Thanks for your support.I

Mohamed Kabeer S · ‎06-30-2014

Hi team,

I have active and passive asa 5540 devices.It preconfigured active passive through ASDM.I have some issue with configuration for port forwarding so I just restore the previous configuration file.Now I check with the device through console it will show both the devices are active active.how to configure secondary devices as passive and how to upload the configuration file to passive.So anyone kindly response my tight situation.

Marius Gunnerud · ‎06-30-2014

The following is an example of how the failover configuration would look like.

failover lan unit primary

failover lan interface folink gigabitethernet0/3

failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

failover link statelink gigabitethernet0/4
failover interface ip statelink 172.27.49.1 255.255.255.0 standby 172.27.49.2failover ipsec pre-shared-key a3rynsun

failover

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Mohamed Kabeer S · ‎06-30-2014

Thanks for your kind reply.In my scenario,Both the devices are already configured.I restore the configuration file in active unit.After that I will check passive but I cannot able to login secondary IP ,its also taking same IP (Primary IP).Both the devices are using the same IP 192.168.1.10.Previously they configured 192.168.1.10 for active and 192.168.1.11 for passive.If I ping passive IP,I can't able to ping.Its also taking the same IP.I have connected with console and I check,getting the same reply.Kindly provide me the solution for this.

Note:Can you please advise,in standby unit what I can do?

If I restore the same config file to Standby it will work or not?

Mohamed Kabeer S · ‎07-05-2014

Thanks for your support.I have configured by using this cmd failover lan unit secondary.Its working fine.

I am new to security level kindly suggest any book to update my security knowledge.

nkarthikeyan · ‎06-30-2014

Hi Kabeer,

On the primary/active ASA you should have the below mentioned configs. If you want state ful as well as LAN failover.

interface GigabitEthernet0/2
description STATE Failover Interface
!
interface GigabitEthernet0/3
description LAN Failover Interface
!

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link stateful GigabitEthernet0/2

failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2

!

All the other configurations you need to have it configured in active device alone. then if you just configure the below mentioned configurations alone in passive/secondary device and connect the cables.... all the configurations from active will get sync with secondary......

interface GigabitEthernet0/2
description STATE Failover Interface
!
interface GigabitEthernet0/3
description LAN Failover Interface
!

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link stateful GigabitEthernet0/2

failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2

!

Regards

Karthik

Mohamed Kabeer S · ‎06-30-2014

Thanks for your kind reply.In my scenario,Both the devices are already configured.I restore the configuration file in active unit.After that I will check passive but I cannot able to login secondary IP ,its also taking same IP (Primary IP).Both the devices are using the same IP 192.168.1.10.Previously they configured 192.168.1.10 for active and 192.168.1.11 for passive.If I ping passive IP,I can't able to ping.Its also taking the same IP.I have connected with console and I check,getting the same reply.Kindly provide me the solution for this.

Note:Can you please advise,in standby unit what I can do?

If I restore the same config file to Standby it will work or not?

Marius Gunnerud · ‎06-30-2014

Can you please advise,in standby unit what I can do?

You mention that you are not able to log in to the secondary/standby unit? Are you able to console in? If you check the LED status on both the firewalls is the Active Failover LED green?

This almost sounds like there is a communication problem between the ASAs.

If the secondary is also active I suggest logging in via console to the secondary and erase the configuration on the unit. Add a static IP to the failover interface and then try to ping the active unit to check communication between the two. Once communication between the firewalls over the failover link is established add the failover configuration to the standby unit and wait for them to synchronize the configuration from the active unit.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

nkarthikeyan · ‎07-01-2014

Hi Kabeer,

Always you can force the failover to make active unit as standby and standby unit as active.... but to get the root cause for this issue. for that we need the below mentioned info,.

could you please post the show failover status from both the firewalls?

Also if possible post the configuration of both the firewalls?

Regards

Karthik

Mohamed Kabeer S · ‎07-05-2014

Thanks for your support.I have configured by using this cmd failover lan unit secondary.Its working fine.

I am new to security level kindly suggest any book to update my security knowledge.

Marius Gunnerud · ‎07-06-2014

Read through ASA All in one 3rd edition. This book will have most if not all you need to know about that ASA.

--
Please remember to select a correct answer and rate helpful posts

Marius Gunnerud · ‎07-08-2014

Also there are a lot of free Cisco documentations you can read through when you get the time.

http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/tsd-products-support-configure.html

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Active passive configuration needed