
Active Standby Failover

umeshgurav
Level 1

Dear All

I have configured 2 Cisco ASA 5550 firewalls in Active Standby. Both the firewalls are connected back to back. Both the firewalls are running software version 7.2(3). Below are the details. The problem is I am able to telnet to the active firewall but not the secondary firewall. It prompts me for username and password but I cannot give the credentials. Please suggest.

show  failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAIL-STATE-LINK GigabitEthernet1/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1%
Monitored Interfaces 7 of 250 maximum
failover replication http
Version: Ours 7.2(3), Mate 7.2(3)
Last Failover at: 01:13:05 IST Mar 13 2010
        This host: Secondary - Active
                Active time: 10667580 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/7.2(3)) status (Up Sys)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (
        Other host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/7.2(3)) status (Up Sys)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (

Stateful Failover Logical Update Statistics
        Link : FAIL-STATE-LINK GigabitEthernet1/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         393038746  917459     112532     0
        sys cmd         111285     327768     111284     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        324641827  0          996        0
        UDP conn        68241284   0          216        0
        ARP tbl         38939      589691     32         0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     417        0          2          0
        VPN IPSEC upd   4994       0          2          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       16      113154
        Xmit Q:         1024    1024    396290500

5 Replies

Kevin Redmon
Cisco Employee

What approach are you using to authenticate 'telnet' or 'ssh' users?  If you are using AAA, be sure that you have the Standby IP address configured on the AAA server for authentication.

Let me know if this helps!

Best Regards,

Kevin

Dear Kevin

Both the IPs of the firewall are configured in the TACACS server.

Regards

Umesh Gurav

Hello,

Looks like you are seeing quite a bit of errors in stateful replication. Could you post the "show failover" output from the primary as well as "show interface gi 1/3"?

Regards,

NT
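
The replication errors pointed out in the reply above can be pulled out of `show failover` output mechanically. The following Python is an added example, not part of the original thread: the function names and the flagging rule (any non-zero xerr/rerr, or a queue whose current depth equals its recorded maximum) are assumptions for illustration, and the sample rows are copied from the output in the first post.

```python
import re

# Sample rows copied from the "show failover" output in the first post.
SAMPLE = """\
        Stateful Obj    xmit       xerr       rcv        rerr
        General         393038746  917459     112532     0
        sys cmd         111285     327768     111284     0
        up time         0          0          0          0
        TCP conn        324641827  0          996        0
        ARP tbl         38939      589691     32         0
        VPN IKE upd     417        0          2          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       16      113154
        Xmit Q:         1024    1024    396290500
"""

# Object name (may contain single spaces), then xmit, xerr, rcv, rerr.
STAT_ROW = re.compile(r"^\s*(\S.*?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# Queue rows carry three counters: Cur, Max, Total.
QUEUE_ROW = re.compile(r"^\s*(Recv|Xmit) Q:\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_failover(text):
    """Return (stats, queues) dictionaries of integer tuples keyed by row name."""
    stats, queues = {}, {}
    for line in text.splitlines():
        q = QUEUE_ROW.match(line)
        if q:
            queues[q.group(1)] = tuple(int(v) for v in q.group(2, 3, 4))
            continue
        s = STAT_ROW.match(line)
        if s:
            stats[s.group(1)] = tuple(int(v) for v in s.group(2, 3, 4, 5))
    return stats, queues

def findings(stats, queues):
    """Flag rows with transmit/receive errors and queues sitting at their max."""
    out = []
    for name, (xmit, xerr, rcv, rerr) in stats.items():
        if xerr or rerr:
            out.append(f"{name}: xerr={xerr} rerr={rerr} (xmit={xmit}, rcv={rcv})")
    for name, (cur, mx, _total) in queues.items():
        if cur and cur == mx:
            out.append(f"{name} Q: current depth {cur} equals recorded max {mx}")
    return out

if __name__ == "__main__":
    for item in findings(*parse_failover(SAMPLE)):
        print(item)
```
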

DC-MUM-FW5550# sh interface gigabitEthernet 1/3
Interface GigabitEthernet1/3 "FAIL-STATE-LINK", is up, line protocol is up
  Hardware is VCS7380 rev01, BW 1000 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Media-type configured as RJ45 connector
        Description: LAN/STATE Failover Interface
        MAC address 001e.7a20.cb42, MTU 1500
      
        16040907 packets input, 2228627800 bytes, 0 no buffer
        Received 1948 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        442828514 packets output, 290694114038 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "FAIL-STATE-LINK":
        16040989 packets input, 1939985514 bytes
        442846592 packets output, 282761227486 bytes
        0 packets dropped
      1 minute input rate 1 pkts/sec,  193 bytes/sec
      1 minute output rate 19 pkts/sec,  23317 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  197 bytes/sec
      5 minute output rate 19 pkts/sec,  23117 bytes/sec
      5 minute drop rate, 0 pkts/sec

Whereas on the Primary I am not able to log in via telnet or SSH; I need to take the console and then troubleshoot.

Regards

Umesh Gurav

Hello,

Can you please try this command on the device that is not letting you use AAA credentials:

test aaa-server authentication

Also, if you have AAA authorization configured, can you disable it and see if that is of any help?

Regards,

NT
