https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191746#M359855 <HTML><HEAD></HEAD><BODY><P>I don't understand you you're trying to use HSRP between your router and switces. If you have l3 reachability (i.e. routing enabled between your asa/switches/router) just let eighp take care of redundancy. just don't see why you should use HSRP here, or maybe i'm missing something)). Maybe someone else can comment on this.</P></BODY></HTML> Fri, 22 Mar 2013 07:07:12 GMT Andrew Phirsov 2013-03-22T07:07:12Z https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191741#M359850 <P>hello everyone,</P><P></P><P>I've got a ASA 5550 firewall interface failover issue.</P><P>Please take a look at the attached file.</P><P></P><P>when I shut down the inside interface Gi 1/1 of the left firewall(Active firewall),</P><P>It failed to failover.</P><P>but when I shut down the Gi 1/12 of the Core 1 switch,</P><P>The firewall failover very well.</P><P></P><P>I followed this guide but I was not able to failover.</P><P><A _jive_internal="true" href="https://community.cisco.com/thread/228489" rel="nofollow" target="_blank">https://supportforums.cisco.com/thread/228489</A></P><P></P><P>how can I configure so that when the Gi 1/1 or Gi 1/0 interface goes down,</P><P>it can failover ?</P><P></P><P>I appreciate any help,</P><P>Thanks,</P><P></P><P></P><P><SPAN style="color: #ff0000;">ASA config:</SPAN></P><P>.....</P><P>interface GigabitEthernet0/3</P><P>description STATE Failover Interface</P><P>!</P><P>interface Management0/0</P><P>description LAN Failover Interface</P><P>management-only</P><P>!</P><P>interface GigabitEthernet1/0</P><P>media-type sfp</P><P>nameif outside</P><P>security-level 0</P><P>ip address 192.168.2.1 255.255.255.0</P><P>!</P><P>interface GigabitEthernet1/1</P><P>media-type sfp</P><P>nameif inside</P><P>security-level 100</P><P>ip address 192.168.4.1 255.255.255.0</P><P>!</P><P>interface GigabitEthernet1/2</P><P>media-type sfp</P><P>nameif inside-backup</P><P>security-level 100</P><P>ip address 192.168.5.1 255.255.255.0</P><P>!</P><P>interface GigabitEthernet1/3</P><P>media-type sfp</P><P>nameif outside-backup</P><P>security-level 0</P><P>ip address 192.168.3.1 255.255.255.0</P><P>!</P><P>ftp mode passive</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group icmp-type AllowedICMP</P><P>icmp-object echo</P><P>icmp-object echo-reply</P><P>icmp-object traceroute</P><P>icmp-object unreachable</P><P>icmp-object time-exceeded</P><P>access-list EXEMPT extended permit ip 192.168.4.0 255.255.255.0 any</P><P>access-list EXEMPT extended permit ip 10.1.0.0 255.255.0.0 any</P><P>access-list EXEMPT extended permit ip 192.168.5.0 255.255.255.0 any</P><P>access-list no-nat extended permit ip 10.1.0.0 255.255.0.0 host 0.0.0.0</P><P>access-list outside_access_in extended permit icmp any any object-group AllowedICMP</P><P>access-list outside_access_in extended permit ip host 192.168.2.253 any</P><P>access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 any</P><P>…</P><P>failover</P><P>failover lan unit secondary</P><P>failover lan interface fobasic Management0/0</P><P>failover key *****</P><P>failover link fostate GigabitEthernet0/3</P><P>failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2</P><P>failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any echo-reply outside</P><P>icmp permit any unreachable outside</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>global (outside-backup) 1 interface</P><P>nat (inside) 0 access-list no-nat</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>access-group outside_access_in in interface outside</P><P>access-group outside_access_in out interface outside</P><P>access-group EXEMPT in interface inside</P><P>access-group EXEMPT out interface inside</P><P>!</P><P>router eigrp 10</P><P>no auto-summary</P><P>network 192.168.2.0 255.255.255.0</P><P>network 192.168.3.0 255.255.255.0</P><P>network 192.168.4.0 255.255.255.0</P><P>network 192.168.5.0 255.255.255.0</P><P>redistribute static</P><P>!</P><P>route outside 0.0.0.0 0.0.0.0 192.168.2.254 1</P><P>……</P><P>http 10.1.0.0 255.255.0.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>!</P><P>track 1 rtr 123 reachability</P><P>……..</P><P>management-access inside</P><P>dhcpd dns x.x.x.x</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>webvpn</P><P>!</P><P>class-map inspection_default</P><P>match default-inspection-traffic</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P>parameters</P><P>message-length maximum client auto</P><P>message-length maximum 512</P><P>policy-map global_policy</P><P>class inspection_default</P><P>inspect dns preset_dns_map</P><P>inspect ftp</P><P>inspect h323 h225</P><P>inspect h323 ras</P><P>inspect rsh</P><P>inspect rtsp</P><P>inspect esmtp</P><P>inspect sqlnet</P><P>inspect skinny</P><P>inspect sunrpc</P><P>inspect xdmcp</P><P>inspect sip</P><P>inspect netbios</P><P>inspect tftp</P><P>inspect ip-options</P><P>inspect icmp</P><P>inspect icmp error</P><P>!</P><P>service-policy global_policy global</P><P>…..</P> Tue, 12 Mar 2019 01:16:28 GMT https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191741#M359850 wasahongNYC 2019-03-12T01:16:28Z https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191742#M359851 <HTML><HEAD></HEAD><BODY><P>It's normal behavior))). When you do shutdown of gi1/1 on active ASA, you automatically shutdownn the same interface on the standby appliance. So the normal command syncronization is happenning and no failover occurs.</P><P>But when you shutdown interface of a switch, interface of active ASA gets marked as <EM>failed, </EM>and failover happens. </P></BODY></HTML> Tue, 19 Mar 2013 16:47:33 GMT https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191742#M359851 Andrew Phirsov 2013-03-19T16:47:33Z https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191743#M359852 <HTML><HEAD></HEAD><BODY><P>Hi Andrew,</P><P></P><P>Thank you so much for your instant reply.