08-19-2020 10:32 AM
Hi All,
I have 2 new ASAs as HA on my network. Currently I have a problem with the setup.
I cannot ping the standby IP, for example:
interface Redundant2.300
description INSIDE-TEST
vlan 300
nameif inside
security-level 100
ip address 10.50.1.1 255.255.255.0 standby 10.50.1.2
When I try to ping 10.50.1.2 from 10.50.1.1, it looks like this:
ASA# ping 10.50.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.1.2, timeout is 2 seconds:
????
ASA#
Can you guys help me with this problem?
Thank you so much
08-19-2020 10:38 AM
08-19-2020 10:44 AM
Hi Rob,
This is the config of the outside interface:
interface Redundant1
description To WAN/Outside
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 116.213.58.2 255.255.255.0 standby 116.213.58.3
I cannot share show failover because I still cannot remote into the ASA.
Can you shed some light on this issue? What should I check?
Thank you so much
08-19-2020 10:46 AM
Hi Rob,
My outside ASA is connected through a Nexus switch.
Thank you
08-19-2020 10:52 AM - edited 08-19-2020 10:55 AM
but you can the ping from an ASA, can you not access it any longer? The "show failover" command will show if the interfaces are up.
Are the interfaces up on the nexus switch? - EDIT: and in the correct vlan?
08-19-2020 10:58 AM
Hi Rob,
The ASAs still new and i'm not give it any access to it.
I will check it later on Friday, but the interface on the Nexus is already up.
What am I supposed to do if the interface in "show failover" is Down?
Thank you so much
08-19-2020 11:10 AM
Are the interfaces on the nexus in the correct vlans?
If you are not permitted to access the ASA then there isn't much you can do. Though if you do get access, you should check the basics. Confirm the interfaces are configured with a primary and standby IP address, the failover/state interface is configured and the failover is configured and enabled. Refer to these guides to validate your configuration and troubleshoot.
https://www.networkstraining.com/cisco-asa-active-standby-configuration/
08-19-2020 11:28 AM
Hi Rob,
Thank you for your reply, I will inform you later.
Thank you
08-20-2020 07:50 PM
Hi Rob,
Here I share the "show failover" command output:
ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FOLINK GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.8(2), Mate 9.8(2)
Serial Number: Ours FCH2151J1LB, Mate Unknown
Last Failover at: 05:41:04 UTC Aug 19 2020
This host: Primary - Active
Active time: 133116 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.8(2)) status (Up Sys)
Interface management (192.168.1.1): No Link (Waiting)
Interface outside (116.213.58.2): Normal (Waiting)
Interface inside (10.50.1.1): Normal (Not-Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
Other host: Secondary - Failed
Active time: 56 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.8(2)) status (Up Sys)
Interface management (0.0.0.0): No Link (Waiting)
Interface outside (116.213.58.3): No Link (Waiting)
Interface inside (10.50.1.2): Normal (Not-Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
Stateful Failover Logical Update Statistics
Link : FOLINK GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 112248 0 112196 4
sys cmd 112194 0 112194 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 53 0 2 4
Router ID 0 0 0 0
User-Identity 1 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 13 112347
Xmit Q: 0 30 568019
08-21-2020 12:02 AM
You need to check the outside link on the secondary ASA. Check it's plugged in, check the interface is up, check that it's configured in the correct VLAN on the switch it's plugged into.
This host: Primary - Active
Active time: 133116 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.8(2)) status (Up Sys)
Interface management (192.168.1.1): No Link (Waiting)
Interface outside (116.213.58.2): Normal (Waiting)
Interface inside (10.50.1.1): Normal (Not-Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
Other host: Secondary - Failed
Active time: 56 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.8(2)) status (Up Sys)
Interface management (0.0.0.0): No Link (Waiting)
Interface outside (116.213.58.3): No Link (Waiting)
Interface inside (10.50.1.2): Normal (Not-Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
slot 1: SFR5525 hw/sw rev (N/A/6.2.2-81) status (Up/Up)
ASA FirePOWER, 6.2.2-81, Up, (Monitored)
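The per-unit check described above can be automated. The following is an added example, not part of the original thread: a small parser that reads the host and interface lines of "show failover" and lists the conditions worth checking. The function names are hypothetical, and the sample input is an excerpt of the output posted in this thread.

```python
import re

# Excerpt of the "show failover" output posted in this thread.
SAMPLE = """\
This host: Primary - Active
slot 0: ASA5525 hw/sw rev (3.1/9.8(2)) status (Up Sys)
Interface management (192.168.1.1): No Link (Waiting)
Interface outside (116.213.58.2): Normal (Waiting)
Interface inside (10.50.1.1): Normal (Not-Monitored)
Other host: Secondary - Failed
slot 0: ASA5525 hw/sw rev (3.1/9.8(2)) status (Up Sys)
Interface management (0.0.0.0): No Link (Waiting)
Interface outside (116.213.58.3): No Link (Waiting)
Interface inside (10.50.1.2): Normal (Not-Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*\(([^)]*)\)\s*$")

def parse_failover(text):
    """Return {'This'|'Other': {'role', 'state', 'interfaces': [...]}}."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3), "interfaces": []}
            units[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:  # slot/module lines are skipped
            name, ip, link, monitor = m.groups()
            current["interfaces"].append({"name": name, "ip": ip, "link": link, "monitor": monitor})
    return units

def findings(units):
    """List conditions worth checking before trusting the HA pair."""
    out = []
    for which, unit in units.items():
        if unit["state"].lower() == "failed":
            out.append(f"{which} host ({unit['role']}) is in Failed state")
        for i in unit["interfaces"]:
            if i["link"] != "Normal":
                out.append(f"{unit['role']} {i['name']} ({i['ip']}): {i['link']}")
            if i["monitor"] == "Not-Monitored":
                out.append(f"{unit['role']} {i['name']} is not monitored for failover")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_failover(SAMPLE))))
```
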
08-21-2020 02:06 AM
Hi Rob
I have already fixed that issue and the secondary ASA is standby ready now, but I still can't ping the standby IP 10.50.1.2.
What can I share with you to fix this issue?
08-21-2020 01:35 AM
08-21-2020 02:07 AM
Hi Baqari,
What kind of permit should I open?
I already put this on the ASA:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_ACCESS extended permit icmp any object TESTING
icmp permit host 10.50.1.30 inside
Is it right?