Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
653
Views
5
Helpful
4
Replies

ASA5505- Active/Stdby config suggestion

mvsheik123
Level 7
Level 7

‎07-25-2008 09:43 AM

Hi All,

I have ASA 5505 with IOS 7.2 (3) -Security plus license acting as EZVPN server for few deployments.

Iam planning to add another similar unit as standby (secondary)

Current config (removed VPN related config)

interface Vlan1

nameif inside

security-level 100

ip address 10.50.25.10 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 64.195.21.236 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3-4

Shutdown

!

route outside 0.0.0.0 0.0.0.0 64.195.21.233 1

Please find the attached and suggest if any additional config needed for adding the second ASA + any specific sequence of connection between the units.

Thank you in advance for your suggestions.

Thanks

MS

Labels:
Preview file
2 KB
0 Helpful
4 Replies 4

mvsheik123
Level 7
Level 7

‎07-25-2008 04:10 PM

Hi all,

I just realized that I uploaded wrong file. I don't need any config on the Stdby ASA except for the 'failover'. Based on that please suggest on config for primary and any sequence suggestions.

Thank you

MS

0 Helpful

sundar.palaniappan
Level 10
Level 10
In response to mvsheik123

‎07-26-2008 06:32 PM

MS

Failover configuration looks good on both units. As you correctly pointed out the only configuration that's required on the standby unit is the failover configuration.

Verify VLAN 1 and 2 interfaces are showing as monitored interfaces and the status should be normal in the 'show failover' output.

HTH

Sundar

mvsheik123
Level 7
Level 7
In response to sundar.palaniappan

‎07-28-2008 07:58 AM

HiAll,

The failover establised with no issues. But some how the 5505 acting as EZVPN server no seeing any IKEs. The debug showing:

**********************************

[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active.

[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active.

[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active.

[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active.

***************************

On the Remote cleint end ASA: the isakmp sa:

State: AM_WAIT_MSG2.

Everything working fine before the failover unit added.

Please suggest.

Thank you

MS

0 Helpful

mvsheik123
Level 7
Level 7
In response to mvsheik123

‎07-28-2008 12:16 PM

I figured this one out. The reason being Cisco5505 does not let Failover to work while Easyvpn server config exists.

Failover first and then Easyvpn config addition..working fine.

Thank you

MS

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents