Hi,

If failover happened in ASA,obviously you should able to access the standby firewall with the primary IP address and you can configure and manage the firewalls.

Can you paste the output of the below commands

sh run | i failover

sh run interfaces

Regards

Karuppu

Yes, you can access it, but not throgh ASDM

Hi,

No.. Even via ASDM also you should able to access the secondary firewall.

Regards

Karuppu

I have tested successfully.

On Fri, Mar 12, 2010 at 9:22 AM, ruizdamon <

Thanks for your support. I could not get it to work.  Please seee attached config info.

Thank you, I tried it both ways, and it still fails.  Please seee attached.

Are you sure you have the correct ASDM image loaded in the secondary ASA?

If not, that might explain the problem.

Yes,

Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 03:55:32 PST Mar 12 2010
        This host: Secondary - Failed
                Active time: 9180 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface outside (209.120.231.11): Normal
                  Interface inside (172.20.0.4): Normal
                  Interface dmz (172.20.96.2): Normal
                  Interface management (192.168.1.2): Failed (Waiting)
                slot 1: empty
        Other host: Primary - Active
                Active time: 9060 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface outside (209.120.231.2): Normal
                  Interface inside (172.20.0.2): Normal
                  Interface dmz (172.20.96.1): Normal
                  Interface management (192.168.1.1): Normal (Waiting)
                slot 1: empty

yes, the pair is

ASDM 6.1(3) and ASA 8.0(4)

Thank you all for your replies and I apologize for the slow responses.  I have been out of the office the last couple days.  However,  I have yet to figure this out. 

To answer your questions, here are the versions of software I'm using and they are identical on both boxes.

ASA 8.2(1) and ASDM 6.2(1)

I do have Active/standby IP addresses assigned to each interface: For example:

int g0/0

   desc int outside

   ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2

int g0/1

   desc int inside

   ip address 2.2.2.1 255.255.255.0 standby 2.2.2.2

I can see the Active IP switch with whichever ASA becomes active.  That also seems to be working ok (checking via telnet).  I checked the serial

numbers and verified the IP addresses are switching.  However, ronce the secondary becomes active, I can no longer ASDM into it using the Active IP address.   I CAN however ASDM into it using the standby IP address.  Though this does me no good since I'm unable to make any changes to the secondary (cant replicate changes to the primary).   So therefore, I cant make changes via asdm if the secondary becomes active.

I dont understand why this isnt working.   Damon, I appreciate you looking into this and seeing my headache with me .  Just for the record, I do not have a management interface set up and am just using the inside interface (in-band) to make my changes.

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover link failover GigabitEthernet0/2
failover interface ip failover 192.168.56.1 255.255.255.252 standby 192.168.56.2

Last Failover at: 01:23:46 CST Mar 12 2010
        This host: Primary - Active
                Active time: 1128937 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside (x.x.x.254): Normal
                  Interface DMZ (x.x.x.1): Normal
                  Interface inside (x.x.x.10): Normal
                  Interface management (192.168.1.1): No Link (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
                  IPS, 6.0(6)E3, Up
        Other host: Secondary - Standby Ready
                Active time: 1131563 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside (x.x.x.244): Normal
                  Interface DMZ (x.x.x.2): Normal
                  Interface inside (x.x.x.13): Normal
                  Interface management (0.0.0.0): No Link (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
                  IPS, 6.0(6)E3, Up

If anyone can help or see where I am going wrong....I would appreciate any help.

Btw, thank you guys for assisting and trying to work through this with me.

I have scoured the documentation.  Does anyone know where this issue is addressed?

1. When the primary is active and secondary is standby you are able to asdm into both (x.x.x.13 - standby IP) and
(x.x.x.10 - active IP) addresses. Both IPs work.

2. When they switch roles - when the primary is standby and the secondary is active - you are no longer able to asdm to the active ip .10 address but are able to asdm to the .13 standby IP address which is now the primary firewall.

Is this correct? Honestly this does not make any sense at all.

You have proved that the asdm version/image is working fine on the secondary when it is standby. What do the logs and captures say when it fails on the secondary unit when it is active?

sh logg | i x.x.x.x where x.x.x.x is the client IP

cap capin int inside match ip any x.x.x.10 eq 443

sh cap capin det

Also from the client PC go to the run line and issue "telnet x.x.x.10 443" and see if you see a black window with a blinking cursor when the secondary unit is active.

-KS

I'm still thinking that a missing ASDM image on the standby ASA would explain this problem. When I asked you to check this you showed me an output from "show failover" which doesn't show the ASDM version.

Could you make the standby active and do these commands:

show disk0:

show version

show run | inc asdm