07-05-2006 09:35 AM - edited 02-21-2020 01:01 AM
Hi. I am replacing a PIX with a pair of ASA 5520's. I have the new config into one of the 5520's and it seems to be working just fine.
Now I need to put the second one into the mess by having it active/active Failover. Does anyone have a sample config on how to do this?
I understand the theory of how it works, with the standby address etc, but the exact config for basic FO would be insanely helpful.
Thanks in advance.
Bob
07-05-2006 10:00 AM
The link below should help. Remember you must be in multiple-context mode for A/A FO.
Thanks,
Chad
07-07-2006 06:39 AM
Thanks Chad. I downloaded it and printed it out. It seems like I went through everything required, but failover still isn't quite getting there. I think I'm really close though. On the primary unit, I get:
VSASA# sho fail state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
====Communication State===
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
Comm Failure
ciscoasa# sho fail
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
failover replication http
Version: Ours 7.0(5), Mate Unknown
Last Failover at: 10:51:43 UTC Jul 6 2006
This host: Secondary - Active
Active time: 74713 (sec)
slot 0: ASA5520 hw/sw rev (1.1/7.0(5)) status (Up Sys)
slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up)
Interface management (192.168.1.80): Normal (Waiting)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
slot 1: empty
Interface management (0.0.0.0): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
ciscoasa#
It appears that the failover isn't quite working, no traffic is being passed over the ethernet cable. Right now I just have a cable, not a switch or hub. I tried crossover and straight through to no avail. I am getting link status however, but the orange light is on as well, and I'm not sure that's correct.
Bob
07-07-2006 09:03 AM
The cable doesn't matter. The interfaces on the ASA are MDI/MDIX so they can auto x-over.
If the SHOW Failover output is supposed to be from the primary then it is not configured correctly.
'Failover unit Secondary' indicates that it is not the primary.
This host: Secondary - Active = It is the secondary firewall and is currently active.
Thanks,
Chad
07-07-2006 09:33 AM
OK, yup, got it. I had the primary/failover addresses backward on the failover interfaces. They need to be the same, not flipped. As soon as I did that all was well, thanks for narrowing it down for me.
The other 'mystery' to me is now that it fails over correctly, I notice that all the interfaces (inside/outside) have the same IP address. This makes sense of course, but then how does active/active work? I'm pretty sure I have it set up for active/active, but how can there be two interfaces on the network with the same IP address?
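The flipped-address mistake described in this post, shown as an added example that is not from any poster in the thread: a LAN-based Active/Standby failover configuration for both units, with the misconfigured secondary beside the corrected one. The 10.0.255.x addresses and the /30 mask are constructed placeholders; the interface name "failover" and GigabitEthernet0/3 are taken from the show failover output earlier in the thread.

```text
! Constructed example. Addresses 10.0.255.1 and 10.0.255.2 are placeholders.

! --- Primary unit ---
interface GigabitEthernet0/3
 no shutdown
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 10.0.255.1 255.255.255.252 standby 10.0.255.2
failover

! --- Secondary unit, misconfigured: active and standby addresses flipped ---
! Each unit picks its own address from this line based on its role, so
! flipping the line here gives both units the same address and they
! never hear each other (Mate Unknown, Other host Failed, Comm Failure).
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.0.255.2 255.255.255.252 standby 10.0.255.1
failover

! --- Secondary unit, corrected: interface ip line identical to the primary ---
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 10.0.255.1 255.255.255.252 standby 10.0.255.2
failover
```

The only line that differs between the two units is failover lan unit; after the peers see each other, show failover on the primary should report "Failover unit Primary" and a real Mate version instead of Unknown.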
07-07-2006 09:43 AM
Active/Active only works if you are running multiple context mode. Based on the output of the show failover you are not running multiple context mode.
You are set up in an Active/Passive failover.
Link for multiple context mode.
Please rate posts if they helped!
Thanks,
Chad
07-08-2006 04:42 AM
Hi buddy, please take care before going for an active/active setup with multiple context, because you cannot terminate VPNs and run dynamic routing protocols on the ASA once you enter into multiple context mode. It sounds sad, but yes, it is. See ya.
regards
sebastan