can also have a backup ISP link should the primary link fail, with SLA and static route tracking.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Rgds

Jorge

Tags: Cisco Security

Similar Questions

  • A primary and backup/replica ACS server may be on different versions?

    Hello

    With two ACS units (for example, an 1120 running version 5.x and a 1113 running version 4.x), is a primary on version 5.x with a replica on version 4.x possible?  If not, what are the requirements for implementing a primary and backup/replica for these devices?

    Thank you

    James

    Hello

    No, you cannot set up replication between the two devices you mentioned.

    The only requirement is that the devices are on exactly the same version and patch build so that replication works.

    Thank you

    Waris Hussain.

  • The limited size of the premises plan (size of primary and backup storage?)

    In a local plan, I put the following tags to limit the size of the JVM to 350 MB:
    <unit-calculator>BINARY</unit-calculator>
    <high-units>367001600</high-units>

    Means the primary storage AND backup storage is limited to 350 MB? It makes sense that they would have the same size, ensuring only that's how it works.

    Thank you!

    The settings will eventually be applied to the backup. You can view the following for the dimensioning of the news:

    http://wiki.tangosol.com/display/COH35UG/JVM+Sizing+Guide

    http://wiki.tangosol.com/display/COH35UG/production+checklist

    See you soon,

    Jay

  • DG primary and backup

    Hi all

    11.2.0.1

    AIX 6.1

    I want to follow my primary and standby applied both on newspapers

    help > select client_process, process, sequence#, status from v$managed_standby;

    I would like to issue the command on my cell phone the customer if I want to compare the output easily, if newspapers are in synch.

    How can I connect to a database of pending s which is not open using the client?

    Thank you very much

    zxy

    Hello

    I just wanted to share

    On primary

    SELECT THREAD# "Thread", SEQUENCE# "Last Sequence Generated"
    FROM V$ARCHIVED_LOG
    WHERE (THREAD#, FIRST_TIME) IN (SELECT THREAD#, MAX(FIRST_TIME) FROM V$ARCHIVED_LOG GROUP BY THREAD#)
    ORDER BY 1;

    On standby

    SELECT ARCH.THREAD# "Thread", ARCH.SEQUENCE# "Last Sequence Received", APPL.SEQUENCE# "Last Sequence Applied",
           (ARCH.SEQUENCE# - APPL.SEQUENCE#) "Difference"
    FROM
      (SELECT THREAD#, SEQUENCE# FROM V$ARCHIVED_LOG WHERE (THREAD#, FIRST_TIME) IN
        (SELECT THREAD#, MAX(FIRST_TIME) FROM V$ARCHIVED_LOG GROUP BY THREAD#)) ARCH,
      (SELECT THREAD#, SEQUENCE# FROM V$LOG_HISTORY WHERE (THREAD#, FIRST_TIME) IN
        (SELECT THREAD#, MAX(FIRST_TIME) FROM V$LOG_HISTORY GROUP BY THREAD#)) APPL
    WHERE ARCH.THREAD# = APPL.THREAD#
    ORDER BY 1;

    SELECT THREAD#, LOW_SEQUENCE#, HIGH_SEQUENCE# FROM V$ARCHIVE_GAP;

    Reference: http://www.oraclemasters.in/?p=1255

    -- List archivelogs not applied on standby

    SELECT DISTINCT SEQUENCE# FROM V$ARCHIVED_LOG WHERE APPLIED = 'NO' AND SEQUENCE# > 100 MINUS (SELECT SEQUENCE# FROM V$ARCHIVED_LOG WHERE APPLIED = 'YES' AND SEQUENCE# IN (SELECT DISTINCT SEQUENCE# FROM V$ARCHIVED_LOG WHERE APPLIED = 'NO'));

    -- Get the number of archivelogs not applied on standby

    SELECT THREAD#, COUNT(SEQUENCE#) "COUNT_ARCS_PENDING" FROM (SELECT DISTINCT THREAD#, SEQUENCE# FROM V$ARCHIVED_LOG WHERE APPLIED = 'NO' AND SEQUENCE# > 100 MINUS (SELECT THREAD#, SEQUENCE# FROM V$ARCHIVED_LOG WHERE APPLIED = 'YES' AND SEQUENCE# IN (SELECT DISTINCT SEQUENCE# FROM V$ARCHIVED_LOG WHERE APPLIED = 'NO' AND SEQUENCE# > 100))) GROUP BY THREAD#;

  • configuration VPN concentrator 3000 backup

    Hello

    Can someone tell me how can I take backup of my Cisco VPN 3000 series concentrator configuration?

    in GUI and command mode?

