Replace an ASA in a Cluster

I have an active/standby cluster of two ASA5510s and I want to replace one of them, because that ASA5510 is damaged. Both have a CSC-SSM module. What should I consider?

(Licensing, Configuration,...)

In a failover configuration, make sure that both units have the same hardware configuration. They must be the same model, have the same number and types of interfaces, the same amount of RAM, and the same SSMs installed (if any).

The two units do not have to have the same size Flash memory. If you use units with different Flash memory sizes in your failover configuration, check that the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, synchronization of the configuration from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.
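A quick way to check the two rules above before swapping the damaged unit, as an added example that is not part of the original thread: the inventory records below are constructed sample data (field names such as `ram_mb`, `ssm` and `flash_mb` are this example's own, not ASA CLI output), and the check flags both hardware differences and the case where the smaller flash cannot hold the image and configuration files.

```python
"""Pre-swap check for an ASA failover pair (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UnitInventory:
    """Hardware facts about one unit. Field names are this example's own, not CLI output."""
    name: str
    model: str
    interfaces: Dict[str, int]      # interface type -> count, e.g. {"Ethernet": 5}
    ram_mb: int
    ssm: Optional[str]              # installed SSM module name, or None if none
    flash_mb: int


def hardware_mismatches(a: UnitInventory, b: UnitInventory) -> List[str]:
    """Differences that failover forbids: model, interfaces, RAM, SSM (flash is exempt)."""
    problems = []
    if a.model != b.model:
        problems.append(f"model: {a.model} vs {b.model}")
    if a.interfaces != b.interfaces:
        problems.append(f"interfaces: {a.interfaces} vs {b.interfaces}")
    if a.ram_mb != b.ram_mb:
        problems.append(f"RAM: {a.ram_mb} MB vs {b.ram_mb} MB")
    if a.ssm != b.ssm:
        problems.append(f"SSM: {a.ssm} vs {b.ssm}")
    return problems


def flash_fits(units: List[UnitInventory],
               required_files: Dict[str, int]) -> Tuple[bool, int, int]:
    """Flash sizes may differ, but the smaller flash must hold the image and config files.

    required_files maps file name -> size in MB that must exist on both units after
    config sync. Returns (fits, smallest flash MB, total MB needed).
    """
    smallest = min(u.flash_mb for u in units)
    needed = sum(required_files.values())
    return needed <= smallest, smallest, needed


def pair_report(a: UnitInventory, b: UnitInventory,
                required_files: Dict[str, int]) -> Dict[str, object]:
    """Combine both checks into one verdict for the replacement decision."""
    mismatches = hardware_mismatches(a, b)
    fits, smallest, needed = flash_fits([a, b], required_files)
    return {
        "compatible": not mismatches and fits,
        "hardware_mismatches": mismatches,
        "flash_fits": fits,
        "smallest_flash_mb": smallest,
        "flash_needed_mb": needed,
    }


# Constructed sample inventories: the surviving active unit and two candidate replacements.
ACTIVE = UnitInventory("active", "ASA5510", {"Ethernet": 5}, 1024, "CSC-SSM-10", 256)
REPLACEMENT = UnitInventory("replacement", "ASA5510", {"Ethernet": 5}, 1024, "CSC-SSM-10", 64)
NO_SSM = UnitInventory("spare-without-module", "ASA5510", {"Ethernet": 5}, 1024, None, 64)

# Constructed file sizes (MB) the replacement must hold after sync: image, ASDM, config.
FILES = {"asa-image.bin": 30, "asdm.bin": 20, "startup-config": 1}

if __name__ == "__main__":
    print(pair_report(ACTIVE, REPLACEMENT, FILES))   # compatible, 51 MB fits in 64 MB
    print(pair_report(ACTIVE, NO_SSM, FILES))        # rejected: SSM mismatch
```

The flash check is deliberately separate from the hardware check because the two rules differ: a hardware difference is a hard stop, while a smaller flash is fine as long as every file that must be present after sync still fits.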

Tags: Cisco Security

Similar Questions

  • Trying to replace a table in a cluster

    I have a 1D array of a cluster type with 5 elements. One of the elements is a picture that I want to replace. Can someone help me understand how to do this?

    Thank you.

    It would work better if you used the same data type. You have a picture in the cluster and you are trying to replace it with an array of strings.

  • SSL VPN using ASA 5520 mode cluster - several problems

    I configured 2 ASA 5520s in load-balancing cluster mode. I connect using AnyConnect, download the client the first time, and everything works well except Outlook. I don't know why Outlook does not work.

    The second problem is that after the AnyConnect client is installed on a machine, it remembers which ASA (say ASA2) it first connected to, and the GUI shows the IP address of ASA2 instead of the virtual IP address of the cluster. I want users to always connect using the virtual IP address.

    The third problem I have is that there is a default SSL VPN group and I want all users to use this group. On the initial web page there is a drop-down menu which shows this group, but I would still like to disable this drop-down menu.

    Any suggestions?

    To disable the drop-down menu, you can turn it off with the command

    webvpn

    no tunnel-group-list enable

    This will take care of your last issue.

    ***************************

    You can create an AnyConnect client profile with the name of the server you want to connect to and have the ASA push it; that will solve your virtual IP problem.

    **************************

    Regarding Outlook, do you use specific ports that the ASA inspects? Take a look at the inspection list on the ASA and perhaps try disabling the inspection and see if it works.

    *****************************

  • Replace the master VCS counterpart cluster (hardware failure)

    We need to replace a faulty Cisco VCS in a cluster. The peer was the master before failing.

    If I understand the cluster documentation, we need to remove the VCS from the cluster and add it back in.

    My question is: will this incur any interruption of online service on the cluster itself? Must the existing VCS peers or the replacement be restarted, etc.?

    the cluster is running X7.1

    Thank you

    David

    Hi David,

    No, the cluster will remain operational, just with one less VCS in it.

    Obviously, all calls that are active on the VCS that you delete will be affected, but the activity of the cluster as a whole will not (the other VCS devices you have in the cluster will keep running without any restart being required).

    Check out the VCS Cluster Creation and Maintenance guide for complete instructions.

    Wayne
    --
    Remember to rate helpful responses and mark your question as answered as appropriate.

  • How to replace the element in the cluster in a table?

    Hello

    I understood that the better choice is to initialize the array first and replace the items in the array instead of inserting the new item into the array, for example in a while loop.

    So I started to evaluate this, since I asked, where I want to read a lot of measurements from a txt file and display them in an XY graph. The XY graph must show the Y value, and the corresponding X value is red if it is out of range and green if it is in range. I found a solution to do it with an array of clusters.

    In the attached example I have shown two different methods. My problem is that the upper solution does not display all of the measurements. Can someone tell me what I am doing wrong?

    Kind regards

    Petri

    I changed your top VI so that it works. Please take a look and see what I've done. It is also much faster.

  • replacement of a cluster member

    I have been testing a 2-node VSA cluster for the past few days and have been very happy with the results.

    However, I am stuck at the point where I try to simulate a complete crash of one of the cluster members. Assume that 2 or more drives failed on one member and the ESXi on this server is unbootable. The 2nd member is able to take over the entire VSAD and the VMs.

    After I had the hard drive replaced and reinstalled ESXi (of course adding the ESXi host to the cluster in VC), I cannot completely replace the member. If I click on 'Replace' for the appliance, I get a 'network not available' error.

    "Enter VSA Cluster Maintenance Mode" and "Reconfigure Network Mode" all seem to hang at the progress bar overnight. I closed my client and reconnected, and the status bar disappeared, meaning I can still click on the page.

    How can I replace a member of the cluster with a new ESXi installation in the event of complete failure of the server?

    I understand the state you are in now. We need to look at the logs, or it may be easier to recreate the cluster.

    The procedure for replacing a node contains the following:

    1) once the ESXi host and VSA appliance are greyed out, do NOT delete them

    2) reinstall the failed host as you did before, except use a different hostname/IP address for the host (caveat for 1.0)

    3) add it to the datacenter in VC

    4) go through the Replace Appliance wizard

    When the replacement is complete, you can remove the greyed-out ESXi host.

    Takeaways: do NOT remove the greyed-out ESXi host or VSA VM, and do NOT reuse the same IP address/hostname after reinstallation.

  • Writing only to certain parts of the cluster in an array by reference

    Hello

    I have an array of clusters that I use both to view and to enter data, i.e. some elements of the cluster are unmodifiable (disabled) controls used as "fake" indicators (numeric values, strings, LEDs) and some are normal controls (numeric values, buttons).

    The "indicator" part of this cluster array must be constantly updated (for example with motor positions), normally by replacing the relevant cluster elements in a loop and writing the array back. This can lead to race conditions with the "control" part: if the user enters data in a control at a "bad" moment, it gets immediately overwritten by the old value. In this case the update process began just before the user input and completed just after it (a simple click is enough), so the old control values are written back over the user's entries, since the array has to be rewritten as a whole.

    Now I'm looking for a solution to this critical race condition without changing this "mixed" control/indicator approach (e.g. separate control and indicator arrays next to each other with paired scrolling or similar, which would make the GUI design much uglier, among other disadvantages). I know that it is possible to change the value of a cluster element without rewriting the entire cluster by using the element's reference. However, it's more complicated if you have an array of clusters, because you want the cluster at a certain array index, and to my knowledge there is no property that gives you, for example, the reference to the array element located at a certain index (a long-standing gap in LabVIEW's array manipulation). If you change the "value" property of a cluster element in an array, it seems to affect the "last active" element of the array, or at least it is correlated with the array element that was clicked last. Maybe there's a way to somehow programmatically set that "last active" array element and walk through the array that way (setting the corresponding cluster elements by reference), or maybe someone knows a "nice" and elegant solution?

    I hope you understand what I mean

    Thanks in advance!

    To avoid such race conditions, make sure that what you write to the array is changed in the same place and that you write only the data for the indicators. Practically, this means that if you have an event for the control's value change, you must have another event case in the same structure for updating the indicators (timeout or a user event) and make sure that the indicator event takes the rest of the data from the current value (for example through a terminal, a local variable, or the DVR Steve suggested). Similarly, you can use the control's terminal to get the control's current value for the indicators rather than depending on the event containing the correct value.

  • Add to an array of cluster (cluster)

    Hey guys,

    I am trying to add a cluster as a new item to an existing array of clusters. I cannot find any block/function that does this.

    Thanks in advance for your answers,

    Adrian

    As I said, you must either add the Bundle function to put the cluster into a cluster on the wire that broke, or replace the Build Cluster Array function with a Build Array function. If you use the Bundle function, you have to drag it to make a single input instead of the normal two. For my money, it would be simpler to use Build Array instead of Build Cluster Array.

  • CSM 4.1 - ASA configuration file backup via TFTP

    I'm fairly new to CSM, so this may be a newbie question. In the "old days" we would write mem to save the running configuration to startup, and then write net to save the running configuration to a file on a TFTP server. But now that we use CSM, there is no write net that happens during the deployment of a config change. The actual configuration is saved in CSM somewhere, since we actually change it there before deploying a change, right? But isn't it in a format where I could replace a failed ASA by "copy startup-config tftp"?

    I read where you can "Preview Config" and then copy/paste the "ASA (Full)" configuration, but there is one major flaw in this plan. The displayed output masks all passwords, i.e. enable, passwd, TACACS+ and RADIUS keys, local username passwords. Besides, copy/paste was never the best option to set up initially, or to replace a failed unit. You just hope the running configuration doesn't interfere with what you paste (the factory DHCP config comes to mind).

    Is there a function where I can export the entire configuration to a file that matches the full startup configuration? Or is there a function where I could have the ASA periodically "write net"?

    You can configure a FlexConfig on one or several ASAs to run the copy command before and/or after a config deployment. I just tested this on my CSM 4.2 server and it worked. You will want to use the /noconfirm option so that the terminal does not present interactive prompts to CSM.

  • ASA 1000V and ASA 5500

    I hope someone can help me to answer this question:

    Currently we have redundant FWSMs and are considering a migration to standalone ASA 5500 series firewalls. However, we have a complete VMware environment and are looking at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I don't understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V.

    Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a single firewall solution, or is an ASA 5500 still necessary?

    Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?

    Thanks for your help.

    -Joe

    It depends on what you are using the ASA5500 series for now. If you use the ASA5500 for remote access VPN and AnyConnect VPN, those are not supported on the first version of the ASA1000V yet.

    Here's the Q & A on ASA1000V which includes more information:

    http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps12233/qa_c67-688050.html

    Hope that answers your question.

  • Information on the ASA 55xx

    Hello

    I'm starting to read about ASA 55xx in Cisco's Web site. But after a good read, I have a few questions...

    1. In the Cisco docs on the ASA55xx, I see "Maximum simultaneous AnyConnect or clientless VPN sessions" and "Maximum simultaneous site-to-site and IPsec IKEv1 VPN sessions" (e.g. 750 each): so are the maximum concurrent sessions 750 + 750 (AnyConnect + site-to-site), i.e. do I have to add both types of sessions? Or what are the maximum concurrent sessions (of each type) on an ASA5520?
    2. So, at this point, if I want 750 AnyConnect sessions and 750 site-to-site sessions, what license should I buy? ASA5500-SSL-750? ASA-VPN-1000? Or what else?
    3. So, what are the "shared" licenses? Where and when do I need to buy them?

    Thanks in advance.

    Bye

    The platform and required capabilities are licensed as indicated in the product data sheet:

    Up to 750 AnyConnect and/or clientless VPN peers can be supported by each Cisco ASA 5520 by installing an AnyConnect Essentials or Premium VPN license; 750 IPsec VPN peers are supported on the base platform. VPN resilience and capacity can be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing features. The Cisco ASA 5520 supports up to 10 appliances in a cluster, offering a maximum of 7500 AnyConnect and/or clientless VPN peers or 7500 IPsec VPN peers per cluster.

    Summarizing:

    The ASA 5520's 750-peer site-to-site VPN capacity is in the base license/product (part number ASA5520-BUN-K9 or ASA5520-K8, depending on whether you are eligible to buy the strong encryption (-BUN-K9) version).

    The AnyConnect user licenses required depend on whether you need AnyConnect Essentials or Premium. The AnyConnect data sheet describes the differences. Essentials is a license that allows up to 750 users on the device at the same time. Premium (which cannot be loaded at the same time as Essentials) requires licenses to be bought according to the tiered per-user scheme.

    Shared licenses are shared between ASAs in a cluster (2 or more units configured together).

    There is the concept of licenses in a failover cluster (2 units). It's automatic, i.e. the license numbers are additive and shared up to the capacity of the platform. The ASA5500-SSL-750 part would be used in this configuration.

    There is also the concept of an AnyConnect Premium Shared license server. In this system, the shared server allocates licenses in 50-unit blocks to the cluster member ASAs as they need them. The ASA-VPN-1000 part number you mention is used in this kind of configuration.

  • Call the DLL function with a pointer to a complex structure

    Hello

    I am trying to call a function using the Call Library Function Node. My problem is the function parameters that I'm trying to access.

    Here is the function and its parameters:

    /* Declarations assumed so this excerpt compiles stand-alone; the original DLL
       defines them elsewhere and the real values are not in the post. */
    #include <stddef.h>
    typedef unsigned long ULONG;
    #define DLLIMPORT
    enum {
        PCICORE_SUCCESS = 0,
        PCICORE_DEVICE_NO_FOUND,
        PCICORE_DEVICE_NO_INITIALIZE,
        PCICORE_INVALID_PARAMETER
    };

    typedef struct _BAR_INFO
    {
        ULONG dwSize;
        ULONG dwFlag;
    } BAR_INFO, *PBAR_INFO;

    typedef struct _DEVICE_INFO
    {
        ULONG dwBarNum;
        BAR_INFO BarInfo[6];   /* fixed-size array inside the struct */
    } DEVICE_INFO, *PDEVICE_INFO;

    /* Per-device table the DLL keeps internally; layout inferred from the uses below. */
    struct { void *DevHandle; DEVICE_INFO DevInfo; } DevTable[8];
    unsigned int DevNum;       /* number of devices currently in DevTable */

    DLLIMPORT int GetDeviceInfo(
        unsigned int DevNo,    /* index into DevTable; the parameter name was garbled in the post */
        PDEVICE_INFO pdevinfo  /* caller-supplied struct that receives the copy */
    )
    {
        ULONG i;

        if (DevNo >= DevNum)
            return PCICORE_DEVICE_NO_FOUND;

        if (DevTable[DevNo].DevHandle == NULL)
            return PCICORE_DEVICE_NO_INITIALIZE;

        if (pdevinfo == NULL)
            return PCICORE_INVALID_PARAMETER;

        /* Copy the BAR count and then each BAR's flag and size into the caller's struct. */
        pdevinfo->dwBarNum = DevTable[DevNo].DevInfo.dwBarNum;
        for (i = 0; i < pdevinfo->dwBarNum; i++)
        {
            pdevinfo->BarInfo[i].dwFlag = DevTable[DevNo].DevInfo.BarInfo[i].dwFlag;
            pdevinfo->BarInfo[i].dwSize = DevTable[DevNo].DevInfo.BarInfo[i].dwSize;
        }

        return PCICORE_SUCCESS;
    }

    Attached is the Get Device Info.vi that tries to access this function. The code crashes when the function is called.

    I have probably not passed the data parameters correctly to the Call Library Function Node.

    Thank you for your insight.

    A fixed-size array in C is equivalent to a LabVIEW cluster that contains the same number of identical items, so replace the array with a cluster. In addition, structs are always passed by reference and the C function expects a pointer to a structure, so you don't need to unbundle. Pass the cluster to the function as a single parameter. Try the attached revised version of your VI.

  • CANdo dll driver

    Hello NI forum,

    I'm doing a driver for CANdo

    http://www.canAnalyser.co.UK/candosdk.html

    I tried to make the clusters that are typedefs; when I run it I get return value 4, which means that a CANdo device is not present, and when I insert it in the USB port LabVIEW crashes.

    I'm not sure what I'm doing wrong. I hope that someone could tell me whether the way I use the function is wrong.

    The function I am using is:

    CANdoGetDevices; it's on page 5, and the typedef is described in Appendix A.

    / Marck

    Let's look at the data type that you pass to the DLL.  There are two problems:

    (1) you are seeing the classic "fixed size array within a struct" problem, as explained in many places, for example http://forums.ni.com/t5/LabVIEW/Passing-a-cluster-with-array-to-a-dll/m-p/1063907.  You cannot pass a LabVIEW array inside a cluster as a fixed-size array inside a structure; you will need to replace the array with a cluster containing the exact number of items.

    (2) you must pass an array of TCANdoDevice, rather than a single element.

  • AnyConnect VPN licenses

    Hello

    I want to know what is meant by a licensed ASA supporting a maximum of 10000 or 5000 AnyConnect or clientless VPN user sessions. I am referring to the link http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

    Does this mean that at a given point in time only 10000 or 5000 users can connect via AnyConnect VPN, or does it mean something else?

    In my organization I have 25000 employees and all need SSL VPN to access some resource or other on the company's intranet. I want to offer AnyConnect VPN to users. How can I achieve this with the license restriction of a maximum of 10000 users?

    Thanks in advance

    Deepak Khemani

    The license counts you mention above are for concurrent (simultaneous) users. If you need more than 10,000 concurrent clientless VPN users, you need to use several ASAs.

    You could use a shared license on one ASA acting as the server and allocate licenses from it (up to 500,000 may be installed on the shared license server) as they are needed by the cluster member ASAs.

  • IP overlap between VPN remote access and the inside interface

    Hi all

    I tried to replace an ASA and configured remote access VPN using the Cisco VPN client.

    Remote access users are not able to access the inside network, but have no problem accessing the network through a site-to-site VPN.

    One thing to note is that remote access VPN users are assigned an ip address of 10.X.3.1 - 10.X.3.200 mask 255.255.255.0. The inside interface is on 10.X.1.2 255.255.0.0.

    Remote access users will have no problem to access within the network if the pool of the vpn client is changed to 192.168.1.1 to 192.168.1.100.

    ASA errors

    6 January 7, 2012 16:25:08 302013 10.X.3.1 27724 3389 10.X.1.66 built of TCP connections incoming 20940 for outside:10.X.3.1/27724 (10.X.3.1/27724)(LOCAL\Cisco) at inside:10.X.1.66/3389 (10.X.1.66/3389) (Cisco)

    6 January 7, 2012 16:25:08 106015 10.X.1.66 3389 10.X.3.1 27724 Deny TCP 10.X.1.66/3389 to 10.X.3.1/27724 flags SYN ACK on dmz interface (no link)

    I understand that the overlap between the remote access VPN IP address range and the inside interface network will cause routing problems, but why does the SYN-ACK appear on the DMZ interface? The DMZ interface is on IP address 172.16.Y.1 255.255.255.0.

    I intend to narrow the inside interface to 10.X.0.0 255.255.254.0 if it is in fact a routing problem due to the overlapping IP addresses, but I want to understand why the SYN-ACK comes from the dmz interface and whether the diagnosis of the problem is correct. I checked with the customer and was informed that the existing design works on another ASA with no such problems.

    I agree what you said and also tried, but it does not work.

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap

    Solution, which you already know:

    Solution

    Always ensure that the IP addresses in the pool assigned to VPN clients, the internal network of the head-end, and the internal network of the VPN client are in different networks. You can assign the same major network with different subnets, but this sometimes causes routing problems.

    Thank you

    Ajay
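The rule in Ajay's answer is easy to check mechanically before a pool is committed. The following is an added example, not code from the original thread: the interface addresses are constructed from the thread's redacted 10.X / 172.16.Y values (10.1 and 172.16.5 here), the function names are this example's own, and it also tests the asker's plan of narrowing the inside mask to 255.255.254.0.

```python
"""Check a remote-access VPN pool against the firewall's interface subnets (added example)."""
import ipaddress
from typing import Dict, List, Tuple


def pool_blocks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Turn a pool range (as given to 'ip local pool') into the CIDR blocks it spans."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def overlapping_interfaces(first: str, last: str,
                           interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (interface, subnet) for each interface whose subnet overlaps the pool.

    interfaces maps interface name -> 'address/prefix' as configured on the unit.
    A non-empty result means return traffic to pool addresses can be routed to a
    directly connected interface instead of back through the VPN tunnel.
    """
    blocks = pool_blocks(first, last)
    hits = []
    for name, cidr in interfaces.items():
        net = ipaddress.IPv4Network(cidr, strict=False)   # host bits allowed in input
        if any(net.overlaps(block) for block in blocks):
            hits.append((name, str(net)))
    return hits


# Constructed interface addressing modelled on the thread (10.X -> 10.1, 172.16.Y -> 172.16.5).
INTERFACES = {
    "inside": "10.1.1.2/16",       # 255.255.0.0, as in the thread
    "dmz": "172.16.5.1/24",
    "outside": "203.0.113.2/30",   # documentation range, constructed
}

if __name__ == "__main__":
    # The thread's pool 10.X.3.1-200 sits inside the /16 on the inside interface.
    print(overlapping_interfaces("10.1.3.1", "10.1.3.200", INTERFACES))
    # The pool that worked for the asker does not overlap anything.
    print(overlapping_interfaces("192.168.1.1", "192.168.1.100", INTERFACES))
    # The asker's plan: shrink the inside mask to 255.255.254.0 (/23).
    print(overlapping_interfaces("10.1.3.1", "10.1.3.200", dict(INTERFACES, inside="10.1.1.2/23")))
```

Run this against every interface on the unit, not just inside: a pool that lands inside a DMZ or management subnet produces the same misrouting, and the check costs nothing.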
