Problem with Failover on Cisco ASA 5505

Unanswered Question
Jan 19th, 2009

Hi all,

I have configured 2 ASA 5505 with security plus license and want to activate failover.

Here is my configuration.

ASA Version 8.0(4)
hostname xxxx
domain-name xxx
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
 description LAN Failover Interface
!
interface Vlan5
 nameif inside
 security-level 100
 ip address 172.16.11.1 255.255.255.0 standby 172.16.11.2
!
interface Vlan10
 nameif outside
 security-level 0
 ip address xx.xx.xx.29 255.255.255.248 standby xx.xx.xx.30
!
interface Vlan15
 nameif DMZ
 security-level 50
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/1
 switchport access vlan 5
!
interface Ethernet0/2
 switchport access vlan 5
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
 switchport access vlan 5
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
 switchport access vlan 15
!
interface Ethernet0/7
boot system disk0:/asa804-k8.bin
ftp mode passive
failover
failover lan unit primary
failover lan interface private Vlan1
failover interface ip private 10.254.254.1 255.255.255.252 standby 10.254.254.2
...
end

I think the configuration should work. If I configure something on the primary ASA, everything is distributed to the second ASA.

But the big problem is that the second ASA loses the VLAN configuration on the Ethernet ports. If I connect to the second ASA in EXEC mode (not configuration mode) and enter the show running command, I see all Ethernet ports in the default VLAN 1. So no failover works...

Any ideas?? Could that be a bug??

Thanks for your help, Rene

smalkeric Sat, 01/24/2009 - 12:52

You should keep the secondary unit powered off. You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave the secondary unit powered off until instructed to power it on. Follow the steps in the URL below to configure Active/Standby failover using a serial cable as the failover link.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1058096

rene.schmid Sun, 01/25/2009 - 00:44

hi,

thanks for reply.

What do you mean by a serial cable? There is no serial cable on the ASA models...??

Rene

hunnetvl01 Sun, 01/25/2009 - 02:40

Rene,

I suppose you are doing a LAN failover and the 2nd unit has all the configuration to be aware that it is the failover in the pair, right?

Did you try to replicate the config manually from the primary to the secondary and see what happens?

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2.1/user/guide/pxpage.html#wp867570

Regards,

Vlad

rene.schmid Sun, 01/25/2009 - 05:40

Hi guys,

the second ASA has the following configuration

ASA Version 8.0(4)
hostname xxxx
domain-name xxx
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
 description LAN Failover Interface
!
interface Vlan5
 nameif inside
 security-level 100
 ip address 172.16.11.1 255.255.255.0 standby 172.16.11.2
!
interface Vlan10
 nameif outside
 security-level 0
 ip address xx.xx.xx.29 255.255.255.248 standby xx.xx.xx.30
!
interface Vlan15
 nameif DMZ
 security-level 50
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
boot system disk0:/asa804-k8.bin
ftp mode passive
failover
failover lan unit secondary
failover lan interface private Vlan1
failover interface ip private 10.254.254.1 255.255.255.252 standby 10.254.254.2
...

So failover isn't working. The second unit has VLAN 1 active on every Ethernet interface.

Any ideas?

Rene

hunnetvl01 Sun, 01/25/2009 - 11:27

Hi Rene,

Not very sure, but I think you have an issue with the interface configuration, as it is different on the two boxes.

I suppose the main box does not detect the same config on the second one and does not build up the failover to synchronise the configuration.

Try setting up the interfaces on the 2nd box and let me know if it worked.

Regards,

Vlad
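Vlad's suggestion, checked mechanically: the script below is an added example for this thread (not a Cisco tool and not anything posted by Rene or Vlad). It parses two ASA running-configs and lists the interface-level differences an Active/Standby pair cannot have: switch ports in different VLANs, VLAN interfaces with different nameif/security-level/ip lines, both units claiming the same failover role, or a differing failover link definition. The two sample configs are constructed from Rene's two postings, trimmed to the relevant lines; the rule that a port with no switchport line sits in VLAN 1 is taken from Rene's observation of the secondary unit.

```python
"""Check two ASA 5505 running-configs for the mismatches that keep a failover
pair from forming. Added example for this thread, not a Cisco tool; the sample
configs are constructed from the postings above, trimmed to the relevant lines."""
import re

SWITCHPORT_RE = re.compile(r"^switchport access vlan (\d+)$")
# Constructed sample: primary unit as posted, switch ports assigned to VLANs
PRIMARY_CFG = """\
interface Vlan5
 nameif inside
 security-level 100
 ip address 172.16.11.1 255.255.255.0 standby 172.16.11.2
!
interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 15
!
failover lan unit primary
failover lan interface private Vlan1
failover interface ip private 10.254.254.1 255.255.255.252 standby 10.254.254.2
"""

# Constructed sample: secondary unit as posted, switch ports back in VLAN 1
SECONDARY_CFG = """\
interface Vlan5
 nameif inside
 security-level 100
 ip address 172.16.11.1 255.255.255.0 standby 172.16.11.2
!
interface Ethernet0/0
!
interface Ethernet0/6
!
failover lan unit secondary
failover lan interface private Vlan1
failover interface ip private 10.254.254.1 255.255.255.252 standby 10.254.254.2
"""

def parse_config(text):
    """{interface: set(sub-commands)} plus the set of global lines. Indentation
    is ignored (a pasted config loses it): a block runs from 'interface X' to '!'."""
    interfaces, global_lines, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, set())
        elif current is not None:
            interfaces[current].add(line)
        else:
            global_lines.add(line)
    return interfaces, global_lines

def access_vlan(sub_commands):
    """Access VLAN of an ASA 5505 switch port; no assignment means VLAN 1."""
    for line in sub_commands:
        m = SWITCHPORT_RE.match(line)
        if m:
            return int(m.group(1))
    return 1

def unit_role(global_lines):
    for line in global_lines:  # 'primary', 'secondary' or None
        if line.startswith("failover lan unit "):
            return line.split()[-1]
    return None

def compare_failover_configs(primary_text, secondary_text):
    """Findings as strings; an empty list means both units agree on everything
    a LAN-based Active/Standby pair has to share."""
    p_if, p_glob = parse_config(primary_text)
    s_if, s_glob = parse_config(secondary_text)
    findings = [f"{n}: present on only one unit" for n in sorted(set(p_if) ^ set(s_if))]
    for name in sorted(set(p_if) & set(s_if)):
        if name.startswith("Ethernet"):  # switch port: VLAN membership must match
            pv, sv = access_vlan(p_if[name]), access_vlan(s_if[name])
            if pv != sv:
                findings.append(f"{name}: access VLAN {pv} on primary, {sv} on secondary")
        elif p_if[name] != s_if[name]:  # VLAN interface: nameif/security-level/ip
            findings.append(f"{name}: differing lines {sorted(p_if[name] ^ s_if[name])}")
    roles = {unit_role(p_glob), unit_role(s_glob)}
    if roles != {"primary", "secondary"}:
        findings.append(f"failover lan unit: roles {sorted(map(str, roles))}, need one primary and one secondary")
    for prefix in ("failover lan interface ", "failover interface ip "):  # link must be identical
        p_l = {l for l in p_glob if l.startswith(prefix)}
        s_l = {l for l in s_glob if l.startswith(prefix)}
        if p_l != s_l:
            findings.append(f"{prefix.strip()}: {sorted(p_l)} vs {sorted(s_l)}")
    return findings

if __name__ == "__main__":
    print("\n".join(compare_failover_configs(PRIMARY_CFG, SECONDARY_CFG) or ["no mismatch found"]))
```

Run against the two postings it reports Ethernet0/0 and Ethernet0/6 as sitting in VLAN 1 on the secondary, which is exactly the symptom Rene sees in show running; with the same script, a secondary that has been given the same switchport lines (and the opposite failover lan unit role) produces no findings, so it can be re-run after each change as a readiness check before expecting the pair to synchronise.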
