Solved: ASA not failing over

ethan12345 · ‎10-22-2012

good morning

we have a pair of 5510's set up as Primary/Secondary failover pair. I have gone through the high availability wizard via ASDM, and everything seemed to complete ok with out any issues. A "show failover" show that the inside interface of the standby unit is "failed" [see paste below]

SG-ASA-1# sho failover

Failover On

Failover unit Primary

Failover LAN Interface: failover Ethernet0/3 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 110 maximum

Version: Ours 8.4(3), Mate 8.4(3)

Last Failover at: 22:53:08 PDT Oct 20 2012

This host: Primary - Active

Active time: 125682 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)

Interface outside (xxx.xxx.38.147): Normal (Waiting)

Interface inside (192.168.100.241): Normal (Waiting)

slot 1: empty

Other host: Secondary - Failed

Active time: 0 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)

Interface outside (xxx.xxx.38.148): Normal (Waiting)

Interface inside (192.168.100.242): Failed (Waiting)

slot 1: empty

Stateful Failover Logical Update Statistics

Link : failover Ethernet0/3 (up)

Stateful Obj xmit xerr rcv rerr

General 1072898 0 16735 0

sys cmd 16736 0 16735 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 290986 0 0 0

UDP conn 74491 0 0 0

ARP tbl 690603 0 0 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 0 0 0 0

VPN IKEv2 P2 0 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 82 0 0 0

Route Session 0 0 0 0

User-Identity 6 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 4 16735

Xmit Q: 0 32 1219523

SG-ASA-1#

and here is show failover from the standby unit

SG-ASA-1# sho failover

Failover On

Failover unit Secondary

Failover LAN Interface: failover Ethernet0/3 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 110 maximum

Version: Ours 8.4(3), Mate 8.4(3)

Last Failover at: 23:01:25 PDT Oct 20 2012

This host: Secondary - Failed

Active time: 0 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)

Interface outside (xxx.xxx.38.148): Normal (Waiting)

Interface inside (192.168.100.242): Failed (Waiting)

slot 1: empty

Other host: Primary - Active

Active time: 125017 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)

Interface outside (xxx.xxx.38.147): Normal (Waiting)

Interface inside (192.168.100.241): Normal (Waiting)

slot 1: empty

Stateful Failover Logical Update Statistics

Link : failover Ethernet0/3 (up)

Stateful Obj xmit xerr rcv rerr

General 16549 0 1058099 0

sys cmd 16553 0 16553 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 0 0 286588 0

UDP conn 0 0 73140 0

ARP tbl 0 0 681946 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 0 0 0 0

VPN IKEv2 P2 0 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 74 0

Route Session 0 0 0 0

User-Identity 0 0 5 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 25 1203226

Xmit Q: 0 1 16553

SG-ASA-1# sho failover

whats interesting, is I just did another show failover minutes later and its not showing failed, nothing has changed that I am aware of.

SG-ASA-1# sho failover

Failover On

Failover unit Secondary

Failover LAN Interface: failover Ethernet0/3 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 110 maximum

Version: Ours 8.4(3), Mate 8.4(3)

Last Failover at: 23:01:25 PDT Oct 20 2012

This host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)

Interface outside (xxx.xxx.38.148): Normal (Waiting)

Interface inside (192.168.100.242): Normal (Waiting)

slot 1: empty

Other host: Primary - Active

Active time: 125894 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)

Interface outside (xxx.xxx.38.147): Normal (Waiting)

Interface inside (192.168.100.241): Normal (Waiting)

slot 1: empty

Stateful Failover Logical Update Statistics

Link : failover Ethernet0/3 (up)

Stateful Obj xmit xerr rcv rerr

General 16666 0 1071269 0

sys cmd 16666 0 16666 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 0 0 291647 0

UDP conn 0 0 74266 0

ARP tbl 0 0 688630 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 0 0 0 0

VPN IKEv2 P2 0 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 74 0

Route Session 0 0 0 0

User-Identity 0 0 5 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 25 1217202

Xmit Q: 0 1 16666

When I pull the power of the primary the amber active light on the standby unit turns green but no connectivity is restored, meaning I cannot get internet, etc. After high availability failover wizard I cannot ping the standby units inside interface of 192.168.100.242 which I am assuming is normal. And then During a failover test I have console cable plugged in to the standby, the active light goes green but I am unable to ping anywhere beyond the device itself. Thanks in advance for any assistance

Julio Carvajal · ‎10-24-2012

Hello Ethan,

It should not be failed, that means that the hello packets being exchanged between each other are not being received.

Please check the switch port assisgnemt, check the interface speeds and duplex and make sure they are on the same vlan ( switch cables,)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎10-22-2012

Hello Ethan,

Can you share the configuration on both units?

