So I've got a customer on an ASA5510; everything is working great (VPN site to site, AnyConnect Essentials).
They want to have another 5510 in standby mode so if the primary fails it takes over.
I look over the documents and at the HA/Failover setup in ASDM and it looks like a piece of cake.
On the standby I connect Port 0 to the WAN VLAN, identical to the Active.
Port 1 to the LAN VLAN, then port 2 and port 3 directly to the port 2 and port 3 on the Active.
I have both ASDM pages open and first configure the standby failover with preference as the secondary.
Then go to the active ASDM and enter that info with preference as the primary.
As soon as I hit apply I lose connectivity with the primary; I lose connectivity on the Active box through the management interface.
The worst scenario that could have happened. My active ASA has synced up with the backup ASA and now has the default ASA configs loaded.
I have someone power off the standby ASA that has now become active.
I then copy and paste the last running config that luckily I have saved through the console port and customer seems to be back up.
My question is what did I do wrong?
The only thing I can figure out is there is a box on the failover where you enter the number of interfaces that must fail before it takes control and that was set to 1. I had the WAN and LAN interfaces disabled when I applied so maybe it saw that and defaulted.
Should I copy the current running config on the active to the standby box before I try to enable Active / Standby and then just change the WAN and LAN interface IPs?
The problem is most likely that you were monitoring the interfaces that were disabled.
You could configure the Active ASA first. Then, once it is configured, issue the show failover command and see if the interfaces are monitored. Then remove monitoring from the interfaces that are disabled:
Then when you add the standby ASA to the failover pair, it should remain in standby. When the WAN and LAN links become active, then you can add the monitor-interface command again.
-- Please remember to select a correct answer and rate helpful posts
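The sequence described in the answer above, written out as ASA CLI. This is an added example, not commands posted by anyone in the thread; the interface names (`outside`, `inside`, `FOLINK`, `STATE`), the Ethernet0/2 and Ethernet0/3 assignments and the 10.255.x.x link addresses are assumptions to adapt.

```cisco
! Assumed (not from the thread): nameifs outside/inside, failover links
! FOLINK on Ethernet0/2 and STATE on Ethernet0/3, 10.255.x.x addressing.

! --- Step 1: on the unit carrying production traffic (primary) ---
interface Ethernet0/2
 no shutdown
interface Ethernet0/3
 no shutdown
failover lan unit primary
failover lan interface FOLINK Ethernet0/2
failover link STATE Ethernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATE 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Do not health-monitor data interfaces whose peer ports are still disabled
no monitor-interface outside
no monitor-interface inside
failover
! Check before the secondary is connected: expect "This host: Primary - Active"
! and outside/inside no longer flagged "(Monitored)"
show failover
write memory

! --- Step 2: on the secondary, enter only the failover bootstrap ---
! Configuration replicates from the active unit to the standby unit,
! so the secondary needs nothing beyond these lines.
interface Ethernet0/2
 no shutdown
interface Ethernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOLINK Ethernet0/2
failover link STATE Ethernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATE 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover
! Expect "This host: Secondary - Standby Ready" once replication finishes
show failover

! --- Step 3: on the primary, after the standby's WAN and LAN links are up ---
monitor-interface outside
monitor-interface inside
show monitor-interface
```

Keep a console session and a saved copy of the running configuration available on the primary throughout, as the original poster had, so the configuration can be restored if the roles come up reversed.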