11-05-2014 11:18 AM - edited 03-11-2019 10:02 PM
I have 2 ASA 5510s with image 8.21. When I have to switch from the main ASA to the BKP ASA, I boot my BKP ASA and then unplug the cables manually from the main ASA and plug them into the BKP ASA.
But the problem is that I am unable to access the internet for a very long time. When I look at the logs via ASDM (since it's easy to handle through the GUI), it shows a lot of "deny connection inbound" logs. When I plug the cables back into the main ASA, the internet connectivity resumes and outside clients also resume accessing inbound services.
Do I need to give any extra command on the BKP ASA when I put it into line?
Please help :(
11-05-2014 12:45 PM
The ASA is a stateful firewall so it tracks all the connections. When you boot up the backup ASA there is nothing in its connection table. It will drop all the traffic from those previous connections because it did not see the initial TCP handshake. Eventually, TCP applications would reinitialize and start a new connection. Additionally, you probably have a period of time for your ARP cache to update with the MAC address of the new firewall.
Any reason why you don't configure them as an actual HA pair? You'll need the Security Plus license for Active/Standby (run "show version" to find out). This would solve your problem. See the following link for details: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html
11-06-2014 04:50 AM
Thanks rsjordan00!
Actually there is an electricity fluctuation problem in my area. That's why I can't put both firewalls at risk.
I have the Security Plus license on both firewalls.
I want to know if there is any way to make the BKP ASA do its work fast and let the connections work, because the BKP ASA takes 10 to 15 minutes to become functional.
Regards,
Tahir
11-06-2014 02:27 PM
I don't know why it would take 10 to 15 minutes for TCP applications to recover. Do new connections pass through the firewall? Maybe you have some ARP caching or possibly switch port security is causing delays learning the new MAC address of the secondary firewall.
You can still configure HA assuming you have available upstream switch ports. Here is what you can do:
1. Configure HA on the primary firewall and configure the secondary firewall's failover link per the link I previously sent. You'll need stateful failover to maintain connections during a failover.
2. Connect the secondary firewall's failover interface to the primary firewall's failover interface.
3. The primary should begin to push the config over to the secondary.
4. Run "show failover state" and confirm the secondary is listed as standby.
5. Connect the remaining interfaces on the secondary to your upstream switch.
6. Run "show failover state" again and confirm the secondary is listed as Standby Ready.
7. You can now gracefully failover by running "failover active" on your secondary firewall.
For future failovers you can just plug in your secondary firewall and repeat steps 6 and 7.
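The steps above, written out as concrete ASA 8.2 configuration for a LAN-based Active/Standby pair. This is an added example, not configuration from the thread or from Cisco's guide: the interface assignments, the FOLINK name, all IP addresses and the failover key are assumptions, so substitute your own. The failover link is shared with the stateful link here; the secondary needs only the bootstrap lines, because the primary replicates the rest of the running config to it once the failover link comes up.

```text
! ===== Primary unit (assumed interfaces and addresses; example, not from the thread) =====
! Confirm the license first: "show version | include Failover" should print
! "Failover : Active/Standby" (or Active/Active), not "Disabled".

! Data interfaces: each one gets an active address and a standby address.
! The standby unit answers on the standby address while in Standby Ready;
! on failover it takes over the active IP AND the active MAC address, so
! upstream ARP caches and switch MAC tables do not have to relearn anything.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

! Failover bootstrap. Ethernet0/3 (assumed) carries both the LAN failover
! link and the stateful replication link (a single shared link is allowed).
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
! Shared secret encrypts failover traffic; without it the replicated
! config (including passwords and keys) crosses the link in cleartext.
failover key F@il0ver-Sh@red-Secret
! Optional: HTTP connections are not state-replicated unless enabled.
failover replication http
! Enable last, after everything above is in place.
failover

! ===== Secondary unit (bootstrap only; the rest is pushed from the primary) =====
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key F@il0ver-Sh@red-Secret
failover

! ===== Verification and graceful switchover (either unit) =====
! show failover state      -> secondary listed as "Standby Ready"
! show failover            -> "Stateful Failover Logical Update Statistics"
!                             counters increasing on both units
! failover active          -> run on the secondary to make it the active unit
! no failover active       -> alternatively, run on the primary to hand over
```

Connect the FOLINK cable before the data interfaces, as the steps say, and wait for `show failover state` to report Standby Ready before patching in the rest; a unit that is still synchronizing will not yet hold the connection table, which is exactly the state the original post describes. Do not paste the full primary config onto the secondary by hand: the bootstrap is all it needs, and a hand-copied config without the `standby` addresses will make both units claim the same active IP.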