Solved: Re: FPR 1010 ASA HA / Failover issue

peat · ‎01-24-2024

A customer removed one of what I was led to believe (install was by a previous company who did no documentation) was a standby FPR1010 that was in a HA pair and sent it back to us due to a fault.

It turned out there wasn't any issues with the 1010 and I could log on to it fine. My problem is we will be needed to reinstall the FPR back into the supposed HA pair but I cant seem to fine a good guide on how to do this.

Before we install it though i have been through the configuration to see if it makes sense with the online guides ive found that touch on the subject and it doesn't match up.

For a start off the licence is a smart licence and mentions security plus but if I do a show ver it shows failover as disabled. Is this because i dont have the FPR currently connected to the internet so it cant read the licences?

On the interfaces I can see standby IPs setup for the 2 internal LANs and WAN (on vlans) but on the failover interface (e1/8) it shows no ip address or standby ip or switchport.

interface Vlan1
description Inside Interface
nameif inside
security-level 100
ip address 192.168.2.100 255.255.255.0 standby 192.168.2.101
!
interface Vlan2
description Outside
nameif outside
security-level 0
ip address xxxxxxx 255.255.255.248 standby xxxxxxxxx
!
interface Vlan3
description LAN
nameif dmz
security-level 50
ip address 172.16.200.254 255.255.255.0 standby 172.16.200.253
!
interface Ethernet1/1
description Outside
switchport
switchport access vlan 2
!
interface Ethernet1/2
description LAN
switchport
switchport access vlan 3
!
interface Ethernet1/3
description Inside Interface
switchport
!
interface Ethernet1/4
switchport
shutdown
!
interface Ethernet1/5
no switchport
no nameif
no security-level
no ip address
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
description temp network
switchport
switchport access vlan 3
power inline auto
!
interface Ethernet1/8
description LAN/STATE Failover Interface
no switchport
power inline auto
!
interface Management1/1
management-only
shutdown
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!

I have been right through the config and cant find any mention of Failover bar in the desc of int e1/8 which is "LAN/STATE Failover interface".

Does this sound like a working config of a standby device from a HA pair?

If it does when we go to reinstall it am i right in thinking all physical connections need to be connected up before powering on to ensure the standby device sees the primary and then the primary config will just copy across?

Cheers

MHM Cisco World · ‎01-25-2024

No friend from what you share he dont config failover in this unit.

He need to enable failover and config failover unit primary or secondary and etc.

All this command is missing the only think relate to failover is he add standby IP to interface.

MHM

View solution in original post

Marius Gunnerud · ‎01-25-2024

To be able to configure the FP1010 to be part of and Active / Standby failover setup, both units must have an active security plus license to be able to configure failover. I suspect that when this license expired it continued to be part of the HA setup as no configuration was done directly to the device as it was in standby. However, when you removed the device from the network (I assume it was powered off and not just disconnected) and powered it back on, there was no license for the failover and therefore it was unable to load the failover configuration, thus removing the failover configuration.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

tvotna · ‎01-24-2024

Most likely this unit is not registered with CSSM. From 1010 documentation:

Smart Software Manager Regular and On-Prem

Both Firepower 1010 units must be registered with the Smart Software Manager or Smart Software Manager On-Prem server. Both units require you to enable the Standard license and the Security Plus license before you can configure failover.

Verify with

show license all

peat · ‎01-25-2024

This is show licence all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: UNREGISTERED
Export-Controlled Functionality: ALLOWED

License Authorization:
Status: EVAL EXPIRED on Jul 08 2022 13:17:34 UTC

Export Authorization Key:
Features Authorized:
<none>

Utility:
Status: DISABLED

Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED

Transport:
Type: Callhome

License Usage
==============

(FIREPOWER_1000_ASA_STANDARD):
Description:
Count: 1
Version: 1.0
Status: EVAL EXPIRED
Export status: NOT RESTRICTED

(FIREPOWER_1010_SEC_PLUS):
Description:
Count: 1
Version: 1.0
Status: EVAL EXPIRED
Export status: NOT RESTRICTED

Product Information
===================
UDI: PID:FPR-1010,SN:xxxxxxxxx

Agent Version
=============
Smart Agent for Licensing: 4.9.3_rel/34

Reservation Info
================
License reservation: DISABLED

Marius Gunnerud · ‎01-24-2024

You will not see the configuration on the interface. You should see the IP if you issue the command "show int ip brief" and / or show run failover

Does this sound like a working config of a standby device from a HA pair?

Yes as mentioned check the running configuration "show run failover" to see the full HA failover configuration.

If it does when we go to reinstall it am i right in thinking all physical connections need to be connected up before powering on to ensure the standby device sees the primary and then the primary config will just copy across?

Yes, it is best to connect all interfaces before powering on. But the ASA will look for an already active firewall and if it finds one it will assume the other firewall is the active firewall and become standby. Also, if you do not connect all the interfaces before powering on the secondary ASA will show as failed until the interfaces are connected and active.

