03-03-2018 07:48 PM - edited 02-21-2020 07:28 AM
Hello,
I have a pair of ASA 5506-X 9.8(2)20 configured as an act/stby pair. With no encryption of the failover/state traffic, failover works just fine. when I apply the command "failover ipsec pre-shared-key x", failover breaks. Any ideas?
Aside from configuring failover and applying this specific version of code, both chassis are otherwise straight-up factory default. I've included config details below (aside from serial# both chassis are identical). There is a Layer2 network between the chassis, but since failover works without PSK I'm assuming the intermediate network is clean.
weylin
ciscoasa(config)# sh int po3 Interface Port-channel3 "failover&state-localonly-192.168.1.1&2/24", is up, line protocol is up Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps) Input flow control is unsupported, output flow control is off Description: LAN/STATE Failover Interface MAC address 3890.a569.4c38, MTU 1500 IP address PrimaryFailoverIP, subnet mask 255.255.255.0 Traffic Statistics for "failover&state-localonly-192.168.1.1&2/24": 4699 packets input, 312344 bytes 2646 packets output, 366358 bytes 2138 packets dropped 1 minute input rate 2 pkts/sec, 160 bytes/sec 1 minute output rate 1 pkts/sec, 209 bytes/sec 1 minute drop rate, 0 pkts/sec 5 minute input rate 2 pkts/sec, 197 bytes/sec 5 minute output rate 1 pkts/sec, 327 bytes/sec 5 minute drop rate, 1 pkts/sec Members in this channel: Active: Gi1/3 Gi1/4 ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# sh run int g1/3 ! interface GigabitEthernet1/3 channel-group 3 mode active ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# sh run int g1/4 ! interface GigabitEthernet1/4 channel-group 3 mode active ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# sh ru int po3 ! interface Port-channel3 description LAN/STATE Failover Interface lacp max-bundle 8 ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# sh run names name 192.168.1.1 PrimaryFailoverIP name 192.168.1.2 StandbyFailoverIP ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# sh run failover failover failover lan unit primary failover lan interface failover&state-localonly-192.168.1.1&2/24 Port-channel3 failover link failover&state-localonly-192.168.1.1&2/24 Port-channel3 failover interface ip failover&state-localonly-192.168.1.1&2/24 PrimaryFailoverIP 255.255.255.0 standby StandbyFailoverIP ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# sh run : Saved : : Serial Number: JAD21300AG1 : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 9.8(2)20 ! hostname ciscoasa enable password $sha512$5000$pzlPUbeLAFypMziJNi/vaw==$WuKJ4ZJUxbjATFELO39FIA== pbkdf2 xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain names name 192.168.1.1 PrimaryFailoverIP name 192.168.1.2 StandbyFailoverIP no mac-address auto ! interface GigabitEthernet1/1 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/3 channel-group 3 mode active ! interface GigabitEthernet1/4 channel-group 3 mode active ! interface GigabitEthernet1/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/8 shutdown no nameif no security-level no ip address ! interface Management1/1 management-only shutdown no nameif no security-level no ip address ! interface Port-channel3 description LAN/STATE Failover Interface lacp max-bundle 8 ! ftp mode passive pager lines 24 logging console informational failover failover lan unit primary failover lan interface failover&state-localonly-192.168.1.1&2/24 Port-channel3 failover link failover&state-localonly-192.168.1.1&2/24 Port-channel3 failover interface ip failover&state-localonly-192.168.1.1&2/24 PrimaryFailoverIP 255.255.255.0 standby StandbyFailoverIP icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL aaa authentication login-history no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect dns preset_dns_map policy-map type inspect dns migrated_dns_map_2 parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum client auto message-length maximum 512 no tcp-inspection ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:65197803772b2e503594889c807cd4b7 : end ciscoasa(config)#
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide