cheops01
asked on
ASA Failover abnormal behaviour
Hi,
My ASA goes on failover everyday at 5-6ish.
I haven't seen any errors on the interconnection ports. I finally turned off the passive ASA and I still got the same failover this morning. Is that a normal behaviour?
ASA-VV# show fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet1/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 100%
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate Unknown
Last Failover at: 05:36:32 CEDT Sep 8 2010
This host: Primary - Active
Active time: 15201 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface management (172.10.5.252): Normal (Not-Monitored)
Interface VMF_1001-U-INTERNET (178.251.16.40): Normal (Waiting)
Interface T2_INTERCO (172.32.4.254): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface management (0.0.0.0): Unknown (Not-Monitored)
Interface VMF_1001-U-INTERNET (0.0.0.0): Unknown (Waiting)
Interface T2_INTERCO (0.0.0.0): Unknown (Waiting)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : Failover GigabitEthernet1/0 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
ASA-VV#
ASA-VV# show fail his
==========================
From State To State Reason
==========================
05:35:47 CEDT Sep 8 2010
Not Detected Negotiation No Error
05:36:32 CEDT Sep 8 2010
Negotiation Just Active No Active unit found
05:36:32 CEDT Sep 8 2010
Just Active Active Drain No Active unit found
05:36:32 CEDT Sep 8 2010
Active Drain Active Applying Config No Active unit found
05:36:32 CEDT Sep 8 2010
Active Applying Config Active Config Applied No Active unit found
05:36:32 CEDT Sep 8 2010
Active Config Applied Active No Active unit found
==========================
ASA-VV#
Thank you
My ASA goes on failover everyday at 5-6ish.
I haven't seen any errors on the interconnection ports. I finally turned off the passive ASA and I still got the same failover this morning. Is that a normal behaviour?
ASA-VV# show fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet1/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 100%
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate Unknown
Last Failover at: 05:36:32 CEDT Sep 8 2010
This host: Primary - Active
Active time: 15201 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface management (172.10.5.252): Normal (Not-Monitored)
Interface VMF_1001-U-INTERNET (178.251.16.40): Normal (Waiting)
Interface T2_INTERCO (172.32.4.254): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface management (0.0.0.0): Unknown (Not-Monitored)
Interface VMF_1001-U-INTERNET (0.0.0.0): Unknown (Waiting)
Interface T2_INTERCO (0.0.0.0): Unknown (Waiting)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : Failover GigabitEthernet1/0 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
ASA-VV#
ASA-VV# show fail his
==========================
From State To State Reason
==========================
05:35:47 CEDT Sep 8 2010
Not Detected Negotiation No Error
05:36:32 CEDT Sep 8 2010
Negotiation Just Active No Active unit found
05:36:32 CEDT Sep 8 2010
Just Active Active Drain No Active unit found
05:36:32 CEDT Sep 8 2010
Active Drain Active Applying Config No Active unit found
05:36:32 CEDT Sep 8 2010
Active Applying Config Active Config Applied No Active unit found
05:36:32 CEDT Sep 8 2010
Active Config Applied Active No Active unit found
==========================
ASA-VV#
Thank you
Cheops01,
You are currently monitoring the following ports:
Interface VMF_1001-U-INTERNET (178.251.16.40): Normal (Waiting)
Interface T2_INTERCO (172.32.4.254): Normal (Waiting)
The are in a waiting state because the cannot communicate with the secondary device. But unless you remove them from being monitored the can still fail. Something as simple as a short down from your ISP can cause your device to see a failure and flop over the secondary unit. To test further remove the most likely culprit from being monitored ( VMF_1001-U-INTERNET) and let it run if it run correctly then you know that the internet is going up and down.
Regards,
3nerds
You are currently monitoring the following ports:
Interface VMF_1001-U-INTERNET (178.251.16.40): Normal (Waiting)
Interface T2_INTERCO (172.32.4.254): Normal (Waiting)
The are in a waiting state because the cannot communicate with the secondary device. But unless you remove them from being monitored the can still fail. Something as simple as a short down from your ISP can cause your device to see a failure and flop over the secondary unit. To test further remove the most likely culprit from being monitored ( VMF_1001-U-INTERNET) and let it run if it run correctly then you know that the internet is going up and down.
Regards,
3nerds
ASKER
I connected this morning through SSH. I canceled the authentication and lost the access to the management. Lost the tunnels as well. I checked then the failover history and this is the buffer:
From State To State Reason
==========================
10:06:59 CEDT Sep 9 2010
Not Detected Negotiation No Error
10:07:44 CEDT Sep 9 2010
Negotiation Just Active No Active unit found
10:07:44 CEDT Sep 9 2010
Just Active Active Drain No Active unit found
10:07:44 CEDT Sep 9 2010
Active Drain Active Applying Config No Active unit found
10:07:44 CEDT Sep 9 2010
Active Applying Config Active Config Applied No Active unit found
10:07:44 CEDT Sep 9 2010
Active Config Applied Active No Active unit found
10:14:05 CEDT Sep 9 2010
Active Disabled Set by the config command
Then at 10:14, I accessed again and turned off the failover until I can troubleshoot the problem. I don't see any input/output errors nor no up/down links on the ASA intercos.
Thanks
From State To State Reason
==========================
10:06:59 CEDT Sep 9 2010
Not Detected Negotiation No Error
10:07:44 CEDT Sep 9 2010
Negotiation Just Active No Active unit found
10:07:44 CEDT Sep 9 2010
Just Active Active Drain No Active unit found
10:07:44 CEDT Sep 9 2010
Active Drain Active Applying Config No Active unit found
10:07:44 CEDT Sep 9 2010
Active Applying Config Active Config Applied No Active unit found
10:07:44 CEDT Sep 9 2010
Active Config Applied Active No Active unit found
10:14:05 CEDT Sep 9 2010
Active Disabled Set by the config command
Then at 10:14, I accessed again and turned off the failover until I can troubleshoot the problem. I don't see any input/output errors nor no up/down links on the ASA intercos.
Thanks
A config would be helpful.
Regards,
3nerds
Regards,
3nerds
ASKER
Here is the configuration.
