Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
506
Views
0
Helpful
2
Replies

SNMP problem to a passive failover ASA5520 over VPN

hardware
Level 1
Level 1

‎09-28-2009 05:35 AM - edited ‎03-11-2019 09:20 AM

I have a pair of ASA5520 units at the remote end of a site to site VPN tunnel.

I have an NMS package managing/monitoring all of my devices at the remote end, including the ASA units themselves. However, although I can get access to and reports from the active unit, I get nothing from the passive unit.

On the active unit I can get SNMP, run ASDM, ping, etc from my end of the tunnel. On the passive I get none of these.

Can anyone give me any suggestions as to the cause ?

TIA

Labels:
0 Helpful
2 Replies 2

tprendergast
Level 3
Level 3

‎09-28-2009 01:07 PM

The two units are running in active/passive, meaning the secondary unit is *only* listening to the heartbeat traffic and taking config replication.

You will not be able to access the secondary unit at all unless it fails over and becomes the primary, at which point it assumes the same IP's, MACs, etc. That means no SNMP, no ICMP, no ssh... If you use the OIDs from the ASA MIBs, you can actually collect statistics from the secondary unit off the primary (at a minimum -- is it up, is it actively behaving as secondary, etc).

Even though you put a secondary IP and such on the passive unit, it won't actually take any traffic on those layer 3 interfaces as it is not really active.

When failover occurs (ie, the primary fails to respond to 3 heartbeats on the failover link), the secondary will ARP the virtual MAC addresses that were active on the primary unit before it failed. You then have some ARP convergence required on the network for traffic to flow effectively. Something neat to know -- if the secondary unit comes up before your first unit, it will use the burned-in local MAC addresses on the interfaces for the virtual MACs, and will replace them once it learns the virtuals from the primary when it comes back up.

0 Helpful

hardware
Level 1
Level 1
In response to tprendergast

‎09-30-2009 03:39 AM

Thanks for the reply, but I have a query on it.

Although you say that I cannot access the secondary unit at all, I am able to telnet to it with no issues. Are some traffic types allowed access to the secondary but not others ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card