ASA 5510 can't configure after changing to failover active/active

Answered Question
Feb 23rd, 2007

Hi all, need some help regarding an ASA 5510. With failover wizard I changed to active/active. Then the ASA reboots and now I can't configure the appliance in known manner. No IP setting is possible on the interfaces and all the Firewall configs. Now I try to change back but don't know how. Does anybody know the answer?

Correct Answer
vitripat Fri, 02/23/2007 - 15:57

Trying to configure Active/Active failover using the wizard has converted firewall into multiple context mode.

Now if you only want to configure these ASAs in Active/Standby mode, without multiple context, first we need to bring them in single mode. For this:

- please login to ASA via console

- this should bring you to system execution space

- from here, go to configuration mode

- verify that you are in multiple context mode using command

--> show mode

- if it's multiple context mode, it will say:

Security context mode: multiple

- to bring this back in single mode, use following command:

--> mode single

Now ASA will reload into your normal old Single mode. Thereafter you can proceed with your normal Active/Standby failover configuration.

Hope this helps.

Regards,

Vibhor.

ezy Fri, 02/23/2007 - 16:20

Hi Vibhor, thanks a lot, that's it!!!

ali-franks Thu, 04/26/2007 - 01:42

Vibhor,

further to that I have a question if you have a moment please?

I have upgraded 2 x 5510 to the Sec plus license. I have not as yet, enabled active/active. This is because the output from a sh ver shows 0 contexts. The question is, does this output show 0 contexts purely because A/A has not been enabled or because no contexts are available?

I'm a bit concerned about this...

Cheers

Ali

mark.j.hodge Thu, 04/26/2007 - 03:15

Can you post the output from "sh ver" on both devices.

If you don't have a licence for contexts you should only have an Active/Standby failover licence.

ali-franks Thu, 04/26/2007 - 06:28

Hi Mark, Here's the output. Active/Standby only as you can see

# sh ver

Cisco Adaptive Security Appliance Software Version 7.0(5)

Device Manager Version 5.0(5)

Compiled on Mon 10-Apr-06 14:40 by builders

System image file is "disk0:/asa705-k8.bin"

Config file at boot was "startup-config"

up 3 hours 34 mins

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: Ethernet0/0 : address is 0018.195b.e8a0, irq 9

1: Ext: Ethernet0/1 : address is 0018.195b.e8a1, irq 9

2: Ext: Ethernet0/2 : address is 0018.195b.e8a2, irq 9

3: Ext: Ethernet0/3 : address is 0018.195b.e8a3, irq 9

4: Ext: Management0/0 : address is 0018.195b.e89f, irq 11

5: Int: Not licensed : irq 11

6: Int: Not licensed : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 25

Inside Hosts : Unlimited

Failover : Active/Standby

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : 150

This platform has an ASA 5510 Security Plus license.

Serial Number: xxxxxx

Running Activation Key:xx xxx xxx xx

Configuration register is 0x1

Configuration has not been modified since last system restart.

mark.j.hodge Thu, 04/26/2007 - 07:00

As things stand, you can only run Active/Standby failover.

However I am a little confused, with your license status, the "sh ver" is reporting Security Plus which according to Cisco supports both Active/Standby and Active/Active

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

However contexts appear to be separately licensed feature, so if/when you purchase such a license, maybe Active/Active will become available automatically. As you can probably tell I have never done that particular upgrade, but you would need the licence on both devices if so.

ali-franks Thu, 04/26/2007 - 07:08

I was a bit baffled too when I saw the same doc. Also, tech support docs say that A/A is supported with a Sec Plus.

Thanks for the sanity check anyway Mark.

Ali

mark.j.hodge Thu, 04/26/2007 - 07:58

All I can find on the Cisco site is this

http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802c1d00.html

Which gives the Part for a 5500 5 Context license, the previous link shows you should have 2 contexts with a Security Plus license.

If possible I would raise a TAC case to get this cleared up.. Not at all obvious..

The other thing you could try, is to upgrade to V7.2 software, if you have appropriate support

If you get anything from Cisco please post, as I am curious how this works.

ali-franks Wed, 05/02/2007 - 01:25

Mark,

As you suggested, I upgraded to 7.2.2, using the Sec Plus licenses. This then enabled two contexts, which under 7.0.5 showed none. So happy days!

thanks for the suggestions

Ali
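
The licence check discussed in this thread, as an added example that is not part of the original posts: it parses the "Licensed features" table of "sh ver" from both failover units and lists what would block Active/Active. The trimmed sample tables, the second unit's values and the function names are constructed for illustration.

```python
import re

# Constructed sample: rows from the licence table in the "sh ver" posted above (7.0(5)).
UNIT_A = """\
Licensed features for this platform:
Maximum VLANs : 25
Failover : Active/Standby
Security Contexts : 0
VPN Peers : 150
This platform has an ASA 5510 Security Plus license.
"""
# Constructed peer: same table with the values the thread hoped to see (assumed).
UNIT_B = (UNIT_A.replace("Active/Standby", "Active/Active")
                .replace("Security Contexts : 0", "Security Contexts : 2"))


def licensed_features(sh_ver):
    """Return the 'name : value' rows under the 'Licensed features' header."""
    features, in_table = {}, False
    for line in (raw.strip() for raw in sh_ver.splitlines()):
        if line.startswith("Licensed features"):
            in_table = True
        elif in_table and line:
            row = re.match(r"(.+?)\s+:\s+(.+)$", line)
            if row is None:
                break  # first non-row line ("This platform has ...") ends the table
            features[row.group(1)] = row.group(2)
    return features


def active_active_blockers(unit_a, unit_b):
    """List licence findings that would stop an Active/Active pair from forming."""
    a, b = licensed_features(unit_a), licensed_features(unit_b)
    problems = []
    for name, feats in (("unit A", a), ("unit B", b)):
        contexts = feats.get("Security Contexts", "")
        if not contexts.isdigit() or int(contexts) == 0:
            problems.append(f"{name}: no security contexts licensed")
        if "Active/Active" not in feats.get("Failover", ""):
            problems.append(f"{name}: failover licence is {feats.get('Failover')}")
    for key in ("Failover", "Security Contexts"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs between units: {a.get(key)} vs {b.get(key)}")
    return problems


if __name__ == "__main__":
    for finding in active_active_blockers(UNIT_A, UNIT_B) or ["no licence blockers"]:
        print(finding)
```

Running this against saved "sh ver" output from each unit before starting the failover wizard shows whether the appliance would be switched to multiple context mode without the licence to use it.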
