ASA/PIX failover trouble with xlate

Answered Question
May 27th, 2010

Hi people,


I configured two ASA 5540s in active/standby. The trouble is that when the secondary ASA goes active, the xlate tables start to be created and it gives me problems. Is there some way for both ASAs to have the same xlate?




Thanks


Alex

Correct Answer by JORGE RODRIGUEZ about 7 years 1 month ago

Alex, look at the couple of links below.

You already have LAN failover:


failover
failover lan unit primary
failover lan interface failover Ethernet9
failover lan enable
failover key *****
failover interface ip failover 192.168.40.1 255.255.255.192 standby 192.168.40.2



For stateful you will need a dedicated interface, or you can share the LAN failover interface with stateful failover, or you may use a subinterface for the stateful failover implementation.


failover link state
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2


See the Stateful failover section. As Jon indicated, you will need (failover link) in order to enable stateful failover and pass per-connection state to the standby unit.


http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef



Go over some good guidelines:


http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/ef.html#wp1928149




Regards
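
A quick way to check a saved configuration for the gap discussed in this answer, as an added example that is not part of the original thread or Cisco's tooling: it flags a pair that has LAN failover but no `failover link`, which is why the xlate table is rebuilt after switchover. The function name `audit_failover` is hypothetical, and the sample configs are constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: the LAN-only failover config quoted in the thread.
LAN_ONLY = """\
failover
failover lan unit primary
failover lan interface failover Ethernet9
failover lan enable
failover key *****
failover interface ip failover 192.168.40.1 255.255.255.192 standby 192.168.40.2
"""
# Constructed sample: the same config plus the two stateful lines from the answer.
STATEFUL = LAN_ONLY + """\
failover link state
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
"""


def audit_failover(config: str) -> list[str]:
    """Return findings explaining why the pair would lose state on switchover."""
    lines = [" ".join(l.split()) for l in config.splitlines() if l.strip()]
    findings = []
    if "failover" not in lines:
        findings.append("failover is not enabled")
    lan = next((l.split()[3] for l in lines
                if re.match(r"failover lan interface \S+", l)), None)
    link = next((l.split()[2] for l in lines
                 if re.match(r"failover link \S+", l)), None)
    # Interface names that have an active/standby address pair assigned.
    addressed = {m.group(1) for l in lines if (m := re.match(
        r"failover interface ip (\S+) \S+ \S+ standby \S+$", l))}
    if lan is None:
        findings.append("no 'failover lan interface' configured")
    elif lan not in addressed:
        findings.append(f"LAN failover interface '{lan}' has no active/standby IP pair")
    if link is None:
        findings.append("no 'failover link': failover is stateless, so xlate and "
                        "connection tables are rebuilt after switchover")
    elif link not in addressed:
        findings.append(f"stateful link '{link}' has no active/standby IP pair")
    if not any(l.startswith("failover key ") for l in lines):
        findings.append("no 'failover key': failover traffic is sent in clear text")
    if link and "failover replication http" not in lines:
        findings.append("'failover replication http' missing: HTTP connections are not replicated")
    return findings
```

Run it against the output of `show running-config failover` from each unit; an empty list means the stateful link, its addressing, the key and HTTP replication are all present.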

amartinezr Thu, 05/27/2010 - 14:17

Thank you, Jon.


The problem is that I have a database server; when failover is turned on, connections are rejected by the firewall as it begins to assemble the xlate table. Thank you very much for your help, I hope to solve the problem.


The failover config is this:



failover
failover lan unit primary
failover lan interface failover Ethernet9
failover lan enable
failover key *****
failover interface ip failover 192.168.40.1 255.255.255.192 standby 192.168.40.2

-------

and


your recommendation is


failover replication http


Thanks

m.slotboom Thu, 05/27/2010 - 15:02

Hello,


Have you added the virtual MAC addresses (active and standby MAC address) to the interfaces in the failover config?


Regards,


Marcel

Correct Answer
JORGE RODRIGUEZ Thu, 05/27/2010 - 15:25