Shark Attack
 asked on

asa failover

How would I create ASA failover in this scenario if the edge device is a router and the interface number 1 and 2 cannot be on the same subnet, obviously? Let's say I'm using 192.168.1.1 on interface 3 of the ASA1. The R2 router has an IP of 192.168.1.2. What should I do for interface 1?

2016-09-16_14-19-42.jpg
Last Comment
Shark Attack

8/22/2022 - Mon
SIM50

Put a switch between R2 and ASA failover cluster.
Shark Attack

ASKER
that would be the only option right? I couldn't think of anything else
Jan Bacher

Can you:

   interface g1/0.10
     dot.1q
     ip unnumbered loopback 10

   interface g2/0.10
     dot.1q
     ip unnumbered loopback 10
 
  int loopback 10
    ip address GATEWAY.IP GATEWAY.MASK
Shark Attack

ASKER
hmmm, I will give it a shot and let you know. thanks!
Shark Attack

ASKER
I have one more question. My failover configuration is working. I can sync the ASAs, and when viewing "show failover" on both ASAs I can tell which is on standby and which is active. I can switch them easily by doing "failover active", but I have a problem: I cannot reach anything once the standby firewall takes over. I cannot even ping its connected interface from the R1 switch, nor can I ping port 4 from R2. All interfaces show as UP. Any suggestions?

rehge.jpg
Jan Bacher

You have to do the same at the inside router that you did with the outside one.
Shark Attack

ASKER
Not sure if I understand. What exactly do I have to do on the routers? Both routers are configured identically.
Shark Attack

ASKER
I forgot to mention that I replaced the top router with an L3 switch so I didn't have to do the sub-interfaces. Neither top nor bottom switch can ping its connected interfaces from the ASA2.
Jan Bacher

May we have an updated diagram and configurations, please?
Shark Attack

ASKER
Yes!
2016-09-20_9-40-33.jpg
R1 switch
R1#show ip int br | ex un
Interface                  IP-Address      OK? Method Status                Protocol
Vlan2                      2.2.2.2         YES manual up                    up
Vlan3                      3.3.3.1         YES manual up                    up
R1#
R1#show run int f1/0
Building configuration...

Current configuration : 59 bytes
!
interface FastEthernet1/0
 switchport access vlan 2
end

R1#show run int f1/1
Building configuration...

Current configuration : 59 bytes
!
interface FastEthernet1/1
 switchport access vlan 2
end

R1#show run | i route
ip route 0.0.0.0 0.0.0.0 2.2.2.1

R1#ping 10.140.10.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.140.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/51/68 ms



R2 switch
R2#show ip int br | ex un
Interface                  IP-Address      OK? Method Status                Protocol
Vlan2                      1.1.1.2         YES manual up                    up
Vlan140                    10.140.10.1     YES manual up                    up
R2#show run int f1/0
Building configuration...

Current configuration : 59 bytes
!
interface FastEthernet1/0
 switchport access vlan 2
end

R2#show run int f1/1
Building configuration...

Current configuration : 59 bytes
!
interface FastEthernet1/1
 switchport access vlan 2
end

R2#show run | i route
ip route 0.0.0.0 0.0.0.0 1.1.1.1
R2#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/52/76 ms



ASA1
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0 standby 2.2.2.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.3
!
interface Ethernet0/4
 description LAN Failover Interface
!
interface Ethernet0/5
 description STATE Failover Interface
failover
failover lan unit primary
failover lan interface FAILO Ethernet0/4
failover key *****
failover link LINKFO Ethernet0/5
failover interface ip FAILO 5.5.5.1 255.255.255.0 standby 5.5.5.5
access-list 100 extended permit ip any any
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route inside 10.140.10.0 255.255.255.0 1.1.1.2 1

ASA-PRI/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 00:06:32 UTC Nov 30 1999
        This host: Primary - Active
                Active time: 1179 (sec)
                slot 0: empty
                  Interface outside (2.2.2.1): Normal
                  Interface inside (1.1.1.1): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: empty
                  Interface outside (2.2.2.3): Normal
                  Interface inside (1.1.1.3): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LINKFO Ethernet0/5 (Configuration incomplete)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0



ASA2
ASA-PRI/sec/stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 00:00:00 UTC Nov 30 1999
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: empty
                  Interface outside (2.2.2.3): Normal
                  Interface inside (1.1.1.3): Normal
                slot 1: empty
        Other host: Primary - Active
                Active time: 1208 (sec)
                slot 0: empty
                  Interface outside (2.2.2.1): Normal
                  Interface inside (1.1.1.1): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LINKFO Ethernet0/5 (Configuration incomplete)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

Shark Attack

ASKER
Also, here are the hosts and when switching asa2 to active

R4#PING 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/68/76 ms
R4#



ASA-PRI/sec/stby(config)# failover active

        Switching to Active



R4#PING 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)



ASA-PRI/pri/stby(config)# failover active

        Switching to Active


R4#PING 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/64/84 ms


Jan Bacher

R4's default route should be R2 interface IP.

R2's default route should be the inside interface IP of the ASA.

ASA1 (and by default ASA2) default route should be the interface IP of R1.

R1's default route should be the interface IP of R3.
Shark Attack

ASKER
R4's default route should be R2 interface IP.
10.140.10.1 is the vlan interface IP
R4#show run | i route
ip route 0.0.0.0 0.0.0.0 10.140.10.1


R2#show ip int br | ex un
Interface                  IP-Address      OK? Method Status                Protocol
Vlan2                      1.1.1.2         YES manual up                    up
Vlan140                    10.140.10.1     YES manual up                    up




R2's default route should be the inside interface IP of the ASA.
that also looks right
R2#show run | i route
ip route 0.0.0.0 0.0.0.0 1.1.1.1


System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                2.2.2.1         255.255.255.0   manual
Ethernet0/1              inside                 1.1.1.1         255.255.255.0   manual
Ethernet0/4              FAILO                  5.5.5.1         255.255.255.0   unset




ASA1 (and by default ASA2) default route should be the interface IP of R1.
ASA-PRI/pri/act(config)# show run | i route
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route inside 10.140.10.0 255.255.255.0 1.1.1.2 1


R1#show ip int br | ex un
Interface                  IP-Address      OK? Method Status                Protocol
Vlan2                      2.2.2.2         YES manual up                    up
Vlan3                      3.3.3.1         YES manual up                    up




R1's default route should be the interface IP of R3.
R1#show run | i route
ip route 0.0.0.0 0.0.0.0 2.2.2.1
R3#show ip int br | ex un
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            3.3.3.3         YES manual up                    up


Jan Bacher

Yes, that last one is confusing.  What's the goal?
Shark Attack

ASKER
R3 is configured as a host. Its default route is 3.3.3.1, which is R1's interface. R1 doesn't need any route to R3 since it's directly connected.

R3#show ip int br | ex un
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            3.3.3.3         YES manual up                    up


R1#show ip int br | ex un
Interface                  IP-Address      OK? Method Status                Protocol
Vlan2                      2.2.2.2         YES manual up                    up
Vlan3                      3.3.3.1         YES manual up                    up
R1#



The problem is, when I make the ASA2 ACTIVE, I cannot ping across between the hosts anymore and I have no idea why.
Jan Bacher

This is what I wrote:

     R1's default route should be the interface IP of R3.

This is the response:

     R1#show run | i route
     ip route 0.0.0.0 0.0.0.0 2.2.2.1

R1's default route should not be the ASA.
Shark Attack

ASKER
I see, I made that change; still not working though. When I make the ASA2 ACTIVE, I can't even reach its E1 interface from R2.

ASA2
ASA-PRI/sec/act# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 01:25:53 UTC Nov 30 1999
        This host: Secondary - Active
                Active time: 283 (sec)




R2
R2#show ip int br | ex un
Interface                  IP-Address      OK? Method Status                Protocol
Vlan2                      1.1.1.2         YES manual up                    up
Vlan140                    10.140.10.1     YES manual up                    up



ASA2
ASA-PRI/sec/act# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                2.2.2.1         255.255.255.0   CONFIG
Ethernet0/1              inside                 1.1.1.1         255.255.255.0   CONFIG
Ethernet0/4              FAILO                  5.5.5.1         255.255.255.0   unset



R2
R2#show run | i route
ip route 0.0.0.0 0.0.0.0 1.1.1.1
R2#
R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Shark Attack

ASKER
I don't know if this is a GNS error or if there is something wrong with my config.
Jan Bacher

The inside interfaces (anything with a security level greater than 0) block ICMP by default.
Shark Attack

ASKER
OK, my traceroute to R3 ends on R2. I am assuming I won't see the ASA on the traceroute either way.

R4#traceroute 3.3.3.3

Type escape sequence to abort.
Tracing the route to 3.3.3.3

  1 10.140.10.1 24 msec 36 msec 16 msec
  2  *  *  *
  3



Is there any way I can troubleshoot this?
Jan Bacher

I would expect that the packets would be completely blocked.

If you want to enable it for testing:

access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-group inside_in in interface inside

! substitute "inside" with the nameif of the inside interface
Shark Attack

ASKER
OK, there is clearly a problem. I have made the ASA2 the ACTIVE. When I created the ACL and attached it, the traffic seems to be forwarding to ASA1 because I can see hit counts on ASA1 and not ASA2.

ASA2 - ACTIVE
ASA-PRI/sec/act# show access-l inside_in
access-list inside_in; 2 elements
access-list inside_in line 1 extended permit icmp any any (hitcnt=0) 0xb92ed037
access-list inside_in line 2 extended permit ip any any (hitcnt=0) 0xb80bc887




ASA1 - Standby
ASA-PRI/pri/stby(config)# show access-l inside_in
access-list inside_in; 2 elements
access-list inside_in line 1 extended permit icmp any any (hitcnt=27) 0xb92ed037
access-list inside_in line 2 extended permit ip any any (hitcnt=0) 0xb80bc887



ASA1
Failover On
Failover unit Primary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 01:25:55 UTC Nov 30 1999
        This host: Primary - Standby Ready



ASA2
ASA-PRI/sec/act# SHOW FAIL
Failover On
Failover unit Secondary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 01:25:53 UTC Nov 30 1999
        This host: Secondary - Active
                Active time: 2726 (sec)


Jan Bacher

Would you please post an updated configuration (interface IPs, any routing) for R4 and R2?
Shark Attack

ASKER
R2#
R2#show run
Building configuration...

Current configuration : 1564 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 switchport access vlan 2
 shutdown
!
interface FastEthernet1/1
 switchport access vlan 2
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
 switchport access vlan 140
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 1.1.1.2 255.255.255.0
!
interface Vlan140
 ip address 10.140.10.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end



R4#show run
Building configuration...

Current configuration : 895 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.140.10.100 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.140.10.1
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

Jan Bacher

On R2, you should have both f1/0 and f1/1 no shut.

Put the ACL on the ASA, reboot the secondary and when it comes up:

1) ping from R4 to R2 to ASA to R3 to R1, one at a time

2) "sh failover" on the active ASA

3) "sh route" on the active ASA
Shark Attack

ASKER
ASA-PRI/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 02:21:13 UTC Nov 30 1999
        This host: Primary - Active
                Active time: 5136 (sec)
                slot 0: empty
                  Interface outside (2.2.2.1): Normal
                  Interface inside (1.1.1.1): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: empty
                  Interface outside (2.2.2.3): Normal
                  Interface inside (1.1.1.3): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LINKFO Ethernet0/5 (Configuration incomplete)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
ASA-PRI/pri/act#  show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.2.2 to network 0.0.0.0

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    2.2.2.0 255.255.255.0 is directly connected, outside
C    5.5.5.0 255.255.255.0 is directly connected, FAILO
S    10.140.10.0 255.255.255.0 [1/0] via 1.1.1.2, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 2.2.2.2, outside
ASA-PRI/pri/act#


Shark Attack

ASKER
also f1/0 and f1/1 are both ON and ON. Not sure why they don't show "no shut" but I checked and verified
Jan Bacher

You may have done a "show conf" instead of a "show run".  If the configuration wasn't saved after a "no shut" on that interface then it will show as admin down on the saved configuration.

Pings?
Shark Attack

ASKER
R4#ping 10.140.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.140.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms


R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/18/28 ms


ASA-PRI/pri/act(config)# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/30 ms


R1(config)#do ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/33/68 ms
R1(config)#


Jan Bacher

From R4, can you ping 3.3.3.3?

If your ASA is doing NAT, that subnet should be routed from R1 to R3 and again from R3 to ASA.

Else the 10.40.10.0/24 should be routed in the same direction.

OSPF is a very helpful interior protocol.
Shark Attack

ASKER
The ASAs are not doing NAT. I'm starting to think this is a GNS3 issue. Even with OSPF it's not working.
SIM50

Zack, from primary ASA can you do the following:
ping outside 2.2.2.3
ping inside 1.1.1.3
Shark Attack

ASKER
yep

ASA-PRI/pri/act# ping outside 2.2.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.3, timeout is 2 seconds:
!!!!!



ASA-PRI/pri/act# ping inside 1.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms



ASA-PRI/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 03:42:10 UTC Nov 30 1999
        This host: Primary - Active

Shark Attack

ASKER
I have full access from end to end when primary is ACTIVE. When I switch ASA2 over to ACTIVE, it all goes down.
Jan Bacher

On each ASA, "show failover"
Shark Attack

ASKER
ASA1
ASA-PRI/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 03:42:10 UTC Nov 30 1999
        This host: Primary - Active
                Active time: 6848 (sec)
                slot 0: empty
                  Interface outside (2.2.2.1): Normal
                  Interface inside (1.1.1.1): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 3569 (sec)
                slot 0: empty
                  Interface outside (2.2.2.3): Normal
                  Interface inside (1.1.1.3): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LINKFO Ethernet0/5 (Configuration incomplete)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0



ASA2
ASA-PRI/sec/stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 01:16:24 UTC Nov 30 1999
        This host: Secondary - Standby Ready
                Active time: 3569 (sec)
                slot 0: empty
                  Interface outside (2.2.2.3): Normal
                  Interface inside (1.1.1.3): Normal
                slot 1: empty
        Other host: Primary - Active
                Active time: 6853 (sec)
                slot 0: empty
                  Interface outside (2.2.2.1): Normal
                  Interface inside (1.1.1.1): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LINKFO Ethernet0/5 (Configuration incomplete)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
ASA-PRI/sec/stby#

Shark Attack

ASKER
I can ping 3.3.3.3 from R4 but not from R2, I noticed. So it seems like I have connectivity from the 10.140.10.0 network to 3.3.3.0.

R4#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/71/80 ms
R4#


R2#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Shark Attack

ASKER
from source vlan it obviously works

R2#ping 3.3.3.3 source 10.140.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.140.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/50/64 ms


Shark Attack

ASKER
should the f1/0 on R2 be a trunk?
Jan Bacher

No, it's a single vlan.
Shark Attack

ASKER
When I get rid of the failover config on ASA1 and promote the ASA2 to active, it works. As soon as I configure the ASA1 with failover, it goes down again.
Jan Bacher

On each ASA, "show failover".

I'd like to see both at the same time.
Shark Attack

ASKER
ASA1
ASA-PRI/pri/stby# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 00:00:01 UTC Nov 30 1999
        This host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: empty
                  Interface outside (2.2.2.3): Normal (Waiting)
                  Interface inside (1.1.1.3): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Active
                Active time: 386 (sec)
                slot 0: empty
                  Interface outside (2.2.2.1): Normal (Waiting)
                  Interface inside (1.1.1.1): Normal (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LINKFO Ethernet0/5 (Configuration incomplete)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0


ASA2
ASA-PRI/sec/act# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 00:00:57 UTC Nov 30 1999
        This host: Secondary - Active
                Active time: 403 (sec)
                slot 0: empty
                  Interface outside (2.2.2.1): Normal (Waiting)
                  Interface inside (1.1.1.1): Normal (Waiting)
                slot 1: empty
        Other host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: empty
                  Interface outside (2.2.2.3): Failed (Waiting)
                  Interface inside (1.1.1.3): Failed (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LINKFO Ethernet0/5 (Configuration incomplete)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Jan Bacher

I'd like to see a "show int" of each of these interfaces:

1) ASA2 inside
2) ASA2 outside
3) R1 f1/1
4) R2 f1/1
Jan Bacher

Also please [re]post your failover configuration on both ASAs.

And a "show int" of both ASA failover interfaces.

ASA2 inside and outside are in a failed state.
Jan Bacher

You know what it looks like to me?  Like you independently configured both ASAs.

This is what you do with ASA2:

* wipe the configuration
* put a unique IP in the same subnet as ASA1 on the outside interface, same mask
* create the failover configuration
* wr mem
* on ASA1 do a "wr stand"

And nothing else.
Shark Attack

ASKER
ASA-PRI/sec/stby# show int e0/0
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is linaeth, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex(Full-duplex), (100 Mbps)
        MAC address 00ab.a72f.0100, MTU 1500
        IP address 2.2.2.3, subnet mask 255.255.255.0
        0 packets input, 4111 bytes, 0 no buffer
        Received 13 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 308 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (128/128) software (0/3)
        output queue (curr/max packets): hardware (0/0) software (0/1)
  Traffic Statistics for "outside":
        64 packets input, 3265 bytes
        21 packets output, 1788 bytes
        39 packets dropped
      1 minute input rate 0 pkts/sec,  25 bytes/sec
      1 minute output rate 0 pkts/sec,  17 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
ASA-PRI/sec/stby# show int e0/1
Interface Ethernet0/1 "inside", is up, line protocol is up
  Hardware is linaeth, BW 1000 Mbps, DLY 1000 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Media-type configured as RJ45 connector
        MAC address 00ab.a72f.0101, MTU 1500
        IP address 1.1.1.3, subnet mask 255.255.255.0
        0 packets input, 4065 bytes, 0 no buffer
        Received 12 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 430 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (128/128) software (0/3)
        output queue (curr/max packets): hardware (0/0) software (0/1)
  Traffic Statistics for "inside":
        58 packets input, 2949 bytes
        24 packets output, 1792 bytes
        36 packets dropped
      1 minute input rate 0 pkts/sec,  20 bytes/sec
      1 minute output rate 0 pkts/sec,  14 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

R1
R1#show int f1/1
FastEthernet1/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is c200.52e4.f101 (bia c200.52e4.f101)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

R2
R2#SHOW INT F1/1
FastEthernet1/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is c201.52e4.f101 (bia c201.52e4.f101)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 6 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Shark Attack

ASKER
Yeah, I did all of that and still nothing. I don't trust GNS3 that much with this. Either way, last question: if I already have an ASA in production and want to incorporate a standby firewall for failover, will connecting the firewalls to each other or configuring them in any way impact the network connectivity?
Jan Bacher

It shouldn't.  

But the problem that I have with your configuration is that:

* the Active ASA has the outbound IP inside and outside (as it should)

* the Standby ASA has an alternate outbound IP inside and outside.
   => as if the inside interface was configured before the failover.
         this is wrong.  the standby is supposed to get everything
         except the alternate outside IP and the failover configuration
         from the active ASA.
Shark Attack

ASKER
Should I have the standby reconfigured or is it configured correctly? At first, I thought I needed to configure the standby IP and point the R2 switch to the standby IP but that was wrong.

ASA1
ASA-PRI/pri/act(config)# show run int e0/1
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.3
ASA-PRI/pri/act(config)# show run int e0/0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0
ASA-PRI/pri/act(config)#


ASA2
SA-PRI/sec/stby(config)# show run int e0/1
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.3
ASA-PRI/sec/stby(config)# show run int e0/0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0

Jan Bacher

No.  Again, your inside interface does not have a standby IP.

ASA1:

int e0/1
  nameif inside
  security-level 100
  ip address 1.1.1.1 255.255.255.0

int e0/0
  nameif outside
  security-level 0
  ip address 2.2.2.1 255.255.255.0 standby 2.2.2.3

route outside 0.0.0.0 0.0.0.0 2.2.2.2 1

<your failover stuff and other nat, etc>

ASA2:

int e0/0
  nameif outside
  ip address 2.2.2.1 255.255.255.0 standby 2.2.2.3

int failover_interface_number
   no shut

<your failover stuff>

Connect the cable.  Verify both interfaces up and operational.  "Wr standby" on the Active unit.
Shark Attack

ASKER
OK, I made all the changes and still can't ping out from the ASA2 while in ACTIVE.
I pasted the failover status

ASA1
ASA-PRI/pri/stby# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 01:25:43 UTC Nov 30 1999
        This host: Primary - Standby Ready
                Active time: 3550 (sec)
                slot 0: empty
                  Interface outside (2.2.2.3): Normal (Waiting)
                  Interface inside (0.0.0.0): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Active
                Active time: 231 (sec)
                slot 0: empty
                  Interface outside (2.2.2.1): Normal (Waiting)
                  Interface inside (1.1.1.1): Normal (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LINKFO Ethernet0/5 (Configuration incomplete)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0


ASA2
ASA-PRI/sec/act(config)# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 00:53:01 UTC Nov 30 1999
        This host: Secondary - Active
                Active time: 251 (sec)
                slot 0: empty
                  Interface outside (2.2.2.1): Normal (Waiting)
                  Interface inside (1.1.1.1): Normal (Waiting)
                slot 1: empty
        Other host: Primary - Standby Ready
                Active time: 3550 (sec)
                slot 0: empty
                  Interface outside (2.2.2.3): Normal (Waiting)
                  Interface inside (0.0.0.0): Normal (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : LINKFO Ethernet0/5 (Configuration incomplete)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Jan Bacher

That looks much better.

What licensing do you have on these?
Shark Attack

ASKER
 0: Ext: Ethernet0/0         : address is 00ab.a72f.0100, irq 255
 1: Ext: Ethernet0/1         : address is 00ab.a72f.0101, irq 255
 2: Ext: Ethernet0/2         : address is 0000.ab56.a502, irq 255
 3: Ext: Ethernet0/3         : address is 0000.ab53.4503, irq 255
 4: Ext: Ethernet0/4         : address is 00ab.a72f.0104, irq 255
 5: Ext: Ethernet0/5         : address is 00ab.a72f.0105, irq 255
VLANs                        : 200
Failover                     : Active/Active
3DES-AES                     : Enabled
Security Contexts            : 20
GTP/GPRS                     : Enabled
VPN Peers                    : 5000
WebVPN Peers                 : 2500
ADV END SEC                  : Enabled

Jan Bacher

Things to double-check:

1) failover licensing (good)
2) all interfaces up/up, proper speed and duplex
3) identical configurations on the ASAs
4) failover configured properly (yes)

One thing to try would be to swap the outside and inside cables to see if the problem travels with the cables or stays with the unit.

Did you wipe ASA2 and start over or did you simply change the addressing of the interfaces?
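
Added example, not part of the thread: a small Python parser for the "show failover" layout posted above that lists the lines worth a second look when the two units' outputs are compared (an interface state other than Normal, an interface still in Waiting, a unit showing 0.0.0.0, a stateful link that is not up). The sample text is constructed from the thread's output; the function names and the reading of Waiting as "no hello received from the peer's matching interface yet" are assumptions of this example.

```python
import re

# Constructed sample in the layout of the "show failover" output posted above (trimmed).
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILO Ethernet0/4 (up)
Version: Ours 8.0(2), Mate 8.0(2)
        This host: Primary - Standby Ready
                  Interface outside (2.2.2.3): Normal (Waiting)
                  Interface inside (0.0.0.0): Normal (Waiting)
        Other host: Secondary - Active
                  Interface outside (2.2.2.1): Normal (Waiting)
                  Interface inside (1.1.1.1): Failed (Waiting)
Stateful Failover Logical Update Statistics
        Link : LINKFO Ethernet0/5 (Configuration incomplete)
"""

VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")
HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(.+?)(?:\s*\((\w+)\))?\s*$")
LINK_RE = re.compile(r"^\s*Link\s*:\s*(\S+)\s+(\S+)\s*\((.+)\)\s*$")


def parse_show_failover(text):
    """Turn one unit's 'show failover' text into a dict (hypothetical helper)."""
    result = {"versions": None, "hosts": {}, "stateful_link": None}
    current = None  # "this" or "other", set when a host header line is seen
    for line in text.splitlines():
        if m := VER_RE.match(line):
            result["versions"] = m.groups()
        elif m := HOST_RE.match(line):
            current = m.group(1).lower()
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3),
                                        "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            name, ip, state, detail = m.groups()
            result["hosts"][current]["interfaces"][name] = {
                "ip": ip, "state": state, "detail": detail}
        elif m := LINK_RE.match(line):
            result["stateful_link"] = {"name": m.group(1), "port": m.group(2),
                                       "status": m.group(3)}
    return result


def findings(parsed):
    """List the items to check by hand; an empty list means nothing stood out."""
    out = []
    v = parsed["versions"]
    if v and v[0] != v[1]:
        out.append(f"software mismatch: ours {v[0]}, mate {v[1]}")
    for who, host in parsed["hosts"].items():
        for name, i in host["interfaces"].items():
            tag = f"{who} host ({host['unit']}, {host['state']}) {name}"
            if i["ip"] == "0.0.0.0":
                out.append(f"{tag}: shows 0.0.0.0, no address for this unit")
            if i["state"] != "Normal":
                out.append(f"{tag}: state is {i['state']}")
            elif i["detail"] == "Waiting":
                # Assumption: Waiting = peer hellos not yet seen on this interface.
                out.append(f"{tag}: Normal but still Waiting")
    link = parsed["stateful_link"]
    if link and link["status"] != "up":
        out.append(f"stateful link {link['name']} {link['port']}: {link['status']}")
    return out


if __name__ == "__main__":
    for item in findings(parse_show_failover(SAMPLE)):
        print(item)
```

Run it on the output captured from each ASA at the same moment and compare the two lists; a line that appears on only one unit shows which side of the pair to look at first.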
Shark Attack

ASKER
updated gns3