Cisco ASA CX active / standby

Similar Questions

• Licenses, IPS on pair of Cisco ASA 5510 active / standby

  I have two ASA 5510 devices in Active mode / standby.  I think of buying both used IPS modules and their installation.  My question is, me 1 or 2 licenses IPS that requires?  We are on 8.4 right now, and I see 8.3 Cisco changed license to c/o to where you need only one license, not two.  This is true for any way VPN licenses, so I was wondering if the same applies to licenses IPS.

  In addition, the unique licensing model will as much as only requiring a base for the pair a/s license too?  Or is the base license, something that you must have two pair a/s?

  Failover doesn't f, you have only one module in the ASA elementary school. You must have two modules. But it is fine if you do not have a subscription license for your secondary IPS (at least for the system).

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• ASA 5520 Active standby and ssl vpn loadbalancing

  I have a pair of Asa 5520 failover active rescue running. Can I use these two machines in a cluster of ssl vpn load balancing?

  N ° when a couple active / standby is part of a cluster of VPN, the rescue unit is still pending - she will not be actively terminate user sessions. Only the active cluster members (and non-failover) will do.

• Cisco ASA 8.4 Active Failover / standby with anyconnect local CA

  Hi Friend´s

  I hope you do well! I ve got a question, hope you can help me. I ve got an ASA 5550 with version 8.4 (6), it s focusing anyconnect VPN remote access who authenticate through certificate locally generated in ASA. We´ve got an another 5550 with the same hardware and same version, and we focus on the configuration of the failover. I ve heard of network other than it s engineers may not failover configuration when the ASA doing this local. Then I ve read full failover for version 8.4 operating guide (6) and I didn t find any restrictions on the local failover and CA working together. I m tests over the next weekend, but I would like to know from your experience, if I'm having problems on VPN connections or failover configuration.

  Please, do not hesitate to ask as much as necessary information. All comment and documentation will be appreciated.

  Best regards!

  It's the n: documentatio

   Does not support Active/Active or Active/Standby failover

  And on top of that, ASDM shows that "Local CA cannot be configured when failover is activated".

• Cisco ASA active / standby Mac addresses

  Hi all

  Please advise on the underside.

  Say that I have to active / standby. I have two interfaces on each firewall configured as below

  For the primary (active)

  interface GigabitEthernet1 / 0--> Say burned in mac address is 6c41.6bb0.1111
  nameif test1
  security-level 0
  10.1.1.1 IP address 255.255.255.0 ensures 10.1.1.2

  im int 2/0

  Test2 nameif--> Say burned in mac address is 6c41.6aa0.1111
  security-level 0
  10.2.1.1 IP address 255.255.255.0 ensures 10.2.1.2

  For secondary school (currently idle)

  interface GigabitEthernet1 / 0--> Say burned in mac address is 6c41.6bb0.2222
  nameif test1
  security-level 0
  10.1.1.1 IP address 255.255.255.0 ensures 10.1.1.2

  im int 2/0

  Test2 nameif--> Say burned in mac address is 6c41.6aa0.2222
  security-level 0
  10.2.1.1 IP address 255.255.255.0 ensures 10.2.1.2

  According to my understanding of the DOC.

  To transfer traffic, other devices will use the main unit mac address and IP addresses.

  Please consider under the scenario:

  My primary unit has failed and secondary took over as active unit.

  Primary (standby)

  Secondary (active)

  secondary Q1) so now will use the IP address and Mac address as below? Please confirm

  10.1.1.1 & 6c41.6bb0.1111

  10.2.1.1 & 6c41.6aa0.1111

  Q2) I believe that the ip address of the primary (Standby) in aid will be

  10.1.1.2

  10.2.1.2

  It will use what mac addresses? What is the BIA of the secondary unit? Please notify

  Thanks in advance.

  Q1 Yes), IP address and the MAC will be moving to the new active unit so no matter who the network except the switch will notice failover event

  Q2) Yes, primary (watch now) will use IP addresses and MAC addresses available for secondary:

  6C41.6bb0.2222

  6C41.6aa0.2222

  Kind regards.

• Procedure to upgrade (Active-Standby) ASA

  Hi all

  I just want to check if our upgrade scheduled SAA causes no problems during the procedure.

  Material: ASA5525-X

  Existing IOS: 9.1.2

  Update to: 9.4.2 (11)

  Setup: Active standby

  We intend to be upgraded the first start, after that, is the day before still will to resume after we force a failover him so that we can then pass the main firewall.

  Thank you very much!

  Yes, it's the process. I did it several times it it works perfectly when you follow the documented procedure.

