Stateful FailOver
Hello
Is it possible to use a virtual interface on the PIX (when 802.1q trunking is enabled) for stateful failover information?
A serial cable will always be used for regular failover.
Kind regards
Naman
Naman,
No, sorry. The stateful failover link must remain a dedicated physical interface because of the huge amount of traffic that is sent over this connection in most cases. I hope this helps.
Scott
Tags: Cisco Security
Similar Questions
-
Is stateful failover supported for IPsec VPN in FOS 6.3?
SAJ
Hello Saj,
Unfortunately not... stateful failover replicates information such as:
TCP connection table, UDP, xlate table, ports, H.323, PAT port allocation table...
but it does not replicate data such as:
user authentication (uauth) table
ISAKMP / IPsec SA table
ARP table
routing information
Therefore, in the case where the primary goes down, the IPsec VPN will be re-formed on the failover unit... Meanwhile, the user will not be able to access the applications...
I hope this helps... all the best... please rate the responses if deemed useful...
REDA
-
Stateful failover active/standby
Hello guys.
I have two ASAs, same model and hardware. Stateful failover active/standby was configured on the ASAs by someone a few years ago. It worked normally until recently and no one changed the configuration. Then the secondary unit can't. Ping between the 2 interfaces is OK. Please help me solve this problem.
on the primary site
interface Management0/0
 description STATE Failover Interface
 management-only
interface GigabitEthernet1/1
 description Failover LAN Interface
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/1
failover link STATE Management0/0
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover interface ip STATE 172.16.0.1 255.255.255.0 standby 172.16.0.2
on the secondary site
interface Management0/0
 description STATE Failover Interface
 management-only
interface GigabitEthernet1/1
 description Failover LAN Interface
output of show failover on PRIMARY
F1# show run failover
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/1
failover link STATE Management0/0
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover interface ip STATE 172.16.0.1 255.255.255.0 standby 172.16.0.2
F1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 08:03:11 ULAST Jan 1 2003
        This host: Primary - Active
                Active time: 5755203 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (10.2.5.1): Normal (Waiting)
                  Interface Internet (202.131.225.90): No Link (Waiting)
                  Interface Backup1 (10.3.5.1): Normal (Waiting)
                  Interface server (192.168.227.1): Normal (Waiting)
                  Interface Bank (10.20.1.1): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (0.0.0.0): No Link (Waiting)
                  Interface Internet (0.0.0.0): No Link (Waiting)
                  Interface Backup1 (0.0.0.0): Normal (Waiting)
                  Interface server (0.0.0.0): Normal (Waiting)
                  Interface Bank (0.0.0.0): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
        Link : STATE Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         76184539   0          767513     6
        sys cmd         767328     0          767326     1
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        25878669   0          11         5
        UDP conn        40545710   0          40         0
        ARP tbl         8987688    0          136        0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKE upd     1140       0          0          0
        VPN IPSEC upd   4004       0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       7       6522961
        Xmit Q:         0       34      106685671
output of show failover on SECONDARY
F1# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 256 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 03:36:23 ULAST Dec 15 2013
        This host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (0.0.0.0): No Link (Waiting)
                  Interface Internet (0.0.0.0): No Link (Waiting)
                  Interface Backup1 (0.0.0.0): Normal (Waiting)
                  Interface server (0.0.0.0): Normal (Waiting)
                  Interface Bank (0.0.0.0): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Primary - Active
                Active time: 5743217 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Backup2 (10.2.5.1): Normal (Waiting)
                  Interface Internet (202.131.225.90): No Link (Waiting)
                  Interface Backup1 (10.3.5.1): Normal (Waiting)
                  Interface server (192.168.227.1): Normal (Waiting)
                  Interface Bank (10.20.1.1): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
        Link : STATE Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         765518     0          35843181   874
        sys cmd         765518     0          765516     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          12671303   80
        UDP conn        0          0          13432853   133
        ARP tbl         0          0          8968384    661
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKE upd     0          0          1137       0
        VPN IPSEC upd   0          0          3988       0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       9       72011189
        Xmit Q:         0       1       765518
You have a couple of No Link interfaces on your secondary as well as a No Link message on your primary.
Interface Backup2 (0.0.0.0): No Link (Waiting)
Interface Internet (0.0.0.0): No Link (Waiting)
I recommend that you check these cables. Don't forget that unless you changed the default configuration, a failure of a single interface, or even connectivity problems between an interface on the two ASAs, causes a failover.
If this does not help, try entering the monitor-interface command for the interfaces.
--
Please do not forget to rate and choose a good answer.
-
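The reply above amounts to a short checklist over the show failover output: a Failed peer, interfaces reporting No Link, interfaces still Waiting for peer hellos, and the state link itself. The script below, added here and not code from the thread, parses output in that format and prints those findings. SAMPLE is a constructed excerpt that mirrors the poster's output; the interface names, addresses and states in it are assumptions.

```python
"""Added example (not from the thread): parse `show failover` output and
flag the conditions the reply above checks for. SAMPLE is constructed to
mirror the poster's output; names, addresses and states are assumptions."""
import re

SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Interface Policy 1
        This host: Primary - Active
                Active time: 5755203 (sec)
                  Interface Backup2 (10.2.5.1): Normal (Waiting)
                  Interface Internet (202.131.225.90): No Link (Waiting)
                  Interface Backup1 (10.3.5.1): Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                  Interface Backup2 (0.0.0.0): No Link (Waiting)
                  Interface Internet (0.0.0.0): No Link (Waiting)
                  Interface Backup1 (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
        Link : STATE Management0/0 (up)
"""

# "This host: Primary - Active" / "Other host: Secondary - Failed"
HOST_RE = re.compile(r"^\s*(This host|Other host): (\w+) - (\w+)\s*$")
# "Interface Internet (202.131.225.90): No Link (Waiting)"
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?) \((\w+)\)\s*$")
# "Link : STATE Management0/0 (up)"
LINK_RE = re.compile(r"^\s*Link : (\S+) (\S+) \((\w+)\)\s*$")


def parse_show_failover(text):
    """Return per-host role/state/interfaces plus the stateful link status."""
    hosts, state_link, current = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)  # interfaces that follow belong to this host
            hosts[current] = {"role": m.group(2), "state": m.group(3), "interfaces": []}
        elif (m := IFACE_RE.match(line)) and current:
            hosts[current]["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2), "link": m.group(3), "monitor": m.group(4)})
        elif m := LINK_RE.match(line):
            state_link = {"name": m.group(1), "interface": m.group(2), "status": m.group(3)}
    return {"hosts": hosts, "state_link": state_link}


def failover_findings(parsed):
    """The first checks a troubleshooter makes on this output, as plain strings."""
    findings = []
    for host, info in parsed["hosts"].items():
        if info["state"] == "Failed":
            findings.append(f"{host} ({info['role']}) is Failed")
        for i in info["interfaces"]:
            if i["link"] == "No Link":
                findings.append(f"{host}: {i['name']} No Link (check cable and switch port)")
        waiting = [i["name"] for i in info["interfaces"] if i["monitor"] == "Waiting"]
        if waiting:
            findings.append(f"{host}: {len(waiting)} monitored interface(s) still Waiting for peer hellos")
    link = parsed["state_link"]
    if link is None or link["status"] != "up":
        findings.append("stateful link is not up: state replication cannot work")
    return findings


if __name__ == "__main__":
    for finding in failover_findings(parse_show_failover(SAMPLE)):
        print(finding)
```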
ASA 5540 stateful failover routing errors
Hello
Having two 5540s configured in a failover scenario. Made the LAN failover and stateful failover. *See attachment*.
The failover LAN uses 192.168.2.1 as active and 192.168.2.2 as standby, with a /30 subnet mask. On both, LAN failover uses G0/2 and there is a crossover cable connecting them.
The stateful failover uses 192.168.3.1 as active and 192.168.3.2 as standby, with a /30 subnet mask, with "enable HTTP replication" checked in ASDM. On both devices stateful failover uses G0/3 and there is a crossover cable connecting them.
The ASDM syslog logs errors every 10 seconds or so saying:
SOURCE IP ADDRESS: 192.168.3.1
DESTINATION IP: 192.168.3.2
Description:
"Routing could not locate the next hop for igrp NP identity 192.168.3.1/0 in statefull:192.168.3.2/0".
The ASAs use static routes to reach the network; there are two of these routes, and both are in the 10.x.x.x network. No routing protocol is in use.
I don't know why these errors are "spamming" my syslog and would like to get rid of them.
Glad to hear that it works, that's the most important thing. I don't mean to preach, but Cisco does not recommend using crossover cables to fail over on. Devices cannot always tell which one should be the master and it usually causes more issues than a simple link down.
-
IPsec stateful failover using two 4507RE switches
Hello
I tried to find configuration guides for cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG, with entservices license.
We have an immediate need to build an HA IPsec VPN on two 4507RE switches, in the meantime while the new ASAs are being configured. I don't think that we can do it in an HA configuration.
Advice is welcome.
Thank you
Nick
Nick,
IPsec is not supported on the cat4500 platform.
We are working on removing the new IKE/IPsec commands in IOS XE:
http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuh60386
M.
(Edited typos)
nicholas boran wrote:
Hello
I have been trying to find the configuration guides for a cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG, with entservices license.
We have an immediate requirement to build a HA IPSEC VPN from two 4507RE switches, while we wait for new ASAs to be provisioned. I don't think we can do it in HA setup.
Advice is very welcome.
Thanks
Nick
-
Are standby IP addresses required on all interfaces monitored for failover?
Hi all
I need clarification on an interesting issue that I observed during the configuration of an active/standby installation using 2 x Cisco 5525 with version 8.6;
Here is the configuration: we have 4 subnets that we need to keep separate. I have each of the ASAs connected to the different subnets. However, only 1 subnet has a standby IP address configured while all other subnets have only an active address on the active firewall. As this is a failover scenario, I have 2 interfaces for LAN and stateful failover.
I just tested the failover on 2 subnets without any standby IP address and to my surprise, everything seems to work as expected. I just need clarification on why we need standby addresses on the monitored interfaces when clearly the setup can work without any configured. Are there implications, for instance, without standby IP addresses?
Thank you
Especially in your setup many things can happen that cannot be recognized by the ASA without a correct failover setup. This could be a malfunctioning port in your infrastructure, for example.
But let's approach it the other way around: what advantages do you see in implementing it in a non-standard way? Or what kind of problems do you expect? Usually the standby IP is not configured only if there is no IP address, for example on the outside interface.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Cisco IOS IPsec failover | Route-based VPN with HSRP
I can find redundancy of IPsec VPN using policy-based VPN with HSRP.
Any document which covers redundancy of route-based VPN with HSRP?
OK, I now understand the question. Sorry, I have no documents for this task.
I can see in the crypto ipsec profile that you use under the Tunnel interface configuration to enable the protection, you can configure the redundancy:
cisco(config)#crypto ipsec profile VTI
cisco(ipsec-profile)#?
Crypto Map configuration commands:
  default         Set a command to its defaults
  description     Description of the crypto map statement policy
  dialer          Dialer related commands
  exit            Exit from crypto map configuration mode
  no              Negate a command or set its defaults
  redundancy      Configure HA for this ipsec profile
  responder-only  Do not initiate SAs from this device
  set             Set values for encryption/decryption
cisco(ipsec-profile)#redundancy ?
  WORD  Redundancy group name
cisco(ipsec-profile)#redundancy MRT ?
  stateful  enable stateful failover
I suppose that it is the same as crypto map redundancy. But no documentation or examples found...
-
PIX failover: failover cable disconnected and active unit off
Hi all
We have 2 PIX 515E 6.3(3) in a failover configuration (not stateful failover). Basically, the failover works very well. Recently, we did some failover testing and had the following situation:
When we force failover on the active PIX while the failover cable is disconnected, the standby box stays inactive and does not change to the active state.
Is this the 'normal' behavior or is there something wrong?
Thank you for your response.
Daniel Ruch
Daniel,
As mentioned previously, the behavior you report is expected. If the failover cable is removed from a PIX failover pair while running, each PIX will maintain its state as the active or standby PIX. Removing the failover cable in effect disables failover on both units to avoid having two devices moving to an active state.
Does that make sense? I'm still confused about *why* you test this though. Is this something you think will happen in your environment?
Scott
-
PIX 6.3(4) failover strangeness with VLANs
I have a 535 6.3(4) failover pair running and have experienced strange things while trying to get stateful failover to work. We use the serial cable for failover and a dedicated GE for the state traffic via a directly connected crossover cable. We have a mix of standard non-VLAN'ed interfaces, but also a physical i/f carrying ~10 VLANs. We are well within the limits of i/fs allowed on the PIX so that isn't a problem. Also the
VLAN'ed i/f on the two firewalls connects via an 802.1q trunk on the same Procurve 9315 switch. All the required VLANs are configured as tagged on the two ports on the switch.
The problem we had was that all the VLAN-based interfaces and the physical i/f associated with these VLANs were perpetually in the Waiting state and we had no stats in the state section of the 'show fail' command, which implies to me that stateful failover was not in fact working. Failover works and traffic passes regardless of which firewall is active.
Based on things I've read I concluded that the problem is probably that 'Hello' messages were not being seen on each VLAN. So I did a bunch of captures on the different VLAN i/fs of the PIX expecting to see outgoing Hellos from the local unit, but saw nothing. Then I had a thought that maybe they were sent out untagged on the physical i/f, so I made a capture on it and also got nothing other than the Hellos going out on the physical interface.
What we did that fixed it was to add the physical VLAN to the list of allowed tagged VLANs on the firewall-connected switch ports. As if by magic the physical i/f went to the Normal state, as did all the VLAN interfaces, and we started to get statistics in the state section of the show fail command output.
And yet a capture on any of the VLAN interfaces still does not show the Hellos, and a capture on the physical interface now displays the bidirectional Hellos for the physical LAN. Weird.
So my questions are:
1> Why are the VLAN interfaces dependent on their physical i/f for failover? I was told that you need not have any IP or nameif configured on the physical i/f, it just must be enabled for the VLAN i/fs to work.
2> How are the VLAN i/fs passing Hellos to each other?
I can include my config if that helps.
Peter
Peter,
(1) Why is a good question. AFAIK that is according to the doc (same link below):
"When you set up failover for a VLAN interface, Hello packets are sent through the physical interface, so the physical interface must be configured with an IP address."
(2) I don't think that they are:
One of the guides:
"Note that failover is supported with VLAN interfaces. But the failover lan interface command does not support VLAN interfaces, nor does the failover link command."
So basically it looks like hello packets are sent only on physical interfaces (dumped on whatever vlan you put them) and the VLANs will "failover" if the pix does, but if you had a failure in one particular vlan the pix would not notice it until the physical interface the vlan has been assigned to failed.
Of course, it works in the equivalent level of FWSM code - but the FWSM never had physical interfaces.
The 7.x train supports subinterfaces, obviously.
-Jason
Please rate this message if it helps!
-
ASA 8.3 - WebVPN and failover (Act/Stby)
In older versions of the code WebVPN wasn't a feature supported on the ASA with failover, however in 8.x and specifically 8.3 the release notes no longer list it as a feature not supported - does that mean that WebVPN is fully supported with failover (Act/Stby) in 8.3?
I can see on my 8.3 Act/Stby failover pair the basic "CLI" WebVPN config replicate as you can imagine, but I don't see that the XML config file (used in the 8.x train) for things such as portal customization or bookmarks replicates to the standby ASA.
I see the XML-based WebVPN config file using ASDM on the standby ASA, and it eventually times out when you try to browse the portal customization or bookmarks.
Does the XML-based WebVPN config file get replicated in a failover pair?
Or if not, how do the contents get to the other box?
Thank you
SEZ
According to the following document, it states that:
"In Version 8.0 and later, some elements of the WebVPN configuration (such as bookmarks and customization) use the VPN failover subsystem, which is part of Stateful Failover. You must use Stateful Failover to synchronize these elements among the members of the failover pair. Stateless (regular) failover is not recommended for WebVPN."
http://www.Cisco.com/en/us/docs/security/ASA/asa83/configuration/guide/ha_overview.html#wp1078936
If you have enabled stateful failover, and bookmarks and customization for the WebVPN portal are still not replicated to the standby, I suggest that you open a TAC case in order to investigate the issue.
-
Stateful failover solution for vShield Edge on the roadmap?
Sorry, this was posted in the vShield community as well but got no response, so trying here as well:
As many VSE devices can be deployed in an ORG which uses several external networks, the VSE GW devices (VMs) become crucial for this ORG.
FWs normally have a failover mechanism of some type, in order to maintain open sessions by having the primary FW replicate to the backup FW, so if the primary fails
sessions are not disconnected.
Now, you mention the VSE VM is monitored and uses normal VMware HA as a "regular" VMware virtual machine, so I guess that a new VSE is launched as the replacement GW on a free ESX host...
My questions are:
1. How long will it take the backup VSE to replace the primary?
2. What happens to sessions through the VSE which has failed?
3. If the sessions are all dropped and re-initiated by ORG VMs after the new VSE is up - do you have "stateful failover" capability on the roadmap for VSE?
Now, you mention the VSE VM is monitored and uses normal VMware HA as a "regular" VMware virtual machine, so I guess that a new VSE is launched as the replacement GW on a free ESX host...
It is NOT a new VSE, it's the same VSE appliance on a different host. This is what HA does. HA is not application aware, only aware of the status of the host. In addition, you can enable VM monitoring which can monitor the "guest operating system" to see if problems occurred at this level, and if so the virtual machine can be restarted. Again, it is the same virtual machine that is restarted.
Good suggestion for the roadmap, it is something that I have suggested some time ago. As Massimo also asserts, it is perhaps worth trying to get a contact at VMware to get the topics covered at an appropriate level,
Thank you
Duncan
VMware communities user moderator | VCDX
-
ASA-SSM-20/40 IPS software upgrade question
I'm looking to upgrade the IPS modules (ASA-SSM-20 and ASA-SSM-40) on two different ASAs to ver 7.1(11)E4 under this field notice:
http://www.Cisco.com/c/en/us/support/docs/field-notices/640/fn64080.html
My question is around whether traffic through the firewall is affected during this update and the subsequent restart of the IPS module.
On the ASAs, a service policy is in place that will allow the traffic in the case where the IPS module becomes unavailable. Is that what will actually happen during the update?
Suggestions and comments are welcome.
Thanks in advance.
John
If your IPS is inline and set to fail open then the traffic through the ASA (assuming a standalone ASA that is not part of an HA pair) will not be affected when the IPS service module reloads.
If an ASA is in an HA pair and a service module (ips, cxsc, or sfr) fails, it will by default trigger a failover event. (ASA 9.5 introduces the possibility to change this behavior.) The result is the same - no service interruption (although TCP connections may need to be re-established if you have not configured stateful failover).
-
Loading PDM on an upgraded PIX 525 pair
Hello
Recently updated a pair of PIX 525s to 6.3(3) running in stateful failover and want to load PDM on them. I have some queries:
(1) Because they are in the production environment, do you need to reload the PIX for PDM to work?
(2) Is there a recommended way to install PDM on a live PIX pair?
(1) No reload is required.
(2) The installation is no different. The only thing to note is that you will need configuration mode on the standby firewall, which will generate a warning. You can ignore it. When you're done, use 'write standby' on the active firewall as a precaution.
-
S-S VPN between ASA and ASR1001
Hello
We have 2 ASR routers connected to the ISP at headquarters and there are new remote sites that must be connected to HQ over site-to-site VPN. Each remote branch will have an ASA; the outside IPs of these two ASRs are in the same subnet.
1. Is it possible to reach redundancy on the HQ side in this design?
2. Can I create L2L tunnels to the two ASRs? If yes, how can I make 1 tunnel active and the other secondary?
| ASR1
Users---L3SW---ASA---ISP---CPE---|
| ASR2
Any suggestions are welcome
Thank you
There are two ways:
- IPsec stateful failover
http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/15-Mt/sec-VPN-availability-15-Mt-book/Sec-State-fail-IPSec.html
http://packetlife.net/blog/2009/Aug/17/fun-IPSec-stateful-failover/
- VPN config with two peers on one ASA.
Here you have two individual boxes at the HQ and the ASA has two tunnel-groups for the two boxes but only a single sequence in the crypto map. The peer statement has the two HQ IPs configured.
-
Stateful failover through a logical interface?
Hi all
Does anyone know if a logical interface can be configured as the stateful link or do I have to use a dedicated physical link?
Thank you
You must use a dedicated physical interface for the failover interface (if doing LAN-based failover) and for the stateful failover link.
I hope this helps.
Scott