Note: I isolated the 5550. I turned off the failover. It keeps rebooting more or less every 4 hours. I changed the ASA with the same configuration yesterday - same mishaps. I included a jpeg. You will see the red lines indicate a reboot of the platform.
: Saved
: Written by Administrator at 11:47:05.209 CEDT Fri Sep 10 2010
!
ASA Version 8.2(1)
!
hostname ASA-VPN
domain-name default.domain.invalid
enable password czn4HPAhrG7bVPkm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.33.24.252 RemoteHost_Intrum
name 192.168.93.206 RemoteHost_IVRA10
name 192.168.196.103 RemoteHost_IVRA11
name 192.168.196.105 RemoteHost_IVRA12
name 192.168.93.217 RemoteHost_IVRA13
name 192.168.77.15 RemoteHost_TV2
name 192.168.188.29 RemoteHost_IVRA3
name 192.168.189.102 RemoteHost_IVRA4
name 172.16.197.107 RemoteHost_IVRA5
name 192.168.95.66 RemoteHost_IVRA6
name 192.168.93.207 RemoteHost_IVRA7
name 172.16.61.136 RemoteHost_IVRA8
name 192.168.188.30 RemoteHost_IVRA9
name 10.0.0.0 RemoteNet_Interact
name 192.168.1.0 RemoteNet_Lalpack
name 10.29.2.0 RemoteNet_Soreco
name 10.150.26.64 RemoteNet_Paco
name 10.92.254.0 RemoteNet_Tackti
name 10.99.8.44 RemoteHost_IVRA1
name 172.32.2.150 TV2virgin
name 192.168.79.110 test_pc-TV2
name 172.20.229.0 RemoteNet_Sears
name 195.81.2.29 RemoteHost_Intrum1
name 172.20.1.0 Remote_Net_Astor1
name 172.20.3.0 Remote_Net_Astor2
name 192.168.196.104 Remote_Host_CFT
name 172.20.13.0 NAT_RemoteNet_Astor1
name 172.20.14.0 NAT_RemoteNet_Astor2
name 172.22.24.32 RemoteHost_AH_Simpsons1
name 172.22.24.33 RemoteHost_AH_Simpsons2
name 172.20.1.96 NAT_RemoteHost_Simpsonse1
name 172.20.1.97 NAT_RemoteHost_Simpsonse2
name 172.20.1.98 NAT_RemoteHost_Simpsonse3
name 193.12.60.0 AH_IP_ToAstor
name 192.168.85.0 AH_456-OFFICE-SERV
name 192.168.196.96 AH_455-PROD-SERV
name 192.168.198.80 AH_887-SegmentBlue description AH_SegmentBlue
name 192.168.95.28 AH_EUTV2DBB
name 192.168.67.160 AH_EUIVRALAB_09
name 193.12.93.148 AH_FRMOBCOMMANDES
name 192.168.93.243 AH_FRTV2CC3MOB
name 192.168.93.201 AH_FRTV2DB1
name 193.12.60.248 AH_MinisterDev
name 192.168.93.237 AH_RDBMS
name 172.16.33.81 AH_DITO
name 172.16.33.82 AH_EDISON
name 172.16.241.7 AH_EIFFEL
name 172.168.95.32 AH_EUTV2DBD
name 172.16.241.8 AH_KEPLER
name 172.16.60.77 AH_LOGON
name 172.168.188.29 AH_LUAHLUCFRUD
name 172.16.33.80 AH_NOTES
name 172.16.33.0 AH_AZUKNotes1
name 172.16.241.0 AH_AZUKNotes2
name 193.12.60.77 AH_AZUKNotes3
name 10.99.8.0 AH_FTPTRANSIT
name 192.168.189.96 AH_167-IVR
name 172.16.16.0 AH_SCANNING_IVR_MAINTENANC
!
interface GigabitEthernet0/0
description DATA
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
speed 100
duplex full
nameif MGMAH
security-level 100
ip address 172.30.99.100 255.255.255.248
management-only
!
interface Management0/0
speed 100
duplex full
nameif MGMT
security-level 100
ip address 172.30.5.252 255.255.255.0
!
interface GigabitEthernet1/0
description LAN/STATE Failover Interface
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif AHR_1001-U-INTERNET
security-level 0
allow-ssc-mgmt
ip address 178.251.16.40 255.255.255.192
ospf cost 10
ospf authentication-key AHR#OsPf
ospf authentication
!
interface RedundanAH
member-interface GigabitEthernet1/2
member-interface GigabitEthernet1/3
no nameif
security-level 90
allow-ssc-mgmt
no ip address
!