</P><P>It do help me a lot.</P><P></P><P>Actually, my goal is to test the firewall failover situation.</P><P>since I hope the left ASA( either device itself or any interface ) goes down,</P><P>then the right ASA can take over very well.</P><P></P><P>in this case, on top of 1) unplug the cable between Core 1 switch and the left ASA</P><P>2) unplug the left ASA power</P><P></P><P>is there any way that I can test Gi 1/1 of left ASA failover ?</P><P></P><P>Thanks again,</P></BODY></HTML> Tue, 19 Mar 2013 17:20:23 GMT https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191743#M359852 wasahongNYC 2013-03-19T17:20:23Z https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191744#M359853 <HTML><HEAD></HEAD><BODY><P>If you unplug the cable between core 1 and left ASA&nbsp; the failover will occur, as long as monitoring of gi1/1 enabled on ASA (wich it is by default).&nbsp; And unplugging that caple - you're testing gi1/1, as u asked on the last sentence. If you unplug left ASA power, failover also will happen.</P></BODY></HTML> Wed, 20 Mar 2013 07:53:44 GMT https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191744#M359853 Andrew Phirsov 2013-03-20T07:53:44Z https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191745#M359854 <HTML><HEAD></HEAD><BODY><P>hi Andrew,</P><P></P><P>Thank you again for your reply.</P><P>May I have one more question ?</P><P></P><P>I am configuring the failover for the two interfaces between router and left switch.</P><P>what I want is when the left switch's outside interface( connecting to router ) shut down,</P><P>then the inbound traffice should go this way, router -&gt; right switch -&gt; left ASA</P><P>outbound as well</P><P>and after I shut down the switch's interface (connecting to router),</P><P>connectivity situation,</P><P>host can ping router's backup interface(192.168.3.253) and 192.168.3.253 can ping 4.2.2.2,</P><P>while host can NOT ping 4.2.2.2</P><P>also, 192.168.3.253 can ping left firewall's 1/3 interface (192.168.3.1)</P><P></P><P>I think there is something wrong with my firewall configuration or router static route configuration.</P><P>so please help me when you are available.</P><P>This is my first time to configure IP SLA for backup static route. </P><P>correct me if I am wrong</P><P></P><P>Thanks in advance.</P><P></P><P></P><P>Router config :</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">…………..</P><P></P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">interface GigabitEthernet0/0</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">description ISP circuit order 1-111111111111</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip address X.X.X.X 255.255.255.248</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip accounting output-packets </P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip nat outside</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip nat enable</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">no ip virtual-reassembly</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">duplex full</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">speed 1000</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">media-type sfp</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">no negotiation auto</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">interface GigabitEthernet0/1</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">description uplink to main-1 interface g 1/0/12</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip address 192.168.2.253 255.255.255.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip accounting output-packets</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip nat inside</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip nat enable</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">no ip virtual-reassembly</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">duplex full</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">speed 1000</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">media-type sfp</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">no negotiation auto</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">standby 2 ip 192.168.2.254</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">standby 2 priority 110</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">standby 2 preempt</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">interface GigabitEthernet0/2</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip address 192.168.3.253 255.255.255.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">no ip redirects</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">duplex full</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">speed 1000</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">negotiation auto</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">standby 3 ip 192.168.3.254</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">standby 3 priority 110</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">standby 3 preempt</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">router eigrp 10</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">redistribute static</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">passive-interface GigabitEthernet0/0</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">network 192.168.2.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">network 192.168.3.