--
Please remember to select a correct answer and rate helpful posts

peat · ‎01-25-2024

Thanks

Show run failover returns nothing

MHM Cisco World · ‎01-25-2024

Are you sure you config failover?

What I see are only config of interface not failover config

Can you share the all config of active fw

MHM

peat · ‎01-25-2024

This is what i was wondering in my OP. We never configured this FPR, it was a previous company who did no documentation. So i am trying to figure out did they actually configure failover, does this config confirm they didn't. Or would the action of the device being disconnected have removed the failover configuration?

This is the config

ASA Version 9.13(1)2
!

enable password ***** encrypted
passwd ***** encrypted
!
license smart
feature tier standard
feature security-plus
names
no mac-address auto
ip local pool test-pool 192.168.99.10-192.168.99.20 mask 255.255.255.0
ip local pool xxxxxxxx 172.16.254.1

!
interface Vlan1
description Inside Interface
nameif inside
security-level 100
ip address 192.168.2.100 255.255.255.0 standby 192.168.2.101
!
interface Vlan2
description Outside
nameif outside
security-level 0
ip address xxxxxxx 255.255.255.248 standby xxxxxxx
!
interface Vlan3
description LAN
nameif dmz
security-level 50
ip address 172.16.200.254 255.255.255.0 standby 172.16.200.253
!
interface Ethernet1/1
description Outside
switchport
switchport access vlan 2
!
interface Ethernet1/2
description LAN
switchport
switchport access vlan 3
!
interface Ethernet1/3
description Inside Interface
switchport
!
interface Ethernet1/4
switchport
shutdown
!
interface Ethernet1/5
no switchport
no nameif
no security-level
no ip address
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
description temp network
switchport
switchport access vlan 3
power inline auto
!
interface Ethernet1/8
description LAN/STATE Failover Interface
no switchport
power inline auto
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxx
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network OBJ-192.168.2.0-24
subnet 192.168.2.0 255.255.255.0
object network OBJ-172.16.200.0-24
subnet 172.16.200.0 255.255.255.0
object network OBJ-172.16.254.1
subnet 172.16.254.1 255.255.255.255
object network NETWORK_OBJ_192.168.99.0_27
subnet 192.168.99.0 255.255.255.224
object network H-192.168.99.50
host 192.168.99.50
object network H-172.16.200.50
host 172.16.200.50
object network NETWORK_OBJ_172.16.254.1
host 172.16.254.1
object network NETWORK_OBJ_172.16.200.0_24
subnet 172.16.200.0 255.255.255.0
object network H-172.16.200.252
host 172.16.200.252
object-group network xxxxxxxx
network-object host xxxxxxx
network-object host xxxxxxx
network-object host xxxxxxx
network-object host xxxxxxx
object-group service xxxxxxx
service-object tcp destination eq www
service-object udp destination eq ntp
object-group service xxxxxxx
service-object tcp destination eq 500
service-object udp destination eq isakmp
object-group network xxxxxxx
network-object object H-172.16.200.252
network-object object H-172.16.200.50
access-list acl_in remark xxxxxxx
access-list acl_in extended permit tcp 192.168.2.0 255.255.255.0 172.16.200.0 255.255.255.0 eq 81
access-list acl_in remark For Testing
access-list acl_in extended permit icmp 192.168.2.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list acl_in extended permit ip host 192.168.2.50 any
access-list acl_in remark **DISABLE**
access-list acl_in extended permit icmp any any
access-list acl_in remark xxxxxxx
access-list acl_in remark For Testing
access-list acl_dmz remark Onsite Engineers Laptop
access-list acl_dmz extended permit ip host 172.16.200.253 any
access-list acl_dmz remark xxxxxxx
access-list acl_dmz extended permit tcp 172.16.200.0 255.255.255.0 192.186.2.0 255.255.255.0 eq 81
access-list acl_dmz remark For testing
access-list acl_dmz remark Local Access Out
access-list acl_dmz remark Onsite Engineers Laptop
access-list acl_dmz remark xxxxxxx
access-list acl_dmz remark For testing
access-list acl_dmz extended permit icmp 172.16.200.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_dmz remark **DISABLE**
access-list acl_dmz extended permit ip object-group xxxxxxx any
access-list acl_dmz remark Local Access Out
access-list acl_dmz remark Onsite Engineers Laptop
access-list acl_dmz remark xxxxxxx
access-list acl_dmz remark For testing
access-list acl_dmz remark Local Access Out
access-list acl_dmz remark Onsite Engineers Laptop
access-list acl_dmz remark xxxxxxx
access-list acl_dmz remark For testing
access-list acl_dmz remark Local Access Out
access-list acl_out remark IPSEC VPN - Router ACL Configured to on allow access from xxxxxxx subnet only
access-list acl_out remark IPSEC VPN
access-list acl_out extended deny object-group xxxxxxx any host xxxxxxx
access-list acl_out extended permit icmp any host xxxxxxx
access-list acl_out remark **DISABLE**
access-list acl_out extended permit icmp any any
access-list acl_out remark IPSEC VPN - Router ACL Configured to on allow access from xxxxxxx subnet only
