Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
760
Views
0
Helpful
7
Replies

DMZ and Web Server

Go to solution
Navaz Wattoo
Level 1
Level 1

‎08-26-2013 10:17 PM - edited ‎03-11-2019 07:31 PM

     i have two cisco ASA 5510 failover firewalls and configured web server in DMZ and the the sh failover is

ACTIVE(config)# sh failover

Failover On

Failover unit Primary

Failover LAN Interface: FAILOVER Management0/0 (Failed - No Switchover)

Unit Poll frequency 1 seconds, holdtime 3 seconds

Interface Poll frequency 3 seconds, holdtime 15 seconds

Interface Policy 1

Monitored Interfaces 3 of 110 maximum

Version: Ours 8.2(5), Mate 8.2(5)

Last Failover at: 09:43:30 PKT Aug 11 2013

        This host: Primary - Active

                Active time: 1357606 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)

                  Interface DMZ (10.1.1.1): Normal (Waiting)

                  Interface Outside (125.209.70.90): Normal (Waiting)

                  Interface inside (192.168.11.249): Normal (Waiting)

                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status (Up/Up)

                  IPS, 6.0(6)E4, Up

Other host: Secondary - Failed

                Active time: 0 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Unknown/Unknown)

                  Interface DMZ (10.1.1.2): No Link (Waiting)

                  Interface Outside (125.209.70.91): Normal

                  Interface inside (192.168.11.250): Normal

                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status (Unknown/Unkn

own)

                  IPS, 6.0(6)E4, Unknown

Stateful Failover Logical Update Statistics

        Link : FAILOVER Management0/0 (Failed)

        Stateful Obj    xmit       xerr       rcv        rerr

        General         191867     0          180372     0

        sys cmd         180372     0          180372     0

        up time         0          0          0          0

        RPC services    0          0          0          0

        TCP conn        737        0          0          0

        UDP conn        603        0          0          0

        ARP tbl         10139      0          0          0

        Xlate_Timeout   0          0          0          0

        IPv6 ND tbl     0          0          0          0

VPN IKE upd     8          0          0          0

        VPN IPSEC upd   8          0          0          0

        VPN CTCP upd    0          0          0          0

        VPN SDI upd     0          0          0          0

        VPN DHCP upd    0          0          0          0

        SIP Session     0          0          0          0

        Logical Update Queue Information

                        Cur     Max     Total

        Recv Q:         0       17      180372

        Xmit Q:         0       1486    1553340

ACTIVE(config)#

and when at web server i have installed linux operating system and at web server there are two LAN cards and i bond these LAN card and one path chord is in active firewall and other firewall is passive.

the problems is that when i i put these two cables are in ASA its will not working and when i un plug one cable its working

Navaz       

Navaz
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to garyprice

‎08-29-2013 01:03 AM

Hi,

In the original ASA5500 Series it was possible. You could also remove the "management-only" setting.

I have not yet tried on the ASA5500-X Series but to my understanding it cant be used in Failover. Also the "management-only" cant be removed.

- Jouni

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎08-26-2013 11:34 PM

Hi,

Can't say I have seen a situation where someone would have directly attached an server into an ASA Failover pair. And that is probably where the problem lies.

I would have to guess that the Failover polling messages are not getting through from one ASA to the other ASA since the only link goes through the PC. I have not tried similiar setup every myself and probably wont

- Jouni

0 Helpful

Go to solution
Navaz Wattoo
Level 1
Level 1
In response to Jouni Forss

‎08-27-2013 12:04 AM

can u chekc my failover configuration is it right?