    I couldn't find any good document describing.

    Here is the link on how to Backup/restore configs and work with the file system.

    http://www.Cisco.com/en/us/docs/security/vpn3000/vpn3000_47/Administration/Guide/Fileman.html

  • change ip address of the database servers primary and standby

    Hello.

    I have an Oracle primary and backup server (version 11.2.0.4) on Windows 8 Professional.

    They work well until today.

    Today, I had to change my ip address on both servers.

    After that I changed the ip address of the OS, I changed the ip address in tnsnames.ora and listener.ora files only.

    For a moment everything worked well. But now the archivelog files are not copied to the standby server.

    Is there a place where I have to change ip or the settings on the database?

    Please, I hope you can help me.

    Best regards

    Hello

    After that I changed the ip address of the OS, I changed the ip address in tnsnames.ora and listener.ora files only.

    For a moment everything worked well. But now the archivelog files are not copied to the standby server.

    1. If it worked for a while after the change of ip address

    3. check your alert log, what does it say? Any information about the error?

    2. first thing, the IP address in tnsnames.ora and listener.ora on primary and standby

    3. check that ping to the host works and whether tnsping succeeds or not. If both are working, check whether the listeners are up or not and whether they are able to identify the db services, registered or not.

    4. now, connect as sysdba password on the servers file

    5. check v$archive_dest_status for the valid destination that is used for the transfer of the archives from primary to standby (the error column)

    -Not especially to knew what the problem is, you should get the controls.

    -Pavan Kumar N

  • Problem with VPN L2L and RA in a failover configuration

    I use two ASA 5540 in failover active-standby configuration. These boxes (primary and secondary) are used to establish some L2L and VPN RA (remote access). The active area run the OSPF process.

    The problem is when the failover (blocking just to the bottom of the active area, or "active failover" running in a secondary zone) all L2L be restored in a secondary zone. The only way I can do this (re-connect) is to remove the RRI (Reverse Route Injection) configuration (e.g. "no crypto map rprbbe_map 3 set reverse-route") and then configure RRI again ("crypto map rprbbe_map 3 set reverse-route"). After this the connection is re-established.

    In RA guests the session persists on a failover event, but the customer loses access. To resolve this problem, the customer needs to disconnect and reconnect.

    Anyone has any experience with this kind of (L2L and RA) VPN configuration using failover?

    Behavior seems buggy.

    What version do you use?

  • Want to know primary and secondary configuration to the call, Manager with the voice gateways

    Hi all

    Hope you all are doing well. I wanted to let you know that we have two different PRI service providers and we want one of them as primary and the other as secondary. We have two supplier dedicated 4-4 finish lines. Please provide me with the part of the configuration that is required in this case and how to set one SP for primary and another SP for secondary lines.

    Thank you

    Arjun keita

    Hello Arjun,

    For the full bridge configuration you can check the guides below, but for the PRI redundancy, you create dial-peers and specify the feedback:

    https://www.Google.co.in/URL?SA=t&source=Web&RCT=j&URL=http: / / www.cisco...

    dial-peer voice 1 pots
     destination-pattern 0T
     port 0/0/0:15
     preference 0

    dial-peer voice 2 pots
     port 0/0/1:15
     preference 1
     destination-pattern 0T

    dial-peer voice 3 pots
     description incoming only
     incoming called-number .T
     direct-inward-dial

    Aseem

    (Please rate if useful)

  • How to configure Enterprise Manager Database Control (MCCD) to make it work on 2 servers (primary and standby) work according to the rules of the DG

    Hello everyone I use Oracle Database EE 11.2.0.4 with DG.