interface RedundanAH.2100
vlan 2100
nameif AH_INTERCO
security-level 90
ip address 172.32.1.254 255.255.255.0
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network Partner_Sears
network-object RemoteNet_Sears 255.255.255.0
object-group network Partner_INTERACT
network-object RemoteNet_Interact 255.255.255.0
object-group network Partner_INTRUM
network-object host RemoteHost_Intrum
object-group network Partner_Lalpack
network-object RemoteNet_Lalpack 255.255.255.0
object-group network Partner_SORECO
network-object RemoteNet_Soreco 255.255.255.0
object-group network Partner_Paco
network-object RemoteNet_Paco 255.255.255.224
object-group network Partner_Tackti
network-object RemoteNet_Tackti 255.255.255.0
object-group network Partner_TV2AB
network-object host RemoteHost_IVRA5
network-object host RemoteHost_IVRA8
network-object host RemoteHost_IVRA3
network-object host RemoteHost_IVRA9
network-object host RemoteHost_IVRA4
network-object host RemoteHost_IVRA11
network-object host RemoteHost_IVRA12
network-object host RemoteHost_TV2
network-object AH_456-OFFICE-SERV 255.255.255.0
network-object host RemoteHost_IVRA10
network-object host RemoteHost_IVRA7
network-object host RemoteHost_IVRA13
network-object host RemoteHost_IVRA6
network-object host RemoteHost_IVRA1
network-object host AH_EIFFEL
network-object host AH_KEPLER
network-object host AH_NOTES
network-object host AH_DITO
network-object host AH_EDISON
network-object host AH_LOGON
network-object host AH_LUAHLUCFRUD
network-object host AH_EUTV2DBD
network-object 172.32.1.0 255.255.255.0
network-object host AH_EUIVRALAB_09
network-object host AH_FRTV2DB1
network-object host AH_RDBMS
network-object host AH_FRTV2CC3MOB
network-object host AH_EUTV2DBB
network-object AH_IP_ToAstor 255.255.255.0
network-object host AH_MinisterDev
network-object host AH_FRMOBCOMMANDES
network-object AH_SCANNING_IVR_MAINTENANC
network-object 10.143.52.0 255.255.255.0
network-object 10.30.60.0 255.255.255.0
network-object AH_FTPTRANSIT 255.255.255.0
network-object AH_AZUKNotes2 255.255.255.0
network-object AH_AZUKNotes1 255.255.255.0
network-object host AH_AZUKNotes3
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
network-object host RemoteHost_IVRA8
network-object host RemoteHost_IVRA9
network-object host RemoteHost_TV2
network-object AH_456-OFFICE-SERV 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_2
network-object host RemoteHost_IVRA8
network-object host RemoteHost_IVRA9
network-object host RemoteHost_TV2
network-object host RemoteHost_IVRA10
network-object host RemoteHost_IVRA13
network-object host RemoteHost_IVRA1
network-object host RemoteHost_IVRA3
network-object host RemoteHost_IVRA6
network-object AH_IP_ToAstor 255.255.255.0
network-object 172.16.32.0 255.255.240.0
network-object 172.19.16.0 255.255.252.0
network-object 172.19.92.0 255.255.252.0
network-object 172.16.196.0 255.255.252.0
network-object 192.168.92.0 255.255.252.0
network-object RemoteNet_Paco 255.255.255.224
network-object AH_AZUKNotes2 255.255.255.0
network-object AH_AZUKNotes1 255.255.255.0
network-object host AH_AZUKNotes3
network-object AH_FTPTRANSIT 255.255.255.0
network-object 192.168.67.0 255.255.255.0
network-object 172.16.224.0 255.255.255.0
network-object 172.24.251.0 255.255.255.0
network-object host RemoteHost_IVRA5
network-object host RemoteHost_IVRA7
network-object AH_SCANNING_IVR_MAINTENANC
network-object 10.143.52.0 255.255.255.0
network-object 192.168.102.0 255.255.255.0
network-object 192.168.196.128 255.255.255.128
network-object 192.168.197.64 255.255.255.224
network-object 192.168.101.0 255.255.255.0
network-object 172.16.219.0 255.255.255.0
network-object 10.30.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object host RemoteHost_Intrum
network-object RemoteNet_Sears 255.255.255.0
network-object RemoteNet_Soreco 255.255.255.0
network-object host RemoteHost_Intrum1
group-object Partner_Lalpack
network-object Remote_Net_Astor1 255.255.255.0
network-object Remote_Net_Astor2 255.255.255.0
network-object RemoteNet_Tackti 255.255.255.0
network-object host RemoteHost_AH_Simpsons1
network-object host RemoteHost_AH_Simpsons2
network-object AH_456-OFFICE-SERV 255.255.255.0
network-object AH_455-PROD-SERV 255.255.255.224
network-object AH_887-SegmentBlue 255.255.255.240
network-object AH_167-IVR 255.255.255.240
group-object Partner_INTERACT
network-object RemoteNet_Paco 255.255.255.224
object-group service intrum_1570 tcp
port-object eq 1570
object-group service intrum_3389 tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_4
network-object host RemoteHost_IVRA10
network-object host RemoteHost_IVRA13
object-group network DM_INLINE_NETWORK_5
network-object host RemoteHost_IVRA10
network-object host RemoteHost_IVRA13
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_10
service-object ip
service-object icmp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_11
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_8
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_9
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_11
network-object NAT_RemoteNet_Astor1 255.255.255.0
network-object NAT_RemoteNet_Astor2 255.255.255.0
network-object Remote_Net_Astor1 255.255.255.0
network-object Remote_Net_Astor2 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object Remote_Net_Astor1 255.255.255.0
network-object Remote_Net_Astor2 255.255.255.0
network-object NAT_RemoteNet_Astor1 255.255.255.0
network-object NAT_RemoteNet_Astor2 255.255.255.0
object-group service DM_INLINE_SERVICE_12
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_13
service-object ip
service-object icmp echo-reply
service-object icmp echo
object-group service DM_INLINE_SERVICE_15
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_16
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network Partner_SimpsonsE
network-object host NAT_RemoteHost_Simpsonse1
network-object host NAT_RemoteHost_Simpsonse2
network-object host NAT_RemoteHost_Simpsonse3
object-group network DM_INLINE_NETWORK_6
network-object host RemoteHost_AH_Simpsons1
network-object host RemoteHost_AH_Simpsons2
object-group network DM_INLINE_NETWORK_7
network-object host RemoteHost_AH_Simpsons1
network-object host RemoteHost_AH_Simpsons2
object-group network DM_INLINE_NETWORK_8
network-object host RemoteHost_AH_Simpsons1
network-object host RemoteHost_AH_Simpsons2
object-group network DM_INLINE_NETWORK_9
network-object AH_455-PROD-SERV 255.255.255.224
