03-05-2012 03:09 AM - edited 03-10-2019 06:52 PM
Guys,
Bit of a strange problem here that just started last week - basically I tried to log on to our ASA and I was denied access, thought that's strange but tried a few times and got some other people to do the same - on doing so they also failed. I tried to log in through our local admin account and that worked straight away - I cannot however SSH to console with either the radius info or the local information. The weird thing is I can gain access to our secondary ASA with no issue using radius authentication, this is being run in an active/standby failover configuration.
I have checked the configs under the ASA part of ASDM on both primary and standby but neither deviate at all.
Can anyone shed some light on this or has it happened to anyone before?
Many thanks for your time and looking at this.
Thomas.
03-05-2012 03:13 AM
I'm clutching at straws but could this have anything to do with it? I doubt it
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 110 maximum
failover replication http
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 17:33:51 GMT/BST Jan 11 2012
This host: Primary - Active
Active time: 4376017 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (xxx.xxx.xxx.xxx): Normal (Waiting)
Interface management (7.7.7.7): No Link (Not-Monitored)
Interface Hosting_DMZ_Internal (xxx.xxx.xxx.xxx): Normal
Interface Hosting_DMZ_External (xxx.xxx.xxx.xxx): Normal
Interface Services_DMZ (172.25.4.1): Normal (Not-Monitored)
Interface Virtual_Services_DMZ (xxx.xxx.xxx.xxx): Normal (Not-Monitored)
Interface Auth_DMZ (xxx.xxx.xxx.xxx): Normal
Interface inside (xxx.xxx.xxx.xxx): Normal
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (xxx.xxx.xxx.xxx): Failed (Waiting)
Interface management (0.0.0.0): Normal (Not-Monitored)
Interface Hosting_DMZ_Internal (xxx.xxx.xxx.xxx): Normal
Interface Hosting_DMZ_External (xxx.xxx.xxx.xxx): Normal
Interface Services_DMZ (xxx.xxx.xxx.xxx): Normal (Not-Monitored)
Interface Virtual_Services_DMZ (172.25.10.2): Normal (Not-Monitored)
Interface Auth_DMZ (xxx.xxx.xxx.xxx): Normal
Interface inside (xxx.xxx.xxx.xxx): Normal
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
03-05-2012 11:36 AM
It says "Other host: Secondary - Failed". It should say "Standby" instead of "Failed". It also says "Interface outside: Failed". You should look at that.
It would be good to know the IP addressing and what IPs you are ssh'ing into.
03-05-2012 11:47 AM
Thomas
I agree with Eduardo that it is significant that the output shows the other failover participant is failed. When I put this together with your statement that you can log in to the backup without any problem then I believe that this is your problem:
- there has been some problem that causes the ASAs to not communicate with each other.
- each ASA believes that its mate has failed and that it should be the active ASA.
- so both ASAs are trying to be active, and both ASAs are attempting to use the same IP address (and probably the same MAC address). The duplication of IP address (and possibly duplication of MAC address) means that only one of the ASAs is reachable.
HTH
Rick
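The check discussed in the replies above can be scripted. This is an added example, not part of any post in the thread: it parses `show failover` text, lists a failed peer and any monitored interface that is not plain "Normal", and tests for the dual-active condition Rick describes. The function names are hypothetical, the primary sample is trimmed from the output quoted above, and the secondary sample is constructed.

```python
import re

# Constructed sample: trimmed from the `show failover` output quoted in this thread.
PRIMARY_VIEW = """\
This host: Primary - Active
Interface outside (xxx.xxx.xxx.xxx): Normal (Waiting)
Interface management (7.7.7.7): No Link (Not-Monitored)
Interface inside (xxx.xxx.xxx.xxx): Normal
Other host: Secondary - Failed
Interface outside (xxx.xxx.xxx.xxx): Failed (Waiting)
Interface management (0.0.0.0): Normal (Not-Monitored)
Interface inside (xxx.xxx.xxx.xxx): Normal
"""
# Constructed (not from the thread): what the mate would print in the scenario Rick describes.
SECONDARY_VIEW = "This host: Secondary - Active\nOther host: Primary - Failed\n"

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([^)]*\):\s*(.+?)\s*$")

def parse_failover(text):
    """Return {'this': {...}, 'other': {...}} with role, state and interface statuses."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            units[m.group(1).lower()] = current
        elif current is not None and (m := IFACE_RE.match(line)):
            current["interfaces"][m.group(1)] = m.group(2)
    return units

def findings(units):
    """List a failed peer and monitored interfaces that are not plain 'Normal'."""
    out = []
    peer = units.get("other")
    if peer and "Failed" in peer["state"]:
        out.append(f"peer {peer['role']} reported as {peer['state']}")
    for side, unit in units.items():
        for name, status in unit["interfaces"].items():
            if "Not-Monitored" not in status and status != "Normal":
                out.append(f"{side} host, interface {name}: {status}")
    return out

def both_active(view_a, view_b):
    """True when each unit's own output says 'This host: ... Active' (dual-active)."""
    return all(v.get("this", {}).get("state", "").startswith("Active") for v in (view_a, view_b))

if __name__ == "__main__":
    primary = parse_failover(PRIMARY_VIEW)
    print("\n".join(findings(primary)))
    print("dual-active:", both_active(primary, parse_failover(SECONDARY_VIEW)))
```

Confirming dual-active needs the output collected on each unit separately, since each unit only reports its own view of the mate.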