Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12328
Views
0
Helpful
20
Replies

cannot ping/telnet the standby asa

kokhong.chew
Level 1
Level 1

‎12-09-2009 12:04 AM - edited ‎03-11-2019 09:46 AM

I got 2 x 5520 ASAs configured in active/standby mode and they are connected to 2 x 4500 switches in which too configured for failover.

Telnet to ASAs is allowed only via subnet 172.18.0.0./24

I can only ping and telnet to the active ASA from subnet 172.18.0.0./24 but not the standby

But i can ping and telnet to both the active and standby ASAs within the 4500 switches.

Please advise ? Thanks

Labels:
0 Helpful
20 Replies 20

kokhong.chew
Level 1
Level 1
In response to Kureli Sankar

‎12-18-2009 06:21 PM

anyway thanks.

i already confused . . . Raj's to add to L3 switch ! not ASA ?

0 Helpful

sachinraja
Level 9
Level 9
In response to kokhong.chew

‎12-18-2009 06:43 PM

Hi Hong

Yep.. it should be added on the firewall.. I was referring to the forward routes which should be added on L3, and not the reverse routing from the FW...

you should not add the route on standby fw, since the configs will not be synchronised with the primary... add a static route on your active firewall only to the management subnet pointing to the next hop L3 interface. then do a wr mem to synchronize the configs with the secondary... check connectivity after that.. in our setup here, we have close to 20 static routes in primary, (including the management subnet) which is replicated to failover firewall.. both the primay and secondry firewalls are reachable on telnet, ssh & ping ...

Try this and let us know..

Raj

0 Helpful

sachinraja
Level 9
Level 9
In response to kokhong.chew

‎12-18-2009 06:46 PM

route inside  172.18.0.0 255.255.255.0 172.18.5.3 on the primary and then synchronize the configs to failover unit

Raj

0 Helpful

sachinraja
Level 9
Level 9
In response to kokhong.chew

‎12-18-2009 05:41 PM

I really dont think this is a design issue... i think thats the way the firewall works.. Since it works active/passive, and since it works only on primary ip address (which is active),the routing updates should originate from the active IP address. Passive IP / Failover IP is only used for keepalives etc !

and the failver IP address is only used for management... so, reachability to failover IP should be only through static ! which should be added on your L3 switch !

Hope this helps.. All the best

Raj

0 Helpful

kokhong.chew
Level 1
Level 1
In response to sachinraja

‎12-18-2009 06:07 PM

Raj

Shouldn't a static route be added in the standby instead of the L3 switch since the active is reachable

0 Helpful

J A M A L
Level 1
Level 1

‎10-11-2012 09:09 AM

Hi Kok Hong Chew,

Can you please let me know if you have resolved this issue as we are experiencing the same after upgrading to 8.4. This was working fine on 8.2

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card