03-11-2010 12:22 PM - edited 03-11-2019 10:20 AM
I have 2 ASA 5520's set up in an Active/Standby scenario. The link between them is but a mere cross-over cable. The failover works fine. It fails over and picks up without missing a beat. My question is....if the primary fails over to the secondary, should I still be able to use ASDM to manage the ASA? Is ASDM supported on the secondary ASA when it's active?
03-18-2010 06:52 AM
Reload will fix it or you can toggle the "http server enable" line as well. It will complain that you are trying to make a change on the standby unit but just do it and then issue "sh asp table socket" again.
We are very close....
By saying toggle I mean issue a "no http server en" and then "http server en"
-KS
03-11-2010 05:02 PM
I have (2) 5520's in active/standby as well. They are non production, so I was able to test your question.
Unfortunately not working. I shut down the Primary (Active), the failover works, but ASDM loses connection to the Standby (Active) even though the Management0/0 interface has the 192.168.1.1 address. For some reason I picked up 192.168.1.3, when it was 192.168.1.2 before the failover. I tried several things including hard coding the 192.168.1.x/24 address, but no go. It is worthy of note, I am using ASDM 6.1(3) with ASA 8.0(4).
03-11-2010 05:05 PM
Hi,
If failover happened in the ASA, obviously you should be able to access the standby firewall with the primary IP address, and you can configure and manage the firewalls.
Can you paste the output of the below commands?
sh run | i failover
sh run interfaces
Regards
Karuppu
03-11-2010 05:22 PM
Yes, you can access it, but not through ASDM
03-11-2010 05:54 PM
Hi,
No.. Even via ASDM also you should be able to access the secondary firewall.
Regards
Karuppu
I have tested successfully.
On Fri, Mar 12, 2010 at 9:22 AM, ruizdamon <
03-12-2010 02:01 PM
03-11-2010 08:27 PM
jonesl1,
Primary and Secondary may take the role of active or standby.
Whichever unit becomes active, that unit will take the active IP for layer 3 and active MAC for layer 2. The active IP and MAC are those of the primary unit.
So, if the secondary unit becomes active it will (answer for) assume the active IP and the active MAC.
Now, I hope you have all interfaces configured with active and standby IP addresses. In which case you should be able to asdm, ssh and telnet into both the active and standby IP at all times provided you have enabled these.
If the primary unit is active you will reach that unit when you try to asdm, telnet or ssh to the active IP address. You can verify by issuing sh ver and verifying the serial number.
If the secondary unit is active then it will respond to the active IP address and you can verify the serial number with a sh ver.
-KS
03-12-2010 02:02 PM
03-12-2010 03:47 PM
Are you sure you have the correct ASDM image loaded in the secondary ASA?
If not, that might explain the problem.
03-12-2010 03:56 PM
Yes,
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 03:55:32 PST Mar 12 2010
This host: Secondary - Failed
Active time: 9180 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (209.120.231.11): Normal
Interface inside (172.20.0.4): Normal
Interface dmz (172.20.96.2): Normal
Interface management (192.168.1.2): Failed (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 9060 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (209.120.231.2): Normal
Interface inside (172.20.0.2): Normal
Interface dmz (172.20.96.1): Normal
Interface management (192.168.1.1): Normal (Waiting)
slot 1: empty
03-12-2010 04:19 PM
yes, the pair is
ASDM 6.1(3) and ASA 8.0(4)
03-15-2010 05:43 AM
Thank you all for your replies and I apologize for the slow responses. I have been out of the office the last couple days. However, I have yet to figure this out.
To answer your questions, here are the versions of software I'm using and they are identical on both boxes.
ASA 8.2(1) and ASDM 6.2(1)
I do have Active/standby IP addresses assigned to each interface: For example:
int g0/0
desc int outside
ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
int g0/1
desc int inside
ip address 2.2.2.1 255.255.255.0 standby 2.2.2.2
I can see the Active IP switch with whichever ASA becomes active. That also seems to be working ok (checking via telnet). I checked the serial numbers and verified the IP addresses are switching. However, once the secondary becomes active, I can no longer ASDM into it using the Active IP address. I CAN however ASDM into it using the standby IP address. Though this does me no good since I'm unable to make any changes to the secondary (can't replicate changes to the primary). So therefore, I can't make changes via asdm if the secondary becomes active.
I don't understand why this isn't working. Damon, I appreciate you looking into this and seeing my headache with me. Just for the record, I do not have a management interface set up and am just using the inside interface (in-band) to make my changes.
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover link failover GigabitEthernet0/2
failover interface ip failover 192.168.56.1 255.255.255.252 standby 192.168.56.2
Last Failover at: 01:23:46 CST Mar 12 2010
This host: Primary - Active
Active time: 1128937 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside (x.x.x.254): Normal
Interface DMZ (x.x.x.1): Normal
Interface inside (x.x.x.10): Normal
Interface management (192.168.1.1): No Link (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
IPS, 6.0(6)E3, Up
Other host: Secondary - Standby Ready
Active time: 1131563 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside (x.x.x.244): Normal
Interface DMZ (x.x.x.2): Normal
Interface inside (x.x.x.13): Normal
Interface management (0.0.0.0): No Link (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
IPS, 6.0(6)E3, Up
If anyone can help or see where I am going wrong....I would appreciate any help.
Btw, thank you guys for assisting and trying to work through this with me.
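Since two "show failover" dumps have now been posted in this thread (Damon's 8.0(4) pair above, and the 8.2(1) pair in this post), here is a small parser that turns that output into something you can check automatically: which unit is Active, which address on a given interface a manager should therefore be connecting to, and any interface or unit that is not reporting Normal. This is an added example, not code from anyone in the thread or from Cisco. It assumes the 8.x text layout shown in the posts above; the sample embedded in it is copied from Damon's earlier output. The asdm_port_open helper is my own stand-in for the "telnet x.x.x.10 443" check KS describes and simply opens a TCP connection to the given address.

```python
import re
import socket
from dataclasses import dataclass, field

# Sample "show failover" output, copied from the output posted earlier in this
# thread (the 8.0(4) pair). Embedded here so the script runs offline.
SAMPLE_SHOW_FAILOVER = """\
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 03:55:32 PST Mar 12 2010
        This host: Secondary - Failed
                Active time: 9180 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface outside (209.120.231.11): Normal
                  Interface inside (172.20.0.4): Normal
                  Interface dmz (172.20.96.2): Normal
                  Interface management (192.168.1.2): Failed (Waiting)
                slot 1: empty
        Other host: Primary - Active
                Active time: 9060 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface outside (209.120.231.2): Normal
                  Interface inside (172.20.0.2): Normal
                  Interface dmz (172.20.96.1): Normal
                  Interface management (192.168.1.1): Normal (Waiting)
                slot 1: empty
"""


@dataclass
class UnitState:
    role: str                 # "Primary" or "Secondary"
    state: str                # "Active", "Standby Ready", "Failed", ...
    interfaces: dict = field(default_factory=dict)   # name -> (ip, status)


HOST_RE = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)$")
IFACE_RE = re.compile(r"^Interface\s+(\S+)\s+\(([^)]*)\):\s+(.+?)$")
VERSION_RE = re.compile(r"^Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)$")


def parse_show_failover(text):
    """Return {'this': UnitState, 'other': UnitState, 'versions': (ours, mate)}."""
    result = {"versions": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VERSION_RE.match(line)
        if m:
            result["versions"] = m.groups()
            continue
        m = HOST_RE.match(line)
        if m:
            which, role, state = m.groups()
            current = UnitState(role=role, state=state)
            result[which.lower()] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, status = m.groups()
            current.interfaces[name] = (ip, status)
    return result


def active_unit(parsed):
    """The unit currently answering on the active IP/MAC, or None."""
    for key in ("this", "other"):
        unit = parsed.get(key)
        if unit is not None and unit.state.startswith("Active"):
            return unit
    return None


def management_address(parsed, iface):
    """Address a manager should use on *iface*: the one the Active unit holds."""
    unit = active_unit(parsed)
    if unit is None or iface not in unit.interfaces:
        return None
    return unit.interfaces[iface][0]


def problems(parsed):
    """Findings worth alerting on: version mismatch, no Active unit, Failed units, non-Normal interfaces."""
    findings = []
    ours, mate = parsed["versions"] or (None, None)
    if ours != mate:
        findings.append(f"software mismatch: ours {ours}, mate {mate}")
    if active_unit(parsed) is None:
        findings.append("no unit reports Active")
    for key in ("this", "other"):
        unit = parsed.get(key)
        if unit is None:
            continue
        if unit.state.startswith("Failed"):
            findings.append(f"{unit.role} unit is in state '{unit.state}'")
        for name, (ip, status) in unit.interfaces.items():
            if not status.startswith("Normal"):
                findings.append(f"{unit.role} {name} ({ip}): {status}")
    return findings


def asdm_port_open(host, port=443, timeout=3.0):
    """Assumed stand-in for KS's 'telnet <active IP> 443' check: True if TCP 443 accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    parsed = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    print("active unit:", active_unit(parsed).role)
    print("ASDM target on inside:", management_address(parsed, "inside"))
    for finding in problems(parsed):
        print("finding:", finding)
```

Paste the real output into SAMPLE_SHOW_FAILOVER (or read it from a file) and run it after each test failover; if management_address reports the expected active IP but asdm_port_open against it returns False only while the secondary is active, that narrows the problem to the HTTP server on that unit rather than to addressing.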
03-15-2010 09:09 AM
I have scoured the documentation. Does anyone know where this issue is addressed?
03-15-2010 09:07 PM
1. When the primary is active and secondary is standby you are able to asdm into both (x.x.x.13 - standby IP) and (x.x.x.10 - active IP) addresses. Both IPs work.
2. When they switch roles - when the primary is standby and the secondary is active - you are no longer able to asdm to the active ip .10 address but are able to asdm to the .13 standby IP address which is now the primary firewall.
Is this correct? Honestly this does not make any sense at all.
You have proved that the asdm version/image is working fine on the secondary when it is standby. What do the logs and captures say when it fails on the secondary unit when it is active?
sh logg | i x.x.x.x where x.x.x.x is the client IP
cap capin int inside match ip any x.x.x.10 eq 443
sh cap capin det
Also from the client PC go to the run line and issue "telnet x.x.x.10 443" and see if you see a black window with a blinking cursor when the secondary unit is active.
-KS
03-16-2010 12:04 AM
I'm still thinking that a missing ASDM image on the standby ASA would explain this problem. When I asked you to check this you showed me an output from "show failover" which doesn't show the ASDM version.
Could you make the standby active and do these commands:
show disk0:
show version
show run | inc asdm