network-object AH_456-OFFICE-SERV 255.255.255.0
network-object AH_887-SegmentBlue 255.255.255.240
network-object AH_167-IVR 255.255.255.240
object-group network DM_INLINE_NETWORK_10
network-object AH_455-PROD-SERV 255.255.255.224
network-object AH_456-OFFICE-SERV 255.255.255.0
object-group network DM_INLINE_NETWORK_13
network-object AH_455-PROD-SERV 255.255.255.224
network-object AH_456-OFFICE-SERV 255.255.255.0
network-object AH_887-SegmentBlue 255.255.255.240
network-object AH_167-IVR 255.255.255.240
object-group service DM_INLINE_SERVICE_14
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_17
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_15
network-object AH_AZUKNotes2 255.255.255.0
network-object AH_AZUKNotes1 255.255.255.0
network-object host AH_AZUKNotes3
network-object AH_FTPTRANSIT 255.255.255.0
network-object host 172.16.197.19
network-object host 172.16.32.14
network-object host 172.16.224.36
network-object 192.168.93.0 255.255.255.0
network-object host AH_EUIVRALAB_09
network-object host 193.12.60.104
network-object 10.30.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_14
network-object host RemoteHost_IVRA5
network-object host RemoteHost_IVRA8
network-object host RemoteHost_IVRA3
network-object host RemoteHost_IVRA4
network-object host RemoteHost_IVRA7
network-object host RemoteHost_IVRA6
object-group service DM_INLINE_SERVICE_18
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_19
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_16
network-object host RemoteHost_IVRA5
network-object host RemoteHost_IVRA8
network-object host RemoteHost_IVRA3
network-object host RemoteHost_IVRA4
network-object host RemoteHost_IVRA7
network-object host RemoteHost_IVRA6
object-group service DM_INLINE_SERVICE_20
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_17
network-object 10.30.60.0 255.255.255.0
network-object host RemoteHost_IVRA5
network-object host 172.16.224.53
network-object host 172.16.60.10
network-object host 172.16.60.11
network-object RemoteNet_Paco 255.255.255.224
object-group network DM_INLINE_NETWORK_18
network-object host RemoteHost_IVRA5
network-object host 172.16.224.53
network-object host 172.16.60.10
network-object host 172.16.60.11
network-object 10.143.52.0 255.255.255.0
object-group service DM_INLINE_SERVICE_21
service-object ip
service-object icmp echo
object-group service DM_INLINE_SERVICE_22
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_23
service-object ip
service-object icmp echo
service-object icmp echo-reply
access-list AHR_1001-U-INTERNET_1_cryp
access-list AH_INTERCO_nat0_outbound extended permit ip RemoteNet_Sears 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list AH_INTERCO_nat0_outbound extended permit ip object-group Partner_INTERACT object-group DM_INLINE_NETWORK_16
access-list AH_INTERCO_nat0_outbound extended permit ip host RemoteHost_Intrum1 object-group DM_INLINE_NETWORK_5
access-list AH_INTERCO_nat0_outbound extended permit ip RemoteNet_Soreco 255.255.255.0 host RemoteHost_IVRA10
access-list AH_INTERCO_nat0_outbound extended permit ip object-group Partner_Tackti object-group Partner_TV2AB
access-list AH_INTERCO_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_6 host RemoteHost_IVRA6
access-list AH_INTERCO_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_10 object-group Partner_TV2AB
access-list AH_INTERCO_nat0_outbound extended permit ip host AH_167-IVR object-group Partner_TV2AB
access-list AH_INTERCO_nat0_outbound extended permit ip RemoteNet_Paco 255.255.255.224 10.143.52.0 255.255.255.0
access-list TEST_INTER_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list TEST_INTER_nat0_outbound extended permit ip host TV2virgin host test_pc-TV2
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_2 RemoteNet_Sears 255.255.255.0 object-group Partner_TV2AB
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_5 host RemoteHost_Intrum1 object-group DM_INLINE_NETWORK_4
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_6 RemoteNet_Soreco 255.255.255.0 host RemoteHost_IVRA10
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_10 object-group Partner_Tackti object-group Partner_TV2AB
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_11 object-group Partner_Lalpack object-group Partner_TV2AB
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_12 object-group DM_INLINE_NETWORK_11 AH_IP_ToAstor 255.255.255.0
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_15 object-group DM_INLINE_NETWORK_7 host RemoteHost_IVRA6
access-list AH_INTERCO_access_in remark AH_Ouverture sur 3 LocalNets
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_17 object-group DM_INLINE_NETWORK_9 any
access-list AH_INTERCO_access_in remark AH_Ouverture sur RemoteNet
access-list AH_INTERCO_access_in extended permit ip any RemoteNet_Paco 255.255.255.224
access-list AH_INTERCO_access_in remark AH_Ouverture sur RemoteNet
access-list AH_INTERCO_access_in extended permit ip any object-group DM_INLINE_NETWORK_15
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_18 object-group Partner_INTERACT object-group DM_INLINE_NETWORK_14
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_22 RemoteNet_Paco 255.255.255.224 object-group DM_INLINE_NETWORK_18
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AH_INTERCO_nat_static extended permit ip NAT_RemoteNet_Astor1 255.255.255.0 object-group Partner_TV2AB
access-list NDM extended permit ip 172.31.0.0 255.255.0.0 host 172.32.1.254
pager lines 24
logging enable
logging standby
logging trap debugging
logging asdm informational
logging host MGMT 172.31.12.22
mtu MGMAH 1500
mtu MGMT 1500
mtu AHR_1001-U-INTERNET 1500
mtu AH_INTERCO 1500
no failover
failover lan unit primary
failover lan interface Failover GigabitEthernet1/0
failover interface-policy 100%
failover key *****
failover replication http
failover link Failover GigabitEthernet1/0
failover interface ip Failover 172.30.93.3 255.255.255.0 standby 172.30.93.4
no monitor-interface AHR_1001-U-INTERNET
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (AHR_1001-U-INTERNET) 2 192.168.85.100 netmask 255.0.0.0
global (AH_INTERCO) 1 172.30.110.2 netmask 255.255.255.255
nat (AH_INTERCO) 0 access-list AH_INTERCO_nat0_outbound
static (AH_INTERCO,AHR_1001-U-INT
access-group AHR_1001-U-INTERNET_access
access-group AH_INTERCO_access_in in interface AH_INTERCO
!
router ospf 1
log-adj-changes
!
router ospf 110
network 178.251.16.0 255.255.255.192 area 0
area 0 authentication
log-adj-changes
!
