12-03-2013 12:44 AM - edited 03-11-2019 08:11 PM
Hello
I have 2 ASA5510-SEC-BUN-K9.
I configured them in H/A Active/Standby; everything works fine and replication is successful.
The problem is that the users defined on the Active unit work fine, but if I convert the 2nd unit to be active, it works but I cannot use the same users that work fine on the Active (Primary).
So the Secondary unit is functionally fine, but it gives an invalid login (Login Error) on ASDM.
They should be the same and replicated over the replication function.
Any help?
I am using ASA 9.1(3)
ASDM 7.1(4)
12-03-2013 04:51 AM
Sorry, I forgot to include:
aaa authentication ssh console LOCAL
add that and it should work
--
Please remember to rate and select a correct answer
12-03-2013 05:17 AM
Do you see anything in the logs?
Try flapping the interfaces (shut, no shut): shut down the interfaces in question, wait a few seconds, and then bring them back up. Do the interfaces show as monitored now?
Remove the IP configuration from the interfaces in question and then add them back. Do the interfaces show as monitored now?
If none of these work, issue the command show failover history and post the output here.
--
Please remember to rate and select a correct answer
12-03-2013 05:36 AM
Sorry I am not sure what we are talking about now. We were talking about the ASA firewall interface monitor status?
If there is an issue with the connectivity between MS servers and the AD, please post a new question as this post is quite long now. It is also good to start a new question for this, not so much that it is a new topic but the answer might help someone else in the future and it will be easier for them to find.
--
Please remember to rate and select a correct answer
12-03-2013 12:55 AM
Are you 100% sure that the configuration has been replicated to the Standby ASA?
Could you take a screen shot of the error you are receiving and post it here.
Could you post a full sanitized configuration also.
--
Please remember to rate and select a correct answer
12-03-2013 01:03 AM
Failover On
Failover unit Primary
Failover LAN Interface: Fail Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 110 maximum
failover replication http
Version: Ours 9.1(3), Mate 9.1(3)
Last Failover at: 20:56:38 AST Dec 2 2013
This host: Primary - Active
Active time: 54348 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
Interface MNG (100.100.100.1): Normal (Not-Monitored)
Interface EPRIS (0.0.0.0): Unknown (Waiting)
Interface SYS-INFO (172.16.1.1): Normal (Not-Monitored)
Interface PI-DMZ (172.16.2.1): Normal (Not-Monitored)
Interface AF-DMZ (172.16.3.1): Normal (Not-Monitored)
Interface PI-INT (172.16.4.1): Normal (Not-Monitored)
Interface SEC (10.78.0.46): Normal (Not-Monitored)
Interface GEPDH (192.168.201.137): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
Interface MNG (100.100.100.2): Normal (Not-Monitored)
Interface EPRIS (0.0.0.0): Unknown (Waiting)
Interface SYS-INFO (172.16.1.2): Normal (Not-Monitored)
Interface PI-DMZ (172.16.2.2): Normal (Not-Monitored)
Interface AF-DMZ (172.16.3.2): Normal (Not-Monitored)
Interface PI-INT (172.16.4.2): Normal (Not-Monitored)
Interface SEC (10.78.0.47): Normal (Not-Monitored)
Interface GEPDH (192.168.201.136): Normal (Not-Monitored)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : State Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 18554 0 735 0
sys cmd 735 0 735 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 7848 0 0 0
UDP conn 2101 0 0 0
ARP tbl 7869 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 1 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 6252
Xmit Q: 0 29 21621
: Saved
:
ASA Version 9.1(3)
!
hostname C-PP9-EPRISFW
enable password EoUpTSBftt4Y1RlD encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd EoUpTSBftt4Y1RlD encrypted
names
!
interface Ethernet0/0
 speed 1000
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 speed 1000
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description LAN Failover Interface
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 description Local Management Interfaces
 management-only
 nameif MNG
 security-level 100
 ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
!
interface Redundant1
 description EPRIS Redundant Interfaces
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif EPRIS
 security-level 0
 no ip address
!
interface Redundant1.1
 description Interface for UPS,Switches
 vlan 901
 nameif SYS-INFO
 security-level 40
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface Redundant1.2
 description PI System Archiving Servers
 vlan 902
 nameif PI-DMZ
 security-level 50
 ip address 172.16.2.1 255.255.255.0 standby 172.16.2.2
!
interface Redundant1.3
 description PI System Asset Freamwork
 vlan 903
 nameif AF-DMZ
 security-level 45
 ip address 172.16.3.1 255.255.255.0 standby 172.16.3.2
!
interface Redundant1.4
 description PI System Interfaces
 vlan 904
 nameif PI-INT
 security-level 85
 ip address 172.16.4.1 255.255.255.0 standby 172.16.4.2
!
interface Redundant1.9
 description SEC WAN IP Address
 vlan 9
 nameif SEC
 security-level 0
 ip address 10.78.0.46 255.0.0.0 standby 10.78.0.47
!
interface Redundant1.11
 description GE PDH Historian Network
 vlan 921
 nameif GEPDH
 security-level 99
 ip address 192.168.201.137 255.255.255.0 standby 192.168.201.136
!
banner exec *****************************************************************************
banner exec WARNING TO UNAUTHORIZED USERS:
banner exec This Production System Do Not Trun Off the Firewalls or Try to Access
banner exec This system is for use by authorized users only. Any individual using this system, by such use,
banner exec acknowledges and consents to the right of the company to monitor, access, use, and disclose any
banner exec information generated, received, or stored on the systems...........
banner exec for any Information or Support Call NAZCO Crop. +966 138311078 , +966 138332785 , +966138332817
banner exec *****************************************************************************
banner login *****************************************************************************
banner login WARNING TO UNAUTHORIZED USERS:
banner login This Production System Do Not Trun Off the Firewalls or Try to Access
banner login This system is for use by authorized users only. Any individual using this system, by such use,
banner login acknowledges and consents to the right of the company to monitor, access, use, and disclose any
banner login information generated, received, or stored on the systems...........
banner login for any Information or Support Call NAZCO Crop. +966 138311078 , +966 138332785 , +966138332817
banner login *****************************************************************************
banner motd *****************************************************************************
banner motd WARNING TO UNAUTHORIZED USERS:
banner motd This Production System Do Not Trun Off the Firewalls or Try to Access
banner motd This system is for use by authorized users only. Any individual using this system, by such use,
banner motd acknowledges and consents to the right of the company to monitor, access, use, and disclose any
banner motd information generated, received, or stored on the systems...........
banner motd for any Information or Support Call NAZCO Crop. +966 138311078 , +966 138332785 , +966138332817
banner motd *****************************************************************************
banner asdm *****************************************************************************
banner asdm WARNING TO UNAUTHORIZED USERS:
banner asdm This Production System Do Not Trun Off the Firewalls or Try to Access
banner asdm This system is for use by authorized users only. Any individual using this system, by such use,
banner asdm acknowledges and consents to the right of the company to monitor, access, use, and disclose any
banner asdm information generated, received, or stored on the systems...........
banner asdm for any Information or Support Call NAZCO Crop. +966 138311078 , +966 138332785 , +966138332817
banner asdm *****************************************************************************
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone AST 3
dns domain-lookup SEC
same-security-traffic permit intra-interface
object network PIDMZ100_SEC100
 host 172.16.2.100
 description Primary PI 172.16.2.100 PP9 to SEC 10.78.0.100
object network PIDMZ101_SEC101
 host 172.16.2.101
 description Secondary PI 172.16.2.101 PP9 to SEC 10.78.0.101
object network AFDMZ102_SEC102
 host 172.16.3.102
 description Primary PI AF 172.16.3.102 PP9 to SEC 10.78.0.102
object network AFDMZ103_SEC103
 host 172.16.3.103
 description Secondary PI AF 172.16.3.103 PP9 to SEC 10.78.0.103
object service PI_PORT
 service tcp destination eq 5450
 description PI communication
object service Remote
 service tcp destination eq 3389
 description Remote Desktop Port
object service SQL
 service tcp destination eq 1433
 description SQL Port AF-DMZ
object service SymaDB
 service tcp destination eq 2638
 description Symantic Embedded database communication
object service SymaRC
 service tcp destination eq 9090
 description Symantic Browser-based remote console via Apache
object service RawSD
 service tcp destination eq 3002
 description Raw Serial Data
object service SRConsole
 service tcp destination eq 9300
 description Shared Remote Console
object service VMedia
 service tcp destination eq 17988
 description Virtual Media
object service PIAF
 service tcp destination eq 5457
 description primary port that PI AF SDK uses to communicate with PI AF
object service PIOLEDB
 service tcp destination eq 5459
 description some client products, such as PI OLEDB Enterprise and PI WebParts to communicate with PI AF server
object network GEPDH32_PIDMZ32
 host 192.168.201.32
 description EPRIS GEPDH 192.168.201.32 Primary Interface to PI
object network GEPDH34_PIDMZ34
 host 192.168.201.34
 description EPRIS GEPDH 192.168.201.34 Secondary Interface to PI
object network GEPDHNTP250_PIDMZ250
 host 192.168.201.250
 description GE LANTIME NTP Server to PI Servers
object network GEUDHNTP250_PIDMZ250
 host 192.168.101.250
 description GE UDH LAN Time Server to PI Server
object network PIDMZ100
 host 172.16.2.100
 description PI Server 1
object network PIDMZ101
 host 172.16.2.101
 description PI Server 2
object network AFDMZ102
 host 172.16.3.102
 description AF Server 1
object network AFDMZ103
 host 172.16.3.103
 description AF Server 2
object network EPRIS_SW1
 host 172.16.1.134
 description EPRIS SW1 to SEC 10.78.225.134
object network EPRIS_SW2
 host 172.16.1.135
 description EPRIS SW 2 to SEC 10.78.225.135
object network PIINT104
 host 172.16.4.104
 description PI Interface 1
object network PIINT105
 host 172.16.4.105
 description PI Interface 2
object network GEHST1_EPRIS119
 host 192.168.201.119
object network GEHST2_EPRIS131
 host 192.168.201.131
object network GEHST3_EPRIS132
 host 192.168.201.132
object network GEPDHNTP250_PIINT250
 host 192.168.201.250
 description GE LANTIME NTP Server to PI Interfaces
object network PIINT104_GEPDH138
 host 172.16.4.104
 description NAT PI Interfaces 1 to GEPDH 192.168.201.138
object network PIINT105_GEPDH141
 host 172.16.4.105
 description NAT PI Interfaces 2 to GEPDH 192.168.201.141
object network AK
 host 172.16.2.79
object network RPPUPS
 host 172.16.4.48
 description RPP-UPS SNMP
object service ldapU
 service udp destination eq 389
object service ldapUDP
 service tcp destination eq ldap
object service Kerberos88
 service tcp destination eq 88
object service OM
 service tcp destination eq 5723
object service REP
 service tcp destination eq 135
object service Kerberos88U
 service udp destination eq 88
object service LDAP_GC
 service tcp destination eq 3268
object service LDAP_GC_SSL
 service tcp destination eq 3269
object-group network DM_INLINE_NETWORK_1
 network-object object AFDMZ102
 network-object object AFDMZ103
object-group network DM_INLINE_NETWORK_2
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object object PI_PORT
object-group network DM_INLINE_NETWORK_3
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service PI
 description OSI Soft PI Ports communication
 service-object object PIAF
 service-object object PIOLEDB
 service-object object PI_PORT
object-group service DM_INLINE_SERVICE_3
 service-object object Remote
 group-object PI
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object object PI_PORT
 service-object object Remote
object-group network DM_INLINE_NETWORK_4
 network-object object PIINT104_GEPDH138
 network-object object PIINT105_GEPDH141
object-group network DM_INLINE_NETWORK_5
 network-object object GEHST1_EPRIS119
 network-object object GEHST2_EPRIS131
 network-object object GEHST3_EPRIS132
object-group network DM_INLINE_NETWORK_7
 network-object object AFDMZ102
 network-object object AFDMZ103
 network-object 172.16.50.0 255.255.255.0
object-group service DM_INLINE_SERVICE_6
 service-object icmp
 group-object PI
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object object Remote
object-group network DM_INLINE_NETWORK_6
 network-object object PIINT104_GEPDH138
 network-object object PIINT105_GEPDH141
object-group service Domain_AD
 description Directory, Replication, User and Computer Authentication, Group Policy, Trusts
 service-object tcp-udp destination eq 445
 service-object tcp-udp destination eq kerberos
 service-object tcp destination eq ldap
 service-object tcp destination eq ldaps
 service-object tcp destination eq netbios-ssn
 service-object udp destination eq netbios-ns
 service-object tcp-udp destination eq domain
 service-object tcp destination eq domain
 service-object udp destination eq domain
 service-object object ldapU
 service-object object Kerberos88
 service-object object OM
 service-object object REP
 service-object object Kerberos88U
 service-object object LDAP_GC
 service-object object LDAP_GC_SSL
 service-object tcp-udp destination eq 464
object-group service Symantec
 description Symantec Update
 service-object tcp destination eq ftp
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object object SymaDB
 service-object object SymaRC
object-group service DM_INLINE_SERVICE_10
 service-object icmp
 service-object object PI_PORT
object-group network DM_INLINE_NETWORK_9
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
object-group network DM_INLINE_NETWORK_35
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service DM_INLINE_SERVICE_12
 service-object icmp
 service-object udp destination eq ntp
object-group service iLO
 description iLO HP Servers Remote Terminal
 service-object object RawSD
 service-object object SRConsole
 service-object object VMedia
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq ssh
 service-object tcp destination eq telnet
 service-object object Remote
object-group service NTP
 description Network Time Server
 service-object udp destination eq ntp
object-group network DM_INLINE_NETWORK_11
 network-object object EPRIS_SW1
 network-object object EPRIS_SW2
object-group network DM_INLINE_NETWORK_13
 network-object object PIDMZ100_SEC100
 network-object object PIDMZ101_SEC101
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
object-group network DM_INLINE_NETWORK_12
 network-object object EPRIS_SW1
 network-object object EPRIS_SW2
object-group network DM_INLINE_NETWORK_15
 network-object object AFDMZ102
 network-object object AFDMZ103
object-group network DM_INLINE_NETWORK_17
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_14
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
object-group network DM_INLINE_NETWORK_18
 network-object object GEHST1_EPRIS119
 network-object object GEHST2_EPRIS131
 network-object object GEHST3_EPRIS132
object-group network DM_INLINE_NETWORK_20
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_21
 network-object object GEPDHNTP250_PIDMZ250
 network-object object GEPDHNTP250_PIINT250
object-group network DM_INLINE_NETWORK_22
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_23
 network-object object PIINT104
 network-object object PIINT105
object-group network DM_INLINE_NETWORK_24
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq telnet
object-group service DM_INLINE_SERVICE_5
 service-object icmp
 service-object object PI_PORT
 service-object object Remote
 service-object tcp destination eq 445
 service-object tcp destination eq netbios-ssn
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq telnet
object-group network DM_INLINE_NETWORK_19
 network-object object PIINT104_GEPDH138
 network-object object PIINT105_GEPDH141
object-group network DM_INLINE_NETWORK_16
 network-object object PIINT104
 network-object object PIINT105
object-group network DM_INLINE_NETWORK_25
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service DM_INLINE_SERVICE_8
 service-object icmp
 service-object object PI_PORT
object-group service DM_INLINE_SERVICE_9
 service-object icmp
 service-object udp destination eq ntp
object-group network DM_INLINE_NETWORK_8
 network-object object PIDMZ100_SEC100
 network-object object PIDMZ101_SEC101
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
object-group network DM_INLINE_NETWORK_27
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
 network-object object PIDMZ100_SEC100
 network-object object PIDMZ101_SEC101
object-group network DM_INLINE_NETWORK_28
 network-object object PIINT104_GEPDH138
 network-object object PIINT105_GEPDH141
object-group network DM_INLINE_NETWORK_29
 network-object object AFDMZ102
 network-object object AFDMZ103
object-group network DM_INLINE_NETWORK_30
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_10
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_26
 network-object object PIINT104
 network-object object PIINT105
object-group network DM_INLINE_NETWORK_32
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service DM_INLINE_SERVICE_11
 service-object icmp
 group-object PI
 service-object object Remote
object-group network DM_INLINE_NETWORK_33
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
object-group network DM_INLINE_NETWORK_34
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_36
 network-object object AFDMZ102
 network-object object AFDMZ103
object-group service DM_INLINE_SERVICE_13
 service-object icmp
 group-object PI
object-group network DM_INLINE_NETWORK_31
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
access-list AF_DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list AF_DMZ_access_in extended permit object Remote object-group DM_INLINE_NETWORK_15 object-group DM_INLINE_NETWORK_17
access-list AF_DMZ_access_in extended deny ip any any
access-list PI_DMZ_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_23
access-list PI_DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_24 object-group DM_INLINE_NETWORK_7
access-list PI_DMZ_access_in extended permit object PI_PORT object-group DM_INLINE_NETWORK_3 10.78.0.0 255.255.248.0
access-list PI_DMZ_access_in extended permit object-group NTP object-group DM_INLINE_NETWORK_20 object-group DM_INLINE_NETWORK_21
access-list PI_DMZ_access_in extended deny ip any any
access-list SEC_access_in extended permit ip 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_8
access-list SEC_access_in extended permit object-group DM_INLINE_SERVICE_3 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_13
access-list SEC_access_in extended permit tcp 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_9 eq www
access-list SEC_access_in extended permit icmp 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_27
access-list SEC_access_in extended permit object-group Domain_AD 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_31
access-list PI-INT_access_in extended permit object-group DM_INLINE_SERVICE_10 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_5
access-list PI-INT_access_in extended permit object PI_PORT object-group DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_25
access-list PI-INT_access_in extended permit object-group DM_INLINE_SERVICE_12 object-group DM_INLINE_NETWORK_6 object GEPDHNTP250_PIINT250
access-list SYS_INFO_access_in extended permit tcp object-group DM_INLINE_NETWORK_11 10.78.0.0 255.255.248.0 object-group DM_INLINE_TCP_1
access-list SYS_INFO_access_in extended deny ip any any
access-list GEPDH_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_18 object-group DM_INLINE_NETWORK_19
access-list GEPDH_access_in extended permit object-group DM_INLINE_SERVICE_9 object GEPDHNTP250_PIINT250 object-group DM_INLINE_NETWORK_28
access-list GEPDH_access_in extended permit udp object GEPDHNTP250_PIDMZ250 object-group DM_INLINE_NETWORK_35 eq ntp
access-list PI-DMZ_access_in extended permit object-group DM_INLINE_SERVICE_11 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_NETWORK_26
access-list PI-DMZ_access_in extended permit object-group DM_INLINE_SERVICE_13 object-group DM_INLINE_NETWORK_34 object-group DM_INLINE_NETWORK_36
access-list PI-DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_32 10.0.0.0 255.0.0.0
access-list SYS-INFO_access_in extended deny ip any any
access-list AF-DMZ_access_in extended permit object-group DM_INLINE_SERVICE_6 object-group DM_INLINE_NETWORK_29 object-group DM_INLINE_NETWORK_30
access-list AF-DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_33 10.0.0.0 255.0.0.0
access-list AF-DMZ_access_in extended permit object-group Domain_AD object-group DM_INLINE_NETWORK_14 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging standby
logging asdm-buffer-size 512
logging asdm informational
mtu MNG 1500
mtu EPRIS 1500
mtu SYS-INFO 1500
mtu PI-DMZ 1500
mtu AF-DMZ 1500
mtu PI-INT 1500
mtu SEC 1500
mtu GEPDH 1500
failover
failover lan unit primary
failover lan interface Fail Ethernet0/2
failover key *****
failover replication http
failover link State Ethernet0/3
failover interface ip Fail 30.30.30.1 255.255.255.252 standby 30.30.30.2
failover interface ip State 40.40.40.1 255.255.255.252 standby 40.40.40.2
no monitor-interface MNG
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network PIDMZ100_SEC100
 nat (PI-DMZ,SEC) static 10.78.0.100
object network PIDMZ101_SEC101
 nat (PI-DMZ,SEC) static 10.78.0.101
object network AFDMZ102_SEC102
 nat (AF-DMZ,SEC) static 10.78.0.102
object network AFDMZ103_SEC103
 nat (AF-DMZ,SEC) static 10.78.0.103
object network GEPDHNTP250_PIDMZ250
 nat (GEPDH,PI-DMZ) static 172.16.2.250
object network GEHST1_EPRIS119
 nat (GEPDH,PI-INT) static 172.16.4.119
object network GEHST2_EPRIS131
 nat (GEPDH,PI-INT) static 172.16.4.131
object network GEHST3_EPRIS132
 nat (GEPDH,PI-INT) static 172.16.4.132
object network GEPDHNTP250_PIINT250
 nat (GEPDH,PI-INT) static 172.16.4.250
object network PIINT104_GEPDH138
 nat (PI-INT,GEPDH) static 192.168.201.138
object network PIINT105_GEPDH141
 nat (PI-INT,GEPDH) static 192.168.201.141
access-group SYS-INFO_access_in in interface SYS-INFO
access-group PI-DMZ_access_in in interface PI-DMZ
access-group AF-DMZ_access_in in interface AF-DMZ
access-group PI-INT_access_in in interface PI-INT
access-group SEC_access_in in interface SEC
access-group GEPDH_access_in in interface GEPDH
route SEC 0.0.0.0 0.0.0.0 10.78.0.40 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.16.2.0 255.255.255.0 PI-DMZ
http 172.16.4.0 255.255.255.0 PI-INT
http 100.100.100.0 255.255.255.0 MNG
http 0.0.0.0 0.0.0.0 PI-DMZ
http 0.0.0.0 0.0.0.0 SEC
snmp-server host PI-DMZ 172.16.2.100 community *****
snmp-server location SEC Rabigh Power Plant
snmp-server contact NAZCO Corp. +966541308105
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.0.0.0 255.0.0.0 SEC
telnet 0.0.0.0 0.0.0.0 SEC
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 2
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.201.250 source GEPDH prefer
username admin password hOo2ZNjnaK6h3EGM encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname priority state
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:f8345826fedf2e45de6ad1d7300a1c97
: end
asdm image disk0:/asdm-714.bin
no asdm history enable
Message was edited by: Ahmad Khalifa
12-03-2013 01:33 AM
I might be overlooking it, but you do not have any aaa statements defining which database is to be used for authentication. Add the following command and test please.
aaa authentication http console LOCAL
--
Please remember to rate and select a correct answer
12-03-2013 01:52 AM
Thank you.
What I did is issue the command and reload the 2nd unit,
and it uses the same user that is used on the P unit.
Thank you for that.
If I want to know where this command takes effect in ASDM, can you tell me?
12-03-2013 01:55 AM
the path is:
Configuration > Device Management > AAA Access
Thank you for the rating
--
Please remember to rate and select a correct answer
12-03-2013 02:32 AM
I have ASA5510.
I configured Redundant Interfaces.
Is there a way to know which one is Active and the other one is Standby?
Sorry for asking a lot.
Telnet is enabled on the SEC interface; when I try to use it I get "connection timed out". You can review the configuration in the previous scenario.
Message was edited by: Ahmad Khalifa
12-03-2013 02:48 AM
The redundant interfaces are only locally significant, so having both failover ASAs and redundant interfaces should not be done...if you ask me. By default the ASA failover will be initiated if one interface fails, so unless you change that setting (which I would not recommend) the redundant interface configuration is not used.
To show which ASA is the Active and Standby you can issue the command show failover state. The command show failover will show you more. If you are uncertain which ASA is the Active, then it will be just about impossible to figure out which one is active and which is standby. You would need to check the LED status on the physical ASA. If the Active LED is green then this ASA is the Active ASA, if it is amber / orange then it is the standby. You could also connect to it with a serial cable and issue the show failover state command.
--
Please remember to rate and select a correct answer
12-03-2013 02:51 AM
Yes my friend, I know that.
What I am talking about is the Redundant Interfaces per unit, not the Failover itself.
12-03-2013 02:55 AM
ah ok, sorry my bad.
By default the first redundant interface that appears in the configuration is the active one. However, you can issue the following command to see which interface is currently the active interface.
show interface redundant1 detail
show interface redundant 1 detail | grep Member
--
Please remember to rate and select a correct answer
12-03-2013 02:58 AM
What about the Telnet?
Telnet is enabled on the SEC 10.78.0.0 interface; when I try to use it I get "connection timed out". You can review the configuration in the previous scenario.
12-03-2013 03:09 AM
Telnet is not supported on the interface that is configured with the lowest security level on an ASA.
interface Redundant1.9 description SEC WAN IP Address vlan 9 nameif SEC security-level 0 ip address 10.78.0.46 255.0.0.0 standby 10.78.0.47
You would need to change the security level on the interface or switch to using SSH. It is not recommended to use Telnet as it is a security risk as it sends traffic unencrypted.
--
Please remember to rate and select a correct answer
12-03-2013 03:23 AM
SSH also doesn't work??
Any ideas?
12-03-2013 03:29 AM
You don't have the ASA configured for SSH:
crypto key generate rsa modulus 2048
ssh 172.16.2.0 255.255.255.0 PI-DMZ
ssh 172.16.4.0 255.255.255.0 PI-INT
ssh 100.100.100.0 255.255.255.0 MNG
ssh 0.0.0.0 0.0.0.0 PI-DMZ
ssh 0.0.0.0 0.0.0.0 SEC
--
Please remember to rate and select a correct answer
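The three management-access gaps raised in the replies above (no aaa authentication binding ASDM or SSH to a user database, no ssh access lines at all, and Telnet permitted on the security-level 0 SEC interface, which the ASA refuses) can be checked mechanically. The script below is an added example written for this page, not Cisco's code or anything from the thread; its sample config is a constructed excerpt modelled on the one posted, with a placeholder in place of the password hash, and the "hardened" variant applies the fixes the replies recommend.

```python
"""Audit an ASA running-config for the management-access gaps discussed in this thread."""
import re

# Constructed excerpt modelled on the configuration posted above; the username
# hash is a placeholder, not the value from the post.
SAMPLE_CONFIG = """\
interface Management0/0
 management-only
 nameif MNG
 security-level 100
 ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
!
interface Redundant1.9
 description SEC WAN IP Address
 vlan 9
 nameif SEC
 security-level 0
 ip address 10.78.0.46 255.0.0.0 standby 10.78.0.47
!
http server enable
http 100.100.100.0 255.255.255.0 MNG
telnet 10.0.0.0 255.0.0.0 SEC
telnet 0.0.0.0 0.0.0.0 SEC
telnet timeout 5
ssh timeout 5
username admin password PLACEHOLDER_HASH encrypted privilege 15
"""

# The same excerpt with the fixes recommended in the replies applied:
# Telnet removed, SSH permitted from the management network, AAA bound to LOCAL.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "telnet 10.0.0.0 255.0.0.0 SEC\ntelnet 0.0.0.0 0.0.0.0 SEC\n", ""
) + """\
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
ssh 100.100.100.0 255.255.255.0 MNG
"""

# Matches 'telnet|ssh <network> <mask> <nameif>' but not 'telnet timeout 5' etc.
ACCESS_RE = re.compile(r"^(telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_interface_levels(config):
    """Return {nameif: security-level} by walking the indented 'interface' blocks."""
    levels, nameif, level = {}, None, None
    for raw in config.splitlines():
        if raw.startswith(" "):                  # sub-command of the current interface
            cmd = raw.split()
            if cmd[0] == "nameif":
                nameif = cmd[1]
            elif cmd[0] == "security-level":
                level = int(cmd[1])
            if nameif is not None and level is not None:
                levels[nameif] = level
        else:                                    # 'interface X', '!' or a global command
            nameif, level = None, None
    return levels


def audit(config):
    """Return a list of (code, detail) findings; an empty list means no gap was found."""
    lines = [l.rstrip() for l in config.splitlines()]
    levels = parse_interface_levels(config)
    lowest = min(levels.values()) if levels else None
    access = [m.groups() for m in map(ACCESS_RE.match, lines) if m]
    telnet_ifaces = [ifname for proto, _, _, ifname in access if proto == "telnet"]
    ssh_ifaces = [ifname for proto, _, _, ifname in access if proto == "ssh"]
    aaa_http = any(l.startswith("aaa authentication http console") for l in lines)
    aaa_ssh = any(l.startswith("aaa authentication ssh console") for l in lines)
    findings = []
    if "http server enable" in lines and not aaa_http:
        findings.append(("NO_AAA_HTTP", "ASDM/HTTP logins are not bound to a user "
                         "database; add 'aaa authentication http console LOCAL'"))
    if not ssh_ifaces:
        findings.append(("NO_SSH_ACCESS", "no 'ssh <net> <mask> <interface>' line, "
                         "so SSH is not reachable from anywhere"))
    elif not aaa_ssh:
        findings.append(("NO_AAA_SSH", "SSH is permitted but not bound to a user "
                         "database; add 'aaa authentication ssh console LOCAL'"))
    for ifname in telnet_ifaces:
        if levels.get(ifname) == lowest:
            findings.append(("TELNET_LOWEST_SECURITY",
                             f"telnet permitted on {ifname} (security-level {lowest}); "
                             "the ASA refuses Telnet on its lowest-security interface, "
                             "which matches the 'connection timed out' symptom"))
    if telnet_ifaces:
        findings.append(("TELNET_ENABLED",
                         "Telnet is cleartext; prefer SSH and remove the telnet lines"))
    return findings


def finding_codes(config):
    """The set of finding codes for a config (order-independent summary)."""
    return {code for code, _ in audit(config)}


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for code, detail in audit(cfg) or [("OK", "no findings")]:
            print(f"{code}: {detail}")
```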
12-03-2013 03:44 AM
Also I noticed this:
Interface MNG (100.100.100.1): Normal (Not-Monitored)
Interface EPRIS (0.0.0.0): Unknown (Waiting)
Interface SYS-INFO (172.16.1.1): Normal (Not-Monitored)
Interface PI-DMZ (172.16.2.1): Normal (Not-Monitored)
Interface AF-DMZ (172.16.3.1): Normal (Not-Monitored)
Interface PI-INT (172.16.4.1): Normal (Not-Monitored)
Interface SEC (10.78.0.46): Normal (Not-Monitored)
Interface GEPDH (192.168.201.137): Normal (Not-Monitored)
Your interfaces are not being monitored, so if one of these goes down a failover will not happen.
You need to add the following command for the interfaces that you want to be monitored and to initiate a failover if they go down.
monitor-interface SYS-INFO
Add this command for each interface you want to monitor; just change the interface name at the end of the statement.
--
Please remember to rate and select a correct answer
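As an added example (not code from the thread or from Cisco), the parser below reads 'show failover' output like the one posted above, lists the data interfaces reported as Not-Monitored, checks that the "Monitored Interfaces 1 of 110 maximum" header agrees with the per-interface list, and emits the monitor-interface commands from the reply above. The sample output is a constructed excerpt of the posted one; MNG is skipped by default because the posted config marks it management-only with "no monitor-interface MNG".

```python
"""Parse 'show failover' and report interfaces whose failure will not trigger failover."""
import re

# Constructed excerpt modelled on the 'show failover' output posted in this thread.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: Fail Ethernet0/2 (up)
Interface Policy 1
Monitored Interfaces 1 of 110 maximum
This host: Primary - Active
        Active time: 54348 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
          Interface MNG (100.100.100.1): Normal (Not-Monitored)
          Interface EPRIS (0.0.0.0): Unknown (Waiting)
          Interface SYS-INFO (172.16.1.1): Normal (Not-Monitored)
          Interface PI-DMZ (172.16.2.1): Normal (Not-Monitored)
          Interface SEC (10.78.0.46): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
          Interface MNG (100.100.100.2): Normal (Not-Monitored)
          Interface EPRIS (0.0.0.0): Unknown (Waiting)
          Interface SYS-INFO (172.16.1.2): Normal (Not-Monitored)
          Interface PI-DMZ (172.16.2.2): Normal (Not-Monitored)
          Interface SEC (10.78.0.47): Normal (Not-Monitored)
"""

COUNT_RE = re.compile(r"^Monitored Interfaces (\d+) of (\d+) maximum")
HOST_RE = re.compile(r"^(This|Other) host: (\S+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\S+) \(([^)]+)\)$")


def parse_show_failover(text):
    """Return {'monitored_count': int, 'hosts': {'this'|'other': {unit, state, interfaces}}}."""
    result = {"monitored_count": None, "hosts": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := COUNT_RE.match(line):
            result["monitored_count"] = int(m.group(1))
        elif m := HOST_RE.match(line):
            current = m.group(1).lower()          # "this" or "other"
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3),
                                        "interfaces": []}
        elif (m := IFACE_RE.match(line)) and current:
            name, ip, status, monitor = m.groups()
            result["hosts"][current]["interfaces"].append(
                {"name": name, "ip": ip, "status": status, "monitor": monitor})
    return result


def unmonitored_interfaces(parsed, host="this", exclude=("MNG",)):
    """Interfaces whose failure would NOT trigger failover, in the order listed.
    MNG is excluded by default: it is management-only in the posted config."""
    return [i["name"] for i in parsed["hosts"][host]["interfaces"]
            if i["monitor"] == "Not-Monitored" and i["name"] not in exclude]


def header_count_consistent(parsed, host="this"):
    """True when the 'Monitored Interfaces N' header equals the number of interfaces
    not reported as Not-Monitored (Waiting/Testing/Monitored all count as monitored)."""
    listed = sum(1 for i in parsed["hosts"][host]["interfaces"]
                 if i["monitor"] != "Not-Monitored")
    return listed == parsed["monitored_count"]


def remediation_commands(names):
    """One 'monitor-interface <nameif>' per interface, as the reply above recommends."""
    return [f"monitor-interface {n}" for n in names]


if __name__ == "__main__":
    parsed = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    print("header consistent with interface list:", header_count_consistent(parsed))
    for cmd in remediation_commands(unmonitored_interfaces(parsed)):
        print(cmd)
```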