01-19-2009 02:41 AM - edited 03-11-2019 07:38 AM
Hi all,
I have configured 2 ASA 5505 with security plus license and want to activate failover.
Here is my configuration.
ASA Version 8.0(4)
hostname xxxx
domain-name xxx
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
description LAN Failover Interface
!
interface Vlan5
nameif inside
security-level 100
ip address 172.16.11.1 255.255.255.0 standby 172.16.11.2
!
interface Vlan10
nameif outside
security-level 0
ip address xx.xx.xx.29 255.255.255.248 standby xx.xx.xx.30
!
interface Vlan15
nameif DMZ
security-level 50
ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 5
!
interface Ethernet0/2
switchport access vlan 5
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
switchport access vlan 5
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
switchport access vlan 15
!
interface Ethernet0/7
boot system disk0:/asa804-k8.bin
ftp mode passive
failover
failover lan unit primary
failover lan interface private Vlan1
failover interface ip private 10.254.254.1 255.255.255.252 standby 10.254.254.2
.
.
.
.
.
.
.
end
I think the configuration should work. If I configure something on the primary ASA everything is distributed to the second ASA.
But the big problem is that the second ASA loses the VLAN configuration on the Ethernet Ports. If I connect to the second ASA in EXEC mode, not in configuration mode, and I put in the show running command, then I see all Ethernet Ports in the default VLAN 1. So no Failover works...
Any ideas?? Could that be a bug??
Thanks for help Rene
01-24-2009 12:52 PM
You should keep the secondary unit power off. You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave the secondary unit powered off until instructed to power it on. Follow the steps in the below URL to configure Active/Standby failover using a serial cable as the failover link.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1058096
01-25-2009 12:44 AM
hi,
thanks for reply.
What do you mean with a serial cable? There is no serial cable on the ASA models....??
Rene
01-25-2009 02:40 AM
Rene,
I suppose you are doing a LAN failover and the 2nd unit has all the configuration to be aware that it is the failover in the pair, right?
Did you try to replicate manually the config from the primary to the secondary and see what happens?
Regards,
Vlad
01-25-2009 05:40 AM
Hi guys,
the second ASA has the following configuration
ASA Version 8.0(4)
hostname xxxx
domain-name xxx
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
description LAN Failover Interface
!
interface Vlan5
nameif inside
security-level 100
ip address 172.16.11.1 255.255.255.0 standby 172.16.11.2
!
interface Vlan10
nameif outside
security-level 0
ip address xx.xx.xx.29 255.255.255.248 standby xx.xx.xx.30
!
interface Vlan15
nameif DMZ
security-level 50
ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
boot system disk0:/asa804-k8.bin
ftp mode passive
failover
failover lan unit secondary
failover lan interface private Vlan1
failover interface ip private 10.254.254.1 255.255.255.252 standby 10.254.254.2
.
.
.
.
So Failover isn't working. The second unit has on every Ethernet Interface VLAN 1 active.
Any ideas?
Rene
01-25-2009 11:27 AM
Hi Rene,
Not very sure, but I think you have an issue with the interfaces configuration as they are different on the boxes.
I suppose the main box does not detect the same config on the second and it does not build up the failover to synchronise the configuration.
Try setting up the interfaces on the 2nd box and let me know if it worked.
Regards,
Vlad
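The interface comparison discussed above can be checked mechanically. The following is an added example, not part of the original thread: it parses two saved ASA 5505 running configs and lists the physical ports whose access VLAN differs between the units. The function names `port_vlans` and `vlan_mismatches` are hypothetical, and the sample configs are constructed excerpts modelled on the ones posted here.

```python
import re

DEFAULT_VLAN = 1  # thread: ports without an explicit assignment show up in VLAN 1
# Constructed excerpts modelled on the two configurations posted in the thread.
PRIMARY = """interface Vlan5
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 5
!
interface Ethernet0/7
failover lan unit primary
"""
SECONDARY = """interface Vlan5
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/7
failover lan unit secondary
"""

def port_vlans(config):
    """Map each physical Ethernet port to its access VLAN."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        port = re.fullmatch(r"interface (Ethernet\d+/\d+)", line)
        vlan = re.fullmatch(r"switchport access vlan (\d+)", line)
        if port:
            current = port.group(1)
            vlans[current] = DEFAULT_VLAN
        elif line == "!" or line.startswith("interface "):
            current = None  # stanza ended, or a VlanN interface started
        elif vlan and current:
            vlans[current] = int(vlan.group(1))
    return vlans

def vlan_mismatches(primary, secondary):
    """Return {port: (primary_vlan, secondary_vlan)} for ports that differ."""
    a, b = port_vlans(primary), port_vlans(secondary)
    return {p: (a.get(p), b.get(p))
            for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)}

if __name__ == "__main__":
    for port, (pri, sec) in vlan_mismatches(PRIMARY, SECONDARY).items():
        print(f"{port}: primary VLAN {pri}, secondary VLAN {sec}")
```

An empty result means both units map every physical port to the same VLAN; any port listed is one where traffic would land in a different VLAN if that unit became active.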
01-27-2009 12:41 AM
Rene,
Still have problems with this?
01-27-2009 11:02 PM
yes !!!!
any ideas??
Rene