route AH_INTERCO RemoteNet_Interact 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteNet_Soreco 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteHost_Intrum 255.255.255.255 172.32.1.253 1
route AH_INTERCO RemoteNet_Tackti 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteNet_Paco 255.255.255.224 172.32.1.253 1
route AH_INTERCO Remote_Net_Astor1 255.255.255.0 172.32.1.253 1
route AH_INTERCO Remote_Net_Astor2 255.255.255.0 172.32.1.253 1
route AH_INTERCO NAT_RemoteNet_Astor1 255.255.255.0 172.32.1.253 1
route AH_INTERCO NAT_RemoteNet_Astor2 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteNet_Sears 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteHost_AH_Simpsons1 255.255.255.255 172.32.1.253 1
route AH_INTERCO RemoteHost_AH_Simpsons2 255.255.255.255 172.32.1.253 1
route MGMT 172.31.0.0 255.255.0.0 172.30.5.254 2
route AH_INTERCO RemoteNet_Lalpack 255.255.255.0 172.32.1.253 1
route AH_INTERCO AH_456-OFFICE-SERV 255.255.255.0 172.32.1.253 1
route AH_INTERCO AH_167-IVR 255.255.255.240 172.32.1.253 1
route AH_INTERCO AH_455-PROD-SERV 255.255.255.224 172.32.1.253 1
route AH_INTERCO AH_887-SegmentBlue 255.255.255.240 172.32.1.253 1
route AH_INTERCO RemoteHost_Intrum1 255.255.255.255 172.32.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
http server enable
http 172.30.0.0 255.255.0.0 MGMAH
http 172.30.0.0 255.255.0.0 MGMT
http 172.31.0.0 255.255.0.0 MGMAH
http 172.31.0.0 255.255.0.0 MGMT
snmp-server host MGMT 172.31.12.17 community ******
no snmp-server location
no snmp-server contact
snmp-server community ******
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map AHR_1001-U-INTERNET_map 1 match address AHR_1001-U-INTERNET_1_cryp
crypto map AHR_1001-U-INTERNET_map 1 set peer 90.132.11.4
crypto map AHR_1001-U-INTERNET_map 1 set transform-set ESP-3DES-MD5
crypto map AHR_1001-U-INTERNET_map interface AHR_1001-U-INTERNET
crypto isakmp enable AHR_1001-U-INTERNET
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 172.30.0.0 255.255.0.0 MGMAH
ssh 172.31.0.0 255.255.0.0 MGMAH
ssh 172.31.0.0 255.255.0.0 MGMT
ssh 172.30.0.0 255.255.0.0 MGMT
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.32.1.253 source AH_INTERCO
webvpn
group-policy Policy_TV2AB internal
group-policy Policy_TV2AB attributes
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
username Administrator password ZUlb3Nc9fYOvZKpq encrypted privilege 15
tunnel-group 90.132.11.4 type ipsec-l2l
tunnel-group 90.132.11.4 general-attributes
default-group-policy Policy_TV2AB
tunnel-group 90.132.11.4 ipsec-attributes
pre-shared-key ***
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f30ec815041
: end
Data.jpg
Note: I isolated the 5550. I turned off the failover. It keeps rebooting more or less every 4 hours. I changed the ASA with the same configuration yesterday - same mishaps. I included a jpeg. You will see the red lines indicate a reboot of the platform.
: Saved
: Written by Administrator at 11:47:05.209 CEDT Fri Sep 10 2010
!
ASA Version 8.2(1)
!
hostname ASA-VPN
domain-name default.domain.invalid
enable password czn4HPAhrG7bVPkm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.33.24.252 RemoteHost_Intrum
name 192.168.93.206 RemoteHost_IVRA10
name 192.168.196.103 RemoteHost_IVRA11
name 192.168.196.105 RemoteHost_IVRA12
name 192.168.93.217 RemoteHost_IVRA13
name 192.168.77.15 RemoteHost_TV2
name 192.168.188.29 RemoteHost_IVRA3
name 192.168.189.102 RemoteHost_IVRA4
name 172.16.197.107 RemoteHost_IVRA5
name 192.168.95.66 RemoteHost_IVRA6
name 192.168.93.207 RemoteHost_IVRA7
name 172.16.61.136 RemoteHost_IVRA8
name 192.168.188.30 RemoteHost_IVRA9
name 10.0.0.0 RemoteNet_Interact
name 192.168.1.0 RemoteNet_Lalpack
name 10.29.2.0 RemoteNet_Soreco
name 10.150.26.64 RemoteNet_Paco
name 10.92.254.0 RemoteNet_Tackti
name 10.99.8.44 RemoteHost_IVRA1
name 172.32.2.150 TV2virgin
name 192.168.79.110 test_pc-TV2
name 172.20.229.0 RemoteNet_Sears
name 195.81.2.29 RemoteHost_Intrum1
name 172.20.1.0 Remote_Net_Astor1
name 172.20.3.0 Remote_Net_Astor2
name 192.168.196.104 Remote_Host_CFT
name 172.20.13.0 NAT_RemoteNet_Astor1
name 172.20.14.0 NAT_RemoteNet_Astor2
name 172.22.24.32 RemoteHost_AH_Simpsons1
name 172.22.24.33 RemoteHost_AH_Simpsons2
name 172.20.1.96 NAT_RemoteHost_Simpsonse1
name 172.20.1.97 NAT_RemoteHost_Simpsonse2
name 172.20.1.98 NAT_RemoteHost_Simpsonse3
name 193.12.60.0 AH_IP_ToAstor
name 192.168.85.0 AH_456-OFFICE-SERV
name 192.168.196.96 AH_455-PROD-SERV
name 192.168.198.80 AH_887-SegmentBlue description AH_SegmentBlue
name 192.168.95.28 AH_EUTV2DBB
name 192.168.67.160 AH_EUIVRALAB_09
name 193.12.93.148 AH_FRMOBCOMMANDES
name 192.168.93.243 AH_FRTV2CC3MOB
name 192.168.93.201 AH_FRTV2DB1
name 193.12.60.248 AH_MinisterDev
name 192.168.93.237 AH_RDBMS
name 172.16.33.81 AH_DITO
name 172.16.33.82 AH_EDISON
name 172.16.241.7 AH_EIFFEL
name 172.168.95.32 AH_EUTV2DBD
name 172.16.241.8 AH_KEPLER
name 172.16.60.77 AH_LOGON
name 172.168.188.29 AH_LUAHLUCFRUD
name 172.16.33.80 AH_NOTES
name 172.16.33.0 AH_AZUKNotes1
name 172.16.241.0 AH_AZUKNotes2
name 193.12.60.77 AH_AZUKNotes3
name 10.99.8.0 AH_FTPTRANSIT
name 192.168.189.96 AH_167-IVR
name 172.16.16.0 AH_SCANNING_IVR_MAINTENANC
!
