ASA 5510 failover fault.

ReneRasmussen
Level 1

I have set up 2 x ASA 5510 in failover.

Port 0 connects to the internet.

Port 1 is trunked to 5 VLANs on the inside.

The failover link is on port 3.

If I connect the trunk on the standby ASA, the connection to the primary goes down.

If all cables are connected at startup I cannot ping anything, or connect to the internet, or to the ASA.

If I then disconnect the trunk on the standby ASA, it all works.

On the serial cable, all looks normal. No errors or anything.

I have no idea what could be causing this.

FW is ASA 8.2(1) and ASDM 6.2(1)

4 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Can you please post the output of "show failover" from both devices? Also, can you post the running configuration from both devices here?

Regards,

NT

I will post the config and failover output from the secondary ASAP.

Here is the primary, though.

Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 08:27:08 CEDT Aug 24 2010
This host: Primary - Active
  Active time: 88028 (sec)
  slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
    Interface Outside (xxx.xxx.xxx.226): Normal (Waiting)
    Interface FysiskIntern (0.0.0.0): Normal (Waiting)
    Interface Inside (192.168.0.249): Normal (Not-Monitored)
    Interface dmzzone (192.168.8.1): Normal (Not-Monitored)
    Interface xms (192.168.7.254): Normal (Not-Monitored)
    Interface MPLS (172.28.1.2): Normal (Not-Monitored)
    Interface dak (192.168.40.1): Normal (Not-Monitored)
    Interface management (192.168.1.1): No Link (Not-Monitored)
  slot 1: empty
Other host: Secondary - Failed
  Active time: 211 (sec)
  slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
    Interface Outside (0.0.0.0): Normal (Waiting)
    Interface FysiskIntern (0.0.0.0): No Link (Waiting)
    Interface Inside (0.0.0.0): Normal (Not-Monitored)
    Interface dmzzone (0.0.0.0): Normal (Not-Monitored)
    Interface xms (0.0.0.0): Normal (Not-Monitored)
    Interface MPLS (0.0.0.0): Normal (Not-Monitored)
    Interface dak (0.0.0.0): Normal (Not-Monitored)
    Interface management (0.0.0.0): Normal (Not-Monitored)
  slot 1: empty

Stateful Failover Logical Update Statistics
Link : Unconfigured.

Config

ASA Version 8.2(1)
!
hostname fw
domain-name 123.xx
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
name 192.168.0.2 blabla
name
name
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address xxx.xxx.xxx.226 255.255.255.248
!
interface Ethernet0/1
nameif FysiskIntern
security-level 0
no ip address
!
interface Ethernet0/1.2
vlan 2
nameif Inside
security-level 100
ip address 192.168.0.249 255.255.255.0
!
interface Ethernet0/1.3
vlan 3
nameif dmzzone
security-level 50
ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/1.7
vlan 7
nameif xms
security-level 99
ip address 192.168.7.254 255.255.255.0
!
interface Ethernet0/1.28
vlan 28
nameif MPLS
security-level 100
ip address 172.28.1.2 255.255.255.0
!
interface Ethernet0/1.40
vlan 40
nameif pak
security-level 5
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name 123.xx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network more blabla
access-list Inside_access_in extended permit tcp any any object-group BogPortalen
access-list Inside_access_in extended permit tcp any any object-group Nordea
access-list Inside_access_in extended permit tcp host AS400 any eq ftp
access-list Inside_access_in extended permit tcp host CCCintegrator01 any eq ftp
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_12
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_1 object-group webservere
access-list Inside_access_in extended permit tcp host CCCapp01 object-group DMZ_Servere
access-list Inside_access_in extended permit tcp host AS400 object-group webservere eq ftp
access-list Inside_access_in extended permit udp host AS400 object-group IBM object-group IBM_Services
access-list Inside_access_in extended permit tcp object-group WebAdmins object-group webservere object-group VedrWeb
access-list Inside_access_in extended permit tcp object-group InterneLocusBrugere host CCCtracksrv01 object-group VedrWeb
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 mitron 255.255.255.0
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 host CCCintegrator01 host CCCtracksrv01
access-list Inside_access_in extended permit tcp host CCCexc01 object-group webservere
access-list Inside_access_in extended permit udp any object-group DM_INLINE_NETWORK_11 eq domain
access-list Inside_access_in remark Web, mail , ping.
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list Inside_access_in extended permit tcp any any object-group RDP
access-list Inside_access_in extended permit ip 192.168.0.0 255.255.255.0 remote 255.255.255.0
access-list Inside_access_in extended deny ip 192.168.0.0 255.255.255.0 mitron 255.255.255.0
access-list Inside_access_in extended deny ip any dmz_zone 255.255.255.0
access-list Inside_access_in extended deny ip any any
access-list dmzzone_access_in extended permit ip object-group DMZ_Servere object-group DM_INLINE_NETWORK_2
access-list dmzzone_access_in extended permit ip host CCCtracksrv01 any
access-list dmzzone_access_in extended permit udp any any eq domain
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq https
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_3 eq www
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_5 eq ftp
access-list Outside_access_in extended permit object-group TCPUDP any host xxx.xxx.xxx.228 object-group Integrator
access-list Outside_access_in extended permit tcp any host xxx.xxx.xxx.229 eq smtp
access-list Outside_access_in extended permit object-group TCPUDP any host xxx.xxx.xxx.147 object-group 5K
access-list Outside_access_in extended permit ip any host xxx.xxx.xxx.147
access-list Outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host xxx.xxx.xxx.150 object-group RDP
access-list Outside_access_in extended permit tcp host AgentData host xxx.xxx.xxx.227 object-group 8K
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host ProxIt_Server host xxx.xxx.xxx.230
access-list Outside_access_in extended permit tcp object-group Portalen host xxx.xxx.xxx.228 eq https
access-list Outside_access_in extended permit tcp object-group Icebreak_Brugere host xxx.xxx.xxx.228 eq https
access-list Outside_access_in extended deny ip any any
access-list xms_access_in extended permit object-group DM_INLINE_PROTOCOL_5 mitron 255.255.255.0 object-group DM_INLINE_NETWORK_7
access-list dmzzone_nat0_outbound extended permit ip object-group DMZ_Servere host CCCexc01
access-list Inside_nat0_outbound extended permit ip any 192.168.0.220 255.255.255.252
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mitron 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 remote 255.255.255.0
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_8 object-group DMZ_Servere
access-list Inside_nat0_outbound extended permit ip any host It_sup_VPN
access-list Inside_nat0_outbound extended permit ip any dummy176 255.255.255.240
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.173.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.26.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.26.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip host xxx.xxx.xxx.230 object-group DM_INLINE_NETWORK_9
access-list Inside_nat0_outbound extended permit ip host scannet_EDI host xxx.xxx.xxx.228
access-list Inside_nat0_outbound extended permit ip 192.16.0.0 255.255.255.0 remote 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.16.0.0 255.255.255.0 172.26.1.0 255.255.255.0
access-list pak_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 10.10.20.0 255.255.255.224
access-list xms_nat0_outbound extended permit ip mitron 255.255.255.0 remote 255.255.255.0
access-list TDCnetMPLS_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 172.26.1.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip host xxx.xxx.xxx.230 object-group DM_INLINE_NETWORK_9
access-list Outside_2_cryptomap extended permit ip host scannet_EDI host xxx.xxx.xxx.228
access-list Outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_10 remote 255.255.255.0
access-list Outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.173.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu FysiskIntern 1500
mtu Inside 1500
mtu dmzzone 1500
mtu xms 1500
mtu MPLS 1500
mtu pak 1500
mtu management 1500
ip local pool VPNPool VpnKlient1-VpnKlient8 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover key *****
failover interface ip FAILOVER 192.168.199.1 255.255.255.0 standby 192.168.199.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
icmp permit any MPLS
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (dmzzone) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.0.0 255.255.255.0
nat (dmzzone) 0 access-list dmzzone_nat0_outbound
nat (dmzzone) 0 dmz_zone 255.255.255.0
nat (xms) 0 access-list xms_nat0_outbound
nat (pak) 0 access-list pak_nat0_outbound
static (Inside,Outside) tcp xxx.xxx.xxx.149 ftp CCCintegrator01 ftp netmask 255.255.255.255
static (Inside,Outside) tcp xxx.xxx.xxx.150 https CCCexc01 https netmask 255.255.255.255
static (Inside,Outside) tcp xxx.xxx.xxx.150 3389 Fileprosrv01 3389 netmask 255.255.255.255
static (dmzzone,Outside) tcp xxx.xxx.xxx.227 www WEB_Hjemmeside www netmask 255.255.255.255
static (dmzzone,Outside) tcp xxx.xxx.xxx.227 3389 WEB_Hjemmeside 3389 netmask 255.255.255.255
static (dmzzone,Outside) tcp xxx.xxx.xxx.147 3389 CCCtracksrv01 3389 netmask 255.255.255.255
static (dmzzone,Outside) tcp xxx.xxx.xxx.147 5000 CCCtracksrv01 5000 netmask 255.255.255.255
static (Inside,Outside) xxx.xxx.xxx.229 Nada netmask 255.255.255.255
static (Inside,Outside) xxx.xxx.xxx.230 AS400 netmask 255.255.255.255
static (Inside,Outside) xxx.xxx.xxx.228 CCCint01 netmask 255.255.255.255
static (Inside,dmzzone) 192.168.8.242 CCCexc01 netmask 255.255.255.255
static (Inside,dmzzone) Fileprosrv01 Fileprosrv01 netmask 255.255.255.255
static (Inside,dmzzone) CCCdom01 CCCdom01 netmask 255.255.255.255
static (Inside,dmzzone) CCCftp01 CCCftp01 netmask 255.255.255.255
static (Inside,dmzzone) CCCitsrv CCCitsrv netmask 255.255.255.255
static (Inside,dmzzone) CCCapp01 CCCapp01 netmask 255.255.255.255
static (MPLS,Inside) 192.168.2.100 172.26.1.10 netmask 255.255.255.255
static (dmzzone,Inside) WEB_Hjemmeside WEB_Hjemmeside netmask 255.255.255.255
static (dmzzone,Inside) WEB_Udviklingsside2 WEB_Udviklingsside2 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group dmzzone_access_in in interface dmzzone
access-group xms_access_in in interface xms
route MPLS 172.26.2.0 255.255.255.0 172.28.1.1 1 track 122
route MPLS 172.26.1.0 255.255.255.0 172.28.1.1 1 track 123
route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.225 1
route MPLS 172.26.1.0 255.255.255.0 172.28.1.3 10
route MPLS 172.26.2.0 255.255.255.0 172.28.1.3 10
route MPLS 172.28.0.0 255.255.0.0 172.28.1.1 1
route Inside BibiFTPserver 255.255.255.255 192.168.0.239 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 443
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
http 172.26.1.0 255.255.255.0 MPLS
http 172.26.2.0 255.255.255.0 MPLS
http It_sup_VPN 255.255.255.255 Inside
http It_Chef 255.255.255.255 Inside
http CCCtrm02 255.255.255.255 Inside
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho 172.28.2.2 interface MPLS
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 172.28.3.2 interface MPLS
sla monitor schedule 2 life forever start-time now
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer xxx.xxx.xxx.18
crypto map Outside_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 2 match address Outside_2_cryptomap
crypto map Outside_map 2 set pfs
crypto map Outside_map 2 set peer xxx.xxx.xxx.98
crypto map Outside_map 2 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set peer xxx.xxx.xxx.226
crypto map Outside_map 3 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 4 match address Outside_4_cryptomap
crypto map Outside_map 4 set pfs
crypto map Outside_map 4 set peer xxx.xxx.xxx.231
crypto map Outside_map 4 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
track 122 rtr 2 reachability
!
track 123 rtr 1 reachability
telnet It_sup_VPN 255.255.255.255 Inside
telnet timeout 5
ssh Eltel_Service 255.255.255.255 Outside
ssh timeout 5
console timeout 0
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
group-policy SSLVPN internal
group-policy SSLVPN attributes
vpn-tunnel-protocol webvpn
webvpn
  url-list none
group-policy CareitecVPN internal
group-policy CiscoVpnKlienter internal
group-policy CiscoVpnKlienter attributes
vpn-tunnel-protocol IPSec
address-pools value VPNPool
username careitec password xxxxxxxxxxxxxxx encrypted
username careitec attributes
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group xxx.xxx.xxx.18 type ipsec-l2l
tunnel-group xxx.xxx.xxx.18 ipsec-attributes
pre-shared-key *
tunnel-group xxx.xxx.xxx.98 type ipsec-l2l
tunnel-group xxx.xxx.xxx.98 ipsec-attributes
pre-shared-key *
tunnel-group xxx.xxx.xxx.226 type ipsec-l2l
tunnel-group xxx.xxx.xxx.226 ipsec-attributes
pre-shared-key *
tunnel-group xxx.xxx.xxx.231 type ipsec-l2l
tunnel-group xxx.xxx.xxx.231 ipsec-attributes
pre-shared-key *
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
default-group-policy SSLVPN
tunnel-group CareitecVPN type remote-access
tunnel-group CareitecVPN general-attributes
address-pool VPNPool
tunnel-group CareitecVPN ipsec-attributes
pre-shared-key *
tunnel-group CiscoVpnKlienter type remote-access
tunnel-group CiscoVpnKlienter general-attributes
address-pool VPNPool
tunnel-group CiscoVpnKlienter ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2ba8d4d07d04e116ceeeee06e5a929c0
: end

I still have this error.

Could it be a FW fault?
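A quick health check over the "show failover" output posted above, as an added example (not code from the thread or from Cisco). It assumes the output format shown in the post; the function names and the cut-down sample text are mine. It flags the peer state, the missing stateful link, and any monitored interface that is down or has no standby address, which is the first thing to read off that output before touching cables or keys:

```python
import re

# Constructed excerpt of the "show failover" output posted in the thread
# (sample input for this check, cut down to the lines that matter).
SAMPLE_SHOW_FAILOVER = """\
This host: Primary - Active
    Interface Outside (xxx.xxx.xxx.226): Normal (Waiting)
    Interface FysiskIntern (0.0.0.0): Normal (Waiting)
    Interface Inside (192.168.0.249): Normal (Not-Monitored)
Other host: Secondary - Failed
    Interface Outside (0.0.0.0): Normal (Waiting)
    Interface FysiskIntern (0.0.0.0): No Link (Waiting)
    Interface Inside (0.0.0.0): Normal (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^\s+Interface (\S+) \((\S+)\): (.+?) \((.+?)\)$")


def parse_show_failover(text):
    """Return {'this': unit, 'other': unit, 'stateful': bool}; each unit maps
    interface name -> (address, link status, monitoring state)."""
    result = {"this": None, "other": None, "stateful": True}
    unit = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            unit = {"unit": m.group(2), "state": m.group(3).strip(), "ifaces": {}}
            result["this" if m.group(1) == "This" else "other"] = unit
            continue
        m = IFACE_RE.match(line)
        if m and unit is not None:
            name, addr, status, monitor = m.groups()
            unit["ifaces"][name] = (addr, status, monitor)
        elif line.startswith("Link : Unconfigured"):
            result["stateful"] = False  # no stateful link: sessions drop on switchover
    return result


def failover_findings(parsed):
    """Problems an operator should look at first, in plain words."""
    this, other, findings = parsed["this"], parsed["other"], []
    if other["state"] != "Standby Ready":
        findings.append(f"peer {other['unit']} is {other['state']}, not Standby Ready")
    if not parsed["stateful"]:
        findings.append("no stateful failover link: connections will not survive a switchover")
    for name, (addr, status, monitor) in other["ifaces"].items():
        if monitor == "Not-Monitored":
            continue  # only monitored interfaces can trigger a failover
        this_addr, _, this_mon = this["ifaces"].get(name, ("0.0.0.0", "", ""))
        if status == "No Link":
            findings.append(f"{name}: monitored interface has no link on the {other['unit']}")
        if addr == "0.0.0.0" and this_addr != "0.0.0.0":
            findings.append(f"{name}: no standby IP address configured")
        if monitor == "Waiting" and this_mon == "Waiting":
            findings.append(f"{name}: monitoring still waiting on both units (no hello from the peer yet)")
    return findings
```

Running `failover_findings(parse_show_failover(SAMPLE_SHOW_FAILOVER))` on the posted output reports the failed peer, the unconfigured stateful link, the missing standby address on Outside, and FysiskIntern (the trunk port) showing no link on the secondary.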

Hello Rene,

Sorry, I did not notice your previous update. Can you remove the failover key from both devices and try to failover again? When you try again, please do the following:

Step 1: Remove all LAN/WAN cables from the secondary device

Step 2: Connect the failover LAN cable between them

Step 3: Remove the failover key from both devices

Hope this helps.

Regards,

NT
