Re: ASA 5510 Failover works but it doesn't work

jhshin · ‎02-12-2010

I have two asa 5510 configured for active/standby failover. they are configured properly and there is no error in the log.

When i test the failover by shuting down the primary, the standby unit detects it and takes over as a primary role.

everything I see on the console indicates it is working and show failover shows no error.

but when i try to ping the standby unit or connect to ASDM of the standby unit, i can't get to it. if I run no failover active on the standby unit, the primary become active but i can't get ping it or connect to ASDM although show failover indicates it is. only way to restore it is to shut down the standby then the reload the primary one, then it can connect to the primary unit again and failover status shows as if it's normal.

i tried to clear all of failover configuration and reconfigure them to no avail. i compare two devices configuration and they are identical except for failover LAN ip address.

It is very bizarre. i am reaching out to the collective wisdom of this community. please help!

Federico Coto Fajardo · ‎02-12-2010

Hi,

How are the two ASAs connected? Directly or there's a Switch in between?

If there's a Switch are both ports connected to the ASA in the same VLAN?

Let me know.

Federico.

jhshin · ‎02-12-2010

there is a switch in between and they are connected to the same VLAN.

Federico Coto Fajardo · ‎02-12-2010

Hi,

The other interfaces on the ASA (outside, inside) are also connected to the same switch?

Could be something misconfigured on the Switch...

Could you post the configuration for the ASA and the Switch?

Federico.

shimonwright · ‎03-01-2010

I am also having a similar issue, has any resolved this?

My issue is that, I have a total of 8 ASA, 6 of which are configured as Active/Standby pairs, as in:

ASA1

ASA2

ASA3 and ASA4 (HA Pairs)

ASA5 and ASA6 (HA Pairs)

ASA7 and ASA8 (HA Pairs)

All of the ASA's were running older 7.x versions of ASA. I upgraded them all to 8.2.1(11) and likewise I upgarded the ASDM from 5.x to asdm-625.bin.

The upgrades went well from what I can see, and ASDM launches on ASA1 and ASA2 without any issues, however, ALL of the ASA's that make up HA, the ASDM will not launch in the browser.

I've configured ASDM countless time as the steps are few and simple. Also, the ASDM is working on the ASA's which are NOT HA members.

I've compared the configuration of the working ASDM ASA's to the nonworking ASDM ASA's and all seems consistent.

I launched a 'capture dropACLs type asp-drop acl (don't remember the entire syntax) to capture all packets that are dropped by the ASA.

What I've noticed is that the ASA is dropping the communication to 443 but ONLY for accessing the ASDM. Note firewall has been configured to allow all access in and out of the firewall via 'ip any any" statements, which I used, only to eliminate any explicit ACLs from being the issue.

Are there any special configurations that I missed, in order to get ASDM to work on HA pairs?

Thanks to all in advance for any guidance.

shimonwright · ‎03-02-2010

I am also having a similar issue, has any resolved this?

My issue is that, I have a total of 8 ASA, 6 of which are configured as Active/Standby pairs, as in:

ASA1

ASA2

ASA3 and ASA4 (HA Pairs)

ASA5 and ASA6 (HA Pairs)

ASA7 and ASA8 (HA Pairs)

All of the ASA's were running older 7.x versions of ASA. I upgraded them all to 8.2.1(11) and likewise I upgarded the ASDM from 5.x to asdm-625.bin.

The upgrades went well from what I can see, and ASDM launches on ASA1 and ASA2 without any issues, however, ALL of the ASA's that make up HA, the ASDM will not launch in the browser.

I've configured ASDM countless time as the steps are few and simple. Also, the ASDM is working on the ASA's which are NOT HA members.

I've compared the configuration of the working ASDM ASA's to the nonworking ASDM ASA's and all seems consistent.

I launched a 'capture dropACLs type asp-drop acl (don't remember the entire syntax) to capture all packets that are dropped by the ASA.

What I've noticed is that the ASA is dropping the communication to 443 but ONLY for accessing the ASDM. Note firewall has been configured to allow all access in and out of the firewall via 'ip any any" statements, which I used, only to eliminate any explicit ACLs from being the issue.

Are there any special configurations that I missed, in order to get ASDM to work on HA pairs?

Thanks to all in advance for any guidance.

bhillman · ‎03-15-2010

Verify that the following commands are in the ASA

http server enable

http 0.0.0.0 0.0.0.0 inside (or whatever you named your trusted interface)

This should work, you can also enable http secure server if you like, but I would try unencrypted first

also make sure that the command

asdm image disk0:/ is correct. and that the image is the correct version.

Maykol Rojas · ‎03-16-2010

Hello

Well, we need to clarifiy the issue here. The failover seems to be working fine, is the access to the unit that is not working properly right?

You are pointing the problem in the fact that you are not able to access the Standby Unit is that correct? Are you able to access the Active?

Every command has to be the same, the only one that changes is the failover LAN UNIT command, the rest of them have to be identical.

If you are using routing protocols, and you are trying to access the standby unit from a non directly connected network, this wont work as the ASA does not pass the routing table to the standby unit. If you need a workaround for this let me know.

If you want to correct me in anything, please feel free to do it, and also if you have questions, let me know, I would be glad to help.

Thanks.

Mike

Diego Armando Cambronero Arias · ‎09-27-2010

Casi nada Maykol Rojas. Que me dice mae... como has cambiado.

vpokotylo · ‎09-27-2010

Posted by mistake. Sorry and please ignore.