interface GigabitEthernet0/0
description DATA
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
speed 100
duplex full
nameif MGMAH
security-level 100
ip address 172.30.99.100 255.255.255.248
management-only
!
interface Management0/0
speed 100
duplex full
nameif MGMT
security-level 100
ip address 172.30.5.252 255.255.255.0
!
interface GigabitEthernet1/0
description LAN/STATE Failover Interface
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif AHR_1001-U-INTERNET
security-level 0
allow-ssc-mgmt
ip address 178.251.16.40 255.255.255.192
ospf cost 10
ospf authentication-key AHR#OsPf
ospf authentication
!
interface RedundanAH
member-interface GigabitEthernet1/2
member-interface GigabitEthernet1/3
no nameif
security-level 90
allow-ssc-mgmt
no ip address
!
interface RedundanAH.2100
vlan 2100
nameif AH_INTERCO
security-level 90
ip address 172.32.1.254 255.255.255.0
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network Partner_Sears
network-object RemoteNet_Sears 255.255.255.0
object-group network Partner_INTERACT
network-object RemoteNet_Interact 255.255.255.0
object-group network Partner_INTRUM
network-object host RemoteHost_Intrum
object-group network Partner_Lalpack
network-object RemoteNet_Lalpack 255.255.255.0
object-group network Partner_SORECO
network-object RemoteNet_Soreco 255.255.255.0
object-group network Partner_Paco
network-object RemoteNet_Paco 255.255.255.224
object-group network Partner_Tackti
network-object RemoteNet_Tackti 255.255.255.0
object-group network Partner_TV2AB
network-object host RemoteHost_IVRA5
network-object host RemoteHost_IVRA8
network-object host RemoteHost_IVRA3
network-object host RemoteHost_IVRA9
network-object host RemoteHost_IVRA4
network-object host RemoteHost_IVRA11
network-object host RemoteHost_IVRA12
network-object host RemoteHost_TV2
network-object AH_456-OFFICE-SERV 255.255.255.0
network-object host RemoteHost_IVRA10
network-object host RemoteHost_IVRA7
network-object host RemoteHost_IVRA13
network-object host RemoteHost_IVRA6
network-object host RemoteHost_IVRA1
network-object host AH_EIFFEL
network-object host AH_KEPLER
network-object host AH_NOTES
network-object host AH_DITO
network-object host AH_EDISON
network-object host AH_LOGON
network-object host AH_LUAHLUCFRUD
network-object host AH_EUTV2DBD
network-object 172.32.1.0 255.255.255.0
network-object host AH_EUIVRALAB_09
network-object host AH_FRTV2DB1
network-object host AH_RDBMS
network-object host AH_FRTV2CC3MOB
network-object host AH_EUTV2DBB
network-object AH_IP_ToAstor 255.255.255.0
network-object host AH_MinisterDev
network-object host AH_FRMOBCOMMANDES
network-object AH_SCANNING_IVR_MAINTENANC
network-object 10.143.52.0 255.255.255.0
network-object 10.30.60.0 255.255.255.0
network-object AH_FTPTRANSIT 255.255.255.0
network-object AH_AZUKNotes2 255.255.255.0
network-object AH_AZUKNotes1 255.255.255.0
network-object host AH_AZUKNotes3
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
network-object host RemoteHost_IVRA8
network-object host RemoteHost_IVRA9
network-object host RemoteHost_TV2
network-object AH_456-OFFICE-SERV 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_2
network-object host RemoteHost_IVRA8
network-object host RemoteHost_IVRA9
network-object host RemoteHost_TV2
network-object host RemoteHost_IVRA10
network-object host RemoteHost_IVRA13
network-object host RemoteHost_IVRA1
network-object host RemoteHost_IVRA3
network-object host RemoteHost_IVRA6
network-object AH_IP_ToAstor 255.255.255.0
network-object 172.16.32.0 255.255.240.0
network-object 172.19.16.0 255.255.252.0
network-object 172.19.92.0 255.255.252.0
network-object 172.16.196.0 255.255.252.0
network-object 192.168.92.0 255.255.252.0
network-object RemoteNet_Paco 255.255.255.224
network-object AH_AZUKNotes2 255.255.255.0
network-object AH_AZUKNotes1 255.255.255.0
network-object host AH_AZUKNotes3
network-object AH_FTPTRANSIT 255.255.255.0
network-object 192.168.67.0 255.255.255.0
network-object 172.16.224.0 255.255.255.0
network-object 172.24.251.0 255.255.255.0
network-object host RemoteHost_IVRA5
network-object host RemoteHost_IVRA7
network-object AH_SCANNING_IVR_MAINTENANC
network-object 10.143.52.0 255.255.255.0
network-object 192.168.102.0 255.255.255.0
network-object 192.168.196.128 255.255.255.128
network-object 192.168.197.64 255.255.255.224
network-object 192.168.101.0 255.255.255.0
network-object 172.16.219.0 255.255.255.0
network-object 10.30.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object host RemoteHost_Intrum
network-object RemoteNet_Sears 255.255.255.0
network-object RemoteNet_Soreco 255.255.255.0
network-object host RemoteHost_Intrum1
group-object Partner_Lalpack
network-object Remote_Net_Astor1 255.255.255.0
network-object Remote_Net_Astor2 255.255.255.0
network-object RemoteNet_Tackti 255.255.255.0
network-object host RemoteHost_AH_Simpsons1
network-object host RemoteHost_AH_Simpsons2
network-object AH_456-OFFICE-SERV 255.255.255.0
network-object AH_455-PROD-SERV 255.255.255.224
network-object AH_887-SegmentBlue 255.255.255.240
network-object AH_167-IVR 255.255.255.240
group-object Partner_INTERACT
network-object RemoteNet_Paco 255.255.255.224
object-group service intrum_1570 tcp
port-object eq 1570
object-group service intrum_3389 tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_4
network-object host RemoteHost_IVRA10
network-object host RemoteHost_IVRA13
object-group network DM_INLINE_NETWORK_5
network-object host RemoteHost_IVRA10
network-object host RemoteHost_IVRA13
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_10
service-object ip
service-object icmp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_11
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_8
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_9
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_11
network-object NAT_RemoteNet_Astor1 255.255.255.0
network-object NAT_RemoteNet_Astor2 255.255.255.0
network-object Remote_Net_Astor1 255.255.255.0
network-object Remote_Net_Astor2 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object Remote_Net_Astor1 255.255.255.0
network-object Remote_Net_Astor2 255.255.255.0
network-object NAT_RemoteNet_Astor1 255.255.255.0
network-object NAT_RemoteNet_Astor2 255.255.255.0
object-group service DM_INLINE_SERVICE_12
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_13
service-object ip
service-object icmp echo-reply
service-object icmp echo
object-group service DM_INLINE_SERVICE_15
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_16
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network Partner_SimpsonsE
network-object host NAT_RemoteHost_Simpsonse1
network-object host NAT_RemoteHost_Simpsonse2
network-object host NAT_RemoteHost_Simpsonse3
object-group network DM_INLINE_NETWORK_6
network-object host RemoteHost_AH_Simpsons1
