01-24-2014 12:48 AM - edited 03-11-2019 08:35 PM
Hello Everyone:
I have two 6506 switches configured as a VSS. An SVC-ASA-SM is configured, and I now need to configure failover on each switch.
I then have the following problem: the two ASA-SMs can be mounted to the switch, but they cannot detect each other and both are active. The specific configuration is attached.
If there are any potential problems, please point them out; I would be grateful!
============================================================================================================
ciscoasa(config)# sho run
: Saved
:
ASA Version 8.5(1)
!
hostname ciscoasa
!
interface Vlan201
nameif outside
security-level 0
ip address 172.17.4.6 255.255.255.252
!
interface Vlan202
nameif DB
security-level 100
ip address 172.16.1.254 255.255.255.0
!
interface Vlan203
nameif YeWu
security-level 100
ip address 172.16.2.254 255.255.255.0
!
interface Vlan208
nameif Management
security-level 100
ip address 172.31.2.2 255.255.255.0 standby 172.31.2.1
management-only
!
interface Vlan209
description LAN Failover Interface
!
interface Vlan210
description STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface folink Vlan209
failover link statlink Vlan210
failover interface ip folink 172.31.0.2 255.255.255.0 standby 172.31.0.1
failover interface ip statlink 172.31.1.2 255.255.255.0 standby 172.31.1.1
monitor-interface Management
----------------------------------------------------------------------------------------------------------------------------------------
ciscoasa(config)# show ver
Cisco Adaptive Security Appliance Software Version 8.5(1)
Device Manager Version 6.5(1)
Hardware: WS-SVC-ASA-SM1, 23552 MB RAM, CPU Xeon 5600 series 2000 MHz
2 CPUs, 24 cores
Licensed features for this platform:
Maximum Interfaces : 1024 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
DES : Enabled perpetual
3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
Botnet Traffic Filter : Disabled perpetual
----------------------------------------------------------------------------------------------------------------------------------------------------
ciscoasa(config)# sho fail int
interface folink Vlan209
System IP Address: 172.31.0.2 255.255.255.0
My IP Address : 172.31.0.2
Other IP Address : 172.31.0.1
interface statlink Vlan210
System IP Address: 172.31.1.2 255.255.255.0
My IP Address : 172.31.1.2
Other IP Address : 172.31.1.1
----------------------------------------------------------------------------------------------------------------------------------------------------------
ciscoasa(config)# sho fail
Failover On
Failover unit Primary
Failover LAN Interface: folink Vlan209 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1025 maximum
Version: Ours 8.5(1), Mate Unknown
Service Module Backplane Connection: Up
Last Failover at: 15:20:17 beijing Jan 24 2014
This host: Primary - Active
Active time: 4571 (sec)
slot 6: WS-SVC-ASASM-1 hw/sw rev (0.1/8.5(1)) status (Up Sys)
Interface Management (172.31.2.2): Normal (Waiting)
Interface outside (172.17.4.6): Normal (Not-Monitored)
Interface DB (172.16.1.254): Normal (Not-Monitored)
Interface YeWu (172.16.2.254): Normal (Not-Monitored)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface Management (172.31.2.1): Unknown (Waiting)
Interface outside (0.0.0.0): Unknown (Not-Monitored)
Interface DB (0.0.0.0): Unknown (Not-Monitored)
Interface YeWu (0.0.0.0): Unknown (Not-Monitored)
===========================================================================================================
===========================================================================================================
SVC-ASA(config)# sh run
: Saved
:
ASA Version 8.5(1)
!
interface Vlan208
nameif Management
security-level 100
ip address 172.31.2.1 255.255.255.0 standby 172.31.2.2
management-only
!
interface Vlan209
description LAN Failover Interface
!
interface Vlan210
description STATE Failover Interface
!
same-security-traffic permit inter-interface
failover
failover lan unit secondary
failover lan interface folink Vlan209
failover link statlink Vlan210
failover interface ip folink 172.31.0.1 255.255.255.0 standby 172.31.0.2
failover interface ip statlink 172.31.1.1 255.255.255.0 standby 172.31.1.2
monitor-interface Management
-----------------------------------------------------------------------------------------------------------------------------------------------
SVC-ASA(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.5(1)
Device Manager Version 6.5(1)
Compiled on Tue 03-May-11 14:21 MDT by builders
System image file is "disk0:/asa851-smp-k8.bin"
Config file at boot was "startup-config"
SVC-ASA up 90 days 6 hours
failover cluster up 90 days 6 hours
Hardware: WS-SVC-ASA-SM1, 23552 MB RAM, CPU Xeon 5600 series 2000 MHz
2 CPUs, 24 cores
Licensed features for this platform:
Maximum Interfaces : 1024 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
DES : Enabled perpetual
3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
Botnet Traffic Filter : Disabled perpetual
This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.
Failover cluster licensed features for this platform:
Maximum Interfaces : 1024 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
DES : Enabled perpetual
3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
Botnet Traffic Filter : Disabled perpetual
----------------------------------------------------------------------------------------------------------------------------
SVC-ASA(config)# sho fai int
interface folink Vlan209
System IP Address: 172.31.0.1 255.255.255.0
My IP Address : 172.31.0.2
Other IP Address : 172.31.0.1
interface statlink Vlan210
System IP Address: 172.31.1.1 255.255.255.0
My IP Address : 172.31.1.2
Other IP Address : 172.31.1.1
------------------------------------------------------------------------------------------------------------------------------
SVC-ASA(config)# sho fai
Failover On
Failover unit Secondary
Failover LAN Interface: folink Vlan209 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1025 maximum
Version: Ours 8.5(1), Mate Unknown
Service Module Backplane Connection: Up
Last Failover at: 16:03:13 beijing Jan 24 2014
This host: Secondary - Active
Active time: 7799564 (sec)
slot 6: WS-SVC-ASASM-1 hw/sw rev (0.1/8.5(1)) status (Up Sys)
Interface Management (172.31.2.1): Normal (Waiting)
Other host: Primary - Failed
Active time: 0 (sec)
slot 0: empty
Interface Management (172.31.2.2): Unknown (Waiting)
====================================================================================================
====================================================================================================
Core-switch# sh run | inc fir
firewall autostate
firewall multiple-vlan-interfaces
firewall switch 1 module 6 vlan-group 1
firewall switch 2 module 6 vlan-group 1
firewall vlan-group 1 201-210
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Core-switch#sho module switch 1 sl 6
Switch Number: 1 Role: Virtual Switch Active
---------------------- -----------------------------
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
6 3 ASA Service Module WS-SVC-ASA-SM1 SAL17110U0S
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
6 70ca.9b8f.3920 to 70ca.9b8f.392f 1.1 12.2(50r)SYL 15.1(1)SY Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
6/0 ASA Application Processor SVC-APP-PROC-1 SAL17152MT0 1.0 Ok
Base PID:
Mod Model Serial No.
---- ----------- ----------
6 WS-SVC-APP-HW-1 SAL17110U0S
Mod Online Diag Status
---- -------------------
6 Pass
6/0 Pass
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Core-switch#sho module switch 2 sl 6
Switch Number: 2 Role: Virtual Switch Standby
---------------------- -----------------------------
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
6 3 ASA Service Module WS-SVC-ASA-SM1 SAL17110U17
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
6 70ca.9b8f.37c0 to 70ca.9b8f.37cf 1.1 12.2(50r)SYL 15.1(1)SY Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
6/0 ASA Application Processor SVC-APP-PROC-1 SAL171631QN 1.0 Ok
Base PID:
Mod Model Serial No.
---- ----------- ----------
6 WS-SVC-APP-HW-1 SAL17110U17
Mod Online Diag Status
---- -------------------
6 Pass
6/0 Pass
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Core-switch#ping 172.31.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Core-switch#ping 172.31.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Core-switch#sh arp | inc 172.31.2.
Internet 172.31.2.1 35 70ca.9b8f.392c ARPA Vlan208
Internet 172.31.2.2 40 70ca.9b8f.37cc ARPA Vlan208
Internet 172.31.2.254 - 7cad.7443.ae00 ARPA Vlan208
Core-switch#
================================================================================================
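An added example, not part of the original post: a Python check that compares the failover stanzas of the two units shown above. It relies on the ASA requirement that both peers carry the same `failover interface ip` lines (only `failover lan unit` differs between them); the function names are hypothetical.

```python
import re

# Failover lines copied from the two "sh run" outputs in the post above.
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface folink Vlan209
failover link statlink Vlan210
failover interface ip folink 172.31.0.2 255.255.255.0 standby 172.31.0.1
failover interface ip statlink 172.31.1.2 255.255.255.0 standby 172.31.1.1
"""
SECONDARY_CFG = """\
failover
failover lan unit secondary
failover lan interface folink Vlan209
failover link statlink Vlan210
failover interface ip folink 172.31.0.1 255.255.255.0 standby 172.31.0.2
failover interface ip statlink 172.31.1.1 255.255.255.0 standby 172.31.1.2
"""

UNIT = re.compile(r"^failover lan unit (primary|secondary)$")
LINK = re.compile(r"^failover (lan interface|link) (\S+) (\S+)$")
FO_IP = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")

def parse_failover(cfg):
    """Extract unit role, failover link bindings and link addressing."""
    out = {"unit": None, "links": {}, "ips": {}}
    for line in map(str.strip, cfg.splitlines()):
        if m := UNIT.match(line):
            out["unit"] = m.group(1)
        elif m := LINK.match(line):
            out["links"][m.group(1)] = (m.group(2), m.group(3))
        elif m := FO_IP.match(line):
            out["ips"][m.group(1)] = m.groups()[1:]  # (active, mask, standby)
    return out

def compare_units(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse_failover(cfg_a), parse_failover(cfg_b)
    findings = []
    if {a["unit"], b["unit"]} != {"primary", "secondary"}:
        findings.append("unit roles: need exactly one primary and one secondary")
    if a["links"] != b["links"]:
        findings.append("failover link name/VLAN bindings differ")
    for name in sorted(set(a["ips"]) | set(b["ips"])):
        ia, ib = a["ips"].get(name), b["ips"].get(name)
        if ia == ib:
            continue
        if ia and ib and (ia[0], ia[1], ia[2]) == (ib[2], ib[1], ib[0]):
            findings.append(f"{name}: active and standby addresses are swapped")
        else:
            findings.append(f"{name}: 'failover interface ip' differs")
    return findings
```

Run against the two excerpts, `compare_units(PRIMARY_CFG, SECONDARY_CFG)` reports both `folink` and `statlink` as swapped, which matches the `sho fail int` output where each unit lists the same "My IP Address".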