ā07-13-2010 11:35 PM - edited ā03-11-2019 11:11 AM
Dear All
I have configure 2 Cisco ASA 5550 firewall in Active Standby . Both the firewall are connected back to back . Both the firewalls are running software version 7.2(3). Below are the detais .The poblem ia am bale to telnet the active firewall but not the secondary firewall . It promts me for username and pasword but i cannot give the credentials .Pleae suggest
show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAIL-STATE-LINK GigabitEthernet1/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1%
Monitored Interfaces 7 of 250 maximum
failover replication http
Version: Ours 7.2(3), Mate 7.2(3)
Last Failover at: 01:13:05 IST Mar 13 2010
This host: Secondary - Active
Active time: 10667580 (sec)
slot 0: ASA5550 hw/sw rev (2.0/7.2(3)) status (Up Sys)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (
Other host: Primary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5550 hw/sw rev (2.0/7.2(3)) status (Up Sys)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (
Stateful Failover Logical Update Statistics
Link : FAIL-STATE-LINK GigabitEthernet1/3 (up)
Stateful Obj xmit xerr rcv rerr
General 393038746 917459 112532 0
sys cmd 111285 327768 111284 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 324641827 0 996 0
UDP conn 68241284 0 216 0
ARP tbl 38939 589691 32 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 417 0 2 0
VPN IPSEC upd 4994 0 2 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 16 113154
Xmit Q: 1024 1024 396290500
ā07-14-2010 06:08 AM
What approach are you using to authenticate 'telnet' or 'ssh' users? If you are using AAA, be sure that you have the Standby IP address configured on the AAA server for authentication.
Let me know if this helps!
Best Regards,
Kevin
ā07-14-2010 08:51 PM
Dear Kevin
Both the ips of the firewall are configured in the tacacs server .
Regards
Umesh Gurav
ā07-14-2010 09:05 PM
Hello,
Looks like you are seeing quite a bit of errors in stateful replication. Could you post the "show failover" output from the primary as well as "show interface gi 1/3"
Regards,
NT
ā07-14-2010 09:10 PM
DC-MUM-FW5550# sh interface gigabitEthernet 1/3
Interface GigabitEthernet1/3 "FAIL-STATE-LINK", is up, line protocol is up
Hardware is VCS7380 rev01, BW 1000 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Media-type configured as RJ45 connector
Description: LAN/STATE Failover Interface
MAC address 001e.7a20.cb42, MTU 1500
16040907 packets input, 2228627800 bytes, 0 no buffer
Received 1948 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
442828514 packets output, 290694114038 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Traffic Statistics for "FAIL-STATE-LINK":
16040989 packets input, 1939985514 bytes
442846592 packets output, 282761227486 bytes
0 packets dropped
1 minute input rate 1 pkts/sec, 193 bytes/sec
1 minute output rate 19 pkts/sec, 23317 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 197 bytes/sec
5 minute output rate 19 pkts/sec, 23117 bytes/sec
5 minute drop rate, 0 pkts/sec
Where as Primary i am not able to login via telnet or SSH i need to take the console and then troubleshoot .
Regards
Umesh Gurav
ā07-14-2010 09:25 PM
Hello,
Can you please try this command on the device that is not letting you use AAA credentials:
test aaa-server authentication
Also, if you have AAA authorization configured, can you disable it and see if that is of any help?
Regards,
NT
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide