Cisco ASA CX active / standby
Hello friends
One of my clients has a pair of ASA 5545s that work quite well in active/standby failover. But the configuration that is not copied to the secondary unit is the CX one. Do you know how to get it synchronized? Please do not hesitate to request further information; any comment or document will be appreciated.
Kind regards!
The CX configurations are not part of the active/standby ASA replication.
The way to synchronize the CX configurations is to use PRSM (Prime Security Manager, a separately licensed product, not the one bundled with the CX) running on a virtual machine in multiple-device mode.
Once you pair the CXs with an off-box PRSM, all configuration changes are deployed to both members of the pair.
Tags: Cisco Security
Similar Questions
-
Licenses, IPS on pair of Cisco ASA 5510 active / standby
I have two ASA 5510 devices in active/standby mode. I am thinking of buying two used IPS modules and installing them. My question is, do I need 1 or 2 IPS licenses? We are on 8.4 right now, and I see that in 8.3 Cisco changed failover licensing so that you need only one license, not two. This is true for VPN licenses anyway, so I was wondering if the same applies to IPS licenses.
In addition, will the single licensing model go as far as only requiring one base license for the a/s pair too? Or is the base license something you must have two of for an a/s pair?
Failover doesn't work if you have only one module in the primary ASA. You must have two modules. But it is fine if you do not have a subscription license for your secondary IPS (at least for the system).
ASA 5520 Active standby and ssl vpn loadbalancing
I have a pair of ASA 5520s running active/standby failover. Can I use these two machines in an SSL VPN load-balancing cluster?
No. When an active/standby pair is part of a VPN cluster, the standby unit is still standby; it will not actively terminate user sessions. Only the active (and non-failover) cluster members will.
-
Cisco ASA 8.4 Active Failover / standby with anyconnect local CA
Hi friends,
I hope you are doing well! I've got a question; I hope you can help me. I've got an ASA 5550 with version 8.4(6); it terminates AnyConnect VPN remote access for users who authenticate with certificates generated locally on the ASA. We've got another 5550 with the same hardware and the same version, and we are working on the failover configuration. I've heard from other network engineers that failover may not be configurable when the ASA is acting as a local CA. Then I read the full failover guide for version 8.4(6) and I didn't find any restrictions on failover and the local CA working together. I'm doing tests next weekend, but I would like to know from your experience whether I will have problems with VPN connections or with the failover configuration.
Please do not hesitate to ask for as much information as necessary. All comments and documentation will be appreciated.
Best regards!
It's in the documentation:
Does not support Active/Active or Active/Standby failover
And on top of that, ASDM shows that "Local CA cannot be configured when failover is enabled".
-
Cisco ASA active / standby Mac addresses
Hi all
Please advise on the below.
Say that I have two ASAs in active/standby. I have two interfaces on each firewall configured as below.
For the primary (active):

interface GigabitEthernet1/0   --> say the burned-in MAC address is 6c41.6bb0.1111
 nameif test1
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface GigabitEthernet2/0   --> say the burned-in MAC address is 6c41.6aa0.1111
 nameif test2
 security-level 0
 ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2

For the secondary (currently standby):

interface GigabitEthernet1/0   --> say the burned-in MAC address is 6c41.6bb0.2222
 nameif test1
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface GigabitEthernet2/0   --> say the burned-in MAC address is 6c41.6aa0.2222
 nameif test2
 security-level 0
 ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2

According to my understanding of the doc:
To forward traffic, other devices will use the primary unit's MAC and IP addresses.
Please consider the scenario below:
My primary unit has failed and the secondary has taken over as the active unit.
Primary (standby)
Secondary (active)
Q1) So now the secondary will use the IP and MAC addresses as below? Please confirm.
10.1.1.1 & 6c41.6bb0.1111
10.2.1.1 & 6c41.6aa0.1111
Q2) I believe the standby IP addresses of the primary (now standby) will be
10.1.1.2
10.2.1.2
Which MAC addresses will it use? The BIA of the secondary unit? Please advise.
Thanks in advance.
Q1) Yes, the IP address and the MAC will move to the new active unit, so nobody on the network except the switch will notice the failover event.
Q2) Yes, the primary (now standby) will use the standby IP addresses and the MAC addresses of the secondary:
6c41.6bb0.2222
6c41.6aa0.2222
Kind regards.
-
Procedure to upgrade (Active-Standby) ASA
Hi all
I just want to check that our scheduled ASA upgrade will cause no problems during the procedure.
Hardware: ASA5525-X
Existing version: 9.1.2
Upgrade to: 9.4.2(11)
Setup: active/standby
We intend to upgrade the standby first; after it has reloaded and is back up, we will force a failover to it so that we can then upgrade the primary firewall.
Thank you very much!
Yes, that's the process. I have done it several times and it works perfectly when you follow the documented procedure.
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
-
ASA (Active standby) site-to-Site VPN Question
Hello
I had the question as below
Site A - 1 Netscreen VPN firewall unit
Site B - 2 ASA VPN firewall units
I'm trying to set up a site-to-site VPN, but I have a problem with the active/standby configuration.
Initially, I tried Site A with 1 Netscreen unit and Site B with 1 ASA for the site-to-site VPN. There was no problem.
But after adding another ASA at site B and configuring it as active/standby, I have a few questions that I need help with.
Things that confuse me:
(1) Do I need to use 2 public IP addresses on the ASA? (One public IP for the active unit and another public IP for the standby IP. It seems like a waste of a public IP address.)
(2) Can the failover link and the stateful failover link be configured on the same interface?
Please help with configuring the site-to-site VPN with an active/standby configuration.
Just to add to this,
just be careful when you dedicate an interface for stateful failover: make sure that it has the highest capacity, or at least the same capacity as the interface that passes traffic.
So if you use a gigabit interface for passing traffic, use a gigabit port for stateful failover. Several times we have seen people using the management interface for stateful failover when they had gigabit ports, and they ran into issues where the stateful function does not work as expected.
You can read more here
https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1051759
-
Cisco ASA with multiple active interfaces on a single switch without VLAN configuration on the switch.
I was wondering if there is a workaround on the Cisco ASA to have 2 VLAN interfaces on one switch. The reason I ask: I have a Cisco ASA 5505 and a Dell switch that does not support VLAN configuration. I set up 2 VLAN interfaces on the Cisco ASA and when both interfaces are active my internet drops frequently. I was wondering if there is anything to configure on the Cisco ASA to make this work. Thanks in advance...
Assuming that the Dell switch at least supports spanning tree, connecting several interfaces of the ASA to the Dell should put all but one of the links into spanning-tree blocking state to avoid a spanning-tree loop.
If the Dell does not support spanning tree then you would be in very bad shape: each broadcast packet would loop indefinitely and cause what we call a "broadcast storm".
One way is no good and the other is real harm.
-
Adding an intrusion detection system, and the activation date of the Cisco ASA FirePOWER license
Good evening
I want to add an intrusion detection system to my Cisco ASA FirePOWER license (with IPS, AMP protection, Apps and URL). Is that possible? Do I have to buy another license or only a (not free) upgrade?
Does the Cisco ASA FirePOWER protection license start from the purchase date or from the date of activation/installation on the ASA5506-X?
Hi again, my responses below:
(3) L-ASA5506W-TAMC= is the correct part number if you are looking to get the wireless model of the 5506-X ASA. Don't know why our (CDW) site has not listed it :) However, we do have the promotional SKU listed: L-ASA5506WTAMC-1PR. For more information, I suggest that you contact your CDW account manager. If you are not a CDW customer then I would suggest that you contact your local Cisco partner/reseller.
(4) Here's the FireSIGHT datasheet:
The device can be virtual or physical.
5.1) IOS-base-2960 - I'm not sure I understand the question. Can you elaborate a bit more on what you're asking here?
5.2) IDS requires no additional licenses. It is part of the solution if you buy the above subscriptions. The main difference here is that IPS (Intrusion Prevention System) is deployed inline and will drop traffic/connections if malicious activity is detected. IDS (Intrusion Detection System) is monitor-only. Thus, if malicious traffic is detected, FirePOWER will alert you about it but will not drop the traffic.
5.3) 3DES/AES will be included with the SKUs you listed.
-
ASA 5520s in active/standby do not sync AnyConnect profiles
I'm working on two ASA 5520s in an active/standby configuration. I have almost everything the same between the two units for AnyConnect to work, except for the following:
AnyConnect client profiles
AnyConnect client software
If I upload the software manually to the standby unit I get a warning that they are not synchronized, and on the active unit if I do a 'write standby' it does not copy the profile or the software. Anyone have any ideas on this?
Thank you
Dan
Hello
Bug CSCsr31403
When you configure the ASA in a failover pair, you must manually copy the AnyConnect and CSD images to both the primary and the secondary ASA. You must also do the same for the AnyConnect profile file if you use it.
Either force the standby ASA to become active and copy the files to the newly active ASA using ASDM, or copy the files directly from the console of the standby ASA using TFTP or FTP.
Kind regards
Julio
-
Cisco ASA 5510 + license + AIP - SSM
Hello.
I have this box.
I have a few questions about it.
(1) Will I be able to update the software (from 8.2 to 8.3 or later, for example) without SmartNet for the ASA 5510? And what can't I do without SmartNet?
(2) I have only the AIP-SSM-10 module in this ASA 5510. Is there a SmartNet for it too? And when I buy just the module, does it come with a built-in 1-year subscription for the IPS signatures?
(3) If I have the Cisco ASA 5510 Base license, will my IPS on the AIP-SSM-10 work?
(4) As I foresee purchasing one more 5510 with the same module within a year and setting them up in failover, do I really need the Security Plus license for failover (active/standby)? For active/active I know I need one, yes?
Please help me.
(1) You must have SmartNet in order to download software from the cisco.com download site.
(2) Yes, there is also a SmartNet for the AIP module. The AIP module does not come with a one-year subscription, but you can ask for a demo license.
(3) Yes, the Base license is OK for the AIP module.
(4) Yes, you would need the Security Plus license on both ASAs to be able to run any type of failover on the ASA 5510.
Hope that answers your questions.
-
Cisco ASA 5545 error message: %ASA-3-210007: LU allocate xlate failed
Hello team,
We have 2 Cisco ASA firewalls in active/standby failover.
On the standby firewall, we see this error message: "%ASA-3-210007: LU allocate xlate failed".
Is this error message related to a bug?
Thank you for your help,
Best regards
Yunus Saleh
Hi Younous,
This error on the standby unit could be associated with a memory problem on the device or with the device's memory being full.
If these are ruled out, we can consider that your device's version is affected by the bug.
https://Tools.Cisco.com/bugsearch/bug/CSCub94479/?referring_site=bugquic...
BTW, send us the "sh version" of your device.
If your version is 'old' or matches the version mentioned in the bug, I strongly suggest updating your device.
In an act/stb setup, updating both devices is also "0 downtime" and easy.
Let me know
Matteo
-
Dear all,
I want to know the maximum number of IPsec connections allowed on my Cisco ASA 5505.
I want to try L2TP VPN on Mac and PC.
TQ
The licensed features for this platform:
Maximum Physical Interfaces: 8 perpetual
VLANs: 20, DMZ Unrestricted
Dual ISPs: Enabled perpetual
VLAN Trunk Ports: 8 perpetual
Inside Hosts: Unlimited perpetual
Failover: Active/Standby perpetual
Encryption-DES: Enabled perpetual
Encryption-3DES-AES: Enabled perpetual
AnyConnect Premium Peers: 25 perpetual
AnyConnect Essentials: 25 perpetual
Other VPN Peers: 25 perpetual
Total VPN Peers: 25 perpetual
Shared License: Enabled perpetual
AnyConnect for Mobile: Enabled perpetual
AnyConnect for Cisco VPN Phone: Enabled perpetual
Advanced Endpoint Assessment: Enabled perpetual
UC Phone Proxy Sessions: 24 perpetual
Total UC Proxy Sessions: 24 perpetual
Botnet Traffic Filter: Enabled perpetual
Intercompany Media Engine: Disabled perpetual
Cluster: Disabled perpetual

With this device you can have 25 concurrent VPN sessions, regardless of the type.
-
AnyConnect Cisco ASA VPN deployment
Hello
I have a request for information about a deployment of ASAs which must support more than 10000 clients. I understand that several ASAs would be necessary for this; however, I was wondering what a typical design for this could be. Would the multiple ASAs be configured as a VPN cluster with load balancing, etc.?
I would like to know if there is any design document for it. The current configuration is a pair of ASAs in active/standby; I was wondering how to combine the total connection count if I need 15000 VPN connections, for example 2 active/standby pairs with VPN clustering/load balancing, etc.?
Thank you.
You are right that VPN load-balancing is the technology you need to deploy for this. With it, you can combine multiple devices into a load-sharing cluster. These devices may be different, for example two 5555s with two 5545s, which would give you a total of 15000 VPN connections.
Of course, you should plan for device failure. So you could deploy 4 x 5555 and then even if an ASA is lost you still have 15000 connections (well, at least based on the datasheet; I would not push the number of connections to the limit).
You can also deploy these devices as failover pairs for redundancy: 3 x 2 x 5555 would also give you redundancy. This is under the assumption that users connect to one site where the ASAs have an L2 connection to one another, which is necessary for VPN load-balancing. If users connect through different locations, then these ASAs cannot use VPN load-balancing, unless you have an L2 connection between the locations.
If you have multiple sites, you should also think about the shared license server, which could save a lot of money if your users do not always use the same gateway.
And a last point: as far as possible, set up your AAA with a central RADIUS server to reduce the probability of a misconfiguration across multiple ASAs.
-
Cisco ASA 5540 L2L VPN - one-way traffic only for one of the paired networks
Hello
I'm a little confused as to what the problem is. This is the background for the problem I am facing.
One of our big clients has a Cisco ASA 5540 (8.2(2)) failover pair (active/standby). Early last year we configured a LAN-to-LAN VPN to a third-party site (a Check Point device on their end). It worked until early this week, when the connection suddenly had problems.
Only 1 of the 3 networks/hosts can access the remote network on the other side. The other 2 have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their configuration is correct (and the information they sent me seems to be correct).
So essentially the crypto ACL is configured as follows:

access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)

NAT exemption has been configured as follows (interface names modified):

nat (interface1) 0 access-list INSIDE-VPN-SHEEP
access-list INSIDE-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
access-list INSIDE-VPN-SHEEP line 2 extended permit ip host 10.238.57.21 host 10.82.0.202
nat (interface2) 0 access-list VPN-SHEEP
access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

After the problem started, only connections from the 10.207.0.0/16 network worked to the remote site 10.82.0.200/30. All other connections do not work.
There have been no changes made on our side, and the remote side also insists there have been no changes. I also checked how long the ASAs have been up and how long the same device has been active in the failover. Both have been so for the same time (about a year).
The main problem is that users on the 10.231.191.0/24 network can't access the remote network. However, the remote users can initiate and bring up the VPN on their side but never get any return traffic. I've also checked that the routes are configured correctly on the core routers so that the return traffic for their connections goes back to the firewall.
I also used "packet-tracer" to try bringing up the VPN tunnel (and it does pass the VPN phases). To my understanding, "packet-tracer" alone with the source and destination IP addresses should bring up the VPN connection (even if it generates no actual traffic into the tunnel).
This is the output of the following command: "packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.82.0.200 255.255.255.252 outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group interface interface1
access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
    NAT exempt
    translate_hits = 32, untranslate_hits = 35251
Additional Information:

Phase 9 is a static NAT to another interface for the problem network. Not sure why it shows up in the output.

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (interface1,interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
nat-control
  match ip inside 10.231.0.0 255.255.0.0 interface3 any
    static translation to 10.231.0.0
    translate_hits = 153954, untranslate_hits = 88
Additional Information:

Phase 10 seems to be the default NAT configuration for the local network when traffic goes to the Internet.

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (interface1) 5 10.231.191.0 255.255.255.0
nat-control
  match ip inside 10.231.191.0 255.255.255.0 outside any
    dynamic translation to pool 5 (y.y.y.y)
    translate_hits = 3048900, untranslate_hits = 77195
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1047981896, packet dispatched to next module

Result:
input-interface: interface1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

So basically the connection should properly go into the L2L VPN, but it isn't. I tried to generate basic client traffic (with a source IP address from the client network) and I see the connection on the firewall, but there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall just forwards the packets out the outside interface instead of encapsulating them for the VPN.
And as I said, at the same time the remote end can bring up the connection between these 2 networks just fine, but just won't get any traffic back for their ICMP echo messages.

access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
current_peer: y.y.y.y
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

If it were just a routing problem it would be a simple thing to fix, but it is not, because I can see the connections arriving at the firewall (I have confirmed it on the core router), but they just don't get passed on to the VPN connection.
Could this be happening due to a bug in the ASA software? Could this be something with the Check Point VPN device? (I have absolutely no experience with Check Point devices.)
If there is any essential information that I can give, please ask.
-Jouni
Jouni,
8.2.4.1 is the minimum; 8.2.4 had some issues (including TCP proxy).
If this does not resolve the problem, I suggest opening a TAC case to get to the bottom of this ;-)
Marcin
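The pattern Jouni describes above (decaps counting up while encaps stays at zero, tunnel up, packet-tracer allowing the flow) is easy to miss by eye on a box with dozens of SAs. The following is an added example, not code from the original thread or from Cisco: it parses the counter lines of "show crypto ipsec sa" and flags each proxy-identity pair as healthy, idle or one-way. The parser assumes the standard ASA counter lines ("#pkts encaps:", "#pkts decaps:", "#send errors:") and the "(addr/mask/prot/port)" ident format; the crypto map name, ACL name and peer/local addresses in the embedded sample are constructed, with the counters chosen to mirror the thread's symptom.

```python
"""Flag one-way IPsec SAs from 'show crypto ipsec sa' text.

Added example (not from the original thread or from Cisco). Assumes the
standard ASA counter lines and '(addr/mask/prot/port)' ident format; the
sample below is constructed, not captured from a real device.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on ASA "show crypto ipsec sa" output.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      access-list L2L-ACL extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
      local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
      #send errors: 0, #recv errors: 0

      access-list L2L-ACL extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252
      local ident (addr/mask/prot/port): (10.207.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 198, #pkts encrypt: 198, #pkts digest: 198
      #pkts decaps: 190, #pkts decrypt: 190, #pkts verify: 190
      #send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERRORS_RE = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")


@dataclass
class IpsecSa:
    local: str = ""       # local proxy identity, e.g. 10.231.191.0/24
    remote: str = ""      # remote proxy identity, e.g. 10.82.0.200/30
    peer: str = ""        # IKE peer address
    encaps: int = 0       # packets this ASA put into the tunnel
    decaps: int = 0       # packets this ASA took out of the tunnel
    send_errors: int = 0
    recv_errors: int = 0


def _cidr(addr: str, mask: str) -> str:
    """Turn 'addr' + dotted mask into CIDR, e.g. 10.82.0.200/30."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """One record per proxy-identity pair; a 'local ident' line opens a record."""
    sas: List[IpsecSa] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                cur = IpsecSa(local=_cidr(m.group(2), m.group(3)))
                sas.append(cur)
            elif cur is not None:
                cur.remote = _cidr(m.group(2), m.group(3))
            continue
        if cur is None:
            continue
        m = PEER_RE.search(line)
        if m:
            cur.peer = m.group(1)
            continue
        m = ENCAPS_RE.search(line)
        if m:
            cur.encaps = int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m:
            cur.decaps = int(m.group(1))
            continue
        m = ERRORS_RE.search(line)
        if m:
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return sas


def classify(sa: IpsecSa) -> str:
    """Name the traffic pattern on one SA.

    one-way-in : remote packets decrypt fine but nothing is ever encrypted
                 back; phase 1/2 are up, so look at what happens to the
                 return traffic before the crypto map (ACL/NAT order, routing).
    one-way-out: we encrypt but nothing comes back; start at the far end.
    """
    if sa.encaps == 0 and sa.decaps > 0:
        return "one-way-in"
    if sa.encaps > 0 and sa.decaps == 0:
        return "one-way-out"
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle"
    return "healthy"


def find_one_way(text: str) -> List[Tuple[str, str, str]]:
    """(local, remote, verdict) for every SA that is passing traffic one way."""
    return [(sa.local, sa.remote, classify(sa))
            for sa in parse_ipsec_sa(text)
            if classify(sa) in ("one-way-in", "one-way-out")]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{sa.local:>18} -> {sa.remote:<16} peer {sa.peer}  "
              f"encaps={sa.encaps} decaps={sa.decaps}  {classify(sa)}")
```

Run it against a saved "show crypto ipsec sa" from both units of a failover pair: on the thread's symptom the 10.231.191.0/24 pair comes out "one-way-in" while 10.207.0.0/16 is "healthy", which narrows the search to why outbound packets for that one network never reach the crypto map rather than to IKE or the peer.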