Hello Friends,
But the above command is for LAN failover? That means I can use the same
interface for LAN failover and stateful failover?
What configuration do I have to do on the secondary firewall? The above configs in
my previous mail which I have mentioned are correct, I don't have to
specify any IP address on the inside interface of the secondary firewall,
and if so then what will be the command syntax:
ip add (secondary IP ) 255.255.255.0 standby (primary IP)
*OR*
IP add (primary IP ) 255.255.255.0 standby (secondary IP )
If I don't specify any IP address on the inside interface, then how will the configs
replicate? I hope by the failover link? Correct me if I'm
wrong.
Thanks for your support.
On Sun, Jun 6, 2010 at 3:36 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
> Hi,
>
> It seems you haven't chosen the failover interface; this command does it:
> failover lan interface <name> interface
>
> Note that the failover link interface you have used pertains to stateful
> failover, i.e. replicating the connections & state tables from one firewall
> to another.
>
> Regards,
>
> On Sun, Jun 6, 2010 at 1:36 PM, adam gibs <adamgibs7_at_gmail.com> wrote:
>
>> Hi,
>>
>> I have ASA with the same hardware and software version. I have configured
>> *stateful failover*. After configuring the primary, I booted the secondary and
>> issued a write standby command on the primary, but there was no effect on the
>> secondary. My inside interface and failover interface are on the same switch
>> but in different VLANs.
>>
>> I have read in a book that while configuring STATEFUL FAILOVER you don't need
>> to configure anything on the secondary. But still I have specified the inside IP
>> address, but no output. Where am I missing something, friends? I have used 1
>> dedicated interface for failover and the remaining 3 for inside, outside, DMZ.
>>
>> failover lan unit primary
>> failover link failover gig0/3
>> failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
>> failover key cisco
>> failover replication http
>> failover
>>
>> *Secondary:*
>> failover lan unit secondary
>> failover link failover GigabitEthernet0/3
>> failover key cisco
>> failover interface ip Failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
>> failover replication http
>> failover
>> I'm getting this warning on the secondary.
>>
>> WARNING: Failover enabled but the failover interface configuration is incomplete
>> Failover will not take effect until the interface is fully configured
>>
>> *Secondary:*
>>
>> ciscoasa(config)# sh failover
>> Failover On
>> Failover unit Secondary
>> Failover LAN Interface: not Configured
>> Unit Poll frequency 1 seconds, holdtime 15 seconds
>> Interface Poll frequency 5 seconds, holdtime 25 seconds
>> Interface Policy 1
>> Monitored Interfaces 1 of 250 maximum
>> failover replication http
>> Version: Ours 8.0(4), Mate Unknown
>> Last Failover at: 02:53:07 UTC Jun 6 2010
>> This host: Secondary - Disabled
>> Active time: 0 (sec)
>> slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
>> Interface management (192.168.1.1): No Link (Waiting)
>> slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status (Up/Up)
>> IPS, 6.0(6)E4, Up
>> Other host: Primary - Not Detected
>> Active time: 0 (sec)
>> slot 0: empty
>> Interface management (0.0.0.0): Unknown (Waiting)
>> slot 1: empty
>> Stateful Failover Logical Update Statistics
>> Link : failover GigabitEthernet0/3 (up)
>> Stateful Obj xmit xerr rcv rerr
>> General 0 0 0 0
>> sys cmd 0 0 0 0
>> up time 0 0 0 0
>> RPC services 0 0 0 0
>> TCP conn 0 0 0 0
>> UDP conn 0 0 0 0
>> ARP tbl 0 0 0 0
>> Xlate_Timeout 0 0 0 0
>> VPN IKE upd 0 0 0 0
>> VPN IPSEC upd 0 0 0 0
>> VPN CTCP upd 0 0 0 0
>> VPN SDI upd 0 0 0 0
>> VPN DHCP upd 0 0 0 0
>> SIP Session 0 0 0 0
>> Logical Update Queue Information
>> Cur Max Total
>> Recv Q: 0 0 0
>> Xmit Q: 0 0 0
>>
>> PRIMARY:
>> Failover On
>> Failover unit Primary
>> Failover LAN Interface: not Configured
>> Unit Poll frequency 1 seconds, holdtime 15 seconds
>> Interface Poll frequency 5 seconds, holdtime 25 seconds
>> Interface Policy 1
>> Monitored Interfaces 4 of 250 maximum
>> failover replication http
>> Version: Ours 8.0(4), Mate Unknown
>> Last Failover at: 22:11:24 UTC Jun 5 2010
>> This host: Primary - Disabled
>> Active time: 0 (sec)
>> slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
>> Interface management (192.168.1.1): No Link (Waiting)
>> Interface outside (172.16.1.1): No Link (Waiting)
>> Interface inside (192.168.2.1): Normal (Waiting)
>> Interface DMZ (10.146.254.2): No Link (Waiting)
>> slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status (Up/Up)
>> IPS, 6.0(6)E4, Up
>> Other host: Secondary - Not Detected
>> Active time: 0 (sec)
>> slot 0: empty
>> Interface management (0.0.0.0): Unknown (Waiting)
>> Interface outside (172.16.1.3): Unknown (Waiting)
>> Interface inside (192.168.2.2): Unknown (Waiting)
>> Interface DMZ (10.146.254.3): Unknown (Waiting)
>> slot 1: empty
>> Stateful Failover Logical Update Statistics
>> Link : failover GigabitEthernet0/3 (up)
>> Stateful Obj xmit xerr rcv rerr
>> General 0 0 0 0
>> sys cmd 0 0 0 0
>> up time 0 0 0 0
>> RPC services 0 0 0 0
>> TCP conn 0 0 0 0
>> UDP conn 0 0 0 0
>> ARP tbl 0 0 0 0
>> Xlate_Timeout 0 0 0 0
>> VPN IKE upd 0 0 0 0
>> VPN IPSEC upd 0 0 0 0
>> VPN CTCP upd 0 0 0 0
>> VPN SDI upd 0 0 0 0
>> VPN DHCP upd 0 0 0 0
>> SIP Session 0 0 0 0
>> Logical Update Queue Information
>> Cur Max Total
>> Recv Q: 0 0 0
>> Xmit Q: 0 0 0
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>
>
> --
> KJ
Received on Sun Jun 06 2010 - 16:34:34 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:37 ART
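
An added example, not part of the original thread: a small Python check that flags the omission karim's reply points out (`failover lan interface`) in the primary unit's failover lines quoted above. The function name `lint_failover` is hypothetical, and the constructed fix assumes one interface carries both the LAN failover and stateful links.

```python
import ipaddress
import re

# Failover lines from the thread's primary unit (wrapped line rejoined).
PAGE_PRIMARY = """\
failover lan unit primary
failover link failover gig0/3
failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
failover key cisco
failover replication http
failover
"""

# Constructed: the same config plus the command named in the reply, assuming
# the one interface carries both the LAN failover and stateful links.
CONSTRUCTED_FIXED = "failover lan interface failover gig0/3\n" + PAGE_PRIMARY


def lint_failover(config: str) -> list[str]:
    """Return findings for an ASA LAN-based failover config (empty = clean)."""
    lines = [ln.strip().lower() for ln in config.splitlines() if ln.strip()]
    findings = []
    if not any(re.fullmatch(r"failover lan unit (primary|secondary)", ln) for ln in lines):
        findings.append("no 'failover lan unit primary|secondary'")
    if not any(re.fullmatch(r"failover lan interface \S+ \S+", ln) for ln in lines):
        findings.append("no 'failover lan interface <name> <physical-if>'")
    ip_re = r"failover interface ip \S+ (\S+) (\S+) standby (\S+)"
    ip_lines = [m for ln in lines if (m := re.fullmatch(ip_re, ln))]
    if not ip_lines:
        findings.append("no 'failover interface ip ... standby ...'")
    for m in ip_lines:
        active, mask, standby = m.groups()
        try:
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            standby_ip = ipaddress.ip_address(standby)
        except ValueError:
            findings.append(f"unparsable address in '{m.group(0)}'")
            continue
        # The standby address must be a different host on the same subnet.
        if standby_ip == ipaddress.ip_address(active) or standby_ip not in net:
            findings.append(f"standby {standby} must differ from {active} and share its subnet")
    if "failover" not in lines:
        findings.append("failover is not enabled (bare 'failover' missing)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_PRIMARY), ("fixed", CONSTRUCTED_FIXED)):
        print(label, lint_failover(cfg) or "clean")
```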