ASA5505- Active/Stdby config suggestion

Jul 25th, 2008
Hi All,

I have an ASA 5505 with IOS 7.2(3) - Security Plus license acting as an EZVPN server for a few deployments.

I am planning to add another similar unit as standby (secondary).

Current config (removed VPN related config):

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.50.25.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.195.21.236 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3-4
 shutdown
!
route outside 0.0.0.0 0.0.0.0 64.195.21.233 1


Please find the attached and suggest if any additional config is needed for adding the second ASA, plus any specific sequence of connection between the units.

Thank you in advance for your suggestions.


Thanks

MS




mvsheik123 Fri, 07/25/2008 - 16:10

Hi all,


I just realized that I uploaded the wrong file. I don't need any config on the Stdby ASA except for the 'failover'. Based on that, please advise on the config for the primary and any sequence suggestions.


Thank you

MS

sundar.palaniappan Sat, 07/26/2008 - 18:32

MS


Failover configuration looks good on both units. As you correctly pointed out, the only configuration that's required on the standby unit is the failover configuration.


Verify VLAN 1 and 2 interfaces are showing as monitored interfaces and the status should be normal in the 'show failover' output.


HTH


Sundar
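
The 'show failover' check suggested above can be scripted. This is an added example, not part of the original thread: the sample output is constructed (the failover VLAN name, the standby addresses and the timer are made up, and the second unit's outside interface is deliberately shown as Failed), and the function names are hypothetical.

```python
import re

# Constructed sample shaped like ASA 'show failover' output. The failover
# VLAN name, the standby addresses and the timer are made up for the example.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink Vlan3 (up)
        This host: Primary - Active
                Active time: 13434 (sec)
                  Interface inside (10.50.25.10): Normal
                  Interface outside (64.195.21.236): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (10.50.25.11): Normal
                  Interface outside (64.195.21.237): Failed
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*\w+\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([^)]*\):\s*(.+?)\s*$")
HEALTHY = {"Normal", "Normal (Monitored)"}  # assumption: other states need a look

def parse_show_failover(text):
    """Map 'This'/'Other' to {'state': str, 'interfaces': {name: status}}."""
    units, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = units[m.group(1)] = {"state": m.group(2), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current is not None:
            current["interfaces"][m.group(1)] = m.group(2)
    return units

def failover_problems(text, expected=("inside", "outside")):
    """Return every reason the pair is unhealthy; an empty list means OK."""
    problems = []
    if not re.search(r"^Failover On\s*$", text, re.M):
        problems.append("failover is not enabled")
    units = parse_show_failover(text)
    for which in ("This", "Other"):
        ifaces = units.get(which, {}).get("interfaces", {})
        for name in expected:
            status = ifaces.get(name, "not monitored")
            if status not in HEALTHY:
                problems.append(f"{which} host: {name} is {status}")
    if sorted(u["state"] for u in units.values()) != ["Active", "Standby Ready"]:
        problems.append("pair is not Active / Standby Ready")
    return problems

if __name__ == "__main__":
    print(failover_problems(SAMPLE) or "failover pair healthy")
```

An interface that is missing from a unit's section is reported as "not monitored", which covers the case where VLAN 1 or VLAN 2 is not in the monitored list.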

mvsheik123 Mon, 07/28/2008 - 07:58

Hi All,

The failover established with no issues. But somehow the 5505 acting as EZVPN server is not seeing any IKEs. The debug is showing:

**********************************
[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active.
[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active.
[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active.
[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active.
**********************************

On the remote client end ASA, the isakmp sa:

State: AM_WAIT_MSG2.

Everything was working fine before the failover unit was added.


Please suggest.


Thank you

MS


mvsheik123 Mon, 07/28/2008 - 12:16

I figured this one out. The reason being that the Cisco 5505 does not let failover work while the Easy VPN server config exists.

Failover first and then Easy VPN config addition... working fine.


Thank you

MS

