unable to ping or access secondary one firewall

Tarun cisco
Cisco Employee

Hi all, I am having an issue accessing the secondary FW, and I am also not able to ping the ISE server from my secondary FW, but I am able to do the same things from the primary one.

How do I check and troubleshoot to resolve this issue?

Any reference link?

11 Replies

dhr.tech1
Spotlight

Hi Tarun,

Are your firewalls in High Availability or a cluster? Share the cluster or HA status here. Can you paste your aaa-server output here? I am just curious to understand from which interface of the ASA you want to connect to ISE.

Hi

Any update about the EIGRP issue?

MHM

Hi, 

Glad you remember. I think this could be an OS bug with the firewall. I checked it on a different FW and it worked.


If it is an ASA, then try using ping, selecting the same interface in the ping as the interface you use to connect to ISE.

MHM

Tarun cisco
Cisco Employee

We are unable to log in to the ASA firewall. We are able to ping from the primary device.

ds-inh-fv01/act# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover-lan GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 566 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.12(4)67, Mate 9.12(4)67
Serial Number: Ours FCH17517YDB, Mate FCH17517YA8
Last Failover at: 12:33:12 GMT May 22 2024
This host: Secondary - Active
Active time: 143316 (sec)
slot 0: ASA5545 hw/sw rev (1.0/9.12(4)67) status (Up Sys)
Interface outside (61.246.231.138): Normal (Monitored)
Interface inside (139.126.81.242): Normal (Monitored)
Other host: Primary - Standby Ready
Active time: 2173797 (sec)
slot 0: ASA5545 hw/sw rev (1.0/9.12(4)67) status (Up Sys)
Interface outside (61.246.231.137): Normal (Monitored)
Interface inside (139.126.81.241): Normal (Monitored)

Stateful Failover Logical Update Statistics
Link : failover-lan GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 58544708 0 678881423 2972
sys cmd 309019 0 309018 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 12164650 0 132072817 1213
UDP conn 45906576 0 544429850 664
ARP tbl 150387 0 1861045 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 7832 0 118348 0
SIP Tx 5701 0 87447 0
SIP Pinhole 543 0 2898 1095
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 90 1005262969
Xmit Q: 0 4096 84039184


Hi Tarun,

To confirm my understanding:

- You're not able to connect to the Primary Firewall, which is currently Standby Ready
- You can ping ISE from your Standby Active device.

From the output above, it is clear you're not monitoring the management interface. I assume you cannot ping the management interface IP of the primary unit. Can you check whether the switch which connects to the management interface is set up correctly, i.e. VLAN etc.?

#########################################

interface Management0/0
nameif mgmt
security-level 100
ip address XXXXX 255.255.255.0 standby YYYYY

###############################################

As per my understanding, I am unable to access from Secondary - Active.

Hi,

From your output it looks like your secondary unit is active and your primary is not active. To verify whether the management interface isn't working, you can also set up monitoring in HA; I would recommend this when you have ASDM access.

ds-inh-fv01/act# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover-lan GigabitEthernet0/7 (up)
Last Failover at: 12:33:12 GMT May 22 2024
This host: Secondary - Active

Interface outside (61.246.231.138): Normal (Monitored)
Interface inside (139.126.81.242): Normal (Monitored)

#####################################################################

Check the output from my lab:

ASA-lab(config)# show monitor-interface
This host: Primary - Active
Interface outside (7.2.18.1): Normal (Monitored)
Interface inside (7.2.18.1): Normal (Monitored)
Interface mgmt (190.1.7.58): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface outside (7.2.18.2): Normal (Monitored)
Interface inside (7.2.18.2): Normal (Monitored)
Interface mgmt (190.1.7.59): Normal (Monitored)

Okay, what if Management is not in use?
Please correct me if I am wrong.

++ need to check whether the mgmt IP is accessible or not

++ need to check whether there is any switch between the ASAs
++ if there is any switch, then need to check the VLAN

++ need to capture at the secondary, which is connected to the ISE server
++ need to check whether we are able to ping from primary to secondary or not, and the same in reverse
++ debug ssh
++ show failover history
++ sh asp table routing
++ show monitor-interface
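The checks in the list above, as one CLI sequence added here as an example; these are not commands from any post in the thread. Every name and address in it is an assumed placeholder: a management interface named mgmt, an aaa-server group named ISE, an ISE node at 10.10.10.5, and 192.0.2.10/.11 as the active/standby management addresses. It goes a step beyond the list by using failover exec, which runs commands on the peer over the failover link, so the unit that cannot be reached over SSH can still be inspected from the one that can.

```cisco
! --- From the unit you CAN log in to (here the primary, Standby Ready) ---

! 1. Current roles, the last failover and the reason recorded for it.
show failover state
show failover history

! 2. Only interfaces listed here are health-checked by HA. If mgmt is
!    missing, HA never noticed it failing; add it with "monitor-interface mgmt".
show monitor-interface

! 3. Inspect the peer over the failover link instead of SSH.
!    "mate" is the other unit; "active"/"standby" select it by current role.
!    Commands that need interactive input are not supported this way.
failover exec mate show interface mgmt
failover exec mate show route
failover exec mate show asp table routing
failover exec mate show running-config aaa-server
failover exec mate show ssh sessions

! --- On the affected unit (console if SSH is dead); then repeat on the
!     healthy unit with its own address and compare the two results ---

! 4. Source the probe from the management interface, as the RADIUS traffic
!    to ISE would be. The Standby unit sources from its standby address.
ping mgmt 10.10.10.5

! 5. A real RADIUS Access-Request to ISE from THIS unit. A reject still
!    proves reachability; a timeout means ISE never answered this address
!    (unreachable, wrong shared secret port, or this IP unknown to ISE).
test aaa-server authentication ISE host 10.10.10.5 username probe password Probe-CHANGE-ME

! 6. Capture inbound SSH on mgmt while a login is attempted. Use this unit's
!    own mgmt address: .10 if it is Active, .11 if it is Standby.
!    No SYNs at all points at L2/VLAN on the switch; SYNs with no reply
!    points at the ASA (ssh access list, aaa, or a dead interface).
capture sshcap interface mgmt match tcp any host 192.0.2.10 eq 22
show capture sshcap
no capture sshcap

! 7. Only if the SYNs arrive and are answered but the login still fails.
debug ssh
undebug all
```

Run steps 4 to 6 on both units and compare: a unit whose ping succeeds but whose test aaa-server times out has a RADIUS problem (ISE does not know that unit's source address, or the ports differ), not a network one, and the capture tells you whether the SSH failure is the same fault or a separate L2 issue on the management switch port.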



But how do you SSH into your device, using the interface and IP address below? Remember you cannot get into the device because your ingress interface isn't working well. I would suggest setting up your management interface; you can even use a data interface for management purposes (not recommended). Again, make sure it's monitored and reachable. I still have a feeling it's not set up correctly, so you need to sort out your L2 VLAN connectivity.

###################################################
Interface outside (61.246.231.138): Normal (Monitored)
Interface inside (139.126.81.242): Normal (Monitored)
##################################################
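The management design described above, written out as an added example rather than configuration taken from the thread. Everything in it is an assumed placeholder: the interface name mgmt, the 192.0.2.0/24 management subnet, the ISE node 10.10.10.5, the server group name ISE and the local account. The interface gets both an active and a standby address, is monitored by failover, is the only interface that accepts SSH, and authenticates logins against ISE with LOCAL fallback so that a unit which cannot reach ISE, the symptom in this thread, does not lock its administrators out.

```cisco
! Dedicated management interface with an active and a standby address.
! The unit holding the Active role answers on .10 and the Standby unit on .11,
! whichever physical unit (primary or secondary) currently has that role.
interface Management0/0
 management-only
 nameif mgmt
 security-level 100
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
!
! Make failover monitor the link: it then appears in "show monitor-interface"
! and a mgmt failure becomes visible instead of silently cutting off access.
monitor-interface mgmt
!
! Management-plane access only from the management subnet, only on mgmt.
ssh 192.0.2.0 255.255.255.0 mgmt
ssh version 2
ssh timeout 10
!
! SSH logins authenticated by ISE over RADIUS, sourced from the mgmt interface.
! ASA defaults to RADIUS ports 1645/1646; ISE is normally addressed on 1812/1813.
! LOCAL fallback is used only when every server in the group is unreachable,
! so a unit that cannot reach ISE stays manageable with the local account.
aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 10.10.10.5
 key CHANGE-ME-shared-secret
 authentication-port 1812
 accounting-port 1813
aaa authentication ssh console ISE LOCAL
username admin password CHANGE-ME privilege 15
```

Because the Standby unit sources its RADIUS requests from the standby address, ISE must have both 192.0.2.10 and 192.0.2.11 (or the containing subnet) defined as network devices; otherwise the Standby unit's requests are dropped as coming from an unknown device even though ping to ISE succeeds. Treat the LOCAL account as a break-glass credential: keep it in a vault and alert on its use, since it bypasses the central identity store.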
