history of ASA failover

Hello

Does anyone have a link to the Cisco document, or an article, that describes the failover states and the meaning of the failover history?

Thank you very much

Hi cisco8887,

The command "show failover history" could be useful in this situation.

Read more about it below:

http://www.Cisco.com/c/en/us/TD/docs/security/ASA/ASA-command-reference/S/cmdref3/S7.html

It may be useful.

-Randy-

Tags: Cisco Security

Similar Questions

  • Cisco ASA failover KeepAlive - classification and prioritization

    Hello

    I have a busy layer 2 link between data centers and must ensure that the failover keepalive traffic between the ASA firewalls at each data center gets through.

    I want to implement layer 2 quality of service on the path. Can you classify and prioritize ASA failover keepalive traffic? If so, what ports should I use, or is it already marked by the ASA?

    Thank you

    Hello

    If you want to apply QoS on the switched link between the ASAs, you need to:

    - Mark the traffic on the switch interfaces facing the ASA failover interfaces

    - All intermediate switches must trust the QoS value and apply your QoS policy (bandwidth reservation based on the QoS value chosen before).

    Assume that your primary unit failover IP is 192.168.100.1 and 192.168.100.2 for the secondary unit.

    The ACL to classify the traffic is:

    From ASA1 to ASA2:

    ip access-list extended HA-ASA
     permit ip host 192.168.100.1 host 192.168.100.2

    From ASA2 to ASA1:

    ip access-list extended HA-ASA
     permit ip host 192.168.100.2 host 192.168.100.1

    Hope that answers your question.

    Thank you.

    PS: If this solved your problem, please do not forget to rate it and mark it as answered.

  • ASA failover license

    I have two standalone ASA 5525-X firewalls;

    on both of them, the show version command shows the failover license as Active/Active. Can I use these two to make an Active/Standby failover pair?

    What are the ASA failover license types? Is this different from the PIX?

    Active/Active failover is available only for ASAs in multiple context mode. In an Active/Active failover configuration, both ASAs can pass network traffic.

    Active/Standby failover allows you to use a standby ASA to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state.

    For Active/Active failover in multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.

    In an Active/Active pair, the license amounts (if any) are combined. For example, two 5510s in an Active/Active pair each with 100 SSL VPN Premium peers: the licenses will combine to give a total of 200 SSL VPN peers for the pair. The total count must be below the platform limit. If the count exceeds the platform limit (e.g. 250 SSL VPN connections on a 5510), the platform limit will be used on each.

    You can use Active/Standby for your case.

    You can check your license information under 'show version' and 'show activation-key'. Here is an example:

    Licensed features for this platform:          <----- features available under your license
    Maximum Physical Interfaces    : 8
    VLANs                          : 20, DMZ Unrestricted
    Inside Hosts                   : Unlimited
    Failover                       : Active/Standby
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 25
    Dual ISPs                      : Enabled
    VLAN Trunk Ports               : 8
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Enabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled

    This platform has an ASA 5505 Security Plus license.          <----- type of your license

    Serial Number: JMX00000000                                    <----- serial number

    Running Activation Key: 0x... 0x... 0x... 0x... 0x...         <----- activation key

    ASA# show activation-key
    Serial Number: JMX00000000
    Running Permanent Activation Key: 0x... 0x... 0x... 0x... 0x...
    Running Timebased Activation Key: 0x... 0x... 0x... 0x... 0x...

    Licenses required for Active/Active failover

    The following table shows the license required for this feature:

    Model                    License Requirement
    ASA 5505                 No support.
    ASA 5510, ASA 5512-X     Security Plus License.
    All other models         Base License.

    Licenses required for Active/Standby failover

    The following table shows the license required for this feature:

    Model                    License Requirement
    ASA 5505                 Security Plus License. (Stateful failover is not supported.)
    ASA 5510, ASA 5512-X     Security Plus License.
    All other models         Base License.

    Active/Active failover

    You cannot use Active/Active failover and VPN together; if you want to use VPN, use Active/Standby failover.

    http://www.Cisco.com/en/us/docs/security/ASA/asa83/license_standalone/license_management/license.html

    Please rate!

    Post edited by: sachin gelin

  • ASA 5510, 8.4 (4) totally confused 1 NAT

    I'll try to keep this simple. I have spent about 18 hours researching, reading and experimenting, and that is an honest figure; I have kept track of my time so far.
    I need to run a server on our inside network, but have the outside be able to reach it through 3 specific protocols and ports.
    I had HOPED to use objects and groups to achieve this and not have to redefine this server or host 3 times and run 3 or more NAT statements, since that completely loses the concept and purpose of the thing, doesn't it? But the NAT statement seems to refuse to deal with GROUPS. I can put a single SERVICE or a single port in the NAT, but I can't get a single NAT line under a single object for this server to cover several ports which are not a range.

    Here is the need - I'll set everything out first to keep it simple and straight (at least in my head):
    The interface that faces or sits on the dirty Internet is named "WAN" (why, I don't know, but it is, and it is too complex to change now)
    The WAN, the outside interface, has an IP address of 1.1.1.66
    Our provider has given us 16 public hosts or addresses we can use.
    (1.1.1.67 is the failover address on the ASA for the same interface.)
    My server on the inside LAN is 10.10.10.70
    I need to use ANOTHER address; I need to keep it off 1.1.1.66 and 1.1.1.67 on the WAN interface of the 5510 pair.

    I want to use a specific outside Internet address, 1.1.1.68, to access the server sitting on 10.10.10.70 inside.
    BUT, I want access to UDP 500 and UDP 4500 and ESP only, nothing else.

    The idea is this - something outside, meaning on the Internet, needs my inside server, so it hits the WAN interface at IP 1.1.1.68 on UDP port 500 or 4500, or with ESP, to reach my server on the inside LAN.
    The ASA sees the UDP 500, 4500 and ESP traffic to 1.1.1.68 and translates it to the SAME ports on 10.10.10.70.
    So I need a NAT statement that will say traffic hitting 1.1.1.68 on UDP 500 or UDP 4500 or ESP should be sent to 10.10.10.70 on UDP 500, UDP 4500 or ESP.

    The server must answer back, of course!
    It's very simple; it has been done all the time. "Port forwarding" and a static NAT - this server would always be 1.1.1.68 if you were to look at it from outside, and it would also always go out under that address, but inside we know it as 10.10.10.70

    I can't seem to get the NAT to take if I use a single service or define a single service, but when I create a service group that has ESP, UDP 4500 and UDP 500 in it, it does not recognize any group - it spits it out if I say any word except SERVICE in the NAT statement.

    This is one way I tried, but 8.3 and later do not seem to like it, and the term "source" is killing me and I cannot find it mentioned anywhere.

    object service VPN-4500
     service udp destination eq 4500
    object service VPN-500
     service udp destination eq isakmp

    object-group service mygroup
     service-object object VPN-4500
     service-object object VPN-500

    (I also have ESP in there now but it is of no consequence; it won't work even with just these two)

    object network servernetworkobject
     host 10.10.10.70
     description My server
    object network vpn-out
     host 1.1.1.68
     description Second IP address to use when viewing my server from outside

    nat (inside,WAN) source static servernetworkobject WANsecondIP service mygroup mygroup

    where servernetworkobject is the name I've defined for the network object in the ASA, WANsecondIP is the address that I want to use, defined as a network object, and mygroup is the group I created which contains the 3 services or ports.
    These aren't the real names or addresses, and it isn't really that lame in the configuration; I just cleaned it up for public use.

    ALL of the examples that I find on the web, including Cisco sites, are very similar to this, but then I also see that it must be defined within the object network itself, which is different from the samples on Cisco websites! I'm SO confused... Objects should simplify this in spades; instead they are making it much more difficult and making the configuration a lot bigger and clumsier.

    The best way to do this is:

    1. Define the static NAT rule

    2. Add an access-list (or an access-list entry in the existing WAN_in, or whatever you call it) to permit the service group.

    So you should have:

    object network servernetworkobject
     host 10.10.10.70
     description My server
    object network vpn-out
     host 1.1.1.68
     description Second IP address to use when viewing my server from outside

    nat (inside,WAN) source static servernetworkobject vpn-out

    ...and

    access-list WAN_in extended permit object-group mygroup any object servernetworkobject

  • AIP - SSM upgrade for ASA active / active

    Hello world!

    I need help upgrading the AIP-SSM modules to E4 on two ASAs that are in Active/Active failover. Will I be able to do this without downtime? What are the considerations?

    The AIPs are independent of the ASA failover; however, the ASA can take the status of the AIP into account in its failover decision, which means it can fail over

    if it detects the AIP module going down on the active device.

    The best method for upgrading in this situation would be to set the failover state to active for all groups on the primary ASA, then upgrade the AIP on the secondary ASA.

    Once the secondary AIP is completely upgraded and functional, then set all groups to be active on the secondary ASA.

    Then upgrade the primary AIP.

    Once the primary AIP is completely upgraded and working, you can then restore the failover state of the ASAs by setting each failover group active on the specific ASA you want it to be active on...

    Kind regards

  • IPS Failover online

    Hello

    I want to propose inline IPS in a network, but with a failover option like ASA failover. If an IPS fails, then the entire network goes down; what to do then?

    So what I decided is to use the IPS in promiscuous mode. Please give a good suggestion.

    Regards

    Handsome

    Unfortunately there is no failover mechanism for IPS sensors.  You can configure the sensor to fail open so that if the IPS engine fails, traffic will bypass inspection and continue to flow.

  • The requirements for standby Firewall ASA

    Hello

    I have an ASA 5510 firewall with the Security Plus license bundle running in our production environment, and I am now buying another box as a standby firewall. According to my understanding, the standby should be the same as the active firewall.

    Here are the specifications of the one running in our existing environment:

    1 ASA 5510 Firewall (Security Plus bundle license, 1 GB RAM, 256 MB Flash)

    And I will buy a replica of the above with the Security Plus bundle license, 1 GB RAM, 256 MB of Flash memory.

    My question is, is there anything else that I'm missing for the standby firewall?

    Kind regards

    Saeed

    ASA failover partners must have the same number?

    Here I guess that you are referring to the same number of interfaces.  These interfaces must also be of the same type, so you can't have one ASA with 4 Gig interfaces and the other with 2 Gig interfaces.  Or you can, but you will not be able to use failover for 2 of the interfaces on the ASA with 4 Gig interfaces.  Similarly, if both ASAs have 4 interfaces but one ASA has 4 Gig interfaces while the other has 4 FastEthernet interfaces, then this would not be supported.

    --

    Please do not forget to select a correct answer and rate useful posts

  • Anyconnect VPN logs

    Hello people!

    I would like to know how I can see the history of AnyConnect VPN sessions.

    To see the current WebVPN or SSL VPN client sessions, I know these commands can be used, but I don't know about history.
    ASA# show vpn-sessiondb webvpn
    or ASA# show vpn-sessiondb svc

    Thank you

    Marcio

    Hi Marcio,

    To do this you must configure a syslog server.

    Please check this link:

    http://www.Cisco.com/c/en/us/support/docs/security/PIX-500-series-Securi...

    You would then be able to extract the information about the AnyConnect users who have connected in the past.

    Hope it helps.

    Kind regards

    Aditya

    Please evaluate the useful messages.
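The reply above says the history has to come from syslog. As an added example, not from the thread, here is a Python reconstruction of AnyConnect session history from ASA syslog lines. The sample lines are constructed, and the message IDs 722022/722023 and their "Group <..> User <..> IP <..> ... SVC connection established/terminated" wording are assumed from memory of the ASA syslog message guide, so check them against the guide for your release before relying on the regex; the function names are mine.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not real logs). Message IDs and text for
# 722022/722023 are assumed; verify against your release's syslog guide.
SAMPLE_SYSLOG = """\
Mar 10 2015 08:01:12 asa5515-01 %ASA-6-722022: Group <RemoteUsers> User <alice> IP <203.0.113.5> TCP SVC connection established without compression
Mar 10 2015 08:01:12 asa5515-01 %ASA-6-722022: Group <RemoteUsers> User <alice> IP <203.0.113.5> UDP SVC connection established without compression
Mar 10 2015 08:40:03 asa5515-01 %ASA-6-722023: Group <RemoteUsers> User <alice> IP <203.0.113.5> UDP SVC connection terminated without compression
Mar 10 2015 08:40:03 asa5515-01 %ASA-6-722023: Group <RemoteUsers> User <alice> IP <203.0.113.5> TCP SVC connection terminated without compression
Mar 10 2015 09:15:44 asa5515-01 %ASA-6-722022: Group <Contractors> User <bob> IP <198.51.100.9> TCP SVC connection established without compression
"""

# Timestamp, device name, then the message; only the two SVC session
# messages are matched, everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<id>72202[23]): "
    r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> "
    r"(?P<proto>TCP|UDP) SVC connection (?P<event>established|terminated)"
)


def session_history(text):
    """Reconstruct AnyConnect (SVC) sessions from syslog text.

    One entry per (user, peer IP): opened by the first 'established' message
    (the TCP and UDP tunnels each log one) and closed by the last
    'terminated' message. Sessions with no terminate yet have end=None.
    """
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        key = (m["user"], m["ip"])
        if m["event"] == "established":
            sessions.setdefault(key, {"group": m["group"], "start": ts, "end": None})
        elif key in sessions:
            sessions[key]["end"] = ts
    return [
        {
            "user": user,
            "ip": ip,
            "group": s["group"],
            "start": s["start"],
            "end": s["end"],
            "duration_s": None if s["end"] is None
            else int((s["end"] - s["start"]).total_seconds()),
        }
        for (user, ip), s in sessions.items()
    ]


if __name__ == "__main__":
    for entry in session_history(SAMPLE_SYSLOG):
        print(entry)
```

Feed it the syslog file your collector writes for the ASA; an open session (no terminate message) is reported with end and duration of None, which is also what you see for users who were still connected when the log was exported.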

  • ASA status interface failover: Normal (pending)

    I've been struggling with this. I have two ASAs running 8.6 that show the interfaces being monitored fine.

    I'm running 9.2 on these and they show the interfaces as Waiting. Also, can I disable monitoring of the IPS? I ask only because back when the IPS was a module in the ASA, if I had to restart it the units would fail over. I don't know if it's the same now that the IPS is software-based inside the ASA, running on a separate hard drive.

    ASA5515-01# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER GigabitEthernet0/5 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 114 maximum
    MAC Address Move Notification Interval not set
    Version: Ours 9.2(2)4, Mate 9.2(2)4
    Last Failover at: 03:55:44 CDT Oct 21 2014
            This host: Primary - Active
                    Active time: 507514 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                      Interface outside (4.35.7.90): Normal (Waiting)
                      Interface inside (172.20.16.30): Normal (Waiting)
                      Interface Mgmt (172.20.17.10): Normal (Waiting)
                    slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                      IPS, 7.1(4)E4, Up
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                      Interface outside (0.0.0.0): Normal (Waiting)
                      Interface inside (0.0.0.0): Normal (Waiting)
                      Interface Mgmt (0.0.0.0): Normal (Waiting)
                    slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                      IPS, 7.1(4)E4, Up

    Stateful Failover Logical Update Statistics
            Link : Unconfigured.

    ASA5515-01# show run | inc failover
    failover
    failover lan unit primary
    failover lan interface FAILOVER GigabitEthernet0/5
    failover interface ip FAILOVER 10.10.1.1 255.255.255.252 standby 10.10.1.2
    ASA5515-01# ping 10.10.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
    ASA5515-01#

    ------------

    I also read not to use a design where a cable is directly connected between the two units, and instead each interface should connect to a downstream switch port so that link status stays up on one firewall's interface if the other firewall's interface fails. Otherwise, both units detect a link-down condition and assume their own interface is down. Never really thought about it in that sense. Does anyone use a directly attached cable and have problems?

    Hello

    I rarely troubleshoot failover configurations, so I am a little rusty with problems related to them.

    The first thing that comes to mind is: do the configurations under the interfaces have a "standby" IP address configured? I wonder, since the failover seems to be configured and the link between the units is fine, but the Standby Ready unit just shows 0.0.0.0 for each interface.

    -Jouni

  • ASA with different failover module IPS

    Hi all

    Is it possible to configure ASA failover with different IPS module configurations? We have an ASA 5585-X with a FirePOWER SSP-10 and an ASA 5585-X with an IPS SSP-10.

    Thank you

    No.

    The hardware inventory (base unit, memory and optional modules) must be the same in an ASA failover pair.

  • Licenses of the ASA, a license or two for a failover pair

    I have two ASA firewall units configured as a failover pair.  Now I need to increase the SSL VPN license. Do I need one license for the ASA pair, or two licenses, one for each unit? Can I use one activation key on both units?

    One thing I know for sure: putting the key on the active unit does not synchronize the license to the standby unit.

    Thank you very much in advance.

    It depends on the version. On ASA 8.3 and later, you can share a single license across an HA pair.

  • AIP - SSM recreate the image in secondary ASA 5500 (failover) with virtual contexts

    Hello guys,

    The scenario is as follows:

    2 ASA 5500s with virtual contexts for failover.

    The primary ASA has a working AIP-SSM20.

    The secondary ASA (which is in Active/Standby) needs its AIP-SSM20 working now, and everything is in production.

    Someone tried to configure this 2nd AIP-SSM, changed the password and lost it, so I tried to re-image it (without password recovery enabled), but the connection to the TFTP server where the AIP-SSM image is fails.

    Now the questions: the Cisco documentation shows the re-imaging commands under ASA#,

    but as this scenario has several virtual contexts, the ASA# shell contains no IP address, as you know (which I suppose is the reason why the ASA cannot download the image from the TFTP server), and when switching to another context (ASA/admin#) the re-imaging commands do not work (hw-module module 1... etc...).

    What is the solution? Is there documentation for it (with security contexts)?

    Thank you very much for reading ;) and commenting on possible solutions.

    Yes,

    Some things to keep in mind.

    (1) Run 'debug module-boot' on the ASA before running the command "hw-module module 1 recover boot". This will show you the ROMMON output of the SSM as it tries to get the new image, and you can look for any errors.

    (2) Before trying to download from the SSM, first use a separate machine to TFTP download from your laptop. This will ensure the TFTP server on your laptop works and confirm what directory (if any) you can use as the file location.

    (3) If the TFTP download does not work from the SSM, then the SSM is unable to properly connect to your laptop. You need a crossover cable to connect your laptop to the SSM. If you don't have a crossover cable, then you could try to connect the SSM and your laptop to a small hub, or configure a new VLAN on your switch with only 2 ports and connect the SSM and your laptop to this 2-port VLAN.

    (4) Also try the download first with the gateway set to 0.0.0.0, since your laptop and the SSM will be on the same subnet. If this does not work then you can try a non-existent address such as 30.0.0.4 as the gateway.

    (5) Understand that the IP address that you specify for the SSM using the command "hw-module module 1 recover configure" is just temporary for the download. Once an image is installed, then session to the module and run the "setup" command in order to configure the permanent address you want to use on the external port of the SSM. The address in the "setup" command can be the same as the one used in the 'hw-module module 1 recover configure' command or a completely new one (as in your case). Just make sure that you connect it to the right network for whatever address you give.

  • The ASA CX Module failover

    Hello

    I haven't deployed a CX module before. We are about to deploy 2x ASA5585-X firewalls with CX modules (for AVC and WSE).

    I'm sure I know the answer to this (I've deployed a lot of OLD ASAs with CSC modules in them, and I'm guessing the CX module behaves the same).

    1. Will a failure of the CX module trigger a failover event (Active/Standby failover)? My guess is not?

    2. If it does not, and the service policy is set to 'fail-closed', this means the client would have to perform a manual failover to the secondary/standby to restore web access - is this correct?

    Pete

    www.petenetlive.com

    Hi Pete,

    1. Will a failure of the CX module trigger a failover event (Active/Standby failover)? My guess is not?

    Yes, it won't fail over your ASA; depending on the configuration, traffic will either be permitted or closed.

    In the If ASA CX Card Fails area, click Permit traffic or Close traffic. The Close traffic option sets the ASA to block all traffic if the ASA CX module is unavailable. The Permit traffic option sets the ASA to allow all traffic through, uninspected, if the ASA CX module is unavailable.

    2. If it does not, and the service policy is set to 'fail-closed', this means the client would have to perform a manual failover to the secondary/standby to restore web access - is this correct? When set to permit traffic on CX failure, there is no need to manually fail over your ASA firewall in the HA pair.

    Step 8: Check the ASA CX traffic flow check box.

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/Quick_Start/CX/cx_qsg.html#wp49530

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa84/configuration/guide/asa_84_cli_config/modules_cx.PDF

  • ASA CX failover

    We have a pair of ASA 5515-X in Active/Standby failover, each with a CX module.

    While the ASAs stay aligned on any configuration change, that is not the case for the CX modules, which seem to be completely independent of each other and must be configured separately.

    We spent a lot of time trying to solve this problem, but without finding the solution:

    Is there a way to keep the same configuration between the CX modules without using Prime Security Manager?
    It is obvious that I cannot propose to a customer who buys a pair of ASAs that they also implement a virtual appliance and purchase a license.

    Best regards

    Claudio

    PRSM in multi-device ("off-box") mode is the only way to maintain automatic synchronization between a pair of CX modules installed in an ASA HA pair.

    Without it, you will need to make the same changes manually in the CX module of each ASA via local PRSM (single-device mode).

  • FAILOVER OF THE ASA

    What is the part number required to enable failover on the ASA?

    You first need the Security Plus license to enable failover if you run an ASA 5510; otherwise, if you're running 5520s and higher, then follow the steps in the example located here:

    http://www.Cisco.com/en/us/customer/products/ps6120/prod_configuration_examples_list.html
