Clarification of active/active failover

Hi - can someone tell me whether ASA active/active failover requires two router ports for the outbound traffic? In other words, a path for each subnet in both contexts? Or, as in the form below, can A/A failover work with a single-port gateway router?

Thank you

Dave

Dave,

Several contexts can share outside access by assigning each of them an IP address on the same subnet. But A/A failover requires each context to have its own physical interface, so a single-port gateway router will not work, except by implementing VLAN routing with router-on-a-stick.

Thank you

Hang
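
As an added example for this thread (not from the original posters or from Cisco documentation), here is what the VLAN-routing layout Hang mentions looks like: two contexts in active/active failover, each owning its own 802.1Q subinterface, reaching a gateway router that uses a single physical port with one subinterface per VLAN. All interface names, VLAN ids, context names and addresses are assumed.

```cisco
! ===== ASA system execution space (same on both units except the "failover lan unit" line) =====
! Assumed layout: Gi0/0 uplink to the gateway router, Gi0/1 inside trunk, Gi0/3 failover link.
mode multiple
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.110
 vlan 110
interface GigabitEthernet0/1.120
 vlan 120
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
failover lan unit primary
failover lan interface FAILINT GigabitEthernet0/3
failover link FAILINT GigabitEthernet0/3
failover key <shared-secret-placeholder>
failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7
! Active/active = one failover group per unit; a context is active wherever its group is.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
failover
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context ctxA
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/1.110
 config-url disk0:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/1.120
 config-url disk0:/ctxB.cfg
 join-failover-group 2

! ===== context ctxA: its own outside VLAN; the standby address is used by the peer unit =====
interface GigabitEthernet0/0.10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface GigabitEthernet0/1.110
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0 standby 10.1.0.2
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! (ctxB is the same shape on VLANs 20/120 with gateway 198.51.100.1)

! ===== gateway router (IOS): a single physical port, one dot1Q subinterface per context =====
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
```

The `standby` addresses let the router's ARP entries survive a failover, and the switch between the ASAs and the router must trunk both VLANs; which unit owns each context is decided only by the failover group it joins, not by the interface layout.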

Tags: Cisco Security

Similar Questions

  • Local unit is in failover but is not active.

    Impossible to run IPsec sessions... This is the debug... any idea?

    ASA5520# debug cry isa 1
    ASA5520# Aug 14 11:06:59 [IKEv1]: IKE Initiator: Local unit is in failover but is not active.
    Aug 14 11:07:00 [IKEv1]: IKE Initiator: Local unit is in failover but is not active.
    Aug 14 11:07:02 [IKEv1]: IKE Receiver: Local unit is in failover but is not active.
    Aug 14 11:07:04 [IKEv1]: IKE Initiator: Local unit is in failover but is not active.
    Aug 14 11:07:04 [IKEv1]: IKE Initiator: Local unit is in failover but is not active.

    Try to restart the PIX.

    Reference URL:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

  • VPN replication with active/standby failover

    Hello all

    If the ASAs are in an active/standby failover configuration,

    and the active ASA has a VPN image, profile and plug-ins, will those also be replicated to the standby ASA?

    Or do I have to do it manually on the standby ASA?

    Regards

    Mahesh

    The VPN image and profile are not replicated; you will have to do it manually. Here is a list of what does get replicated in a stateful active/standby configuration:

    • NAT translation table

    • TCP connection states

    • UDP connection states

    • ARP table

    • Layer 2 bridge table (when running in transparent firewall mode)

    • HTTP connection states (if HTTP replication is enabled)

    • ISAKMP/IPsec SA table

    • GTP PDP connection database

    --

    Please do not forget to rate and choose a good answer

  • Cisco ASA 8.4 active/standby failover with AnyConnect local CA

    Hi friends,

    I hope you are doing well! I've got a question; I hope you can help me. I've got an ASA 5550 with version 8.4(6) that is handling AnyConnect remote-access VPN, authenticating through certificates generated locally on the ASA. We've got another 5550 with the same hardware and the same version, and we are working on the failover configuration. I've heard from other network engineers that failover may not work when the ASA is acting as a local CA like this. Then I read the full failover operating guide for version 8.4(6) and I didn't find any restrictions on failover and the local CA working together. I'm testing over the next weekend, but I would like to know from your experience whether I'll have problems with VPN connections or the failover configuration.

    Please do not hesitate to ask for as much information as necessary. All comments and documentation will be appreciated.

    Best regards!

    It's in the documentation:

     Does not support Active/Active or Active/Standby failover

    And on top of that, ASDM shows that "Local CA cannot be configured when failover is enabled".

  • ASA in transparent mode with LAN-based active/standby failover?

    Is it possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover? I configured the failover portion and then configured transparent mode, and it erased my failover configuration. Is this a supported configuration, and if so, is there an example somewhere?

    Thanks in advance

    Yes. It is possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover. You must perform the failover configuration after converting the appliance to transparent mode.

    I saw an example on the Cisco site, but I'll give you an example from one of the projects I run. In fact it's very easy to configure failover in transparent mode. Less work.

    I have listed the configs of both firewalls for your reference.

    Main firewall
    ============

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     no shutdown
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     no shutdown
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
    !
    interface GigabitEthernet0/3
     description LAN Failover Interface
    !
    ip address 192.168.9.2 255.255.255.0 standby 192.168.9.7
    failover
    failover lan unit primary
    failover lan interface FAILINT GigabitEthernet0/3
    failover key abcdef
    failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7

    Secondary firewall
    =================

    failover
    failover lan unit secondary
    failover lan interface FAILINT GigabitEthernet0/3
    failover key abcdef
    failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7
    int GigabitEthernet0/3
     no shutdown

    Hope the above helps.

  • Active/active failover configuration LAN-based PIX / ASA

    Hi all

    I would like to ask whether there is a distance restriction between the two ASA5510s in a LAN failover? There shouldn't be, or am I wrong?

    Thank you

    Norbert

    Hello

    The normal Ethernet limit of 100 m. Or you can use switches between them; I do not have a direct link.

    Best regards, Celio

  • ASA-SSM-20 in an active failover configuration

    Can you synchronize configuration data between two IPS systems?

    I have two ASA-SSM-20s (6.1.1 E3), one in each of my ASAs. The ASAs are in active/standby. During configuration of the IPS module I always make the same changes on the standby unit as well. Is it possible to synchronize these two sensors, so that when one is configured the other is updated?

    Thank you very much

    Unlike the ASA, there is no automatic function to keep the configuration synchronized across the 2 SSMs.

    A few options:

    You can use the copy command to copy the configuration of one sensor to an FTP/SCP server.

    Then use the copy command on the second sensor to copy the configuration onto the second sensor. During the copy, it will ask whether to change the IP of the sensor to what is in the configuration file. You will need to tell it NOT to change the IP of the sensor, otherwise you end up with 2 SSMs with the same IP address and will struggle to connect to them.

    Another option is to use CSM. CSM has configuration that applies to single sensors, but also group configuration that can be applied across multiple sensors.

    If you use the group configuration, then you could make one change to the group's configuration and apply it to all the sensors in the group (you would place your 2 SSMs in the same group).

  • need a clarification on "Reader enabled" in LC ES

    Is "Reader enabled" some plug-in or simply an option to 'mark' before you start developing the new form? I couldn't find much in the LC help, but I see it's very important later for end-user functions (like sending filled PDF forms by e-mail with only Adobe Reader)... If there is a plugin, is it needed only on the developer station or for all users of this form?

    Please advise.

    Hello

    I have a summary of what Reader-enabling a form allows here: http://cookbooks.adobe.com/post_Using_LiveCycle_Forms_in_Acrobat_and_Reader-16518.html

    If you scroll down to the end, there is a PDF which summarizes the deployment of a form in Acrobat and Reader. In the PDF, there are screenshots if you mouse over the question marks.

    There are two ways to Reader-enable a form:

    (1) is to use Acrobat Professional or Acrobat Standard (v9) (v8 or lower). In Acrobat v9, under the Advanced menu there is an option to enable the form. Click it and save the form under a different name. There are license restrictions when you use Acrobat.

    (2) Adobe has a server component for their LiveCycle Enterprise Suite called LC ES2 Reader Extensions. This is designed to allow for a large number of forms or a large number of recipients. It is an expensive option because it is server-based and intended for large organizations or government agencies.

    Once you Reader-enable a form, users with Reader will be able to save the form (this ability is necessary if you want the user to send the PDF form). There is no plugin, as the process of applying the Reader extensions unlocks Reader features (for that form only).

    However, please be aware that when you Reader-enable the form, while some features will be enabled, others will be turned off (like data connections).

    Good luck

    Niall

  • Active/active failover on PIX

    Hello

    First of all, thank you for your time. I have a question on a PIX with 7.0 active/active failover implementation. I have two PIX 535s with 3 Ethernet interfaces (inside, outside and failover). So far they were active/passive, but I would like to implement active/active. Is it possible to do this without HAVING to install more Ethernet cards? Moreover, is it possible using a single context? I found this info:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a008045247e.html#wp1096075

    Can I implement it another way?

    Sincere greetings,

    Fernando

    CCIE #144XX CCNP CCDP

    Hello

    IMHO "active/active" is just sales talk. What Cisco means when they say active/active on PIX 7 / ASA is just load balancing if you run multiple firewall contexts.

    For each virtual firewall you set one physical firewall as active and the other as passive. If you have 4 virtual firewalls (contexts), you define firewall A as active for contexts 1 and 2 and firewall B as active for contexts 3 and 4. This way, when a device fails, the two contexts that are active on that unit switch to the other device.

    If you don't run multiple contexts on your firewall, you cannot use active/active failover.

    Sorry, it disappointed me too, when I realized...

    Regards, Jimmy

  • Does VPN work in active/active firewall failover mode?

    I want to clarify these two things!
    1. Does VPN work in active/active failover mode?

    2. What about active/passive failover mode?

    Kind regards!

    Hello

    Using active/active failover means that the firewalls will be in multiple context mode, in other words virtual firewalls.

    This means that you can ONLY use L2L IPsec VPN connections on the virtual firewalls, and only if you run 9.x software on the firewall. Any form of client and clientless VPN is not supported in multiple context mode right now.

    Now with active/standby, we must make a distinction (if that is the word).

    IF you run a pair of ASAs in normal active/standby failover that IS NOT in multiple context mode, YOU CAN use any type of VPN the ASAs support.

    IF you run a pair of ASAs in multiple context mode with active/standby, you will naturally meet the VPN limitation of multiple context mode and WILL NOT be able to use any VPN other than L2L IPsec VPN connections, as long as you run the 9.x software that supports it.

    Hope this helps

    -Jouni

  • Design of switching between Nexus 7K and active/standby firewall

    In the attached diagram, the Nexus 7K is used in two ways: on the left side, a pair of NX7Ks connects to the firewall with layer 2 trunks, and the vPC VLANs are shared across the pair. The firewall is an active/standby pair. On the right side, another pair of NX7Ks connects to the firewall with layer 3 routed links. HSRP or VRRP runs between the NX7K pair for the firewall VLAN SVI.

    Because both NX7Ks have mesh connections to the active/standby firewall units, I want to make sure that in failover scenarios (firewall failover or NX7K failures) the remaining link between the NX7K pair and the firewall can actually forward traffic (not black-holed).

    Failure scenarios I can think of include: firewall failover from active to standby, failure of the primary NX7K device, dual-active NX7K, and failure of the NX7K vPC peer-link. I would like some advice on what I should consider and implement in these scenarios to achieve high availability.

    Many thanks for any advice.

    Hello

    From your topology, I see that the main concern is whether the physical connectivity from the firewall to the pair of Nexus devices fails over to the redundant link to the N7K.

    First, since you're using vPC with a vPC peer-link between the pair of N7Ks, you must follow Cisco's recommendations for connecting firewalls over L2 and L3 links.

    L2: if you pass vPC VLANs on the trunk between your topology and the firewall, there is a possibility of traffic being blocked or dropped by the vPC loop-prevention mechanism, for example in the case where the vPC peer-link goes down.

    The fix is either:

    use non-vPC VLANs and a separate inter-switch link for those VLANs (I think you already have this link)

    or multi-home the L2 connection of each firewall to the two N7K switches, assuming HSRP is configured on the N7Ks and static routing is used between the firewall and the N7K

    For L3 firewall links:

    You should also (if possible, and it is recommended) use static routing between the N7Ks and the firewalls, and the firewalls must point to the N7K HSRP VIP.

    Multiple L3 links and L3 dynamic routing peering over the vPC peer-link is not a supported design.

    Have a look at this discussion, which might help as well:

    https://supportforums.Cisco.com/message/3792466#3792466

    Hope this helps

    Rate if useful

  • AIP-SSM upgrade for ASA active/active

    Hello all!

    I need help on upgrading the AIP-SSM modules to E4 on two ASAs which are in active/active state. Will I be able to do this without downtime? What are the considerations?

    AIPs are independent of ASA failover; however, the ASA can consider the status of the AIP in failover decisions, which means it can fail over if it detects the AIP module going down on the active device.

    The best method for upgrading in this situation would be to set the failover status to active for all groups on the primary ASA, then upgrade the AIP of the secondary ASA.

    Once the secondary AIP is completely updated and functional, then set all groups to be active on the secondary ASA.

    Then upgrade the primary AIP.

    Once the primary AIP is completely upgraded and working, you can then restore the failover status of the ASAs by setting failover active for each group on the specific ASA you want it to be active on...

    Kind regards

  • "Move" failover to different / interface port

    Sorry if this is in the wrong place; we rarely have issues that weren't already covered elsewhere, so I don't frequent this area.

    How difficult is it to change the interface used for active/standby failover? This is a working pair, already configured with standby, but I need to move the crossover cable and tell them to use a different interface.
    Pair of ASA 5510s, already in place and working with failover, which was originally set up on Ethernet port 0/3 by the senior network administrator. It seems his use of interfaces or ports was taken straight out of the examples on the web, including the interfaces used.
    The senior network admin retired last spring and left me "supported", gee, thanks.
    I need to make some changes and need the Ethernet port for an important new project.
    The Management 0/0 interface is unused and shut down. We manage via the inside interface from a specific inside subnet, so we do not need the dedicated management interface.
    I want to move the failover FROM Ethernet 0/3 TO Management 0/0.

    * This is the current configuration:

    Output of the command: "sh run failover"

    failover
    failover lan unit primary
    failover lan interface failover Ethernet0/3
    failover link failover Ethernet0/3
    failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2

    * And this is the current 0/3 interface and management configuration:

    interface Ethernet0/3
     description LAN/STATE Failover Interface
    !
    interface Management0/0
     speed 100
     duplex full
     shutdown
     nameif management
     security-level 0
     no ip address
     ospf cost 10

    I know it can work on the Management 0/0 interface because I see a lot of "how to configure" examples, as if the ASA were brand new, and several of those examples are indeed set up on the management interface.

    I'm looking to find out how to take a pair of ASAs that is currently configured and working, with a functional failover configuration, and simply "move" the failover to a different port, or change the interfaces used for the "heartbeat" somehow.

    I guess that's not difficult - but I also assume there is a specific sequence of events that must occur in order to prevent the pair from failing over and switching the primary roles...
    For example - would you turn off or disable failover, and if so, how and on which ASA (frankly, I don't know how to access the secondary or standby unit if it needs to be done there, suspended or on the standby unit, because I've never done a config that "deep" before)
    CLI is fine - I'd be equally comfortable in ASDM or CLI.

    I really hope this makes sense - I'm more of a handyman and fixer than a designer or network engineer...
    And thank you very much - getting this moved will free up the interface I need and can really make a big dent in my project list while the project manager is on vacation this week! I'd love to have this done before his return.

    Oh, in case it's important, as I said, it's running the license and version shown here:

    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 6.4(7)

    Compiled on Fri 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"

    VRDSMFW1 up 141 days 4 hours
    failover cluster up 141 days 4 hours

    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xfff00000, 1024KB

    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1

     0: Ext: Ethernet0/0         : address is 0024.972b.e020, irq 9
     1: Ext: Ethernet0/1         : address is 0024.972b.e021, irq 9
     2: Ext: Ethernet0/2         : address is 0024.972b.e022, irq 9
     3: Ext: Ethernet0/3         : address is 0024.972b.e023, irq 9
     4: Ext: Management0/0       : address is 0024.972b.e01f, irq 11
     5: Int: Not used            : irq 11
     6: Int: Not used            : irq 5

    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : 250            perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual

    This platform has an ASA 5510 Security Plus license.

    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 4              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 4              perpetual
    AnyConnect Essentials             : 250            perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 4              perpetual
    Total UC Proxy Sessions           : 4              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual

    This platform has an ASA 5510 Security Plus license.

    Serial Number: ABC12345678
    Running Permanent Activation Key: eieioandapartridgeinapeartree
    Configuration register is 0x1
    Configuration last modified by me at 15:03:07.132 CDT Mon Sep 15 2014

    Disconnect a monitored interface on your standby unit; that will ensure it does not take over as active. Then disconnect the failover link and modify its failover parameters. (You will need to first remove the nameif from M0/0.)

    Then make the same changes on the primary (still active) unit. Reconnect the failover link, confirm that the units synchronize, and finally reconnect the production interface on the standby unit.

  • Removing a PIX from a failover pair

    We have two PIX 515s currently configured in failover. We must remove the secondary PIX for a few days; is there something special we have to do, or should we just unplug it and let it do its normal failover? And while we're on the subject, what would need to be done when we put the PIX back in? Thanks in advance.

    If you remove the standby unit, just turn it off and remove it; the active PIX remains active.

    If you remove the active PIX, do a "failover active" on the standby to make it active and then turn the other one off.

    Remember, however, that if your secondary PIX has a failover-only license, then it restarts every 24 hours or so if it detects that the primary is not connected. When that happens you will have to do another "failover active" manually on this unit, as it will not automatically become the active unit. Make sure you leave the failover cable connected to this unit, otherwise it won't start up at all.

  • Pictrivia 15 - what type of failover is this?

    What is Pictrivia?

    It's a story presented as an image - more picture, fewer words. If you like solving puzzles and racking your brain on a riddle, you should love this one.

    Who can participate?

    It is open to all. You can participate on Facebook, Twitter or here. If you follow our Facebook or Twitter channels, you will see the message posted early Saturday morning Pacific time.

    How often do you post something?

    Once a week, on Friday.

    How do I answer?

    You can answer by replying to this discussion. If you have seen the post on our Facebook page or Twitter, just comment on the post or reply to our tweet.

    What do I get?

    The intellectual stimulation, excitement and fun of solving a puzzle!

    What is the skill level required?

    Beginner

    When will I know the right answer?

    On the following Wednesday.

    Active/standby failover ASA (/PIX)
