HANUMAAN asked:

Firewall ASA Synchronization Trouble

I have a couple of pairs of Cisco PIX 5510 firewalls. A dual pair of 5510s is used for redundancy. They are working fine. In each pair one is Active and the other is in Standby mode. Most of the time they synchronize the rules with each other, but sometimes they do not synchronize the changes made on one of the ASAs. Logically they should synchronize even minor changes.

Here I want to ask whether there is another way to force synchronization with the other member when it is not synchronizing its changes to the firewall rules?
The only way I know to synchronize is to issue the write terminal command.

By the way, I am always modifying the firewall rules from Cisco ASDM instead of the command prompt. I thought the way to get rid of the synchronization problem would be to modify the access-list entries exactly on the other member of the pair, on which synchronization is not taking place.

Please find the list of messages below that I get from Cisco ASDM, for your reference. I hope you have a smarter brain than me to nudge this out.

ASDM received the message(s) below when one or more of the commands below were sent to the ASA.
[OK] means success, [ERROR] means failure, [INFO] means information and [WARNING] means warning
message received.

[ERROR] no access-list corporate-in line 76 extended permit ip object-group switches 0.0.0.0 0.0.0.0
      **** WARNING ****
      Configuration Replication is NOT performed from Standby unit to Active unit.
      Configurations are no longer synchronized.

[ERROR] no access-list corporate-in line 75 remark This is to allow UDP Traffic for TFTP to write configuration Files
      **** WARNING ****
      Configuration Replication is NOT performed from Standby unit to Active unit.
      Configurations are no longer synchronized.

[ERROR] access-list corporate-in line 75 remark This is to allow UDP Traffic for TFTP to write configuration Files
      **** WARNING ****
      Configuration Replication is NOT performed from Standby unit to Active unit.
      Configurations are no longer synchronized.

[ERROR] access-list corporate-in line 76 extended permit udp object-group switches eq tftp host X.X.X.X eq tftp
      **** WARNING ****
      Configuration Replication is NOT performed from Standby unit to Active unit.
      Configurations are no longer synchronized.

ck459 (Belgium):

Config changes should always be done on the primary unit, otherwise the configs will not be synced anymore.

When you make a config change, make sure you always perform the change on the primary (active) ASA, and the configs will be synced.

read all about it here :

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml


Kurt
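The warning in every [ERROR] block above ("Configuration Replication is NOT performed from Standby unit to Active unit") is the ASA telling you that the ASDM session was connected to the Standby unit when those access-list commands were sent, so the commands changed only that unit and the two running configurations diverged. This happens easily after a failover: the active IP address follows whichever unit is Active, so an ASDM session opened to a unit's own (standby) address ends up on the Standby unit once the roles have swapped. The added script below, which is not part of this thread and not Cisco's code, parses an ASDM message log for that warning, reads the "This host:" line of show failover to decide whether the connected unit is Active, and returns the CLI to resync (write standby on the Active unit, which overwrites the Standby's running config with the Active's). The ASDM log is copied from the question plus one constructed [OK] line; the show failover samples are constructed and abbreviated, modelled on the ASA's "This host: Primary - Active" / "Other host: Secondary - Standby Ready" lines.

```python
"""Sanity checks for Cisco ASA Active/Standby configuration sync (added example).

Assumed inputs: ASDM message text pasted into ASDM_LOG and 'show failover'
output pasted into SHOW_FAILOVER_*. The samples below are constructed for the
example (the [ERROR] blocks are the ones quoted in the question).
"""
import re
from typing import List, Optional, Tuple

# Exact warning the ASA returns when a configuration command is applied on the
# Standby unit (taken from the ASDM messages in the question).
STANDBY_WARNING = (
    "Configuration Replication is NOT performed from Standby unit to Active unit"
)

ASDM_LOG = """\
[OK] access-list corporate-in line 77 remark constructed example of a command that succeeded
[ERROR] no access-list corporate-in line 76 extended permit ip object-group switches 0.0.0.0 0.0.0.0
      **** WARNING ****
      Configuration Replication is NOT performed from Standby unit to Active unit.
      Configurations are no longer synchronized.

[ERROR] no access-list corporate-in line 75 remark This is to allow UDP Traffic for TFTP to write configuration Files
      **** WARNING ****
      Configuration Replication is NOT performed from Standby unit to Active unit.
      Configurations are no longer synchronized.

[ERROR] access-list corporate-in line 75 remark This is to allow UDP Traffic for TFTP to write configuration Files
      **** WARNING ****
      Configuration Replication is NOT performed from Standby unit to Active unit.
      Configurations are no longer synchronized.

[ERROR] access-list corporate-in line 76 extended permit udp object-group switches eq tftp host X.X.X.X eq tftp
      **** WARNING ****
      Configuration Replication is NOT performed from Standby unit to Active unit.
      Configurations are no longer synchronized.
"""

# Constructed, abbreviated 'show failover' output: the normal case ...
SHOW_FAILOVER_ACTIVE = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
This host: Primary - Active
        Active time: 86400 (sec)
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
"""

# ... and the asker's case: the secondary took over, the primary is now Standby.
SHOW_FAILOVER_STANDBY = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
This host: Primary - Standby Ready
Other host: Secondary - Active
"""


def commands_rejected_on_standby(asdm_log: str) -> List[str]:
    """Return the commands ASDM sent that were applied to the Standby unit.

    Each failed command is an '[ERROR] <command>' line followed by a few
    indented lines; when those carry STANDBY_WARNING the session was talking
    to the Standby unit and the command will never replicate to the peer.
    """
    lines = asdm_log.splitlines()
    rejected = []
    for i, line in enumerate(lines):
        m = re.match(r"\s*\[ERROR\]\s+(.+)", line)
        if not m:
            continue
        trailer = " ".join(l.strip() for l in lines[i + 1:i + 4])
        if STANDBY_WARNING in trailer:
            rejected.append(m.group(1).strip())
    return rejected


def failover_role(show_failover: str) -> Optional[Tuple[str, str]]:
    """Parse (unit, state) for this host from 'show failover' output, e.g.
    ('Primary', 'Active') or ('Secondary', 'Standby Ready').
    None when failover is off or the 'This host:' line is missing."""
    if re.search(r"^Failover Off", show_failover, re.M):
        return None
    m = re.search(r"^This host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$",
                  show_failover, re.M)
    return (m.group(1), m.group(2)) if m else None


def safe_to_configure(show_failover: str) -> bool:
    """True only when the connected unit is Active: the only unit whose
    configuration changes replicate to the peer."""
    role = failover_role(show_failover)
    return role is not None and role[1] == "Active"


def resync_commands(show_failover: str) -> List[str]:
    """CLI to run on the unit whose 'show failover' output this is.
    Empty list means: do not configure here, reconnect to the Active unit."""
    if not safe_to_configure(show_failover):
        return []
    # 'write standby' pushes the Active unit's running-config to the Standby,
    # discarding anything configured only on the Standby; then confirm the
    # peer reports 'Standby Ready'.
    return ["write standby", "show failover"]


if __name__ == "__main__":
    for cmd in commands_rejected_on_standby(ASDM_LOG):
        print("applied on Standby only:", cmd)
    print("this host:", failover_role(SHOW_FAILOVER_STANDBY))
    print("resync from Active:", resync_commands(SHOW_FAILOVER_ACTIVE))
```

The check is the one to make before every ASDM or CLI change on a failover pair: if show failover reports "This host: ... - Standby Ready", reconnect to the Active unit (its active IP address, not the standby address) and apply the change there; if changes have already been made on the wrong unit, write standby on the Active unit brings the pair back in sync, at the cost of whatever was configured only on the Standby.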
HANUMAAN (asker):

Yes, I am performing additions, changes and modifications of rules on the Active ASA only, through Cisco ASDM, but sometimes my secondary, which is standby, is active and synchronization does not happen, so I was looking for a workaround in this situation.

Thanks......
ASKER CERTIFIED SOLUTION
ck459 (Belgium):

[solution text not shown on the page]
HANUMAAN (asker):

OK, I will try this one out and see what happens after issuing the command write standby.

Thanks........
HANUMAAN (asker):

By the way, what could be the cause of the problem of the changes not synchronizing from the Active ASA to the Standby ASA? The main purpose of using and configuring dual ASAs is to have redundancy and high availability all the time, to avoid a single point of failure.
HANUMAAN (asker):

Thanks