This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button
COURSE of the MONTH
12 days, 12 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
ASA Failover Management Crossover
Posted on 2008-06-12
I have a question related to the configuration below. I have a live ASA 5520 and another ASA with a default configuration. What I need to do is have the Lan/stateful failover occur on the Management Int using a crossover between the two. Since one of my firewalls is already live, I believe the only option is the management int. WIth this said, could I use the code below and simply replace the int with manament?
Also, if the primary manament address had physical int address of 192.168.199.2 and secondary of .3 would not the failover interface ip ASA failover addresses be flipped on the Primary and Secondary? I ask because below it has them the same. Thanks. --Rob.
Hi all,
I just setup two ASA and I am trying to configuring stateful failover using a crossover cable but both devices don't seem to detect each other. Below is the failover configuration:
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
Primary
failover
failover lan unit primary
failover lan interface ASA_Failover GigabitEthernet0/3
failover link ASA_Failover GigabitEthernet0/3
failover interface ip ASA_Failover 192.168.199.2 255.255.255.252 standby 192.168.199.3
FW00# sh fail state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Not Detected Comm Failure 06:33:57 CST Mar 1 2007
====Configuration State===
====Communication State===
Secondary:
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
failover
failover lan unit secondary
failover lan interface ASA_Failover GigabitEthernet0/3
failover link ASA_Failover GigabitEthernet0/3
failover interface ip ASA_Failover 192.168.199.2 255.255.255.252 standby 192.168.199.3
Also, if the primary manament address had physical int address of 192.168.199.2 and secondary of .3 would not the failover interface ip ASA failover addresses be flipped on the Primary and Secondary? I ask because below it has them the same. Thanks. --Rob.
Hi all,
I just setup two ASA and I am trying to configuring stateful failover using a crossover cable but both devices don't seem to detect each other. Below is the failover configuration:
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
Primary
failover
failover lan unit primary
failover lan interface ASA_Failover GigabitEthernet0/3
failover link ASA_Failover GigabitEthernet0/3
failover interface ip ASA_Failover 192.168.199.2 255.255.255.252 standby 192.168.199.3
FW00# sh fail state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Not Detected Comm Failure 06:33:57 CST Mar 1 2007
====Configuration State===
====Communication State===
Secondary:
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
failover
failover lan unit secondary
failover lan interface ASA_Failover GigabitEthernet0/3
failover link ASA_Failover GigabitEthernet0/3
failover interface ip ASA_Failover 192.168.199.2 255.255.255.252 standby 192.168.199.3
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
5 Comments
Active 2 days ago
issue a sho ver command
you can only do this if you have a security plus licence on the firewalls (otherwise the management port can only be used as a management port)
you can only do this if you have a security plus licence on the firewalls (otherwise the management port can only be used as a management port)
Here's the show version:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5520 VPN Plus license.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5520 VPN Plus license.
Hi Pete-
You had helped Sudosu for question: Failover on ASA 5520s using virtual interfaces-- which is basically exactly like mine. Could I somehow get in touch with Sudosu for an config or version example? Thanks.
You had helped Sudosu for question: Failover on ASA 5520s using virtual interfaces-- which is basically exactly like mine. Could I somehow get in touch with Sudosu for an config or version example? Thanks.
For the record a VPN Plus License works as well. What needs to be done is to take out the nameif of the management interface and then apply the following code-
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
On the secondary unit make sure to issue:
no failover
failover lan unit secondary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
Then when you are ready to pull down the config from the primary issue the failover command.
Replication should begin and the active light on your secondary asa should turn to orange indicating successful secondary status.
--Rob
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
On the secondary unit make sure to issue:
no failover
failover lan unit secondary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
Then when you are ready to pull down the config from the primary issue the failover command.
Replication should begin and the active light on your secondary asa should turn to orange indicating successful secondary status.
--Rob
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty.
Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal.
As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’
As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Course of the Month12 days, 12 hours left to enroll
777 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.