access-list acl_out remark IPSEC VPN
access-list test_access_in extended permit ip any any
access-list IPSec-client-TUNNEL_splitTunnelAcl standard permit 172.16.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1300
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (dmz,any) source static OBJ-172.16.200.0-24 OBJ-172.16.200.0-24 destination static OBJ-172.16.254.1 OBJ-172.16.254.1 no-proxy-arp description NONAT
nat (inside,any) source static OBJ-192.168.2.0-24 OBJ-192.168.2.0-24 destination static OBJ-172.16.200.0-24 OBJ-172.16.200.0-24 no-proxy-arp description NONAT
nat (dmz,outside) source static NETWORK_OBJ_172.16.200.0_24 NETWORK_OBJ_172.16.200.0_24 destination static NETWORK_OBJ_172.16.254.1 NETWORK_OBJ_172.16.254.1 no-proxy-arp route-lookup
!
object network H-172.16.200.50
nat (dmz,outside) dynamic interface
!
nat (dmz,outside) after-auto source dynamic OBJ-172.16.200.0-24 interface description PAT
access-group acl_in in interface inside
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xxxxxxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server xxxxxxx protocol radius
aaa-server xxxxxxx (outside) host xxxxxxx
retry-interval 6
timeout 6
key *****
radius-common-pw *****
aaa-server xxxxxxx (outside) host 194.168.90.7
retry-interval 6
timeout 6
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable xxxxxxx
http 192.168.45.0 255.255.255.0 management
http 172.16.200.50 255.255.255.255 dmz
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http 172.16.200.0 255.255.255.0 dmz
http xxxxxxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
xxxxxx
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime none
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ssl-clientless
group-policy GroupPolicy_xxxxxxx internal
group-policy GroupPolicy_xxxxxxx attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ssl-client
default-domain value xxxxxxx
group-policy GroupPolicy_xxxxxxx internal
group-policy GroupPolicy_xxxxxxx attributes
wins-server none
dns-server value xxxxxxx xxxxxxx
vpn-tunnel-protocol ssl-client
default-domain value xxxxxxx
group-policy IPSec-client-TUNNEL internal
group-policy IPSec-client-TUNNEL attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1 ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSec-client-TUNNEL_splitTunnelAcl
default-domain value xxxxxxx
dynamic-access-policy-record DfltAccessPolicy
username test password xxxxxxx
username SystalAdmin password xxxxxxx
username neil password xxxxxxx
tunnel-group xxxxxxx type remote-access
tunnel-group xxxxxxx general-attributes
address-pool xxxxxxx
authentication-server-group xxxxxxx
tunnel-group xxxxxxx ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group xxxxxxx type remote-access
tunnel-group xxxxxxx general-attributes
address-pool xxxxxxx
authentication-server-group xxxxxxx
default-group-policy GroupPolicy_xxxxxxx
tunnel-group xxxxxxx webvpn-attributes
group-alias xxxxxxx enable
tunnel-group xxxxxxx type remote-access
tunnel-group xxxxxxx general-attributes
address-pool test-pool
default-group-policy GroupPolicy_xxxxxxx
tunnel-group xxxxxxx webvpn-attributes
group-alias xxxxxxx enable
tunnel-group IPSec-client-TUNNEL type remote-access
tunnel-group IPSec-client-TUNNEL general-attributes
address-pool xxxxxxx
authentication-server-group xxxxxxx
default-group-policy IPSec-client-TUNNEL
tunnel-group IPSec-client-TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr xxxxxxx
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
app-agent heartbeat interval 1000 retry-count 3

: end

MHM Cisco World · ‎01-25-2024

No friend from what you share he dont config failover in this unit.

He need to enable failover and config failover unit primary or secondary and etc.

All this command is missing the only think relate to failover is he add standby IP to interface.

MHM

peat · ‎01-25-2024

Thanks that confirms what I suspected. Could all of the failover config have been auto removed if the security plus licence was used as a trial and then expired? Looking at the show licence it says security plus trial expired.

Also what will happen if I plug this device back in as it was connected before? I am just conscious of not taking the network out that is currently working on the other FPR1010.

Marius Gunnerud · ‎01-25-2024

To be able to configure the FP1010 to be part of and Active / Standby failover setup, both units must have an active security plus license to be able to configure failover. I suspect that when this license expired it continued to be part of the HA setup as no configuration was done directly to the device as it was in standby. However, when you removed the device from the network (I assume it was powered off and not just disconnected) and powered it back on, there was no license for the failover and therefore it was unable to load the failover configuration, thus removing the failover configuration.

--
Please remember to select a correct answer and rate helpful posts