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

• ASA (Active standby) site-to-Site VPN Question

  Hello

  I had the question as below

  Site A - 1 unit of VPN Netscreen firewall

  Site B - 2 units of ASA VPN firewall

  

  I'm trying to set up a VPN from Site to Site, but a problem with the configuration of the active standby.

  Initially, I tried Site A 1 unit Netscreen and Site B 1 unit ASA vpn site-to-site. There's no problem.

  but joins another ASA at site B and configure it as active / standby then I saw a few questions that I need help from here

  Things that confuse me.

  (1) do I need to use 2 public IP address on the SAA? (public IP for assets and the other a public IP ensures IP. it seems like a waste of the public IP address.)

  (2) link failover and dynamic failover can be configured on the same interface?

  Please help in this case, configuring VPN from Site to Site with active configuration / standby.

  just to add to this,

  just be careful when you dedicate an interface for dynamic failover, make sure that it is the highest capacity, or at least the same ability as an interface offers th

  so if you use concert for passing traffic interface uses a concert for dynamic failover port, several times we saw people using the management for steful interface when they ports of concert and they run into issues where the dynamic function does not work as expected

  You can read more here

  https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1051759

• Cisco asa active multiple interfaces on a single switch without configuration of vlan switch.

  I was wondering if there is a work around on cisco asa to have 2 interfaces vlan on a switch. The reason I ask I have a cisco asa 5505 and a dell switch that does not support the configuration of VLANs. I set up 2 interface vlan on a cisco asa and when two interfaces are active my internet drops frequently. I was wondering if there is nothing to configure the asa cisco to make this thing work. Thanks in advance...

  Assuming that Dell switch at least linking several interfaces of the ASA to the Dell should translate all media spanning tree protocols, but a bet covering the tree blocking State to avoid a tree covering loop.

  If the Dell does not support tree covering weight then you would be in very bad shape each broadcast packet would be will loop indefinitely and cause what we call a 'broadcast storm. "

  One way is not good and the other real harm.

• Add the date of activation of the system of detention of intrusions and Cisco ASA FirePOWER

  Good evening

  I want to add detention system intrusions to Cisco ASA FirePOWER license (with I.P.S, protection MPAs., Apps and URL). Is possible that? I have to buy another license or only (not free) upgrade?

  the start date of the firepower Cisco ASA license-protection starts from the purchase date or from date of activation/installation on router ASA5506-X?

  Hi again, my responses below:

  (3) the L-ASA5506W-TAMÁS = is the correct part number if you are looking to get the model of 5506-X Wireless ASA. Don't know why ours (CDW) site has not listed :) However, we have listed promotional SKU: L-ASA5506WTAMC-1PR. For more information, I suggest that join you your CDW account manager. If you are not a customer CDW then I would suggest that you contact your local Cisco partner dealer

  (4) here's the datasheet FireSIGHT:

  http://www.Cisco.com/c/en/us/products/collateral/security/firesight-Management-Center/datasheet-C78-736775.html

  The device can be virtual or physical

  5.1) IOS-base-2960 - I'm not sure I understand the question. Can you elaborate a bit more on what you're asking here?

  5.2) I.D.S. requires no additional licenses. It is part of the solution if you buy above subscriptions. The main difference here is that IPS (Intrusion Prevention System) is deployed in line and he will drop the traffic/connections if a malicious activity is detected. IDS (Intrusion Detection System) is monitor only. Thus, if the malicious traffic is detected, firepower will alert you to this topic but he will drop all traffic.

  3DES/5,3) AES will be included at the time of the references you listed.

  Thank you for evaluating useful messages!

• ASA 5520's active / standby, do not sync AnyConnect Profles

  I'm working on two ASA 5520 configuration in a configuration active / standby.  I have almost all the same between the two units for AnyConnect work waiting for both of the following:

  AnyConnect Client profiles

  AnyConnect Client software

  If I download the software manually to the standby unit I get warning against them are not synchronized, and on the active unit if I do a 'writing' standby does not copy the profile or the software.  Anyone has any ideas on this?

  Thank you

  Dan

  Hello

  Bug CSCsr31403

  When you configure the ASA in a failover pair, you must manually copy the AnyConnect and CSD images for the primary and the secondary ASA.   You must also do the same for the Anyconnect profile file if you use it.

  Either force the ASA shall become active and copy the files to the new ASA assets using ASDM or copy files directly from the console ASA ensures using tftp or ftp.

  Kind regards

  Note the useful messages

  Julio

• Cisco ASA 5510 + license + AIP - SSM

  Hello.