Also when you perfom the test what is the state of the standby unit? Is it failed again?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ethan12345 · ‎10-22-2012

Ok here is the cleaned up config of the Standby 5510, I will post the primary 5510 later. Thanks!

standby firewall current config:

SG-ASA-1# sho running-config

: Saved

:

ASA Version 8.4(3)

!

hostname SG-ASA-1

domain-name xxxxxx.com

enable password xxxxxx encrypted

passwd xxxxx encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address xxx.xxx.38.147 255.255.255.240 standby xxx.xxx.38.148

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.100.241 255.255.255.0 standby 192.168.100.242

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name xxxxxxx.com

dns server-group defaultdns

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network Exchange

host 192.168.100.19

description mail server

object network xxxxxxx

host 192.168.100.34

object network xxxxxx

host 192.168.100.50

object network xxxxxxx

host 192.168.100.14

object network NETWORK_OBJ_192.168.22.96_27

subnet 192.168.22.96 255.255.255.224

object network exchange

host 192.168.100.19

access-list ISP-INBOUND extended permit icmp any any echo-reply

access-list ISP-INBOUND extended permit icmp any any unreachable

access-list ISP-INBOUND extended permit icmp any any echo

access-list ISP-INBOUND extended permit icmp any any time-exceeded

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.151 eq www any

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.151 eq 6338 any

access-list ISP-INBOUND extended permit udp host xxx.xxx.38.151 eq 6338 any

access-list ISP-INBOUND extended permit tcp host xxxx.6xx.38.149 eq smtp any

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.149 eq www any

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.149 eq https any

access-list ISP-INBOUND extended deny tcp any host xxx.xxx.38.149 eq 3389

access-list ISP-INBOUND extended deny tcp any host xxx.xxx.38.151 eq 3389

access-list ISP-INBOUND extended permit udp any eq domain any

access-list ISP-INBOUND extended permit tcp any host xxxx.xxx.38.151 eq 1433

access-list ISP-INBOUND extended permit tcp any host xxxx.xxx.38.151 eq 8080

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.151 eq 6400

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.150 eq www

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.150 eq 6338

access-list ISP-INBOUND extended permit udp any host xxx.xxx.38.150 eq 6338

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.150 eq 1433

access-list ISP-INBOUND extended permit tcp any host xxx.xx.38.150 eq 8080

access-list ISP-INBOUND extended permit tcp any host xxx.xxxx.38.150 eq 6400

access-list ISP-INBOUND extended deny ip any host xxx.xxx.38.151 log

access-list ISP-INBOUND extended deny ip any host xxx.xxx.38.150 log

access-list ISP-INBOUND extended permit ip any any

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.153 eq 2427 any

access-list ISP-INBOUND extended permit udp host xxx.xxx.38.153 eq 2427 any

access-list ISP-INBOUND extended permit udp host xxxxxxx.38.153 range 16400 16990 any

access-list ISP-INBOUND extended permit ip host xxx.xxxx.32.59 any

access-list ISP-INBOUND extended permit ip host xxxx.xxxx.71.186 host xxx.xxx.38.151

access-list ISP-INBOUND extended permit ip host xxxxxx.229.50 host xxxx.xxx.38.150

access-list ISP-INBOUND extended permit ip host xxx.xxx.229.50 host xxxx.xxxx.38.151

access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.180.0 255.255.255.0

access-list NO-NAT extended permit ip 192.168.180.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.180.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxxx

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.150.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.160.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.140.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.110.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.170.0 255.255.255.0

access-list NO-NAT remark - Don't NAT Sxxxxxx LAN to remote sites' PIX/ASA networks

access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0

access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.130.0 255.255.255.0

access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.140.0 255.255.255.0

access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0

access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.160.0 255.255.255.0

access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.170.0 255.255.255.0

access-list NO-NAT remark - Don't NAT office LANs to VPN clients

access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT extended permit ip 192.168.105.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT extended permit ip 192.168.110.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT extended permit ip 192.168.120.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT extended permit ip 192.168.130.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT extended permit ip 192.168.140.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT extended permit ip 192.168.150.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT extended permit ip 192.168.160.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT extended permit ip 192.168.170.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT remark - Rules to remove after all sites are migrated

