Solved

ASA Failover Pair - SNMP and ICMP issue to the passive box

Posted on 2009-07-16
1,563 Views
Last Modified: 2012-08-14
I have a pair of ASA 5520s configured as active/passive failover to each other.

I have an NMS at my head office which has a VPN connection to the ASA pair. My NMS is able to ping the active box and pass SNMP back and forth with no issues, but it can't do the same to the passive box - SNMP and Ping both fail.

As the boxes both in essence have the same config running, is there something I'm missing that needs to be done to allow SNMP and Ping to work to both ASAs?

TIA


Rob
Question by:ccfcfc

12 Comments
 
LVL 13

Assisted Solution

by:3nerds
3nerds earned 50 total points
ID: 24870295
On your ASA you should have lines like this configured.

ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2

This means that the active unit will have an address of 172.16.1.1 and the standby will have 172.16.1.2. You should be able to configure your NMS to pull from each separate IP address, giving you the info you want.

Regards,

3nerds
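As an added example (not configuration posted in this thread), here is what the failover addressing 3nerds describes looks like in a full ASA 8.x active/standby configuration, together with the ICMP and SNMP statements that let an NMS reach both units. All interface names, addresses (the NMS at 10.1.1.5, the outside 203.0.113.x range, the failover link subnet) and the placeholder community string and failover key are assumed values; the inside addressing reuses the 172.16.1.1/172.16.1.2 pair from the reply above.

```cisco
! Added example, not from the thread. ASA 8.x active/standby failover pair.
! Every address, interface and placeholder below is assumed.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
! Dedicated failover/state link (assumed interface and subnet).
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <failover-key>
!
! NMS at the head office (assumed 10.1.1.5), reached through the L2L tunnel.
! Permit its ICMP to the box and define it as the SNMP poller. SNMPv2c sends
! the community string in clear text, so use a dedicated string and restrict
! it to this single host rather than leaving a wide-open "public" community.
icmp permit host 10.1.1.5 inside
snmp-server host inside 10.1.1.5 community <community-string> version 2c
snmp-server community <community-string>
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! Let to-the-box traffic that arrives through the VPN on the outside
! interface be addressed to the inside interface (ping, SNMP, SSH).
management-access inside
```

The configuration is written once on the active unit and replicated to the standby; the standby simply answers on the `standby` addresses (172.16.1.2 and 203.0.113.11 here). Note that the addresses follow the failover role, not the chassis: after a switchover, whichever unit is active answers at 172.16.1.1, so an NMS that wants "the primary chassis" rather than "the active unit" needs `show failover` (or the failover traps) to tell them apart. To check the point carlson777 raises below, log on to the standby unit's console and run `show failover`, `show route` and `ping inside 10.1.1.5`: that tests whether the standby's own traffic can reach the NMS through the tunnel, independently of what the active unit does.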
 
LVL 5

Assisted Solution

by:carlson777
carlson777 earned 100 total points
ID: 24870314
My assumption is that you are using a VPN tunnel with no NATing involved...  If this is the case then when your NMC device tries to ping your passive device it will try to initiate a VPN tunnel back to your corporate office as that is what its routing table tells it to do.  Have you looked in the logs to see if a VPN tunnel is initiated, looked at the passive ASA to see how routing is setup?
 
LVL 13

Expert Comment

by:3nerds
ID: 24870337
Didn't even notice it was across a VPN tunnel. Good catch Carlson!

3nerds

Author Comment

by:ccfcfc
ID: 24873450
Thanks for the replies.

We have an IPSec L2L tunnel between the two sites. The tunnel is up constantly as the NMS monitors several devices at the remote site where the two ASAs are located, so I know that the tunnel itself is working and, as the two ASAs are on the same subnet, there should (in theory) be no issues getting to the secondary ASA.

The NMS is pointed at the IP address for both ASAs but can only get responses from the primary.
 
LVL 5

Expert Comment

by:carlson777
ID: 24873497
But if the passive device's routing table expects to use its own tunnel and it is not up, that would be the issue. Currently the primary tunnel is up. On the passive firewall, try to do a traceroute to the NMC. Check the routing. I know that the tunnel is good; just wondering if the passive device is trying to create its own tunnel to route back.
 

Author Comment

by:ccfcfc
ID: 24873833
Thanks for clarifying Carlson. I'll take a look at that.
 
LVL 5

Expert Comment

by:carlson777
ID: 24910020
Did you find anything?
 
LVL 5

Expert Comment

by:carlson777
ID: 24927665
What did you see?
 

Author Comment

by:ccfcfc
ID: 24932887
He is on holiday and as soon as he comes back I am sure he will test and update for you... just thought I would update you...
 

Author Comment

by:ccfcfc
ID: 24970227
Sorry for the delay.

I have tried traceroute from the primary ASA, just to see what I get on the box that is working, but there doesn't seem to be a traceroute command on the ASA.

Instead I tried to ping the NMS from the primary ASA, but the ping fails. I can ping devices on the ASA subnets with no issues, but I can't ping devices on the remote end of the VPN.

I can ping devices on the remote end of the VPN from devices that are behind the ASA with no issues. I just can't ping them from the ASA itself.
 

Author Comment

by:ccfcfc
ID: 24970258
A little more info.....

The behaviour in my last update is the same from both ends of the VPN. On the PIX at the remote end I can't ping devices behind the ASA, but I can ping them from devices behind the PIX.
 

Accepted Solution

by:ccfcfc
ccfcfc earned 0 total points
ID: 25579263
No further update from any experts to my last comments.

Will award partial points for advice given so far. We have now resolved the original query ourselves.