Cisco ASA : Management Standby (HA-Active/Standby)

bcr
Level 1

Hello,

 

I have a Cisco ASA, HA - Active/Standby (ASA1 and ASA2) configuration:

  1. ASA1: Gigabit 0/0 (Management) - 192.168.1.110,
  2. ASA2: Gigabit 0/0 (Management) - 192.168.1.111.

Is it possible to keep the Gigabit 0/0 management interface of the secondary ASA unchanged during synchronization? I want to access ASA2 via its management interface using SSH.

The problem is that as soon as I activate the failover, I lose control over the secondary ASA.

For your information, I have a failover key **********.

Thank you.

 

Cordially,

bcr.

28 Replies

Cristian Matei
VIP Alumni

Hi,

 

     You need to configure standby IP addresses: the primary IP is owned by the Active box, while the standby IP is owned by the Standby box. Look here for one example; it's for Active/Active, but the interface and failover config is the same.

     Fully configure your primary ASA, with failover and standby IPs as well. On the secondary ASA, enable/unshut the links and configure the failover interface; the config will get synced from the primary ASA, and you'll be able to access both afterwards.

 

Regards,

Cristian Matei.

Hello,

 

Thank you for your response.

 

I first configure the management interface of each ASA.

Then I configure the "failover" on ASA1 and then on ASA2.

But as soon as I activate the "failover" on ASA1 and ASA2 (specifically, as soon as I activate the failover on ASA2), I lose control of ASA2 via SSH, because the configuration of ASA2 is overwritten by that of ASA1. But I need SSH access to ASA2 too.

 

 

Yours sincerely,

Bcr.

Hi,

 

    The config is being synchronised. After the Active/Standby roles are established, as long as you configured standby IPs and have RSA keys (the default ones or ones created by yourself on both ASAs), you'll be able to SSH to both again. The primary IP takes you to the Active ASA; the standby IP takes you to the Standby ASA.

 

Regards,

Cristian Matei.

Hello,

Thank you for your response.

When the synchronization ends, the IP address of the primary overwrites the IP address of the secondary.
After synchronization, do I have to reconfigure the IP of the secondary? But after each synchronization, the IP of the secondary is overwritten.


Yours sincerely,
Bashir.

Hi,

 

    Have you even looked at the document I mentioned above? The standby/secondary IP address is not configured directly on the standby machine; of course it gets overwritten. You configure it on your primary machine via the "standby" option, for each interface:

 

"ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2"

 

Regards,

Cristian Matei.

Prior to doing a manual failover, I believe your configuration is in this manner.

ASA1
!
interface gig0/7
 no shut
!
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover replication http
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 172.19.1.1 255.255.255.248 standby 172.19.1.2
failover
!
interface Management0/0
 nameif mgmt
 security-level 100
 management-only
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shut
!
interface gig0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
 no shut
!
interface gig0/2
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
 no shut
!

=-=-=-=-
ASA2
!
interface gig0/7
 no shut
!
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/7
failover replication http
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 172.19.1.1 255.255.255.248 standby 172.19.1.2
failover

Now, when you do a manual failover from SSH, your SSH connection is disconnected. This is normal behavior; behind the scenes, what is happening is as below.

In Active/Standby failover the active device uses the primary unit's MAC addresses. In the event of failover the secondary appliance becomes active and takes over the primary unit's MAC addresses, whereas the previously active device, now standby, takes over the standby unit's MAC addresses. After the standby appliance becomes active, it sends out a gratuitous ARP on the network. A gratuitous ARP is an ARP request that the appliance sends out on the Ethernet networks with the source and destination IP addresses set to the active IP addresses. The destination MAC address is the Ethernet broadcast address. All devices on the Ethernet segment process this broadcast frame and update their ARP table with this information. Using gratuitous ARP, the layer 2 devices, including switches, also update their CAM table with the MAC address and updated switch port information.

 

Is it possible to keep the Giga 0/0 management interface of the secondary ASA unchanged during synchronization. I want to access the ASA2 via its management interface using SSH.

Let's say you are running ASA1 active and ASA2 standby. Now you SSH to an ASA1 IP address. From the SSH session of ASA1 you manually do a failover (command "no failover active"); this will flip ASA1 to standby and ASA2 becomes active. At this point you lose the SSH session. If you were using PuTTY, restarting the PuTTY session will automatically put you into an ASA2 active session, for the reason I explained earlier. Hope you understand this.

Please do not forget to rate.
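The two points made above, that the "standby" keyword on the primary's interface config is what assigns the second address, and that a role swap moves both the configured IPs and the MAC addresses between chassis, are easy to get wrong when reading `show failover`. The following is an added example, not code from the thread or from Cisco: it parses a constructed `show failover` listing (same layout as the real command, addresses taken from the config posted above), answers "which IP do I SSH to in order to reach a specific chassis right now?", and then models a failover to show how the IP and MAC pairing moves. The burned-in MAC values are hypothetical, and the model assumes the default failover MAC handling (no `failover mac address` configured).

```python
"""Model of Cisco ASA Active/Standby address ownership (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of `show failover`, taken on the Primary
# chassis while it is Active. Addresses match the config in the thread; this
# is not a capture from a real device.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/7 (up)
This host: Primary - Active
        Active time: 3600 (sec)
          Interface outside (1.1.1.1): Normal (Monitored)
          Interface inside (172.16.1.1): Normal (Monitored)
          Interface mgmt (192.168.1.1): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
          Interface outside (1.1.1.2): Normal (Monitored)
          Interface inside (172.16.1.2): Normal (Monitored)
          Interface mgmt (192.168.1.2): Normal (Not-Monitored)
"""

# Hypothetical burned-in MACs per chassis (constructed values). With default
# failover MAC handling, the Active unit answers with the Primary chassis's
# burned-in MACs and the Standby unit with the Secondary chassis's, no matter
# which chassis currently holds which role.
BURNED_IN_MAC = {
    "Primary":   {"outside": "0011.2233.0001", "inside": "0011.2233.0002", "mgmt": "0011.2233.0003"},
    "Secondary": {"outside": "0011.4455.0001", "inside": "0011.4455.0002", "mgmt": "0011.4455.0003"},
}

HOST_RE = re.compile(r"^(This|Other) host: (Primary|Secondary) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s+Interface (\S+) \(([\d.]+)\): (\S+)")


@dataclass
class Unit:
    unit: str                                  # chassis: "Primary" or "Secondary" (fixed)
    state: str                                 # role: "Active", "Standby Ready", "Failed", ...
    addrs: dict = field(default_factory=dict)  # nameif -> IP this chassis owns right now

    @property
    def active(self):
        return self.state == "Active"


def parse_show_failover(text):
    """Return {chassis: Unit} from `show failover` output."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = Unit(unit=m.group(2), state=m.group(3))
            units[current.unit] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current.addrs[m.group(1)] = m.group(2)
    return units


def address_to_reach(units, chassis, nameif="mgmt"):
    """IP to SSH to in order to land on a specific chassis right now."""
    return units[chassis].addrs[nameif]


def mac_in_use(unit):
    """MACs the chassis answers with: the Primary set if Active, else the Secondary set."""
    return BURNED_IN_MAC["Primary" if unit.active else "Secondary"]


def failover(units):
    """Model a role swap (e.g. `no failover active` typed on the Active unit).

    The chassis that becomes Active takes the configured (primary) IPs and the
    Primary MACs; the one going Standby takes the standby IPs and the Secondary
    MACs. Returns (new_units, gratuitous_arps); the input is left untouched.
    """
    old_active = next(u for u in units.values() if u.active)
    old_standby = next(u for u in units.values() if not u.active)
    new = {
        old_active.unit: Unit(old_active.unit, "Standby Ready", dict(old_standby.addrs)),
        old_standby.unit: Unit(old_standby.unit, "Active", dict(old_active.addrs)),
    }
    new_active = new[old_standby.unit]
    # Gratuitous ARPs the new Active unit sends: (IP, MAC) per active address.
    garps = [(ip, mac_in_use(new_active)[nameif]) for nameif, ip in new_active.addrs.items()]
    return new, garps


if __name__ == "__main__":
    before = parse_show_failover(SHOW_FAILOVER)
    print("before: Secondary chassis reachable at", address_to_reach(before, "Secondary"))
    after, garps = failover(before)
    print("after:  Secondary chassis reachable at", address_to_reach(after, "Secondary"))
    print("after:  Primary chassis reachable at  ", address_to_reach(after, "Primary"))
    for ip, mac in garps:
        print(f"GARP  {ip} is-at {mac}")
```

Two things the model makes visible: the IP you were connected to keeps the same MAC across a failover (the primary address is always answered with the Primary chassis's MAC), so the admin host's ARP entry stays valid, but the chassis behind it, and therefore the switch port, changes. That is exactly what the gratuitous ARP is for: if a switch in the management path does not see it, its CAM table still points the MAC at the old port and neither address answers until the entry ages out or is cleared.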

Hello,

 

Thank you for your explanations and interventions.

 

I followed the configuration.

interface Management0/0

 management-only

 ip address 10.192.168.1.110 255.255.255.128 standby 192.168.1.111

I lost ssh control after forcing a failover.

 

Again I added a second command:

interface Management0/0

 management-only

 ip address 10.192.168.1.110 255.255.255.128 standby 192.168.1.111

 no monitor-interface

 

Same problem. The IP addresses are exchanged: 10.192.168.1.111 becomes the address of the primary, now on standby, and 10.192.168.1.110 becomes the address of the secondary, now active.

 

I lost SSH control of both ASAs.


Cordially,
bcr.

Hello,

Thank you all for your responsiveness.

Thanks to @Cristian Matei for the link.

Thanks to @Sheraz.Salim for the explanations.

I followed the configurations. My configuration is similar to the one quoted above by @Sheraz.Salim.

 

interface Management0/0

 management-only

 ip address 10.192.168.1.110 255.255.255.128 standby 192.168.1.111

I lost ssh control after forcing a failover.

 

Again I added a second command:

interface Management0/0

 management-only

 ip address 10.192.168.1.110 255.255.255.128 standby 192.168.1.111

 no monitor-interface

 

Same problem. The IP addresses are exchanged: 10.192.168.1.111 becomes the address of the primary, now on standby, and 10.192.168.1.110 becomes the address of the secondary, now active.

 

I lost SSH control of both ASAs.


Cordially,

bcr.

 

Hi,

 

   Can you confirm that once the Active/Standby roles are assigned, you can connect to both ASAs? This is what's important. Whenever you force a failover to the other device, the primary/secondary IPs are swapped, so it's normal to lose access.

 

Regards,

Cristian Matei.

Hello,

I confirm that after activating the failover, I have access to both ASAs (ASA-1 and ASA-2).

I try to simulate that in case of failure of ASA-1, I can have access to both ASA-1 and ASA-2.

For example, if one interface fails on ASA-1 and there is a failover. I need access via ssh to see the problem.

I'd like to run a simulation that's very close to the real thing.

Thank you.


My regards,
bcr.

Hi,

 

   The primary configured IP is owned by the Active ASA, while the standby configured IP is owned by the Standby ASA. When you change the roles manually (failover triggering), or whenever the Active/Standby roles are swapped, you'll lose the connection and you need to reconnect. There is no workaround for this, as the IP address you were connecting to no longer belongs to that device.

   What matters is that you can always get access to both ASAs, just not at the exact time the roles are changed, for obvious reasons.

  

Regards,

Cristian Matei.

Hello,

It is very obvious that after the forced failover I have to reconnect, because the addresses are changed.

The problem is that when I try to reconnect from scratch, the ASA does not respond, so no connection.

I used traceroute to see if I'm stuck in the local network, but no, I'm not. It's the ASA not responding.


Yours sincerely,
bcr.

Hi,

 

   What do you mean by "The problem is that when I try to reconnect from scratch, the ASA does not respond, so no connection."?

 

Regards,

Cristian Matei.

Hello,


I would like to say: when I reconnect after a failover (change of IP address between ASA-1 and ASA-2), I can't connect. I can't even ping ASA-1 or ASA-2.

Yours sincerely,
bcr.