  I have this box.

  I have a few questions about it.

  (1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?

  (2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?

  (3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?

  (4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?

  Please help me.

  (1) you must Smartnet in order to download the software from the download from cisco.com site.

  (2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.

  (3) Yes, the basic license is OK for the AIP module.

  (4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.

  Hope that answers your questions.

• Error message 5545 ASA Cisco: % ASA-3-210007: READ allocate xlate failed

  Hello team,

  We have 2 firewall Cisco ASA, active failover / standby.

  the waiting for firewall, we see this error message "% ASA-3-210007: READ allocate xlate failed.

  This error message is related to the bug?

  Thank you for your help,

  Best regards

  Yunus Saleh

  Hi Younous,

  This error on the rescue unit could be associated with a problem of memory on the device or memory full on the device.

  IF these options are not confirmed, we can consider that your devices version is bug hit.

  https://Tools.Cisco.com/bugsearch/bug/CSCub94479/?referring_site=bugquic...

  BTW, you send us the "sh version" of your device.

  If your version is 'old' or connected to the version mentioned in the BUG system, is high suggests updating your device.

  In a law/stb Setup, are also "0 downtime" and updated easy both devices

  Let me know

  Matteo

  Please rate me if the post was beneficial for your solution / questions

• License of IPSec Cisco ASA

  Dear all,

  I want to know how much maximum IPSec connection allowed in my Cisco ASA 5505.

  I want to try VPN L2TP Mac and PC

  TQ

  The devices allowed for this platform:
  The maximum physical Interfaces: 8 perpetual
  VLAN: 20 unrestricted DMZ
  Double ISP: Activated perpetual
  VLAN Trunk Ports: 8 perpetual
  Guests of the Interior: perpetual unlimited
  Failover: Active / standby perpetual
  Encryption - A: enabled perpetual
  AES-3DES-Encryption: activated perpetual
  AnyConnect Premium peer: 25 perpetual
  AnyConnect Essentials: 25 perpetual
  Counterparts in other VPNS: 25 perpetual
  Total VPN counterparts: 25 perpetual
  Shared license: activated perpetual
  AnyConnect for Mobile: activated perpetual
  AnyConnect VPN phone Cisco: activated perpetual
  Assessment of Advanced endpoint: activated perpetual
  Proxy UC phone sessions: 24 perpetual
  Proxy total UC sessions: 24 perpetual
  Botnet traffic filter: activated perpetual
  Intercompany Media Engine: Disabled perpetual
  Cluster: Disabled perpetual

  With this device you can have 25 concurrent VPN sessions, regardless of the type.

• Anconnect Cisco ASA VPN deployment

  Hello

  I have a request for information about the deployment for the ASA who must support more than 10000 clients. I understand that several ASA would be necessary for her however I was wondering what can be typical design for this? The ASA multiple is configured as vpn cluster/load balancing, etc... ?

  I would if there is any design document for it. The current configuration is that a pair of ASA active / standby, I was wondering how to combine the total connection, if I need 15000 connections vpn; pairs of example 2 active / standby with vpn clustering/load balancing, etc... ?

  Thank you.

  You are right, that the vpn load-balancing is the technology, you need to deploy for this. With this, you can combine multiple devices to a cluster of load sharing. These devices may be different, for example two 5555 with two 5545 that would give you a total of 15000 VPN connections.
  Of course, you plan for failure of the device. So you can deploy 4 * 5555 and also if an ASA is lost you yet 15000 connections (well, at least based on the datasheet; I would not push the number of connections to the limit).
  You can also deploy these devices also as FO-systems for redundancy. 3 * 2 * 5555 would also give you redundancy.

  This is under the assumption that users connect to office even where the ASAs have one L2-connection to another which is necessary for the VPN load-balancing. If users connect through different places, then these ASAs cannot use VPN-load balancing, unless you have a L2 connection between the loacations.

  If you have multiple sites, you should also think about the shared license server that could save a lot of money if your users do not always use the same gateway.

  And last point: as much as possible for your AAA with a central RADIUS server set up to reduce the probability of a misconfiguration on ASAs multiples.

  Sent by Cisco Support technique iPad App

• VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

  Hello

  I'm a little confused as to which is the problem. This is the premise for the problem I have face.

  One of our big clients has a Cisco ASA5540 (8.2 (2)) failover (active / standby). Early last year, we have configured a VPN from Lan to Lan to a 3rd party site (a device of control point on their end). He worked until early this week when suddenly the connection problems.