    In cases where I need to get Enterprise Manager Database Control running against a DB with no RAC and no DG, I do the following:

    I have SQLPLUS logon as user SYS or SYSTEM and drop the account sysman and business objects:

    DECLARE
      CURSOR c1 IS
        SELECT owner, synonym_name name
        FROM dba_synonyms
        WHERE table_owner = 'SYSMAN';
    BEGIN
      -- Drop every synonym that points at a SYSMAN object
      FOR r1 IN c1 LOOP
        IF r1.owner = 'PUBLIC' THEN
          EXECUTE IMMEDIATE 'DROP PUBLIC SYNONYM ' || r1.name;
        ELSE
          EXECUTE IMMEDIATE 'DROP SYNONYM ' || r1.owner || '.' || r1.name;
        END IF;
      END LOOP;
    END;
    /
    DROP USER mgmt_view CASCADE;
    DROP ROLE mgmt_user;
    DROP USER sysman CASCADE;

    After that, I run

    emca -config dbcontrol db -repos recreate

    But what do I do in case I have 2 servers (primary and standby) work according to the rules of the DG?

    Hello

    It is not possible to monitor and administer a physical or logical standby database, i.e. Data Guard, using Enterprise Manager Database Control.  This is mainly due to the fact that Database Control is designed to monitor 1 database, and a Data Guard environment, by definition, includes more than 1 database.

    If you attempt to run emca against a standby database, you will get an error (i.e. ORA-01219: database is not open).

    Of course, database Control, can be used to monitor the current main database (with no capacity to administer or control Data Guard related features).  In such a case, failover Database Control needs to be reconfigured to run on the new primary database using the commands described in detail in Note 278100.1 how to remove, create and recreate DB Control In A Database, section c. recreate/ReConfig DB control, Option 2 10 g. recreate the control DB Configuration files and repository.

    Enterprise Manager Grid Control or Cloud control provides the functionality for display, monitor, and administer the primary and standby databases in a Data Guard configuration.

    Reference: It is Possible to configure the database for a logical or physical Standby Database command? (Doc ID 315116.1)

    You can effectively use EM 12c Cloud Control to monitor and manage the standby DB

    Ref to the link for more details below

    Set up and manage to Oracle Data Guard with Oracle Enterprise Manager Cloud control 12 c

    Kind regards

    Rahul

  • Several primary and physical databases Configuration ensures in Data Guard Broker

    Hello

    Is it possible to add two or several primary and physical databases configuration ensures in data guard broker?

    I have 1 primary database and two physical standby databases, that is

    (1) primary, that is pri (primary database)

    (2) secondary, i.e. sec (physical standby)

    (3) secondary2, i.e. sec2 (physical standby)

    I am practicing a disaster-site scenario: my pri and sec machines are at headquarters; if pri crashes it switches to sec, which works very well, and my sec2 is in another area office. Suppose my two headquarters machines pri and sec crash; then I want to make my sec2 machine the primary.

    I have two separate broker machines, one at headquarters and one at the district office.

    Using fast-start failover on Data Guard Broker, on the headquarters broker machine I have configured pri and sec, but on the district office broker machine I am not able to configure pri and sec2.

    can be done several primary database configuration with data bases on hold?

    Has anyone done this before, or has a perform a recovery after loss of place...

    need help or suggestion

    thanx

    No.... It is not possible. When you use the DG broker, the first thing you do in the DGMGRL utility is to issue CREATE CONFIGURATION. You can see in the doc of this command that you define the PRIMARY DATABASE here.

    The ADD DATABASE command of the broker adds a new standby database. You cannot add another primary.

    The broker configuration is explicitly for a primary and all the standby databases it supports. If you have another primary, you create a separate DG broker configuration.

    See you soon,
    Brian

  • Is it possible to configure Thunderbird to send an email to the primary and alternate email outside an address list?

    I use Thunderbird 17.0.6 on a Windows 7 platform.

    Some of the names in my address book have an e-mail address and an alternate email address. Is it possible to send the e-mail sent to this name to two primary and alternative address? I know that I can use a list or a key name in the field on two occasions, by selecting the desired address.

    I was expecting a button that would automatically send e-mail to two address when the alternative e-mail address field has a value.

    There is nothing like this. Usually, sending the same mail to the same person on both e-mail addresses would be considered spamming them and could see you banned from some e-mail systems.

  • How partition an external hard drive and configure for Time Machine backup?

