https://community.cisco.com/t5/network-security/asa-5520-stateful-feature-failed-on-lan-based-active-standby/m-p/1489059#M733575 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Try with "failover lan enable" on primary and secondary.</P><P>Best regards.</P><P>Massimiliano.</P></BODY></HTML> Tue, 18 May 2010 07:52:39 GMT massimiliano.serafino 2010-05-18T07:52:39Z https://community.cisco.com/t5/network-security/asa-5520-stateful-feature-failed-on-lan-based-active-standby/m-p/1489058#M733561 <P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Tableau Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;} </style> <![endif]--></P><P class="MsoNormal">Dear all,</P><P class="MsoNormal"></P><P class="MsoNormal">I encoured stateful issue in a ASA 5520 architecture displayed on the drawing attached.</P><P class="MsoNormal"></P><P class="MsoNormal">This is a LAN based active/standby failover link between a pair of <STRONG>ASA5520 (version 8(0)4)</STRONG>. Stateful and failover use the same ethernet link (dedeicated VLAN).</P><P class="MsoNormal"></P><P class="MsoNormal">To test this architecture, I have lanch a FTP tansfert between trust and untruct zone. During the trnasfer I shutdown the Unit Primary.</P><P class="MsoNormal" style="margin-left: 36pt; text-indent: -18pt;"><!--[if !supportLists]--><SPAN style="font-family: Wingdings;"><SPAN>è<SPAN style="font-family: &amp;quot;Times New Roman&amp;quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none;">&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><!--[endif]-->The failover seems to work properly</P><P class="MsoNormal" style="margin-left: 18pt;"><!--[if !supportLists]--><SPAN style="font-family: Wingdings;"><SPAN>è<SPAN style="font-family: &amp;quot;Times New Roman&amp;quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none;">&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><!--[endif]-->The stateful doesn’t work properly becaise my FTP transfert is closed (see attachment)</P><P class="MsoNormal"></P><P class="MsoNormal">Find below my configuration :</P><P class="MsoNormal"></P><P class="MsoNormal">interface GigabitEthernet0/0</P><P class="MsoNormal"><SPAN> </SPAN>description LAN Interface</P><P class="MsoNormal"><SPAN> </SPAN>speed 1000</P><P class="MsoNormal"><SPAN> </SPAN>duplex full</P><P class="MsoNormal"><SPAN> </SPAN>nameif outside</P><P class="MsoNormal"><SPAN> </SPAN>security-level 0</P><P class="MsoNormal"><SPAN> </SPAN>ip address 10.192.154.126 255.255.255.248 standby 10.192.154.125</P><P class="MsoNormal">!</P><P class="MsoNormal">interface GigabitEthernet0/1</P><P class="MsoNormal"><SPAN> </SPAN>description ToIP Server Interface</P><P class="MsoNormal"><SPAN> </SPAN>speed 1000</P><P class="MsoNormal"><SPAN> </SPAN>duplex full</P><P class="MsoNormal"><SPAN> </SPAN>nameif inside</P><P class="MsoNormal"><SPAN> </SPAN>security-level 100</P><P class="MsoNormal"><SPAN> </SPAN>ip address 10.192.154.30 255.255.255.224 standby 10.192.154.29</P><P class="MsoNormal">!</P><P class="MsoNormal">interface GigabitEthernet0/2</P><P class="MsoNormal"><SPAN> </SPAN>shutdown</P><P class="MsoNormal"><SPAN> </SPAN>no nameif</P><P class="MsoNormal"><SPAN> </SPAN>no security-level</P><P class="MsoNormal"><SPAN> </SPAN>no ip address</P><P class="MsoNormal">!</P><P class="MsoNormal">interface GigabitEthernet0/3</P><P class="MsoNormal"><SPAN> </SPAN>description LAN/STATE Failover Interface</P><P class="MsoNormal">!