network-object host RemoteHost_AH_Simpsons2
object-group network DM_INLINE_NETWORK_7
network-object host RemoteHost_AH_Simpsons1
network-object host RemoteHost_AH_Simpsons2
object-group network DM_INLINE_NETWORK_8
network-object host RemoteHost_AH_Simpsons1
network-object host RemoteHost_AH_Simpsons2
object-group network DM_INLINE_NETWORK_9
network-object AH_455-PROD-SERV 255.255.255.224
network-object AH_456-OFFICE-SERV 255.255.255.0
network-object AH_887-SegmentBlue 255.255.255.240
network-object AH_167-IVR 255.255.255.240
object-group network DM_INLINE_NETWORK_10
network-object AH_455-PROD-SERV 255.255.255.224
network-object AH_456-OFFICE-SERV 255.255.255.0
object-group network DM_INLINE_NETWORK_13
network-object AH_455-PROD-SERV 255.255.255.224
network-object AH_456-OFFICE-SERV 255.255.255.0
network-object AH_887-SegmentBlue 255.255.255.240
network-object AH_167-IVR 255.255.255.240
object-group service DM_INLINE_SERVICE_14
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_17
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_15
network-object AH_AZUKNotes2 255.255.255.0
network-object AH_AZUKNotes1 255.255.255.0
network-object host AH_AZUKNotes3
network-object AH_FTPTRANSIT 255.255.255.0
network-object host 172.16.197.19
network-object host 172.16.32.14
network-object host 172.16.224.36
network-object 192.168.93.0 255.255.255.0
network-object host AH_EUIVRALAB_09
network-object host 193.12.60.104
network-object 10.30.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_14
network-object host RemoteHost_IVRA5
network-object host RemoteHost_IVRA8
network-object host RemoteHost_IVRA3
network-object host RemoteHost_IVRA4
network-object host RemoteHost_IVRA7
network-object host RemoteHost_IVRA6
object-group service DM_INLINE_SERVICE_18
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_19
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_16
network-object host RemoteHost_IVRA5
network-object host RemoteHost_IVRA8
network-object host RemoteHost_IVRA3
network-object host RemoteHost_IVRA4
network-object host RemoteHost_IVRA7
network-object host RemoteHost_IVRA6
object-group service DM_INLINE_SERVICE_20
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_17
network-object 10.30.60.0 255.255.255.0
network-object host RemoteHost_IVRA5
network-object host 172.16.224.53
network-object host 172.16.60.10
network-object host 172.16.60.11
network-object RemoteNet_Paco 255.255.255.224
object-group network DM_INLINE_NETWORK_18
network-object host RemoteHost_IVRA5
network-object host 172.16.224.53
network-object host 172.16.60.10
network-object host 172.16.60.11
network-object 10.143.52.0 255.255.255.0
object-group service DM_INLINE_SERVICE_21
service-object ip
service-object icmp echo
object-group service DM_INLINE_SERVICE_22
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_23
service-object ip
service-object icmp echo
service-object icmp echo-reply
access-list AHR_1001-U-INTERNET_1_cryp
access-list AH_INTERCO_nat0_outbound extended permit ip RemoteNet_Sears 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list AH_INTERCO_nat0_outbound extended permit ip object-group Partner_INTERACT object-group DM_INLINE_NETWORK_16
access-list AH_INTERCO_nat0_outbound extended permit ip host RemoteHost_Intrum1 object-group DM_INLINE_NETWORK_5
access-list AH_INTERCO_nat0_outbound extended permit ip RemoteNet_Soreco 255.255.255.0 host RemoteHost_IVRA10
access-list AH_INTERCO_nat0_outbound extended permit ip object-group Partner_Tackti object-group Partner_TV2AB
access-list AH_INTERCO_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_6 host RemoteHost_IVRA6
access-list AH_INTERCO_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_10 object-group Partner_TV2AB
access-list AH_INTERCO_nat0_outbound extended permit ip host AH_167-IVR object-group Partner_TV2AB
access-list AH_INTERCO_nat0_outbound extended permit ip RemoteNet_Paco 255.255.255.224 10.143.52.0 255.255.255.0
access-list TEST_INTER_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list TEST_INTER_nat0_outbound extended permit ip host TV2virgin host test_pc-TV2
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_2 RemoteNet_Sears 255.255.255.0 object-group Partner_TV2AB
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_5 host RemoteHost_Intrum1 object-group DM_INLINE_NETWORK_4
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_6 RemoteNet_Soreco 255.255.255.0 host RemoteHost_IVRA10
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_10 object-group Partner_Tackti object-group Partner_TV2AB
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_11 object-group Partner_Lalpack object-group Partner_TV2AB
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_12 object-group DM_INLINE_NETWORK_11 AH_IP_ToAstor 255.255.255.0
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_15 object-group DM_INLINE_NETWORK_7 host RemoteHost_IVRA6
access-list AH_INTERCO_access_in remark AH_Ouverture sur 3 LocalNets
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_17 object-group DM_INLINE_NETWORK_9 any
access-list AH_INTERCO_access_in remark AH_Ouverture sur RemoteNet
access-list AH_INTERCO_access_in extended permit ip any RemoteNet_Paco 255.255.255.224
access-list AH_INTERCO_access_in remark AH_Ouverture sur RemoteNet
access-list AH_INTERCO_access_in extended permit ip any object-group DM_INLINE_NETWORK_15
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_18 object-group Partner_INTERACT object-group DM_INLINE_NETWORK_14
access-list AH_INTERCO_access_in extended permit object-group DM_INLINE_SERVICE_22 RemoteNet_Paco 255.255.255.224 object-group DM_INLINE_NETWORK_18
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AHR_1001-U-INTERNET_access
access-list AH_INTERCO_nat_static extended permit ip NAT_RemoteNet_Astor1 255.255.255.0 object-group Partner_TV2AB
access-list NDM extended permit ip 172.31.0.0 255.255.0.0 host 172.32.1.254
pager lines 24
logging enable
logging standby
logging trap debugging
logging asdm informational
logging host MGMT 172.31.12.22
mtu MGMAH 1500
mtu MGMT 1500
mtu AHR_1001-U-INTERNET 1500
mtu AH_INTERCO 1500
no failover
failover lan unit primary
failover lan interface Failover GigabitEthernet1/0
failover interface-policy 100%
failover key *****
failover replication http
failover link Failover GigabitEthernet1/0
failover interface ip Failover 172.30.93.3 255.255.255.0 standby 172.30.93.4
no monitor-interface AHR_1001-U-INTERNET
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (AHR_1001-U-INTERNET) 2 192.168.85.100 netmask 255.0.0.0
global (AH_INTERCO) 1 172.30.110.2 netmask 255.255.255.255
nat (AH_INTERCO) 0 access-list AH_INTERCO_nat0_outbound
static (AH_INTERCO,AHR_1001-U-INT
access-group AHR_1001-U-INTERNET_access
access-group AH_INTERCO_access_in in interface AH_INTERCO
!