    I am a rookie just to switch to Windows Apple Mac and I'm looking to back up my new iMac with a Seagate hard drive 2 TB external.  My Mac is a 1 TB hard drive, I'm looking to partition for backup and storage.  Is this a good idea?  Is there a simple way to do it?  I appreciate any help I can get.  I also bought three years of Apple support, but I'd rather do it myself, so I thought I'd give this discussion from the community to try.  Thank you!!

    No, it isn't. Your working data and backups must be on separate drives in case one of them goes down.


  • VPN client and redundant peering

    Hello world

    PC user's config with remote access VPN client.

    Tell the client pc has the configuration of the VPN client with backup servers and if ASA primary is the stop will be the secondary question of the new IP address of the client VPN gateway

    address automatically?

    Here the ASA is not in any failover mode.

    Regards

    The list of backup servers is used when establishing a new VPN connection.  If the customer has an active connection and the VPN server is no longer available, then the user will have to re-establish the connection manually.

    --

    Please do not forget to rate and choose a good answer

  • Cisco ASA 5510 L2L VPN on the backup interface

    OK, here is what I have, and I thought I knew how to do this, but it has not worked for me.  I hope someone out there can help.

    I have an ASA 5510 running 8.4 with a dual ISP configuration on 2 different interfaces: outside (primary), backup (backup).  I also have a site-to-site VPN to another ASA in another city.  The VPN is now configured on the outside interface and works very well.  What I wanted to do is to make the VPN run on the backup interface only.

    So, I changed the crypto map on the remote side to use the backup interface IP and created a tunnel-group for it.  Then, I created a crypto map for the backup interface and enabled ikev1 on it.  The default route is configured to use the outside interface, so I created a static route that routes traffic destined for the outside interface of the remote side to the backup interface default gateway.  I can get the tunnels to establish, but no traffic passes through them.  I thought that I might need a NAT for the tunnel traffic, so I created a NAT, but still no traffic is transmitted.  I tried packet-tracer and it said the traffic was allowed, and with the show crypto ipsec sa command I see the tunnel configuration, but no traffic will pass through it.  Can anyone help?

    Ben,

    you are using version 8.4 code; I recommend starting by removing the NAT config statements at both ends. This version does not have nat-control, and if you don't need... I've seen instances with 8.4(3) where a NAT, even though apparently correct, was causing traffic not to pass through.

    Site A:

    nat (inside,backup) source static obj-SiteALAN obj-SiteALAN destination static obj-SiteBLAN obj-SiteBLAN

    Site B:

    nat (inside,outside) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.3.0 obj-192.168.3.0

    If possible, you should increase your AES encryption, but this is a personal point of view and should not stop the traffic through the links. You should be able to see the counters for the data transmitted / received; are these incrementing?

    Do you have the ACLs from the inside to the outside interface and from the inside to the backup interface (duplicated)?

    In this model, the control is the routing.

    Best regards

    Ju

    http://helpamunky.WordPress.com/

  • Help configuration VPN 5505

    I am new to the use of Cisco devices and I need a little help with some configurations on an ASA5505 with 8.4.

    I want to connect 2 ASA5505 with a site-to-site.

    Site 1

    is where I want to connect to.  Site 1 we have access to 192.168.40.x and 192.168.42.x networks.  This ip is: 192.168.40.254

    Site 2

    I want to connect to site 1 and see the 40.x and 42.x networks.  I am able to connect to the network 40.x and can see devices on it, but I can't go to the 42.x network.  This ip device is: 192.168.50.1

    The sites are not in the same place, just in case someone asks about it.

    Hello

    Seems to me that you do not have good rules configured on Site1 and Site2 ASA on the VPN

    You must add the following configurations

    Site1

    access-list inside_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.50.0 255.255.255.0

    access-list outside_cryptomap extended permit ip 192.168.42.0 255.255.255.0 192.168.50.0 255.255.255.0

    -It would add both traffic between networks for VPN configurations and unnated traffic through to the remote end

    Site2

    access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.42.0 255.255.255.0

    This would add the traffic between networks for VPN configurations

    Seems that you already have the NAT0 configurations in place for networks, but not above the line for the VPN itself.

    Please rate if it helped