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">no auto-summary</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">!</P><P></P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip forward-protocol nd</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip route 0.0.0.0 0.0.0.0 X.X.X.X</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip route 10.1.0.0 255.255.0.0 192.168.2.1</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip route 10.1.20.0 255.255.255.0 192.168.2.13</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">no ip http server</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip dns server view-group aaaaaaa</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip dns server</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip nat pool mypool X.X.X.X X.X.X.X netmask 255.255.255.252</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ip nat inside source list 1 pool mypool overload</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">logging alarm informational</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">access-list 1 permit 192.168.2.0 0.0.0.255</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">access-list 1 permit 192.168.3.0 0.0.0.255</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">access-list 1 permit 10.1.33.0 0.0.0.255</P><P></P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">control-plane</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">gatekeeper</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">shutdown</P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">!</P><P></P><P style="margin: 0in; font-family: Calibri; font-size: 11pt;">ASA config :</P><P></P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">.....</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">interface GigabitEthernet0/3</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">description STATE Failover Interface</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">interface Management0/0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">description LAN Failover Interface</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">management-only</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">interface GigabitEthernet1/0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">media-type sfp</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">nameif outside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">security-level 0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">ip address 192.168.2.1 255.255.255.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">interface GigabitEthernet1/1</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">media-type sfp</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">nameif inside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">security-level 100</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">ip address 192.168.4.1 255.255.255.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">interface GigabitEthernet1/2</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">media-type sfp</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">nameif inside-backup</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">security-level 100</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">ip address 192.168.5.1 255.255.255.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">interface GigabitEthernet1/3</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">media-type sfp</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">nameif outside-backup</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">security-level 0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">ip address 192.168.3.1 255.255.255.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">ftp mode passive</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">same-security-traffic permit inter-interface</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">same-security-traffic permit intra-interface</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">object-group icmp-type AllowedICMP</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">icmp-object echo</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">icmp-object echo-reply</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">icmp-object traceroute</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">icmp-object unreachable</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">icmp-object time-exceeded</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-list EXEMPT extended permit ip 192.168.4.0 255.255.255.0 any</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-list EXEMPT extended permit ip 10.1.0.0 255.255.0.0 any</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-list EXEMPT extended permit ip 192.168.5.0 255.255.255.0 any</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-list no-nat extended permit ip 10.1.0.0 255.255.0.0 host 0.0.0.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-list outside_access_in extended permit icmp any any object-group AllowedICMP</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-list outside_access_in extended permit ip host 192.168.2.253 any</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 any</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-list outside_access_in extended permit ip host 192.168.3.253 any</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-list outside_access_in extended permit ip 192.168.3.0 255.255.255.0 any</P><P></P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">…</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">failover</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">failover lan unit secondary</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">failover lan interface fobasic Management0/0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">failover key *****</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">failover link fostate GigabitEthernet0/3</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">icmp unreachable rate-limit 1 burst-size 1</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">icmp permit any echo-reply outside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">icmp permit any unreachable outside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">icmp permit any echo-reply outside-backup</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">icmp permit any unreachable outside-backup</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">no asdm history enable</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">arp timeout 14400</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">global (outside) 1 interface</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">global (outside-backup) 1 interface</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">nat (inside) 0 access-list no-nat</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">nat (inside) 1 0.0.0.0 0.0.0.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-group outside_access_in in interface outside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-group outside_access_in out interface outside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-group outside_access_in in interface outside-backup</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-group outside_access_in out interface outside-backup</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-group EXEMPT in interface inside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">access-group EXEMPT out interface inside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">router eigrp 10</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">no auto-summary</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">network 192.168.2.0 255.255.255.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">network 192.168.3.0 255.255.255.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">network 192.168.4.0 255.255.255.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">network 192.168.5.0 255.255.255.0</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">redistribute static</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">route outside 0.0.0.0 0.0.0.0 192.168.2.253 1 track 20</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">route outside 0.0.0.0 0.0.0.0 192.168.3.253 22</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">……</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">http 10.1.0.0 255.255.0.0 inside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">no snmp-server location</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">no snmp-server contact</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">crypto ipsec security-association lifetime seconds 28800</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">crypto ipsec security-association lifetime kilobytes 4608000</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">track 1 rtr 123 reachability</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">……..</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">sla monitor 2</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">type echo protocol ipIcmpEcho 192.168.2.253 interface outside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">sla monitor schedule 2 life forever start-time now</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">track 20 rtr 2 reachability</P><P></P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">management-access inside</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">dhcpd dns x.x.x.x</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">threat-detection basic-threat</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">threat-detection statistics access-list</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">no threat-detection statistics tcp-intercept</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">webvpn</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">class-map inspection_default</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">match default-inspection-traffic</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">!</P><P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">…..</P></BODY></HTML> Fri, 22 Mar 2013 00:55:27 GMT https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191745#M359854 wasahongNYC 2013-03-22T00:55:27Z https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191746#M359855 <HTML><HEAD></HEAD><BODY><P>I don't understand you you're trying to use HSRP between your router and switces. If you have l3 reachability (i.e. routing enabled between your asa/switches/router) just let eighp take care of redundancy. just don't see why you should use HSRP here, or maybe i'm missing something)). Maybe someone else can comment on this.</P></BODY></HTML> Fri, 22 Mar 2013 07:07:12 GMT https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191746#M359855 Andrew Phirsov 2013-03-22T07:07:12Z https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191747#M359856 <HTML><HEAD></HEAD><BODY><P>okay, I see.</P><P>I think at this moment I do NOT need the HSRP configuration.</P><P>do you have any idea about the ASA routing configuration ?</P><P>since now the backup interface of router is not able to ping inside host.</P><P></P><P>Thanks for your time,</P></BODY></HTML> Fri, 22 Mar 2013 12:44:16 GMT https://community.cisco.com/t5/network-security/interface-failover-issue/m-p/2191747#M359856 wasahongNYC 2013-03-22T12:44:16Z