router ospf 1
log-adj-changes
!
router ospf 110
network 178.251.16.0 255.255.255.192 area 0
area 0 authentication
log-adj-changes
!
route AH_INTERCO RemoteNet_Interact 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteNet_Soreco 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteHost_Intrum 255.255.255.255 172.32.1.253 1
route AH_INTERCO RemoteNet_Tackti 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteNet_Paco 255.255.255.224 172.32.1.253 1
route AH_INTERCO Remote_Net_Astor1 255.255.255.0 172.32.1.253 1
route AH_INTERCO Remote_Net_Astor2 255.255.255.0 172.32.1.253 1
route AH_INTERCO NAT_RemoteNet_Astor1 255.255.255.0 172.32.1.253 1
route AH_INTERCO NAT_RemoteNet_Astor2 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteNet_Sears 255.255.255.0 172.32.1.253 1
route AH_INTERCO RemoteHost_AH_Simpsons1 255.255.255.255 172.32.1.253 1
route AH_INTERCO RemoteHost_AH_Simpsons2 255.255.255.255 172.32.1.253 1
route MGMT 172.31.0.0 255.255.0.0 172.30.5.254 2
route AH_INTERCO RemoteNet_Lalpack 255.255.255.0 172.32.1.253 1
route AH_INTERCO AH_456-OFFICE-SERV 255.255.255.0 172.32.1.253 1
route AH_INTERCO AH_167-IVR 255.255.255.240 172.32.1.253 1
route AH_INTERCO AH_455-PROD-SERV 255.255.255.224 172.32.1.253 1
route AH_INTERCO AH_887-SegmentBlue 255.255.255.240 172.32.1.253 1
route AH_INTERCO RemoteHost_Intrum1 255.255.255.255 172.32.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
http server enable
http 172.30.0.0 255.255.0.0 MGMAH
http 172.30.0.0 255.255.0.0 MGMT
http 172.31.0.0 255.255.0.0 MGMAH
http 172.31.0.0 255.255.0.0 MGMT
snmp-server host MGMT 172.31.12.17 community ******
no snmp-server location
no snmp-server contact
snmp-server community ******
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map AHR_1001-U-INTERNET_map 1 match address AHR_1001-U-INTERNET_1_cryp
crypto map AHR_1001-U-INTERNET_map 1 set peer 90.132.11.4
crypto map AHR_1001-U-INTERNET_map 1 set transform-set ESP-3DES-MD5
crypto map AHR_1001-U-INTERNET_map interface AHR_1001-U-INTERNET
crypto isakmp enable AHR_1001-U-INTERNET
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 172.30.0.0 255.255.0.0 MGMAH
ssh 172.31.0.0 255.255.0.0 MGMAH
ssh 172.31.0.0 255.255.0.0 MGMT
ssh 172.30.0.0 255.255.0.0 MGMT
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.32.1.253 source AH_INTERCO
webvpn
group-policy Policy_TV2AB internal
group-policy Policy_TV2AB attributes
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
username Administrator password ZUlb3Nc9fYOvZKpq encrypted privilege 15
tunnel-group 90.132.11.4 type ipsec-l2l
tunnel-group 90.132.11.4 general-attributes
default-group-policy Policy_TV2AB
tunnel-group 90.132.11.4 ipsec-attributes
pre-shared-key ***
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f30ec815041
: end
Data.jpg
ASKER
The line you see in red on the graph - it means, the ASA was unavailable (it rebooted).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Indeed, I swapped the ASA yesterday. I kept the same configuration that I injected in the standalone ASA 5500.
We've passed the 4-hour reboot time - hurray - It might be an IOS bug otherwise I'm off solutions.
I included one more graph here. (I'm in the Paris time zone).
Thank you
Graph2.jpg
We've passed the 4-hour reboot time - hurray - It might be an IOS bug otherwise I'm off solutions.
I included one more graph here. (I'm in the Paris time zone).
Thank you
Graph2.jpg
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It turned out:
I got a message from a TAC I opened up:
I understand that you are crashing and have decoded the crash and I could find the problem that you are facing now. The bug ID that you are facing now is CSCta02170.
I got a message from a TAC I opened up:
I understand that you are crashing and have decoded the crash and I could find the problem that you are facing now. The bug ID that you are facing now is CSCta02170.
ASKER
Thank you
ASKER
ASA-VV# show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Comm Failure 05:36:51 CEDT Sep 8 2010
====Configuration State===
====Communication State===
ASA-VV#