
CISCO ASA-5510 FAILOVER ISSUE

Sunil Patil
Level 1

I upgraded the same IOS (asa804-k8.bin) on both ASAs and configured failover; it is working fine. But when we checked VPN client authentication, it is working on the primary ASA, but the secondary ASA is giving an authentication error.

When I bring the primary ASA down it switches to the secondary ASA, and the secondary ASA gives the error below:

ASA(config)# Failover LAN Failed

ERROR: The specified SSL VPN Client image does not exist.

WARNING: No 'svc image' commands have been issued

        Switching to Active

I also attached the config files of the primary and secondary ASA.

9 Replies

Anu M Chacko
Cisco Employee

Hi Sunil,

From the "sh run", the Primary ASA is running version 8.0(2) and the secondary is at 8.0(4). Also, the secondary ASA is missing the svc image file. Please upgrade the version on the primary ASA and do a "wr mem" followed by a "wr standby" and then test.

Let me know.

Regards,

Anu

P.S. Please mark this question as resolved if it has been answered. Do rate helpful posts.

Hi Anu

I also upgraded the primary ASA to 8.0(4), ran "wr mem" followed by "wr standby" and then tested; it is giving the same error.

Regards

Sunil

Hi Sunil,

Can you attach the updated "sh run" from both the ASAs?

Regards,

Anu

fiatasA# show run

: Saved

:

ASA Version 8.0(4)

!

hostname fiatasA

domain-name FTPINRJCS01

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.16.177.71 255.255.255.192 standby 10.16.177.72

!

interface Ethernet0/1

nameif DMZ1

security-level 90

ip address 10.10.10.1 255.0.0.0

!

interface Ethernet0/2

no nameif

no security-level

no ip address

!


interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

nameif manage

security-level 99

ip address 192.168.0.1 255.255.255.0

management-only

!

boot system disk0:/asa804-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name FTPINRJCS01

same-security-traffic permit intra-interface

pager lines 24

mtu outside 1500

mtu DMZ1 1500

mtu manage 1500

ip local pool vpn_employee 10.16.191.65-10.16.191.94 mask 255.255.255.224

ip local pool vpn_suppliers 10.16.191.97-10.16.191.126 mask 255.255.255.224

failover

failover lan unit primary

failover lan interface asa-lf0-sf0 Ethernet0/3

failover polltime unit 3 holdtime 9


failover link asa-lf0-sf0 Ethernet0/3

failover interface ip asa-lf0-sf0 192.168.1.1 255.255.255.0 standby 192.168.1.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

route outside 0.0.0.0 0.0.0.0 10.16.177.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server FIAT_RADIUS protocol radius

aaa-server FIAT_RADIUS (outside) host 10.16.178.29

key c1sc0123

http server enable

http 192.168.0.2 255.255.255.255 manage

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000


no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc enable

tunnel-group-list enable

group-policy SUPPLIERS internal

group-policy SUPPLIERS attributes

vpn-tunnel-protocol svc

split-tunnel-policy tunnelall

address-pools value vpn_suppliers

webvpn

  svc keep-installer installed

  svc rekey time 30

  svc rekey method ssl

  svc ask none default svc

group-policy EMPLOYEE internal

group-policy EMPLOYEE attributes

vpn-tunnel-protocol svc


split-tunnel-policy tunnelall

address-pools value vpn_employee

webvpn

  svc keep-installer installed

  svc rekey time 30

  svc rekey method ssl

  svc ask none default svc

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group fiat_webvpn type remote-access

tunnel-group fiat_webvpn general-attributes

authentication-server-group FIAT_RADIUS

tunnel-group fiat_webvpn webvpn-attributes

group-alias fiat_webvpn enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map


  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:a55d5b2036478778d0ad886b356984a0

: end

fiatasA# 

Hi, I found one command that is not there on the secondary after running "wr standby", which is:

svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

Hi Sunil,

This is from the Primary ASA right? Please post the "sh run" from the secondary ASA as well. Are you able to use vpn now on both ASAs?

Regards,

Anu

Primary ASA show run

: Saved

:

ASA Version 8.0(4)

!

hostname fiatasA

domain-name FTPINRJCS01

enable password

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.16.177.71 255.255.255.192 standby 10.16.177.72


!

interface Ethernet0/1

nameif DMZ1

security-level 90

ip address 10.10.10.1 255.0.0.0

!

interface Ethernet0/2

no nameif

no security-level

no ip address

!

interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

nameif manage

security-level 99

ip address 192.168.0.1 255.255.255.0

management-only

!

boot system disk0:/asa804-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name FTPINRJCS01


same-security-traffic permit intra-interface

pager lines 24

mtu outside 1500

mtu DMZ1 1500

mtu manage 1500

ip local pool vpn_employee 10.16.191.65-10.16.191.94 mask 255.255.255.224

ip local pool vpn_suppliers 10.16.191.97-10.16.191.126 mask 255.255.255.224

failover

failover lan unit primary

failover lan interface asa-lf0-sf0 Ethernet0/3

failover polltime unit 3 holdtime 9

failover link asa-lf0-sf0 Ethernet0/3

failover interface ip asa-lf0-sf0 192.168.1.1 255.255.255.0 standby 192.168.1.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

route outside 0.0.0.0 0.0.0.0 10.16.177.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy


aaa-server FIAT_RADIUS protocol radius

aaa-server FIAT_RADIUS (outside) host 10.16.178.29

key c1sc0123

http server enable

http 192.168.0.2 255.255.255.255 manage

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy


class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

webvpn

enable outside

svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy SUPPLIERS internal

group-policy SUPPLIERS attributes


vpn-tunnel-protocol svc

split-tunnel-policy tunnelall

address-pools value vpn_suppliers

webvpn

  svc keep-installer installed

  svc rekey time 30

  svc rekey method ssl

  svc ask none default svc

group-policy EMPLOYEE internal

group-policy EMPLOYEE attributes

vpn-tunnel-protocol svc

split-tunnel-policy tunnelall

address-pools value vpn_employee

webvpn

  svc keep-installer installed

  svc rekey time 30

  svc rekey method ssl

  svc ask none default svc

username cisco password privilege 15

tunnel-group fiat_webvpn type remote-access

tunnel-group fiat_webvpn general-attributes

authentication-server-group FIAT_RADIUS

tunnel-group fiat_webvpn webvpn-attributes

group-alias fiat_webvpn enable


prompt hostname context

Cryptochecksum:6c5746384ab93f5360e813c8eb08cad6

: end

Secondary ASA show run


fiatasA# show run

: Saved

:

ASA Version 8.0(4)

!

hostname fiatasA

domain-name FTPINRJCS01

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.16.177.71 255.255.255.192 standby 10.16.177.72

!

interface Ethernet0/1

nameif DMZ1

security-level 90

ip address 10.10.10.1 255.0.0.0

!

interface Ethernet0/2

no nameif

no security-level

no ip address

!


interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

nameif manage

security-level 99

ip address 192.168.0.1 255.255.255.0

management-only

!

boot system disk0:/asa804-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name FTPINRJCS01

same-security-traffic permit intra-interface

pager lines 24

mtu outside 1500

mtu DMZ1 1500

mtu manage 1500

ip local pool vpn_employee 10.16.191.65-10.16.191.94 mask 255.255.255.224

ip local pool vpn_suppliers 10.16.191.97-10.16.191.126 mask 255.255.255.224

failover

failover lan unit secondary

failover lan interface asa-lf0-sf0 Ethernet0/3

failover polltime unit 3 holdtime 9


failover link asa-lf0-sf0 Ethernet0/3

failover interface ip asa-lf0-sf0 192.168.1.1 255.255.255.0 standby 192.168.1.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

route outside 0.0.0.0 0.0.0.0 10.16.177.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server FIAT_RADIUS protocol radius

aaa-server FIAT_RADIUS (outside) host 10.16.178.29

key c1sc0123

http server enable

http 192.168.0.2 255.255.255.255 manage

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000


no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc enable

tunnel-group-list enable

group-policy SUPPLIERS internal

group-policy SUPPLIERS attributes

vpn-tunnel-protocol svc

split-tunnel-policy tunnelall

address-pools value vpn_suppliers

webvpn

  svc keep-installer installed

  svc rekey time 30

  svc rekey method ssl

  svc ask none default svc

group-policy EMPLOYEE internal

group-policy EMPLOYEE attributes

vpn-tunnel-protocol svc


split-tunnel-policy tunnelall

address-pools value vpn_employee

webvpn

  svc keep-installer installed

  svc rekey time 30

  svc rekey method ssl

  svc ask none default svc

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group fiat_webvpn type remote-access

tunnel-group fiat_webvpn general-attributes

authentication-server-group FIAT_RADIUS

tunnel-group fiat_webvpn webvpn-attributes

group-alias fiat_webvpn enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map


  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:a55d5b2036478778d0ad886b356984a0

: end

fiatasA#

Hi, do I have to upload any file to the secondary other than the IOS image, or will it automatically be uploaded to the secondary ASA from the primary ASA?

Hi Sunil,

AnyConnect images are not replicated to the standby ASA if you've upgraded its version. Here is a very useful document:

https://supportforums.cisco.com/docs/DOC-1291

Also, verify that the licenses are the same on both devices ("sh ver" on the ASA).

Hope this helps!

Regards,

Anu
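The two things the replies above point at (the version mismatch in the first reply, and the AnyConnect image and its "svc image" line that "wr standby" does not carry to the standby) can be checked mechanically before a failover test. The script below is an added example written for this page, not code from the thread or from Cisco; the two dumps in it are constructed from the thread's primary and secondary output, not the real attachments.

```python
"""Compare two ASA 'show run' dumps for commands that name files on disk0:,
which 'wr standby' does not copy. Added example for the thread above; the dumps
below are constructed from the thread's primary/secondary output, not attachments."""
import re

# 'wr standby' replicates the running config, not the files it points at, so
# each of these commands has to be checked on the standby's flash as well.
FILE_COMMANDS = ("boot system", "asdm image", "svc image")

def parse_show_run(text):
    """Return (ASA version, set of file-referencing commands) from a dump."""
    version, file_cmds = None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:" or line.startswith("<--- More"):
            continue  # separators and pager residue
        m = re.match(r"ASA Version (\S+)", line)
        if m:
            version = m.group(1)
        if line.startswith(FILE_COMMANDS):
            file_cmds.add(line)
    return version, file_cmds

def failover_pair_report(primary_text, secondary_text):
    """List mismatches that would stop the standby serving what the active does."""
    p_ver, p_files = parse_show_run(primary_text)
    s_ver, s_files = parse_show_run(secondary_text)
    problems = []
    if p_ver != s_ver:
        problems.append(f"version mismatch: primary {p_ver}, secondary {s_ver}")
    problems += [f"missing on secondary: {c}" for c in sorted(p_files - s_files)]
    problems += [f"missing on primary: {c}" for c in sorted(s_files - p_files)]
    return problems

PRIMARY = """\
ASA Version 8.0(4)
boot system disk0:/asa804-k8.bin
<--- More --->
asdm image disk0:/asdm-602.bin
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
"""
# Constructed secondary: the same dump minus the svc image line, as in the thread.
SECONDARY = PRIMARY.replace(" svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1\n", "")

if __name__ == "__main__":
    print("\n".join(failover_pair_report(PRIMARY, SECONDARY)) or "no mismatches")
```

A clean report only means the commands match; the .pkg and .bin files still have to be present on the standby's disk0: for the commands to take effect there.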

I attached the show version; please verify whether the licence is valid or not.

Hi Sunil,

Are you looking at implementing webvpn or AnyConnect? You have 50 peers licensed for webvpn. However, if you're looking at implementing AnyConnect, you need to get the licenses for it, for which I suggest you get in touch with TAC.

Hope this helps!

Regards,

Anu