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxx Center LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.105.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.120.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.130.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxCenter LAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxxxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xLxxxxxAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxLAN

access-list NO-NAT remark - Don't NAT xxxxxLAN to remote sites' PIX/ASA networks

access-list NO-NAT remark - Don't NAT office LANs to VPN clients

access-list NO-NAT remark - Rules to remove after all sites are migrated

access-list NO-NAT remark - Do not NAT traffic from any site to xxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxxxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to xxLAN

access-list NO-NAT remark - Do not NAT traffic from any site to Saxxxxxxn xxLAN

access-list ALLOW-ALL extended permit ip any any

access-list SPLIT-TUNNEL extended permit ip 192.168.100.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list SPLIT-TUNNEL extended permit ip 192.168.105.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list SPLIT-TUNNEL extended permit ip 192.168.110.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list SPLIT-TUNNEL extended permit ip 192.168.120.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list SPLIT-TUNNEL extended permit ip 192.168.130.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list SPLIT-TUNNEL extended permit ip 192.168.140.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list SPLIT-TUNNEL extended permit ip 192.168.150.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list SPLIT-TUNNEL extended permit ip 192.168.160.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list SPLIT-TUNNEL extended permit ip 192.168.170.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list SPLIT-TUNNEL extended permit ip 192.168.180.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list standard-split-tunnel-test remark testing split tunnel

access-list sqqtandard-split-tunnel-test standard permit 192.168.0.0 255.255.0.0

access-list standard-split-tunnel-test remark testing split tunnel

pager lines 24

logging enable

logging timestamp

logging monitor debugging

logging buffered debugging

logging trap informational

logging asdm informational

logging device-id hostname

no logging message 313005

no logging message 305012

no logging message 305011

no logging message 710005

no logging message 715075

no logging message 733100

no logging message 715047

no logging message 715046

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 304001

no logging message 715036

no logging message 111005

no logging message 713236

no logging message 609002

no logging message 609001

no logging message 302016

no logging message 302021

no logging message 302020

mtu outside 1500

mtu inside 1500

ip local pool vpn-pool 192.168.22.96-192.168.22.127 mask 255.255.255.224

failover

failover lan unit secondary

failover lan interface failover Ethernet0/3

failover link failover Ethernet0/3

failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo-reply outside

icmp permit any unreachable outside

icmp permit any echo outside

icmp permit any inside

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.22.96_27 NETWORK_OBJ_192.168.22.96_27 no-proxy-arp route-lookup

!

object network xxxxxx

nat (inside,outside) static xxxx.xxxxx.38.152

object network xxxxx

nat (inside,outside) static xxx.xxx.38.151

object network xxxxxxxx

nat (inside,outside) static xxx.xxxx.38.150

object network xxxxxx

nat (inside,outside) static xxx.xxxx.38.149

!

nat (inside,outside) after-auto source dynamic any interface

access-group ISP-INBOUND in interface outside

access-group ALLOW-ALL in interface inside

route outside 0.0.0.0 0.0.0.0 xxxx.xxxx.38.145 1

route inside xxxxxx 255.255.255.252 192.168.100.254 1

route inside 192.168.100.0 255.255.255.0 192.168.100.254 1

route inside 192.168.105.0 255.255.255.0 192.168.100.254 1

route inside 192.168.110.0 255.255.255.0 192.168.100.254 1

route inside 192.168.120.0 255.255.255.0 192.168.100.254 1

route inside 192.168.130.0 255.255.255.0 192.168.100.254 1

route inside 192.168.140.0 255.255.255.0 192.168.100.254 1

route inside 192.168.150.0 255.255.255.0 192.168.100.254 1

route inside 192.168.160.0 255.255.255.0 192.168.100.254 1

route inside 192.168.170.0 255.255.255.0 192.168.100.254 1

route inside 192.168.180.0 255.255.255.0 192.168.100.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server LDAP protocol ldap

aaa-server LDAP (inside) host 192.168.100.13

server-port 636

ldap-base-dn ou=users,dc=xxxxxxx,dc=com

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn xxxxxx\administrator

ldap-over-ssl enable

server-type microsoft

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.100.10 255.255.255.255 inside

http 192.168.100.135 255.255.255.255 inside

http 192.168.100.13 255.255.255.255 inside

http redirect outside 80

snmp-server host inside 192.168.100.96 community ***** version 2c

snmp-server location xxxx

snmp-server contact xxxxxx

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

fqdn xxxxx

email xxxxxx

subject-name CN=vpn.xxxxxx.com,OU=IT dept,O=xxxxxxp,C=US,St=xxxx,L=xxxxxxx,EA=xxxxxx

ip-address xxx.xxxx.38.147

keypair xxxxx.key

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint2

enrollment terminal

fqdn vpn.xxxxx.com

email xxxxxx

subject-name CN=vpn.xxxxxx.com,OU=IT,O=xxxx,C=US,St=CA,L=xxxxxxxx,EA=xxxxn@xxxxxx.com

