ASA Active/Standby - now can't connect to them?

Dec 1st, 2008

Hi, after having an issue with my ASA 5520 Active/Standby I had disabled the failover on both devices.

I then re-enabled the failover by issuing the failover command on the primary device first then the failover command on the second device.

sh failover on the primary:

Failover On

Failover unit Primary

Failover LAN Interface: failover Management0/0 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 250 maximum

Version: Ours 8.0(3), Mate 8.0(3)

Last Failover at: 13:30:37 ACDT Nov 25 2008

This host: Primary - Active

Active time: 619894 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.0(3)) status (Up Sys)

Interface inside (##.##.231.000): Normal

Interface outside (##.###.##.##): Normal

Interface Liift-DMZ-E (##.##.###.###): Normal (Not-Monitored)

Interface Mesant-DMZ-E (##.##.###.###): Normal (Not-Monitored)

Interface Service-DMZ-E (##.##.###.###): Normal (Not-Monitored)

slot 1: ASA-SSM-10 hw/sw rev (1.0/6.1(1)E2) status (Up/Up)

IPS, 6.1(1)E2, Up

Other host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.0(3)) status (Up Sys)

Interface inside (##.##.231.888): Normal

Interface outside (##.###.##.##): Normal

Interface Liift-DMZ-E (##.##.###.###): Normal (Not-Monitored)

Interface Mesant-DMZ-E (##.##.###.###): Normal (Not-Monitored)

Interface Service-DMZ-E (##.##.###.###): Normal (Not-Monitored)

slot 1: ASA-SSM-10 hw/sw rev (1.0/6.1(1)E2) status (Up/Up)

IPS, 6.1(1)E2, Up

sh failover on the secondary:

sh fail

Failover On

Failover unit Secondary

Failover LAN Interface: failover Management0/0 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 250 maximum

Version: Ours 8.0(3), Mate 8.0(3)

Last Failover at: 16:21:09 ACDT Dec 2 2008

This host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.0(3)) status (Up Sys)

Interface inside (##.##.231.000): Normal (Waiting)

Interface outside (##.##.###.##): Normal (Waiting)

Interface Liift-DMZ-E (##.##.###.###): Normal (Not-Monitored)

Interface Mesant-DMZ-E (##.##.###.###): Normal (Not-Monitored)

Interface Service-DMZ-E (##.##.###.###): Normal (Not-Monitored)

slot 1: ASA-SSM-10 hw/sw rev (1.0/6.1(1)E2) status (Up/Up)

IPS, 6.1(1)E2, Up

Other host: Primary - Active

Active time: 616143 (sec)

slot 0: ASA5520 hw/sw rev (2.0/8.0(3)) status (Up Sys)

Interface inside (##.##.231.888): Normal (Waiting)

Interface outside (##.###.##.##): Normal (Waiting)

Interface Liift-DMZ-E (##.##.###.###): Normal (Not-Monitored)

Interface Mesant-DMZ-E (##.##.###.###): Normal (Not-Monitored)

Interface Service-DMZ-E (##.##.###.###): Normal (Not-Monitored)

slot 1: ASA-SSM-10 hw/sw rev (1.0/6.1(1)E2) status (Up/Up)

IPS, 6.1(1)E2, Up

So looks good.

But since I enabled failover on the secondary unit, I can no longer get an SSH or ASDM connection (444) to either of these devices from my PC. I can ping directly connected networks from both devices and can confirm interfaces are up via console. But I can't get a management connection to them via IP any more.

Anyone ever seen this issue?

Davy Ad Tue, 12/02/2008 - 08:43

Hi Jason,

You said "I had disabled the failover on both devices".

->> You do not have to disable both devices.

->> Disable only the Active, then check again.

HTH

DAK

its-system Fri, 08/21/2009 - 03:35

"no http server enable" and "http server enable" will solve your ASDM-problem, but you need ssh or the console to do that.

julomban Fri, 08/28/2009 - 07:48

With the above commands it should work; if that doesn't work, you can try to regenerate the crypto keys and try again...

"crypto key generate rsa key"
