2341 Views, 0 Helpful, 12 Replies

First Cisco ASA setup

Hi All,

 

I have 2 new ASAs as an HA pair on my network; currently I have a problem with the setup.

I cannot ping the standby IP, for example:

 

interface Redundant2.300
description INSIDE-TEST
vlan 300
nameif inside
security-level 100
ip address 10.50.1.1 255.255.255.0 standby 10.50.1.2

 

When I try to ping 10.50.1.2 from 10.50.1.1, it looks like this:

 

ASA# ping 10.50.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.1.2, timeout is 2 seconds:
????
ASA#

 

Can you guys help me with this problem?

 

Thank you so much

12 Replies

Hi,
Are both ASAs' outside interfaces connected (either via a switch or directly)?
Can you provide the output of "show failover"?

Hi Rob,

 

This is the outside interface config:

 

interface Redundant1
description To WAN/Outside
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 116.213.58.2 255.255.255.0 standby 116.213.58.3

 

I cannot share "show failover" because I still cannot access the ASA remotely.

Can you shed some light on this issue? What should I check?

 

Thank you so much

Hi Rob,

 

My ASA outside interfaces are connected through a Nexus switch.

 

Thank you

But you can ping from an ASA; can you not access it any longer? The "show failover" command will show if the interfaces are up.
Are the interfaces up on the Nexus switch? EDIT: and in the correct VLAN?

Hi Rob,

 

The ASAs are still new and I have not been given any access to them yet.
I will check it later on Friday, but the interface on the Nexus is already up.
What am I supposed to do if the interface in "show failover" is Down?

 

Thank you so much

Are the interfaces on the Nexus in the correct VLANs?

If you are not permitted to access the ASA then there isn't much you can do. Though if you do get access, you should check the basics. Confirm the interfaces are configured with a primary and standby IP address, the failover/state interface is configured, and failover is configured and enabled. Refer to these guides to validate your configuration and troubleshoot.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_standby.pdf

https://www.networkstraining.com/cisco-asa-active-standby-configuration/

Hi Rob,

 

Thank you for your reply, i will inform you later

 

Thank you

Hi Rob,

 

Here is the "show failover" output:

 

ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FOLINK GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.8(2), Mate 9.8(2)
Serial Number: Ours FCH2151J1LB, Mate Unknown
Last Failover at: 05:41:04 UTC Aug 19 2020
This host: Primary - Active
Active time: 133116 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.8(2)) status (Up Sys)
Interface management (192.168.1.1): No Link (Waiting)
Interface outside (116.213.58.2): Normal (Waiting)
Interface inside (10.50.1.1): Normal (Not-Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
Other host: Secondary - Failed
Active time: 56 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.8(2)) status (Up Sys)
Interface management (0.0.0.0): No Link (Waiting)
Interface outside (116.213.58.3): No Link (Waiting)
Interface inside (10.50.1.2): Normal (Not-Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)

Stateful Failover Logical Update Statistics
Link : FOLINK GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 112248 0 112196 4
sys cmd 112194 0 112194 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 53 0 2 4
Router ID 0 0 0 0
User-Identity 1 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 13 112347
Xmit Q: 0 30 568019

You need to check the outside link on the secondary ASA. Check it's plugged in, check the interface is up, and check that it's configured in the correct VLAN on the switch it's plugged into.

 

This host: Primary - Active
Active time: 133116 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.8(2)) status (Up Sys)
Interface management (192.168.1.1): No Link (Waiting)
Interface outside (116.213.58.2): Normal (Waiting)
Interface inside (10.50.1.1): Normal (Not-Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
Other host: Secondary - Failed
Active time: 56 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.8(2)) status (Up Sys)
Interface management (0.0.0.0): No Link (Waiting)
Interface outside (116.213.58.3): No Link (Waiting)
Interface inside (10.50.1.2): Normal (Not-Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
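The reply above reads the "show failover" output by eye: the peer is "Secondary - Failed" and its outside interface shows "No Link". The following is an added example, not code from the thread or from Cisco, that does the same check programmatically so the output can be fed into a monitoring job: a small heuristic parser written against the ASA 9.8 output format shown in this thread, run over a constructed excerpt of the posted output. It reports failover not enabled, a failover LAN link that is not up, any unit whose state is neither Active nor Standby Ready, and any interface whose link state is not Normal; interfaces marked Not-Monitored are listed separately as notes, since an unmonitored interface cannot trigger a failover when it loses link.

```python
"""Heuristic parser for Cisco ASA `show failover` output that reports what the
replies in this thread tell the poster to check: failover enabled, the failover
LAN link up, each unit's state, and any interface whose link state is not Normal.

Added example, not code from the thread or from Cisco. Written against the
ASA 9.8 output format shown in the thread; SAMPLE is a constructed excerpt of
that posted output, trimmed to the lines the parser uses.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: excerpt of the `show failover` output posted in the thread
# (secondary unit Failed, its outside interface has no link).
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: FOLINK GigabitEthernet0/7 (up)
This host: Primary - Active
Active time: 133116 (sec)
Interface management (192.168.1.1): No Link (Waiting)
Interface outside (116.213.58.2): Normal (Waiting)
Interface inside (10.50.1.1): Normal (Not-Monitored)
Other host: Secondary - Failed
Active time: 56 (sec)
Interface management (0.0.0.0): No Link (Waiting)
Interface outside (116.213.58.3): No Link (Waiting)
Interface inside (10.50.1.2): Normal (Not-Monitored)
"""

HOST_RE = re.compile(r"^(This host|Other host): (\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+?) \((.+)\)$")
FOLINK_RE = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)$")


@dataclass
class Unit:
    role: str                                       # Primary / Secondary
    state: str                                      # Active / Standby Ready / Failed / ...
    interfaces: dict = field(default_factory=dict)  # name -> (ip, link, monitor)


def parse_failover(text):
    """Return (failover_on, lan_link_state, [Unit, ...]) from `show failover` text."""
    failover_on, lan_link, units, current = False, None, [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Failover On":
            failover_on = True
        elif (m := FOLINK_RE.match(line)):
            lan_link = m.group(3)
        elif (m := HOST_RE.match(line)):
            current = Unit(role=m.group(2), state=m.group(3).strip())
            units.append(current)
        elif current is not None and (m := IFACE_RE.match(line)):
            name, ip, link, monitor = m.groups()
            current.interfaces[name] = (ip, link, monitor)
    return failover_on, lan_link, units


def findings(text):
    """Return (problems, notes): problems stop the pair from working as an HA
    pair; notes are worth knowing (an unmonitored interface cannot trigger
    a failover when it loses link)."""
    problems, notes = [], []
    failover_on, lan_link, units = parse_failover(text)
    if not failover_on:
        problems.append("failover is not enabled")
    if lan_link != "up":
        problems.append(f"failover LAN link state is {lan_link}")
    for u in units:
        if u.state not in ("Active", "Standby Ready"):
            problems.append(f"{u.role} unit state is '{u.state}'")
        for name, (ip, link, monitor) in u.interfaces.items():
            if link != "Normal":
                problems.append(f"{u.role} {name} ({ip}): {link}")
            if monitor == "Not-Monitored":
                notes.append(f"{u.role} {name} ({ip}) is not monitored for failover")
    return problems, notes


if __name__ == "__main__":
    problems, notes = findings(SAMPLE)
    print("Problems:", *problems, sep="\n  ")
    print("Notes:", *notes, sep="\n  ")
```

On the posted output this lists the Secondary unit's Failed state, the No Link on its outside interface, and the No Link on both units' management interfaces as problems, and notes that the inside subinterface is not monitored on either unit.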

Hi Rob

Currently I have already fixed that issue and the secondary ASA is Standby Ready now, but I still can't ping the standby IP 10.50.1.2.

 

What can I share with you to fix this issue?

Hi, do you have the icmp permit command configured? Also, make sure the correct VLAN is present.

Hi Baqari,

 

What kind of permit should I open?

I already put this on the ASA:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_ACCESS extended permit icmp any object TESTING
icmp permit host 10.50.1.30 inside

 

Is it right?
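The icmp lines posted above are worth checking against the documented ASA behaviour. An interface access-list (such as OUTSIDE_ACCESS) and the same-security-traffic commands govern traffic passing through the ASA; ICMP addressed to one of the ASA's own interfaces, which is what a ping to the peer's standby address is, is governed only by the icmp control list, and that list is replicated to the standby unit. With no icmp entries on an interface the ASA accepts all ICMP to it; once any entry exists, the first matching entry decides and anything unmatched is implicitly denied. The following added example, not code from the thread or from Cisco, models that evaluation so the posted rule can be tested: POSTED is the line from the post, CORRECTED is a hypothetical replacement that permits the whole inside subnet (an assumption, not something the thread states).

```python
"""Model of how a Cisco ASA evaluates its `icmp` control list, the
`icmp {permit | deny} {host A | A MASK | any} [type] IFACE` commands, for ICMP
traffic addressed to one of its own interfaces (pinging the box, as opposed to
traffic passing through it, which interface access-lists govern).

Added example, not code from the thread or from Cisco. It encodes the documented
evaluation order: an interface with no icmp entries accepts all ICMP; otherwise
the first matching entry decides and anything unmatched is implicitly denied.
POSTED is the rule from the thread; CORRECTED is a hypothetical replacement.
"""
import ipaddress
import shlex
from typing import NamedTuple, Optional


class IcmpRule(NamedTuple):
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # source addresses the entry covers
    icmp_type: Optional[str]        # e.g. "echo"; None means any ICMP type
    interface: str                  # nameif the entry is attached to


def parse_icmp_rule(line):
    """Parse one `icmp permit|deny <src> [type] <interface>` line."""
    tok = shlex.split(line)
    if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp rule: {line!r}")
    action, rest = tok[1], tok[2:]
    if rest[0] == "any":
        net, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        net, rest = ipaddress.IPv4Network(rest[1] + "/32"), rest[2:]
    else:  # address followed by a dotted netmask
        net, rest = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
    if not rest:
        raise ValueError(f"missing interface name: {line!r}")
    icmp_type = rest[0] if len(rest) == 2 else None  # optional type before the interface
    return IcmpRule(action, net, icmp_type, rest[-1])


def icmp_to_box_allowed(rules, src, interface, icmp_type="echo"):
    """Return (allowed, reason) for an ICMP packet of `icmp_type` from `src`
    that terminates on the ASA interface named `interface`."""
    src_ip = ipaddress.IPv4Address(src)
    on_iface = [r for r in rules if r.interface == interface]
    if not on_iface:
        return True, "no icmp entries on this interface: all ICMP accepted"
    for r in on_iface:  # first match wins
        if src_ip in r.network and r.icmp_type in (None, icmp_type):
            return r.action == "permit", f"first match: {r.action} {r.network}"
    return False, "no matching entry: implicit deny"


def check(rule_lines, src, interface, icmp_type="echo"):
    """Convenience wrapper: parse the rule lines, then evaluate one packet."""
    rules = [parse_icmp_rule(line) for line in rule_lines]
    return icmp_to_box_allowed(rules, src, interface, icmp_type)


# The icmp line from the thread: only 10.50.1.30 may send ICMP to the inside
# interface, so a ping sourced from the peer unit's inside address is denied.
POSTED = ["icmp permit host 10.50.1.30 inside"]

# Hypothetical corrected list (an assumption, not from the thread): permit the
# whole inside subnet, which covers 10.50.1.30 and both units' inside addresses.
CORRECTED = ["icmp permit 10.50.1.0 255.255.255.0 inside"]


if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("corrected", CORRECTED)):
        for src in ("10.50.1.30", "10.50.1.1", "10.50.1.2"):
            allowed, why = check(rules, src, "inside")
            verdict = "permit" if allowed else "deny"
            print(f"{label:9} {src:>11} -> inside: {verdict:6} ({why})")
```

Run stand-alone, the script shows that under the posted list only 10.50.1.30 may ping the inside interface, so an echo from 10.50.1.1 to the standby address 10.50.1.2 hits the implicit deny, while the outside interface, which has no icmp entries, still accepts all ICMP; under the hypothetical subnet-wide permit all three inside addresses are allowed.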