ip-address xxxx.xxxx.38.147

keypair xxxxxx

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca xxxxx

308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130

0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117

30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420

68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329

3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365

63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7

0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597

xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a

1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973

69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603

551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

6c2527b9 deb78458 c61f381e a4c4cb66

quit

crypto ca certificate chain ASDM_TrustPoint1

certificate ca xxxxxxx

308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500

3063310b 30090603 55040613 02555331 21301f06 0355040a 13185468 6520476f

xxxxxxxxxxxxxxxxxxxxxx

66696361 7465732e 676f6461 6464792e 636f6d2f 7265706f 7369746f 7279300e

0603551d 0f0101ff 04040302 0106300d 06092a86 4886f70d 01010505 00038201

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee

quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh xxx.xxxx.33.7 255.255.255.0 outside

ssh 192.168.100.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 132.249.20.88 source outside prefer

ssl trust-point ASDM_TrustPoint0 outside

ssl trust-point ASDM_TrustPoint0 inside

webvpn

enable outside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

anyconnect enable

tunnel-group-list enable

group-policy "GroupPolicy_anyconnect vpn" internal

group-policy "GroupPolicy_anyconnect vpn" attributes

wins-server value 192.168.100.13

dns-server value 192.168.100.6

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value standard-split-tunnel-test

default-domain value xxxxxx

address-pools value vpn-pool

webvpn

anyconnect keep-installer installed

anyconnect ask none default anyconnect

username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx enable

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

class class-default

user-statistics accounting

!

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command vpn-sessiondb

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command service-policy

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:91b52acf20eaba00a12fda3d293fd632

ethan12345 · ‎10-22-2012

ok now here is a cleaned up config of the Primary ASA

: Call-home enabled from prompt by enable_15 at 18:19:21 UTC Sep 30 2012

!

ASA Version 8.4(3)

!

hostname SG-ASA-1

domain-name xxxxxx.com

enable password xxxxxxx encrypted

passwd xxxxx.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address xxx.xxx.38.147 255.255.255.240 standby xxx.xxx.38.148

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.100.241 255.255.255.0 standby 192.168.100.242

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

xxxxx

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name xxxxxx.com

dns server-group defaultdns

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network Exchange

host 192.168.100.19

description mail server

object network xxxxx

host 192.168.100.34

object network xxxx

host 192.168.100.50

object network xxxxx

host 192.168.100.14

object network NETWORK_OBJ_192.168.22.96_27

subnet 192.168.22.96 255.255.255.224

object network xxxxxx

host 192.168.100.19

access-list ISP-INBOUND extended permit icmp any any echo-reply

access-list ISP-INBOUND extended permit icmp any any unreachable

access-list ISP-INBOUND extended permit icmp any any echo

access-list ISP-INBOUND extended permit icmp any any time-exceeded

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.151 eq www any

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.151 eq 6338 any

access-list ISP-INBOUND extended permit udp host xxx.xxx.38.151 eq 6338 any

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.149 eq smtp any

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.149 eq www any

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.149 eq https any

access-list ISP-INBOUND extended deny tcp any host xxx.xxx.38.149 eq 3389

access-list ISP-INBOUND extended deny tcp any host xxx.xxx.38.151 eq 3389

access-list ISP-INBOUND extended permit udp any eq domain any

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.151 eq 1433

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.151 eq 8080

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.151 eq 6400

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.150 eq www

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.150 eq 6338

access-list ISP-INBOUND extended permit udp any host xxx.xxx.38.150 eq 6338

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.150 eq 1433

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.150 eq 8080

access-list ISP-INBOUND extended permit tcp any host xxx.xxx.38.150 eq 6400

access-list ISP-INBOUND extended deny ip any host xxx.xxx.38.151 log

access-list ISP-INBOUND extended deny ip any host xxx.xxx.38.150 log

access-list ISP-INBOUND extended permit ip any any

access-list ISP-INBOUND extended permit tcp host xxx.xxx.38.153 eq 2427 any

access-list ISP-INBOUND extended permit udp host xxx.xxx.38.153 eq 2427 any

access-list ISP-INBOUND extended permit udp host xxx.xxx.38.153 range 16400 16990 any

access-list ISP-INBOUND extended permit ip host xxxx.xxxx.32.59 any

access-list ISP-INBOUND extended permit ip host xxxx.250.71.186 host xxx.xxx.38.151

access-list ISP-INBOUND extended permit ip host xxxxx.7.xxx.xxxx host xxx.xxx.38.150

access-list ISP-INBOUND extended permit ip host xxx.7.xxxxx.50 host xxx.xxx.38.151

access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.180.0 255.255.255.0

access-list NO-NAT extended permit ip 192.168.180.0 255.255.255.0 192.168.22.96 255.255.255.224

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.180.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxx xxxxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.150.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.160.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxx xxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.140.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site to xxxxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.110.0 255.255.255.0

access-list NO-NAT remark - Do not NAT traffic from any site xxxx LAN

access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.170.0 255.255.255.0

access-list NO-NAT remark - Don't NAT xxx xxxxx LAN to remote sites' PIX/ASA networks