Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1027
Views
1
Helpful
0
Replies

ASA Failover Breaks with "failover ipsec pre-shared-key x"

weylin.piegorsch
Level 1
Level 1

‎03-03-2018 07:48 PM - edited ‎02-21-2020 07:28 AM

Hello,

 

I have a pair of ASA 5506-X 9.8(2)20 configured as an act/stby pair.  With no encryption of the failover/state traffic, failover works just fine.  when I apply the command "failover ipsec pre-shared-key x", failover breaks.  Any ideas?

 

Aside from configuring failover and applying this specific version of code, both chassis are otherwise straight-up factory default.  I've included config details below (aside from serial# both chassis are identical).  There is a Layer2 network between the chassis, but since failover works without PSK I'm assuming the intermediate network is clean.

 

weylin

 

 

ciscoasa(config)# sh int po3
Interface Port-channel3 "failover&state-localonly-192.168.1.1&2/24", is up, line protocol is up
  Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
	Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
	Input flow control is unsupported, output flow control is off
	Description: LAN/STATE Failover Interface
	MAC address 3890.a569.4c38, MTU 1500
	IP address PrimaryFailoverIP, subnet mask 255.255.255.0
  Traffic Statistics for "failover&state-localonly-192.168.1.1&2/24":
	4699 packets input, 312344 bytes
	2646 packets output, 366358 bytes
	2138 packets dropped
      1 minute input rate 2 pkts/sec,  160 bytes/sec
      1 minute output rate 1 pkts/sec,  209 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 2 pkts/sec,  197 bytes/sec
      5 minute output rate 1 pkts/sec,  327 bytes/sec
      5 minute drop rate, 1 pkts/sec
  Members in this channel:
      Active:   Gi1/3 Gi1/4 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# sh run int g1/3
!
interface GigabitEthernet1/3
 channel-group 3 mode active
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# sh run int g1/4
!
interface GigabitEthernet1/4
 channel-group 3 mode active
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# sh ru int po3
!
interface Port-channel3
 description LAN/STATE Failover Interface
 lacp max-bundle 8
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# sh run names
name 192.168.1.1 PrimaryFailoverIP
name 192.168.1.2 StandbyFailoverIP
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# sh run failover
failover
failover lan unit primary
failover lan interface failover&state-localonly-192.168.1.1&2/24 Port-channel3
failover link failover&state-localonly-192.168.1.1&2/24 Port-channel3
failover interface ip failover&state-localonly-192.168.1.1&2/24 PrimaryFailoverIP 255.255.255.0 standby StandbyFailoverIP
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# sh run
: Saved

: 
: Serial Number: JAD21300AG1
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)20 
!
hostname ciscoasa
enable password $sha512$5000$pzlPUbeLAFypMziJNi/vaw==$WuKJ4ZJUxbjATFELO39FIA== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name 192.168.1.1 PrimaryFailoverIP
name 192.168.1.2 StandbyFailoverIP
no mac-address auto

!
interface GigabitEthernet1/1
 shutdown     
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 channel-group 3 mode active
!
interface GigabitEthernet1/4
 channel-group 3 mode active
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown     
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Port-channel3
 description LAN/STATE Failover Interface
 lacp max-bundle 8
!
ftp mode passive
pager lines 24
logging console informational
failover
failover lan unit primary
failover lan interface failover&state-localonly-192.168.1.1&2/24 Port-channel3
failover link failover&state-localonly-192.168.1.1&2/24 Port-channel3
failover interface ip failover&state-localonly-192.168.1.1&2/24 PrimaryFailoverIP 255.255.255.0 standby StandbyFailoverIP
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!             
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect dns preset_dns_map 
policy-map type inspect dns migrated_dns_map_2
 parameters   
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65197803772b2e503594889c807cd4b7
: end
ciscoasa(config)#

 

2 people had this problem
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card