</P><P class="MsoNormal">interface Management0/0</P><P class="MsoNormal"><SPAN> </SPAN>shutdown</P><P class="MsoNormal"><SPAN> </SPAN>no nameif</P><P class="MsoNormal"><SPAN> </SPAN>no security-level</P><P class="MsoNormal"><SPAN> </SPAN>no ip address</P><P class="MsoNormal">!</P><P class="MsoNormal"></P><P class="MsoNormal"><STRONG>Unit Primary :</STRONG></P><P class="MsoNormal"></P><P class="MsoNormal">failover</P><P class="MsoNormal">failover lan unit primary</P><P class="MsoNormal">failover lan interface ASA_Failover GigabitEthernet0/3</P><P class="MsoNormal">failover key *****</P><P class="MsoNormal">failover link ASA_Failover GigabitEthernet0/3</P><P class="MsoNormal">failover interface ip ASA_Failover 10.192.154.110 255.255.255.252 standby 10.192.154.109</P><P class="MsoNormal"></P><P class="MsoNormal"> <STRONG>Unit Secondary</STRONG></P><P class="MsoNormal"></P><P class="MsoNormal">failover</P><P class="MsoNormal">failover lan unit secondary</P><P class="MsoNormal">failover lan interface ASA_Failover GigabitEthernet0/3</P><P class="MsoNormal">failover key *****</P><P class="MsoNormal">failover link ASA_Failover GigabitEthernet0/3</P><P class="MsoNormal">failover interface ip ASA_Failover 10.192.154.110 255.255.255.252 standby 10.192.154.109</P><P class="MsoNormal"></P><P class="MsoNormal">Find also in attachment the result displayed by « sh failover »</P><P class="MsoNormal"></P><P class="MsoNormal">Anyone have an ideao of what is wrong in my configuration. My goal is to have no impact oin the current TCP/UDP session when the primary unit failed.</P><P class="MsoNormal"></P><P class="MsoNormal">Thanks for your help</P><P class="MsoNormal"></P><P class="MsoNormal">Regards,</P><P class="MsoNormal"></P><P class="MsoNormal">Hervé</P><P></P> Mon, 11 Mar 2019 17:46:58 GMT https://community.cisco.com/t5/network-security/asa-5520-stateful-feature-failed-on-lan-based-active-standby/m-p/1489058#M733561 h-etchepare 2019-03-11T17:46:58Z https://community.cisco.com/t5/network-security/asa-5520-stateful-feature-failed-on-lan-based-active-standby/m-p/1489059#M733575 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Try with "failover lan enable" on primary and secondary.</P><P>Best regards.</P><P>Massimiliano.</P></BODY></HTML> Tue, 18 May 2010 07:52:39 GMT https://community.cisco.com/t5/network-security/asa-5520-stateful-feature-failed-on-lan-based-active-standby/m-p/1489059#M733575 massimiliano.serafino 2010-05-18T07:52:39Z https://community.cisco.com/t5/network-security/asa-5520-stateful-feature-failed-on-lan-based-active-standby/m-p/1489060#M733591 <HTML><HEAD></HEAD><BODY><P>In addition You've to define an interface</P><P>"state"...</P><P><SPAN>Look at </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef</A></P><P></P><P>I hope this helps.</P><P>Best regards.</P><P>Massimiliano.</P></BODY></HTML> Tue, 18 May 2010 09:17:11 GMT https://community.cisco.com/t5/network-security/asa-5520-stateful-feature-failed-on-lan-based-active-standby/m-p/1489060#M733591 massimiliano.serafino 2010-05-18T09:17:11Z https://community.cisco.com/t5/network-security/asa-5520-stateful-feature-failed-on-lan-based-active-standby/m-p/1489061#M733603 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for your help.</P><P>The issue is solved.</P><P>It was only a problem with DOS ftp client.</P><P>With filezilla the stateful works properly.</P><P></P><P>Regards</P></BODY></HTML> Wed, 19 May 2010 07:29:51 GMT https://community.cisco.com/t5/network-security/asa-5520-stateful-feature-failed-on-lan-based-active-standby/m-p/1489061#M733603 h-etchepare 2010-05-19T07:29:51Z