  Only 1 of the 3 networks the / guests can access a remote network on the other side. 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me it seems to be correct)

  So essentially the encryption field is configured as follows:

  access-list line 1 permit extended ip 10.238.57.21 host 10.82.0.202 (hitcnt = 2)
  access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt = 198)
  access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt = 173)

  Free NAT has been configured as follows (names modified interfaces):

  NAT (interface1) 0-list of access to the INTERIOR-VPN-SHEEP

  the INTERIOR-VPN-SHEEP line 1 permit access list extended ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  permit for Access-list SHEEP-VPN-INSIDE line lengthened 2 ip host 10.238.57.21 10.82.0.202

  NAT (interface2) 0-list of access VPN-SHEEP

  VPN-SHEEP line 1 permit access list extended ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

  After the problem started only 10.207.0.0/16 network connections worked for the site remote 10.82.0.200/30. All other connections do not work.

  There has been no change made on our side and on the side remote also insists there has been no change. I also checked how long the ASAs have been upward and how long the same device has been active in the failover. Both have been at the same time (about a year)

  The main problem is that users of the 10.231.191.0/24 cant access remote network network. However, the remote user can initiate and implement the VPN on their side but usually get any return traffic. Ive also checked that the routes are configured correctly in the routers in core for the return of their connections traffic should go back to the firewall.

  Also used of "packet - trace" event raising the VPN tunnel (even if it passes the phases VPN). For my understanding "packet - trace" alone with the IP source and destination addresses must activate the VPN connection (even if it generates no traffic to the current tunnel).

  This is printing to the following command: "packet - trace entry interface1 tcp 10.231.191.100 1025 10.82.0.203 80.

  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit rule
  Additional information:
  MAC access list

  Phase: 2
  Type: FLOW-SEARCH
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  Not found no corresponding stream, creating a new stream

  Phase: 3
  Type:-ROUTE SEARCH
  Subtype: entry
  Result: ALLOW
  Config:
  Additional information:
  in 10.82.0.200 255.255.255.252 outside

  Phase: 4
  Type: ACCESS-LIST
  Subtype: Journal
  Result: ALLOW
  Config:
  Access-group interface interface1
  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  Additional information:

  Phase: 5
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 6
  Type: INSPECT
  Subtype: np - inspect
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  Policy-map global_policy
  class inspection_default
  inspect the http
  global service-policy global_policy
  Additional information:

  Phase: 7
  Type: FOVER
  Subtype: Eve-updated
  Result: ALLOW
  Config:
  Additional information:

  Phase: 8
  Type: NAT-FREE
  Subtype:
  Result: ALLOW
  Config:
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
  Exempt from NAT
  translate_hits = 32, untranslate_hits = 35251
  Additional information:

  -Phase 9 is a static nat of the problem to another network interface. Don't know why his watch to print.

  Phase: 9
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (interface1, interface3) 10.231.0.0 10.231.0.0 255.255.0.0 subnet mask
  NAT-control
  is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
  static translation at 10.231.0.0
  translate_hits = 153954, untranslate_hits = 88
  Additional information:

  -Phase 10 seems to be the default NAT for the local network configuration when traffic is to the Internet

  Phase: 10
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT (interface1) 5 10.231.191.0 255.255.255.0
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
  dynamic translation of hen 5 (y.y.y.y)
  translate_hits = 3048900, untranslate_hits = 77195
  Additional information:

  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional information:

  Phase: 12
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional information:

  Phase: 13
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 1047981896 id, package sent to the next module

  Result:
  input interface: interface1
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  So, basically, the connection should properly go to connect VPN L2L but yet is not. I tried to generate customer traffic of base (with the source IP address of the client network and I see the connection on the firewall, but yet there is absolutely no encapsulated packets when I check "crypto ipsec to show his" regarding this connection VPN L2L.) Its almost as if the firewall only transfers the packets on the external interface instead of encapsulating for VPN?

  And as I said, at the same time the remote end can activate the connection between these 2 networks very well, but just won't get any traffic back to their echo ICMP messages.

  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
  current_peer: y.y.y.y

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  If it was just a routing problem it would be a simple thing to fix, but it is not because I can see the connection I have to confirm it by the router base on the firewall, but they don't just get passed on to the VPN connection.

  Could this happen due to a bug in the Software ASA? Would this be something with Checkpoint VPN device? (I have absolutely no experience with devices of control point)

  If there is any essential information that I can give, please ask.

  -Jouni

  Jouni,

  8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

  If this does not resolve the problem - I suggest open TAC box to get to the bottom of this ;-)

  Marcin