Solved

ASA Failover Management Crossover

Posted on 2008-06-12
5
1 solution
3,347 Views
Last Modified: 2008-06-25
I have a question related to the configuration below. I have a live ASA 5520 and another ASA with a default configuration. What I need to do is have the Lan/stateful failover occur on the Management Int using a crossover between the two. Since one of my firewalls is already live, I believe the only option is the management int. WIth this said, could I use the code below and simply replace the int with manament?

Also, if the primary manament address had physical int address of 192.168.199.2 and secondary of .3 would not the failover interface ip ASA failover addresses be flipped on the Primary and Secondary? I ask because below it has them the same. Thanks. --Rob.




Hi all,

I just setup two ASA and I am trying to configuring stateful failover using a crossover cable but both devices don't seem to detect each other. Below is the failover configuration:

interface GigabitEthernet0/3
 description LAN/STATE Failover Interface

Primary
failover
failover lan unit primary
failover lan interface ASA_Failover GigabitEthernet0/3
failover link ASA_Failover GigabitEthernet0/3
failover interface ip ASA_Failover 192.168.199.2 255.255.255.252 standby 192.168.199.3

FW00# sh fail state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Not Detected   Comm Failure             06:33:57 CST Mar 1 2007

====Configuration State===
====Communication State===

Secondary:
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface

failover
failover lan unit secondary
failover lan interface ASA_Failover GigabitEthernet0/3
failover link ASA_Failover GigabitEthernet0/3
failover interface ip ASA_Failover 192.168.199.2 255.255.255.252 standby 192.168.199.3
0
Comment
Question by:rclaxton1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Join The Community
  • 4
5 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 21778678
issue a sho ver command

you can only do this if you have a security plus licence on the firewalls (otherwise the management port can only be used as a management port)
0
 

Author Comment

by:rclaxton1
ID: 21781106
Ok, How about a VPN Plus license?  Same thing?
0
 

Author Comment

by:rclaxton1
ID: 21781278
Here's the show version:

Licensed features for this platform:                                            
Maximum Physical Interfaces  : Unlimited                                        
Maximum VLANs                : 150                                              
Inside Hosts                 : Unlimited                                        
Failover                     : Active/Active                                    
VPN-DES                      : Enabled                                          
VPN-3DES-AES                 : Enabled                                          
Security Contexts            : 2                                                
GTP/GPRS                     : Disabled                                        
VPN Peers                    : 750                                              
WebVPN Peers                 : 2                                                
AnyConnect for Mobile        : Disabled                                        
AnyConnect for Linksys phone : Disabled                                        
Advanced Endpoint Assessment : Disabled                                        
                                                                               
This platform has an ASA 5520 VPN Plus license.  
0
 

Author Comment

by:rclaxton1
ID: 21798764
Hi Pete-
You had helped Sudosu for question: Failover on ASA 5520s using virtual interfaces-- which is basically exactly like mine. Could I somehow get in touch with Sudosu for an config or version example? Thanks.
0
 

Accepted Solution

by:
rclaxton1 earned 0 total points
ID: 21803268
For the record a VPN Plus License works as well. What needs to be done is to take out the nameif of the management interface and then apply the following code-
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2

On the secondary unit make sure to issue:
no failover
failover lan unit secondary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2

Then when you are ready to pull down the config from the primary issue the failover command.
Replication should begin and the active light on your secondary asa should turn to orange indicating successful secondary status.

--Rob
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Register Now
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question
Amazon and Azure outages show growing pains of “hyper-hyper-scale” public cloud
Article by: Concerto Cloud
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Why You May Need A Cloud Services Provider For Your SaaS Solution
Article by: Concerto Cloud
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Live Webinar Part 1- Top Ten Winning Strategies to Partnership in the Cloud
Video by: Concerto Cloud
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Top Ten Winning Strategies to Partnership in the Cloud
Video by: Concerto Cloud
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Advertise Here
Suggested Courses

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Advertise Here