ACTIVE(config)# sh failover

Failover On

Failover unit Primary

Failover LAN Interface: FAILOVER Management0/0 (Failed - No Switchover)

Unit Poll frequency 1 seconds, holdtime 3 seconds

Interface Poll frequency 3 seconds, holdtime 15 seconds

Interface Policy 1

Monitored Interfaces 3 of 110 maximum

Version: Ours 8.2(5), Mate 8.2(5)

Last Failover at: 09:43:30 PKT Aug 11 2013

        This host: Primary - Active

                Active time: 1357606 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)

                  Interface DMZ (10.1.1.1): Normal (Waiting)

                  Interface Outside (125.209.70.90): Normal (Waiting)

                  Interface inside (192.168.11.249): Normal (Waiting)

                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status (Up/Up)

                  IPS, 6.0(6)E4, Up

Other host: Secondary - Failed

                Active time: 0 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Unknown/Unknown)

                  Interface DMZ (10.1.1.2): No Link (Waiting)

                  Interface Outside (125.209.70.91): Normal

                  Interface inside (192.168.11.250): Normal

                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status (Unknown/Unkn

own)

                  IPS, 6.0(6)E4, Unknown

Stateful Failover Logical Update Statistics

        Link : FAILOVER Management0/0 (Failed)

        Stateful Obj    xmit       xerr       rcv        rerr

        General         191867     0          180372     0

        sys cmd         180372     0          180372     0

        up time         0          0          0          0

        RPC services    0          0          0          0

        TCP conn        737        0          0          0

        UDP conn        603        0          0          0

        ARP tbl         10139      0          0          0

        Xlate_Timeout   0          0          0          0

        IPv6 ND tbl     0          0          0          0

VPN IKE upd     8          0          0          0

        VPN IPSEC upd   8          0          0          0

        VPN CTCP upd    0          0          0          0

        VPN SDI upd     0          0          0          0

        VPN DHCP upd    0          0          0          0

        SIP Session     0          0          0          0

        Logical Update Queue Information

                        Cur     Max     Total

        Recv Q:         0       17      180372

        Xmit Q:         0       1486    1553340

ACTIVE(config)#

ACTIVE#   sh failover  state ?

  |  Output modifiers

 

ACTIVE#   sh failover  state

               State          Last Failure Reason      Date/Time

This host  -   Primary

               Active         None

Other host -   Secondary

               Failed         Ifc Failure              02:44:31 PKT Aug 27 2013

                              DMZ: No Link

====Configuration State===

        Sync Done

====Communication State===

ACTIVE#

Navaz

Navaz
0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Navaz Wattoo

‎08-27-2013 12:55 AM

Hi,

Actually I was a bit blind.

It seems to me that the actual Failover link between the devices is not UP either.

Failover LAN Interface: FAILOVER Management0/0 (Failed - No Switchover)

You can check the actual Failover configuration with the command

show run failover

I would also check the actual physical connections as at the moment it seens there are clearly problems with the connectivity between the hosts on certain interfaces.

- Jouni

0 Helpful

Go to solution
Navaz Wattoo
Level 1
Level 1
In response to Jouni Forss

‎08-27-2013 04:22 AM

i connected the failover connection through cross cable

and here i paste the configuration of sh run failover

ACTIVE# sh run failover

failover

failover lan unit primary

failover lan interface FAILOVER Management0/0

failover polltime unit 1 holdtime 3

failover polltime interface 3 holdtime 15

failover key *****

failover link FAILOVER Management0/0

failover interface ip FAILOVER 1.1.1.1 255.0.0.0 standby 1.1.1.2

ACTIVE#

Navaz

Navaz
0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Navaz Wattoo

‎08-27-2013 04:43 AM

Hi,

So is the interface Management0/0 up/up? Has it been enabled on both ASAs with the "no shutdown" command?

You can use the command "show run interface Management0/0" on both ASA units.

The configurations seems ok.

- Jouni

0 Helpful

Go to solution
garyprice
Level 1
Level 1

‎08-28-2013 09:31 PM

How is it possible to use management interface as failover link?

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to garyprice

‎08-29-2013 01:03 AM

Hi,

In the original ASA5500 Series it was possible. You could also remove the "management-only" setting.

I have not yet tried on the ASA5500-X Series but to my understanding it cant be used in Failover. Also the "management-only" cant be removed.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card