Re: ASA-Failover

From: adam gibs <adamgibs7_at_gmail.com>
Date: Thu, 10 Jun 2010 00:49:14 -0700

hello

Thanks guys, it is working. When I connected with a crossover cable between
the two firewalls it works, but when I connect through the DMZ switch it is not
working. But Cisco says that we should connect through a switch. I have kept the
ports on the switch in the same VLAN with no default gateway on the switch.

Thanks

Do I have to configure

On Sun, Jun 6, 2010 at 5:47 AM, karim jamali <karim.jamali_at_gmail.com> wrote:

> Hello Adam,
>
> Regarding the first question: you can specify one interface for failover
> (where keepalives are being sent), and if one fails the standby ASA will take
> over; and you can specify another interface (could be the same) for stateful
> failover, where the connections/states are being replicated from one ASA to
> another. As I said, these interfaces can be the same or can be different
> depending on your case and the number of connection states involved.
>
> On the secondary firewall the IP address for the interface uses the same
> syntax as you specified for the primary.
>
> If Active is: failover interface ip <NAME> 10.10.10.1 255.255.255.252 standby 10.10.10.2
> Standby is: failover interface ip <NAME> 10.10.10.1 255.255.255.252 standby 10.10.10.2
>
> Same configurations on both!
>
> I believe replication will work even if no IP address is specified on the
> inside interface, although I am not 100% sure.
>
> Best Regards,
>
>
> On Sun, Jun 6, 2010 at 3:34 PM, adam gibs <adamgibs7_at_gmail.com> wrote:
>
>> Hello Friends,
>>
>> But the above command is for LAN failover? That means I can use the
>> same interface for LAN failover and stateful failover?
>>
>> What configuration do I have to do on the secondary firewall? Are the configs
>> I mentioned in my previous mail correct? I don't have to
>> specify any IP address on the inside interface of the secondary firewall,
>> and if so, then what will be the command syntax:
>>
>> ip add (secondary IP) 255.255.255.0 standby (primary IP)
>>
>> *OR*
>>
>> ip add (primary IP) 255.255.255.0 standby (secondary IP)
>>
>> If I don't specify any IP address on the inside interface, then how will the configs
>> replicate? I hope by the failover link? Correct me if I am
>> wrong.
>>
>> Thanks for your support.
>>
>>
>> On Sun, Jun 6, 2010 at 3:36 PM, karim jamali <karim.jamali_at_gmail.com>wrote:
>>
>>> Hi,
>>>
>>> It seems you haven't chosen the failover interface; this command does it:
>>> failover lan interface <name> interface
>>>
>>> Note that the failover link interface you have used pertains to stateful
>>> failover, i.e. replicating the connection and state tables from one firewall
>>> to another.
>>>
>>> Regards,
>>>
>>> On Sun, Jun 6, 2010 at 1:36 PM, adam gibs <adamgibs7_at_gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have two ASAs with the same hardware and software version. I have configured
>>>> *stateful failover*. After configuring the primary, I booted the secondary and
>>>> issued a write standby command on the primary, but it had no effect on the secondary.
>>>> My inside interface and failover interface are on the same switch but in
>>>> different VLANs.
>>>>
>>>> I have read in a book that while configuring STATEFUL FAILOVER you don't need
>>>> to configure anything on the secondary. But still I have specified the inside IP
>>>> address, but no output. Where am I missing something, friends? I have used
>>>> 1 dedicated interface for failover and the rest 3 for inside, outside, DMZ.
>>>>
>>>> failover lan unit primary
>>>> failover link failover gig0/3
>>>> failover interface ip failover 192.168.3.1 255.255.255.0 standby
>>>> 192.168.3.2
>>>> failover key cisco
>>>> failover replication http
>>>> failover
>>>>
>>>> *Secondary:*
>>>> failover lan unit secondary
>>>> failover link failover GigabitEthernet0/3
>>>> failover key cisco
>>>> failover interface ip Failover 192.168.3.1 255.255.255.0 standby
>>>> 192.168.3.2
>>>> failover replication http
>>>> failover
>>>> I am getting this warning on the secondary:
>>>>
>>>> WARNING: Failover enabled but the failover interface configuration is
>>>> incomplete
>>>> Failover will not take effect until the interface is fully
>>>> configured
>>>>
>>>> *Secondary:*
>>>>
>>>> ciscoasa(config)# sh failover
>>>> Failover On
>>>> Failover unit Secondary
>>>> Failover LAN Interface: not Configured
>>>> Unit Poll frequency 1 seconds, holdtime 15 seconds
>>>> Interface Poll frequency 5 seconds, holdtime 25 seconds
>>>> Interface Policy 1
>>>> Monitored Interfaces 1 of 250 maximum
>>>> failover replication http
>>>> Version: Ours 8.0(4), Mate Unknown
>>>> Last Failover at: 02:53:07 UTC Jun 6 2010
>>>> This host: Secondary - Disabled
>>>> Active time: 0 (sec)
>>>> slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
>>>> Interface management (192.168.1.1): No Link (Waiting)
>>>> slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status
>>>> (Up/Up)
>>>> IPS, 6.0(6)E4, Up
>>>> Other host: Primary - Not Detected
>>>> Active time: 0 (sec)
>>>> slot 0: empty
>>>> Interface management (0.0.0.0): Unknown (Waiting)
>>>> slot 1: empty
>>>> Stateful Failover Logical Update Statistics
>>>> Link : failover GigabitEthernet0/3 (up)
>>>> Stateful Obj xmit xerr rcv rerr
>>>> General 0 0 0 0
>>>> sys cmd 0 0 0 0
>>>> up time 0 0 0 0
>>>> RPC services 0 0 0 0
>>>> TCP conn 0 0 0 0
>>>> UDP conn 0 0 0 0
>>>> ARP tbl 0 0 0 0
>>>> Xlate_Timeout 0 0 0 0
>>>> VPN IKE upd 0 0 0 0
>>>> VPN IPSEC upd 0 0 0 0
>>>> VPN CTCP upd 0 0 0 0
>>>> VPN SDI upd 0 0 0 0
>>>> VPN DHCP upd 0 0 0 0
>>>> SIP Session 0 0 0 0
>>>> Logical Update Queue Information
>>>> Cur Max Total
>>>> Recv Q: 0 0 0
>>>> Xmit Q: 0 0 0
>>>>
>>>> PRIMARY:
>>>> Failover On
>>>> Failover unit Primary
>>>> Failover LAN Interface: not Configured
>>>> Unit Poll frequency 1 seconds, holdtime 15 seconds
>>>> Interface Poll frequency 5 seconds, holdtime 25 seconds
>>>> Interface Policy 1
>>>> Monitored Interfaces 4 of 250 maximum
>>>> failover replication http
>>>> Version: Ours 8.0(4), Mate Unknown
>>>> Last Failover at: 22:11:24 UTC Jun 5 2010
>>>> This host: Primary - Disabled
>>>> Active time: 0 (sec)
>>>> slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
>>>> Interface management (192.168.1.1): No Link (Waiting)
>>>> Interface outside (172.16.1.1): No Link (Waiting)
>>>> Interface inside (192.168.2.1): Normal (Waiting)
>>>> Interface DMZ (10.146.254.2): No Link (Waiting)
>>>> slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status
>>>> (Up/Up)
>>>> IPS, 6.0(6)E4, Up
>>>> Other host: Secondary - Not Detected
>>>> Active time: 0 (sec)
>>>> slot 0: empty
>>>> Interface management (0.0.0.0): Unknown (Waiting)
>>>> Interface outside (172.16.1.3): Unknown (Waiting)
>>>> Interface inside (192.168.2.2): Unknown (Waiting)
>>>> Interface DMZ (10.146.254.3): Unknown (Waiting)
>>>> slot 1: empty
>>>> Stateful Failover Logical Update Statistics
>>>> Link : failover GigabitEthernet0/3 (up)
>>>> Stateful Obj xmit xerr rcv rerr
>>>> General 0 0 0 0
>>>> sys cmd 0 0 0 0
>>>> up time 0 0 0 0
>>>> RPC services 0 0 0 0
>>>> TCP conn 0 0 0 0
>>>> UDP conn 0 0 0 0
>>>> ARP tbl 0 0 0 0
>>>> Xlate_Timeout 0 0 0 0
>>>> VPN IKE upd 0 0 0 0
>>>> VPN IPSEC upd 0 0 0 0
>>>> VPN CTCP upd 0 0 0 0
>>>> VPN SDI upd 0 0 0 0
>>>> VPN DHCP upd 0 0 0 0
>>>> SIP Session 0 0 0 0
>>>> Logical Update Queue Information
>>>> Cur Max Total
>>>> Recv Q: 0 0 0
>>>> Xmit Q: 0 0 0
>>>>
>>>
>>>
>>> --
>>> KJ
>>>
>>
>>
>
>
> --
> KJ
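The complete failover configuration the thread converges on, added here as an example (it was not posted by any participant): it adds the `failover lan interface` command KJ points to, reuses the same interface for the stateful link, and shows the standby address syntax on a data interface. The inside interface being GigabitEthernet0/1 and the `<shared-key>` value are assumptions; interface names and addresses are the thread's own.

```text
! Added example, not from the thread. <shared-key> is a placeholder.
!
! --- Primary ASA ---
interface GigabitEthernet0/3
 description failover link (no nameif; carries LAN and stateful failover)
 no shutdown
!
! Assumed: inside is GigabitEthernet0/1 (the thread does not say which port).
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
failover lan unit primary
! The command missing from the posted configs; without it "show failover"
! reports "Failover LAN Interface: not Configured" and the units never pair.
failover lan interface failover GigabitEthernet0/3
! Stateful replication can ride the same link (KJ's point); move it to a
! separate interface only if the connection/state volume warrants it.
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
! Without a key, config and state replication cross the link in clear text.
failover key <shared-key>
failover replication http
failover
!
! --- Secondary ASA (failover block only; inside/outside/DMZ addresses
! and the rest of the config are replicated from the primary) ---
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
! Identical line to the primary: the active unit uses the first address and
! the standby unit uses the "standby" address, whichever chassis is which.
failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
failover key <shared-key>
failover replication http
failover
```

Once both units are enabled, `show failover` on each should no longer read "Failover LAN Interface: not Configured", and the other host should change from "Not Detected" to a detected standby/active state. When the link goes through a switch, keep both ports in a VLAN used only for failover, as the original poster did.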

Blogs and organic groups at http://www.ccie.net
Received on Thu Jun 10 2010 - 00:49:14 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:37 ART