12-09-2009 12:04 AM - edited 03-11-2019 09:46 AM
I have 2 x 5520 ASAs configured in active/standby mode, and they are connected to 2 x 4500 switches which are also configured for failover.
Telnet to the ASAs is allowed only via subnet 172.18.0.0/24.
I can only ping and telnet to the active ASA from subnet 172.18.0.0/24, but not the standby.
But I can ping and telnet to both the active and standby ASAs from within the 4500 switches.
Please advise? Thanks
12-09-2009 04:21 AM
Can you check the routing table on the standby firewall and compare it to the routing table on the active firewall?
Are you exchanging routes dynamically between the ASA and the 4500 switches?
Jon
12-09-2009 05:38 PM
Hi Jon
No dynamic routing in the standby ASA:
C 172.18.5.0 255.255.255.0 is directly connected, TJM_LAN
There are dynamic routes in the active ASA:
D 172.18.186.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.212.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.213.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.210.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.211.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.208.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.209.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.206.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.207.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.204.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.205.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.202.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.203.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.201.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
C 172.18.7.8 255.255.255.248 is directly connected, LEASED_LINE
D 172.18.4.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
C 172.18.5.0 255.255.255.0 is directly connected, TJM_LAN
D 172.18.2.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.3.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D MES-TJM-LAN18 255.255.0.0 is a summary, 115:52:25, Null0
D 172.18.112.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.113.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.110.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.111.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.108.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.109.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.106.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.107.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.104.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.105.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.102.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.103.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.101.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
12-10-2009 10:37 AM
Make sure there is a static route pointing to the inside. Since it is running EIGRP, it is the correct output that the primary shows the entire routing table and the failover unit only shows Connected or Static routes.
route inside 172.18.0.0 255.255.0.0
Hope this helps.
12-10-2009 11:41 AM
Pls. try this ping test from a directly connected host to the inside interface. As you are using a dynamic routing protocol, these updates will not be sent to the standby until it becomes active.
Pls. read here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1052476
Pls. read the column: State Information Not Passed to Standby Unit
-KS
12-10-2009 05:23 PM
Hi Rickyt888
Thanks. I will try . . . add the static route on the standby ASA only? By the way, is it by design that one can only ping/telnet to the active ASA?
12-10-2009 09:06 PM
No. You will be able to telnet/ssh/asdm to the active as well as the standby provided you have a route from the client to both the active and the standby firewall.
Use a host/client that belongs on the same subnet (so dynamic routing doesn't come into the picture) as the active and the standby and you will be able to telnet/ssh/asdm to both of them.
-KS
12-17-2009 03:45 PM
You will have to add a static route with an administrative distance higher than that of your routing protocol. The static route applies to both the Active and Standby firewalls. But it will be used only on the Standby because of the administrative distance.
12-18-2009 09:47 AM
I'm not sure if OSPF route synchronization would happen with the standby ASA. As seen, the standby ASA just monitors the failover interfaces and takes the IP of the primary ASA if it fails. Having said this, you would be able to reach the standby ASA from the layer 3 subnet directly connected to the core switch. Have a static route on the core switch to reach the failover IP address (which is used just for mgmt purposes and not for routing), and redistribute that route to inside/outside, wherever needed! Route table info is not passed on to the secondary unit with stateful failover...
have a look at this topic in this forum:
https://supportforums.cisco.com/message/894013#894013
Hope this helps.. all the best..
Raj
12-18-2009 04:58 PM
So is it a design issue in active/standby failover mode?
12-18-2009 05:07 PM
You may not have read the link that I posted earlier.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1052476
State Information Not Passed to Standby Unit: The routing tables. After a failover occurs, some packets may be lost or routed out of the wrong interface (the default route) while the dynamic routing protocols rediscover routes.
The standby unit will only see connected and static routes. It will not see any dynamic routes.
Your options are to add a static route (host route) to the monitoring server or authentication server or to use a host directly connected to the interface that you want to manage.
-KS
12-18-2009 05:19 PM
KS
I did go through the link . . . but I can't find any mention of the suggested static route, unless I really missed it?
12-18-2009 05:46 PM
That link does not talk about what you need to do in order to manage the standby unit. It just talks about what is to be expected with dynamic routing protocols in a failover scenario.
-KS
12-18-2009 06:09 PM
KS
Well, now I can see that there isn't any documentation on how to manage the standby :|
12-18-2009 06:15 PM
Well, I guess it is obvious that you need a route and permission for "to the box" traffic, and a route, translation and permission for "through the box" traffic.
Adding the route on the standby unit will not replicate to the active. The config will be different on both units. You should only add commands on the active unit. Since dynamic routing is preferred, that is the reason Raj gave you a good suggestion to add a higher-metric static route on the active unit.
-KS
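The following is an added example, not code from the thread or from Cisco: it parses `show route`-style lines in the format the OP pasted, applies longest-prefix matching and then administrative-distance tie-breaking, and contrasts what the active unit (full EIGRP table) and the standby unit (connected routes plus whatever static routes were configured on the active and replicated) would use to reply to a management host. The sample tables are constructed and trimmed from the OP's post; the management host 172.18.0.10, the floating static route's next hop 172.18.5.2 and its distance of 200 (higher than EIGRP's 90, as Raj suggests; in ASA syntax it would be `route TJM_LAN 172.18.0.0 255.255.0.0 172.18.5.2 200`) are assumptions, not values from the thread.

```python
"""Check which route an ASA unit would use to reply to a management host.

Added example (not from the thread). The route tables below are constructed
in the format of the OP's `show route` output; the management host, the
floating static's next hop and its distance are assumed values.
"""
import ipaddress
import re

# First line of a route entry: "<code> <dest> <mask> [<ad>/<metric>] via <nh>, ..."
# Connected routes carry no [ad/metric] part; the ASA treats them as distance 0.
ROUTE_RE = re.compile(
    r"^(?P<code>[CSD])\s+(?P<dest>\S+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+\[(?P<ad>\d+)/\d+\]\s+via\s+(?P<nh>[\d.]+))?"
)
# Continuation line carrying an equal-cost second next hop for the previous entry.
CONT_RE = re.compile(r"^\[(?P<ad>\d+)/\d+\]\s+via\s+(?P<nh>[\d.]+)")


def parse_routes(output):
    """Return a list of route dicts: code, network, ad, next_hops."""
    routes = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        cont = CONT_RE.match(line)
        if cont and routes:
            routes[-1]["next_hops"].append(cont["nh"])
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        try:
            network = ipaddress.ip_network(f"{m['dest']}/{m['mask']}", strict=False)
        except ValueError:
            # e.g. the named EIGRP summary to Null0: not a forwarding entry modelled here.
            continue
        routes.append({
            "code": m["code"],
            "network": network,
            "ad": int(m["ad"]) if m["ad"] else 0,
            "next_hops": [m["nh"]] if m["nh"] else [],
        })
    return routes


def best_route(routes, ip):
    """Longest-prefix match; among equal prefixes the lowest administrative
    distance wins. That is why a floating static (AD 200) loses to an EIGRP
    route (AD 90) on the active unit but is the only candidate on the standby."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["ad"]))


def describe(unit, routes, ip):
    """One-line verdict on how `unit` would reply to management traffic from `ip`."""
    r = best_route(routes, ip)
    if r is None:
        return f"{unit}: no route to {ip}; replies to management traffic are dropped"
    return (f"{unit}: {ip} via {r['code']} {r['network']} "
            f"AD {r['ad']} next-hops {r['next_hops'] or ['connected']}")


# Constructed sample output trimmed to the OP's format. The last line is the
# floating static route Raj and KS propose; its next hop and distance are assumed.
ACTIVE_ROUTES = """
C 172.18.5.0 255.255.255.0 is directly connected, TJM_LAN
C 172.18.7.8 255.255.255.248 is directly connected, LEASED_LINE
D 172.18.0.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D 172.18.4.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
[90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D MES-TJM-LAN18 255.255.0.0 is a summary, 115:52:25, Null0
S 172.18.0.0 255.255.0.0 [200/0] via 172.18.5.2, TJM_LAN
"""

# Standby before the fix: only connected routes, which is what the OP observed.
STANDBY_BEFORE = """
C 172.18.5.0 255.255.255.0 is directly connected, TJM_LAN
C 172.18.7.8 255.255.255.248 is directly connected, LEASED_LINE
"""

# Standby after the static route was added on the active and replicated.
STANDBY_AFTER = STANDBY_BEFORE + "S 172.18.0.0 255.255.0.0 [200/0] via 172.18.5.2, TJM_LAN\n"

MGMT_HOST = "172.18.0.10"  # constructed host inside the OP's permitted telnet subnet

if __name__ == "__main__":
    print(describe("active", parse_routes(ACTIVE_ROUTES), MGMT_HOST))
    print(describe("standby (before)", parse_routes(STANDBY_BEFORE), MGMT_HOST))
    print(describe("standby (after)", parse_routes(STANDBY_AFTER), MGMT_HOST))
```

On the active unit the EIGRP /24 beats the static /16 on prefix length, and it would still win on administrative distance if the prefixes were equal; on the standby the static route is the only match, so management replies have somewhere to go. The same parser can be fed the real `show route` output of both units to confirm that the management subnet is covered on the standby before relying on it.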