New Member

ASA Failover Active Standby Users

Hello

I have 2 ASA5510-SEC-BUN-K9.

I configured them in H/A Active/Standby. Everything works fine; replication is successful.

The problem is that the users defined on the Active unit work fine, but if I convert the 2nd unit to be active, it works but I cannot use the same users that work fine on the Active (Primary).

So the Secondary unit is functionally fine, but it gives an invalid login (Login Error) on ASDM.

They should be the same and replicated over the replication function.

Any help?

I am using ASA 9.1(3) and ASDM 7.1(4).

9 ACCEPTED SOLUTIONS
VIP Green

ASA Failover Active Standby Users

I might be overlooking it, but you do not have aaa statements defining which database is to be used for authentication.  Add the following command and test, please.

aaa authentication http console LOCAL

--

Please remember to rate and select a correct answer
VIP Green

Re: ASA Failover Active Standby Users

The path is:

Configuration > Device Management > AAA Access

Thank you for the rating

--

Please remember to rate and select a correct answer

VIP Green

Re: ASA Failover Active Standby Users

The redundant interfaces are only locally significant, so having both failover ASAs and redundant interfaces should not be done...if you ask me.  By default the ASA failover will be initiated if one interface fails, so unless you change that setting (which I would not recommend) the redundant interface configuration is not used.

To show which ASA is the Active and Standby you can issue the command show failover state.  The command show failover will show you more.  If you are uncertain which ASA is the Active, then it will be just about impossible to figure out which one is active and which is standby.  You would need to check the LED status on the physical ASA.  If the Active LED is green then this ASA is the Active ASA, if it is amber / orange then it is the standby.  You could also connect to it with a serial cable and issue the show failover state command.

--

Please remember to rate and select a correct answer

VIP Green

Re: ASA Failover Active Standby Users

Ah ok, sorry, my bad.

By default the first redundant interface that appears in the configuration is the active one.  However, you can issue the following command to see which interface is currently the active interface.

show interface redundant1 detail

show interface redundant 1 detail | grep Member

--

Please remember to rate and select a correct answer
VIP Green

Re: ASA Failover Active Standby Users

You don't have the ASA configured for SSH:

crypto key generate rsa modulus 2048

ssh 172.16.2.0 255.255.255.0 PI-DMZ
ssh 172.16.4.0 255.255.255.0 PI-INT
ssh 100.100.100.0 255.255.255.0 MNG
ssh 0.0.0.0 0.0.0.0 PI-DMZ
ssh 0.0.0.0 0.0.0.0 SEC

--

Please remember to rate and select a correct answer

VIP Green

Re: ASA Failover Active Standby Users

Also I noticed this:

  Interface MNG (100.100.100.1): Normal (Not-Monitored)

  Interface EPRIS (0.0.0.0): Unknown (Waiting)

  Interface SYS-INFO (172.16.1.1): Normal (Not-Monitored)

  Interface PI-DMZ (172.16.2.1): Normal (Not-Monitored)

  Interface AF-DMZ (172.16.3.1): Normal (Not-Monitored)

  Interface PI-INT (172.16.4.1): Normal (Not-Monitored)

  Interface SEC (10.78.0.46): Normal (Not-Monitored)

  Interface GEPDH (192.168.201.137): Normal (Not-Monitored)

Your interfaces are not being monitored so if one of these goes down a failover will not happen.

You need to add the following command to the interfaces that you want to be monitored and initiate a failover if they go down.

monitor-interface SYS-INFO

Add this command for each interface you want to monitor just change the interface name at the end of the statement.

--
Please remember to rate and select a correct answer

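The `show failover` output posted in this thread shows every data interface as `Not-Monitored`, with `Monitored Interfaces 1 of 110` and `Interface Policy 1`. By default the ASA monitors physical interfaces but not subinterfaces; in the posted config every data interface is a subinterface of Redundant1, so none of them can trigger a failover, while the parent EPRIS (no IP address) is evidently the single monitored interface and sits in `Unknown (Waiting)`. The script below is an added example and not part of the thread (a hypothetical helper, not a Cisco tool): it parses that output as posted, flags the interfaces whose failure cannot cause a failover, and emits the `monitor-interface` lines the reply above describes. It skips MNG, which the posted config deliberately excludes with `no monitor-interface MNG`; the function names and the `skip` parameter are my own.

```python
"""Audit ASA 'show failover' output for interfaces whose failure cannot trigger
a failover. Hypothetical helper written for this thread, not a Cisco tool."""
import re

# Sample input: the interface section of the 'show failover' output posted in
# this thread (copied from the post; the stateful statistics are omitted).
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 110 maximum
This host: Primary - Active
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
  Interface MNG (100.100.100.1): Normal (Not-Monitored)
  Interface EPRIS (0.0.0.0): Unknown (Waiting)
  Interface SYS-INFO (172.16.1.1): Normal (Not-Monitored)
  Interface PI-DMZ (172.16.2.1): Normal (Not-Monitored)
  Interface AF-DMZ (172.16.3.1): Normal (Not-Monitored)
  Interface PI-INT (172.16.4.1): Normal (Not-Monitored)
  Interface SEC (10.78.0.46): Normal (Not-Monitored)
  Interface GEPDH (192.168.201.137): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary - Standby Ready
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
  Interface MNG (100.100.100.2): Normal (Not-Monitored)
  Interface EPRIS (0.0.0.0): Unknown (Waiting)
  Interface SYS-INFO (172.16.1.2): Normal (Not-Monitored)
  Interface PI-DMZ (172.16.2.2): Normal (Not-Monitored)
  Interface AF-DMZ (172.16.3.2): Normal (Not-Monitored)
  Interface PI-INT (172.16.4.2): Normal (Not-Monitored)
  Interface SEC (10.78.0.47): Normal (Not-Monitored)
  Interface GEPDH (192.168.201.136): Normal (Not-Monitored)
slot 1: empty
"""

HOST_RE = re.compile(r"^(This host|Other host): (\S+) - (.+)$")
IFACE_RE = re.compile(r"^\s+Interface (\S+) \(([\d.]+)\): (\S+) \((.+)\)$")
COUNT_RE = re.compile(r"^Monitored Interfaces (\d+) of \d+ maximum$")
POLICY_RE = re.compile(r"^Interface Policy (\d+)$")


def parse_show_failover(text):
    """Return {'policy': int, 'monitored': int, 'hosts': {label: {...}}}."""
    parsed = {"policy": None, "monitored": None, "hosts": {}}
    host = None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            parsed["policy"] = int(m.group(1))
        elif m := COUNT_RE.match(line):
            parsed["monitored"] = int(m.group(1))
        elif m := HOST_RE.match(line):
            host = m.group(1)
            parsed["hosts"][host] = {"unit": m.group(2), "state": m.group(3),
                                     "interfaces": []}
        elif (m := IFACE_RE.match(line)) and host:
            name, ip, status, monitor = m.groups()
            parsed["hosts"][host]["interfaces"].append(
                {"name": name, "ip": ip, "status": status, "monitor": monitor})
    return parsed


def audit_monitoring(parsed, skip=("MNG",)):
    """Flag, on the active unit, data interfaces whose failure cannot cause a
    failover (Not-Monitored) and monitored ones that never reach Normal.
    Names in `skip` are management-only and intentionally unmonitored."""
    findings = []
    for iface in parsed["hosts"]["This host"]["interfaces"]:
        if iface["name"] in skip:
            continue
        if iface["monitor"] == "Not-Monitored":
            findings.append(("unmonitored", iface["name"]))
        elif iface["status"] != "Normal":
            # EPRIS above: the one monitored interface, but with no IP address
            # it cannot exchange hellos with the peer and stays in Waiting
            findings.append(("not-normal", iface["name"]))
    return findings


def remediation(findings):
    """CLI lines that put every flagged data interface under monitoring."""
    return [f"monitor-interface {n}" for kind, n in findings if kind == "unmonitored"]


if __name__ == "__main__":
    parsed = parse_show_failover(SHOW_FAILOVER)
    found = audit_monitoring(parsed)
    print(f"policy {parsed['policy']}, monitored {parsed['monitored']}: {found}")
    print("\n".join(remediation(found)))
```

Run it against `show failover` from each unit; a fleet check would simply assert an empty findings list. Monitor only interfaces whose loss should cause a failover: once monitored, the interface tests (link state, network activity, ARP, broadcast ping) run on both units, so a VLAN with no other hosts to answer them will not stay Normal, and with `Interface Policy 1` a single failed monitored interface is enough to switch units.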
VIP Green

Re: ASA Failover Active Standby Users

Sorry, I forgot to include:

aaa authentication ssh console LOCAL

Add that and it should work.

--
Please remember to rate and select a correct answer

VIP Green

Re: ASA Failover Active Standby Users

Do you see anything in the logs?

Try flapping the interfaces (shut, no shut).  Shut down the interfaces in question, wait a few seconds, and then bring them back up.  Do the interfaces show as monitored now?

Remove the IP configuration from the interfaces in question and then add them back.  Do the interfaces show as monitored now?

if none of these work, issue the command show failover history and post the output here.

--
Please remember to rate and select a correct answer

VIP Green

Re: ASA Failover Active Standby Users

Sorry I am not sure what we are talking about now.  We were talking about the ASA firewall interface monitor status?

If there is an issue with the connectivity between MS servers and the AD, please post a new question as this post is quite long now.  It is also good to start a new question for this, not so much that it is a new topic but the answer might help someone else in the future and it will be easier for them to find.

--
Please remember to rate and select a correct answer

24 REPLIES
VIP Green

ASA Failover Active Standby Users

Are you 100% sure that the configuration has been replicated to the Standby ASA?

Could you take a screen shot of the error you are receiving and post it here.

Could you post a full sanitized configuration also.

--

Please remember to rate and select a correct answer

New Member

Re: ASA Failover Active Standby Users

Failover On
Failover unit Primary
Failover LAN Interface: Fail Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 110 maximum
failover replication http
Version: Ours 9.1(3), Mate 9.1(3)
Last Failover at: 20:56:38 AST Dec 2 2013
This host: Primary - Active
Active time: 54348 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
  Interface MNG (100.100.100.1): Normal (Not-Monitored)
  Interface EPRIS (0.0.0.0): Unknown (Waiting)
  Interface SYS-INFO (172.16.1.1): Normal (Not-Monitored)
  Interface PI-DMZ (172.16.2.1): Normal (Not-Monitored)
  Interface AF-DMZ (172.16.3.1): Normal (Not-Monitored)
  Interface PI-INT (172.16.4.1): Normal (Not-Monitored)
  Interface SEC (10.78.0.46): Normal (Not-Monitored)
  Interface GEPDH (192.168.201.137): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
  Interface MNG (100.100.100.2): Normal (Not-Monitored)
  Interface EPRIS (0.0.0.0): Unknown (Waiting)
  Interface SYS-INFO (172.16.1.2): Normal (Not-Monitored)
  Interface PI-DMZ (172.16.2.2): Normal (Not-Monitored)
  Interface AF-DMZ (172.16.3.2): Normal (Not-Monitored)
  Interface PI-INT (172.16.4.2): Normal (Not-Monitored)
  Interface SEC (10.78.0.47): Normal (Not-Monitored)
  Interface GEPDH (192.168.201.136): Normal (Not-Monitored)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : State Ethernet0/3 (up)
Stateful Obj      xmit       xerr       rcv        rerr
General           18554      0          735        0
sys cmd           735        0          735        0
up time           0          0          0          0
RPC services      0          0          0          0
TCP conn          7848       0          0          0
UDP conn          2101       0          0          0
ARP tbl           7869       0          0          0
Xlate_Timeout     0          0          0          0
IPv6 ND tbl       0          0          0          0
VPN IKEv1 SA      0          0          0          0
VPN IKEv1 P2      0          0          0          0
VPN IKEv2 SA      0          0          0          0
VPN IKEv2 P2      0          0          0          0
VPN CTCP upd      0          0          0          0
VPN SDI upd       0          0          0          0
VPN DHCP upd      0          0          0          0
SIP Session       0          0          0          0
Route Session     0          0          0          0
User-Identity     1          0          0          0
CTS SGTNAME       0          0          0          0
CTS PAC           0          0          0          0
TrustSec-SXP      0          0          0          0
IPv6 Route        0          0          0          0

Logical Update Queue Information
                  Cur        Max        Total
Recv Q:           0          9          6252
Xmit Q:           0          29         21621

: Saved
:
ASA Version 9.1(3) 
!
hostname C-PP9-EPRISFW
enable password EoUpTSBftt4Y1RlD encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd EoUpTSBftt4Y1RlD encrypted
names
!
interface Ethernet0/0
 speed 1000
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 speed 1000
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description LAN Failover Interface
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 description Local Management Interfaces
 management-only
 nameif MNG
 security-level 100
 ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2 
!
interface Redundant1
 description EPRIS Redundant Interfaces
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif EPRIS
 security-level 0
 no ip address
!
interface Redundant1.1
 description Interface for UPS,Switches
 vlan 901
 nameif SYS-INFO
 security-level 40
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2 
!
interface Redundant1.2
 description PI System Archiving Servers
 vlan 902
 nameif PI-DMZ
 security-level 50
 ip address 172.16.2.1 255.255.255.0 standby 172.16.2.2 
!
interface Redundant1.3
 description PI System Asset Freamwork
 vlan 903
 nameif AF-DMZ
 security-level 45
 ip address 172.16.3.1 255.255.255.0 standby 172.16.3.2 
!
interface Redundant1.4
 description PI System Interfaces 
 vlan 904
 nameif PI-INT
 security-level 85
 ip address 172.16.4.1 255.255.255.0 standby 172.16.4.2 
!
interface Redundant1.9
 description SEC WAN IP Address
 vlan 9
 nameif SEC
 security-level 0
 ip address 10.78.0.46 255.0.0.0 standby 10.78.0.47 
!
interface Redundant1.11
 description GE PDH Historian Network
 vlan 921
 nameif GEPDH
 security-level 99
 ip address 192.168.201.137 255.255.255.0 standby 192.168.201.136 
!
banner exec *****************************************************************************
banner exec WARNING TO UNAUTHORIZED USERS:
banner exec This Production System Do Not Trun Off the Firewalls or Try to Access
banner exec This system is for use by authorized users only. Any individual using this system, by such use,
banner exec acknowledges and consents to the right of the company to monitor, access, use, and disclose any
banner exec information generated, received, or stored on the systems...........
banner exec for any Information or Support Call NAZCO Crop.  +966 138311078 , +966 138332785 , +966138332817 
banner exec *****************************************************************************
banner login *****************************************************************************
banner login WARNING TO UNAUTHORIZED USERS:
banner login This Production System Do Not Trun Off the Firewalls or Try to Access
banner login This system is for use by authorized users only. Any individual using this system, by such use,
banner login acknowledges and consents to the right of the company to monitor, access, use, and disclose any
banner login information generated, received, or stored on the systems...........
banner login for any Information or Support Call NAZCO Crop.  +966 138311078 , +966 138332785 , +966138332817 
banner login *****************************************************************************
banner motd *****************************************************************************
banner motd WARNING TO UNAUTHORIZED USERS:
banner motd This Production System Do Not Trun Off the Firewalls or Try to Access
banner motd This system is for use by authorized users only. Any individual using this system, by such use,
banner motd acknowledges and consents to the right of the company to monitor, access, use, and disclose any
banner motd information generated, received, or stored on the systems...........
banner motd for any Information or Support Call NAZCO Crop.  +966 138311078 , +966 138332785 , +966138332817 
banner motd *****************************************************************************
banner asdm *****************************************************************************
banner asdm WARNING TO UNAUTHORIZED USERS:
banner asdm This Production System Do Not Trun Off the Firewalls or Try to Access
banner asdm This system is for use by authorized users only. Any individual using this system, by such use,
banner asdm acknowledges and consents to the right of the company to monitor, access, use, and disclose any
banner asdm information generated, received, or stored on the systems...........
banner asdm for any Information or Support Call NAZCO Crop.  +966 138311078 , +966 138332785 , +966138332817 
banner asdm *****************************************************************************
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone AST 3
dns domain-lookup SEC
same-security-traffic permit intra-interface
object network PIDMZ100_SEC100
 host 172.16.2.100
 description Primary PI 172.16.2.100 PP9 to SEC 10.78.0.100
object network PIDMZ101_SEC101
 host 172.16.2.101
 description Secondary PI 172.16.2.101 PP9 to SEC 10.78.0.101
object network AFDMZ102_SEC102
 host 172.16.3.102
 description Primary PI AF 172.16.3.102 PP9 to SEC 10.78.0.102
object network AFDMZ103_SEC103
 host 172.16.3.103
 description Secondary PI AF 172.16.3.103 PP9 to SEC 10.78.0.103
object service PI_PORT
 service tcp destination eq 5450 
 description PI communication
object service Remote
 service tcp destination eq 3389 
 description Remote Desktop Port
object service SQL
 service tcp destination eq 1433 
 description SQL Port AF-DMZ
object service SymaDB
 service tcp destination eq 2638 
 description Symantic Embedded database communication
object service SymaRC
 service tcp destination eq 9090 
 description Symantic Browser-based remote console via Apache
object service RawSD
 service tcp destination eq 3002 
 description Raw Serial Data
object service SRConsole
 service tcp destination eq 9300 
 description Shared Remote Console
object service VMedia
 service tcp destination eq 17988 
 description Virtual Media
object service PIAF
 service tcp destination eq 5457 
 description primary port that PI AF SDK uses to communicate with PI AF
object service PIOLEDB
 service tcp destination eq 5459 
 description some client products, such as PI OLEDB Enterprise and PI WebParts to communicate with PI AF server
object network GEPDH32_PIDMZ32
 host 192.168.201.32
 description EPRIS GEPDH 192.168.201.32 Primary Interface to PI
object network GEPDH34_PIDMZ34
 host 192.168.201.34
 description EPRIS GEPDH 192.168.201.34 Secondary Interface to PI
object network GEPDHNTP250_PIDMZ250
 host 192.168.201.250
 description GE LANTIME NTP Server to PI Servers
object network GEUDHNTP250_PIDMZ250
 host 192.168.101.250
 description GE UDH LAN Time Server to PI Server
object network PIDMZ100
 host 172.16.2.100
 description PI Server 1
object network PIDMZ101
 host 172.16.2.101
 description PI Server 2
object network AFDMZ102
 host 172.16.3.102
 description AF Server 1
object network AFDMZ103
 host 172.16.3.103
 description AF Server 2
object network EPRIS_SW1
 host 172.16.1.134
 description EPRIS SW1 to SEC 10.78.225.134
object network EPRIS_SW2
 host 172.16.1.135
 description EPRIS SW 2 to SEC 10.78.225.135
object network PIINT104
 host 172.16.4.104
 description PI Interface 1
object network PIINT105
 host 172.16.4.105
 description PI Interface 2
object network GEHST1_EPRIS119
 host 192.168.201.119
object network GEHST2_EPRIS131
 host 192.168.201.131
object network GEHST3_EPRIS132
 host 192.168.201.132
object network GEPDHNTP250_PIINT250
 host 192.168.201.250
 description GE LANTIME NTP Server to PI Interfaces
object network PIINT104_GEPDH138
 host 172.16.4.104
 description NAT PI Interfaces 1  to GEPDH 192.168.201.138
object network PIINT105_GEPDH141
 host 172.16.4.105
 description NAT PI Interfaces 2 to GEPDH 192.168.201.141
object network AK
 host 172.16.2.79
object network RPPUPS
 host 172.16.4.48
 description RPP-UPS SNMP
object service ldapU
 service udp destination eq 389 
object service ldapUDP
 service tcp destination eq ldap 
object service Kerberos88
 service tcp destination eq 88 
object service OM
 service tcp destination eq 5723 
object service REP
 service tcp destination eq 135 
object service Kerberos88U
 service udp destination eq 88 
object service LDAP_GC
 service tcp destination eq 3268 
object service LDAP_GC_SSL
 service tcp destination eq 3269 
object-group network DM_INLINE_NETWORK_1
 network-object object AFDMZ102
 network-object object AFDMZ103
object-group network DM_INLINE_NETWORK_2
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 service-object object PI_PORT 
object-group network DM_INLINE_NETWORK_3
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service PI
 description OSI Soft PI Ports communication
 service-object object PIAF 
 service-object object PIOLEDB 
 service-object object PI_PORT 
object-group service DM_INLINE_SERVICE_3
 service-object object Remote 
 group-object PI
object-group service DM_INLINE_SERVICE_2
 service-object icmp 
 service-object object PI_PORT 
 service-object object Remote 
object-group network DM_INLINE_NETWORK_4
 network-object object PIINT104_GEPDH138
 network-object object PIINT105_GEPDH141
object-group network DM_INLINE_NETWORK_5
 network-object object GEHST1_EPRIS119
 network-object object GEHST2_EPRIS131
 network-object object GEHST3_EPRIS132
object-group network DM_INLINE_NETWORK_7
 network-object object AFDMZ102
 network-object object AFDMZ103
 network-object 172.16.50.0 255.255.255.0
object-group service DM_INLINE_SERVICE_6
 service-object icmp 
 group-object PI
object-group service DM_INLINE_SERVICE_4
 service-object icmp 
 service-object object Remote 
object-group network DM_INLINE_NETWORK_6
 network-object object PIINT104_GEPDH138
 network-object object PIINT105_GEPDH141
object-group service Domain_AD
 description Directory, Replication, User and Computer Authentication, Group Policy, Trusts
 service-object tcp-udp destination eq 445 
 service-object tcp-udp destination eq kerberos 
 service-object tcp destination eq ldap 
 service-object tcp destination eq ldaps 
 service-object tcp destination eq netbios-ssn 
 service-object udp destination eq netbios-ns 
 service-object tcp-udp destination eq domain 
 service-object tcp destination eq domain 
 service-object udp destination eq domain 
 service-object object ldapU 
 service-object object Kerberos88 
 service-object object OM 
 service-object object REP 
 service-object object Kerberos88U 
 service-object object LDAP_GC 
 service-object object LDAP_GC_SSL 
 service-object tcp-udp destination eq 464 
object-group service Symantec
 description Symantec Update
 service-object tcp destination eq ftp 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object object SymaDB 
 service-object object SymaRC 
object-group service DM_INLINE_SERVICE_10
 service-object icmp 
 service-object object PI_PORT 
object-group network DM_INLINE_NETWORK_9
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
object-group network DM_INLINE_NETWORK_35
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service DM_INLINE_SERVICE_12
 service-object icmp 
 service-object udp destination eq ntp 
object-group service iLO
 description iLO HP Servers Remote Terminal
 service-object object RawSD 
 service-object object SRConsole 
 service-object object VMedia 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 service-object tcp destination eq telnet 
 service-object object Remote 
object-group service NTP
 description Network Time Server
 service-object udp destination eq ntp 
object-group network DM_INLINE_NETWORK_11
 network-object object EPRIS_SW1
 network-object object EPRIS_SW2
object-group network DM_INLINE_NETWORK_13
 network-object object PIDMZ100_SEC100
 network-object object PIDMZ101_SEC101
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
object-group network DM_INLINE_NETWORK_12
 network-object object EPRIS_SW1
 network-object object EPRIS_SW2
object-group network DM_INLINE_NETWORK_15
 network-object object AFDMZ102
 network-object object AFDMZ103
object-group network DM_INLINE_NETWORK_17
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_14
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
object-group network DM_INLINE_NETWORK_18
 network-object object GEHST1_EPRIS119
 network-object object GEHST2_EPRIS131
 network-object object GEHST3_EPRIS132
object-group network DM_INLINE_NETWORK_20
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_21
 network-object object GEPDHNTP250_PIDMZ250
 network-object object GEPDHNTP250_PIINT250
object-group network DM_INLINE_NETWORK_22
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_23
 network-object object PIINT104
 network-object object PIINT105
object-group network DM_INLINE_NETWORK_24
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq telnet
object-group service DM_INLINE_SERVICE_5
 service-object icmp 
 service-object object PI_PORT 
 service-object object Remote 
 service-object tcp destination eq 445 
 service-object tcp destination eq netbios-ssn 
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq telnet
object-group network DM_INLINE_NETWORK_19
 network-object object PIINT104_GEPDH138
 network-object object PIINT105_GEPDH141
object-group network DM_INLINE_NETWORK_16
 network-object object PIINT104
 network-object object PIINT105
object-group network DM_INLINE_NETWORK_25
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service DM_INLINE_SERVICE_8
 service-object icmp 
 service-object object PI_PORT 
object-group service DM_INLINE_SERVICE_9
 service-object icmp 
 service-object udp destination eq ntp 
object-group network DM_INLINE_NETWORK_8
 network-object object PIDMZ100_SEC100
 network-object object PIDMZ101_SEC101
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
object-group network DM_INLINE_NETWORK_27
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
 network-object object PIDMZ100_SEC100
 network-object object PIDMZ101_SEC101
object-group network DM_INLINE_NETWORK_28
 network-object object PIINT104_GEPDH138
 network-object object PIINT105_GEPDH141
object-group network DM_INLINE_NETWORK_29
 network-object object AFDMZ102
 network-object object AFDMZ103
object-group network DM_INLINE_NETWORK_30
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_10
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_26
 network-object object PIINT104
 network-object object PIINT105
object-group network DM_INLINE_NETWORK_32
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group service DM_INLINE_SERVICE_11
 service-object icmp 
 group-object PI
 service-object object Remote 
object-group network DM_INLINE_NETWORK_33
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
object-group network DM_INLINE_NETWORK_34
 network-object object PIDMZ100
 network-object object PIDMZ101
object-group network DM_INLINE_NETWORK_36
 network-object object AFDMZ102
 network-object object AFDMZ103
object-group service DM_INLINE_SERVICE_13
 service-object icmp 
 group-object PI
object-group network DM_INLINE_NETWORK_31
 network-object object AFDMZ102_SEC102
 network-object object AFDMZ103_SEC103
access-list AF_DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 
access-list AF_DMZ_access_in extended permit object Remote object-group DM_INLINE_NETWORK_15 object-group DM_INLINE_NETWORK_17 
access-list AF_DMZ_access_in extended deny ip any any 
access-list PI_DMZ_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_23 
access-list PI_DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_24 object-group DM_INLINE_NETWORK_7 
access-list PI_DMZ_access_in extended permit object PI_PORT object-group DM_INLINE_NETWORK_3 10.78.0.0 255.255.248.0 
access-list PI_DMZ_access_in extended permit object-group NTP object-group DM_INLINE_NETWORK_20 object-group DM_INLINE_NETWORK_21 
access-list PI_DMZ_access_in extended deny ip any any 
access-list SEC_access_in extended permit ip 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_8 
access-list SEC_access_in extended permit object-group DM_INLINE_SERVICE_3 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_13 
access-list SEC_access_in extended permit tcp 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_9 eq www 
access-list SEC_access_in extended permit icmp 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_27 
access-list SEC_access_in extended permit object-group Domain_AD 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_31 
access-list PI-INT_access_in extended permit object-group DM_INLINE_SERVICE_10 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_5 
access-list PI-INT_access_in extended permit object PI_PORT object-group DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_25 
access-list PI-INT_access_in extended permit object-group DM_INLINE_SERVICE_12 object-group DM_INLINE_NETWORK_6 object GEPDHNTP250_PIINT250 
access-list SYS_INFO_access_in extended permit tcp object-group DM_INLINE_NETWORK_11 10.78.0.0 255.255.248.0 object-group DM_INLINE_TCP_1 
access-list SYS_INFO_access_in extended deny ip any any 
access-list GEPDH_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_18 object-group DM_INLINE_NETWORK_19 
access-list GEPDH_access_in extended permit object-group DM_INLINE_SERVICE_9 object GEPDHNTP250_PIINT250 object-group DM_INLINE_NETWORK_28 
access-list GEPDH_access_in extended permit udp object GEPDHNTP250_PIDMZ250 object-group DM_INLINE_NETWORK_35 eq ntp 
access-list PI-DMZ_access_in extended permit object-group DM_INLINE_SERVICE_11 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_NETWORK_26 
access-list PI-DMZ_access_in extended permit object-group DM_INLINE_SERVICE_13 object-group DM_INLINE_NETWORK_34 object-group DM_INLINE_NETWORK_36 
access-list PI-DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_32 10.0.0.0 255.0.0.0 
access-list SYS-INFO_access_in extended deny ip any any 
access-list AF-DMZ_access_in extended permit object-group DM_INLINE_SERVICE_6 object-group DM_INLINE_NETWORK_29 object-group DM_INLINE_NETWORK_30 
access-list AF-DMZ_access_in extended permit ip object-group DM_INLINE_NETWORK_33 10.0.0.0 255.0.0.0 
access-list AF-DMZ_access_in extended permit object-group Domain_AD object-group DM_INLINE_NETWORK_14 10.0.0.0 255.0.0.0 
pager lines 24
logging enable
logging timestamp
logging standby
logging asdm-buffer-size 512
logging asdm informational
mtu MNG 1500
mtu EPRIS 1500
mtu SYS-INFO 1500
mtu PI-DMZ 1500
mtu AF-DMZ 1500
mtu PI-INT 1500
mtu SEC 1500
mtu GEPDH 1500
failover
failover lan unit primary
failover lan interface Fail Ethernet0/2
failover key *****
failover replication http
failover link State Ethernet0/3
failover interface ip Fail 30.30.30.1 255.255.255.252 standby 30.30.30.2
failover interface ip State 40.40.40.1 255.255.255.252 standby 40.40.40.2
no monitor-interface MNG
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network PIDMZ100_SEC100
 nat (PI-DMZ,SEC) static 10.78.0.100
object network PIDMZ101_SEC101
 nat (PI-DMZ,SEC) static 10.78.0.101
object network AFDMZ102_SEC102
 nat (AF-DMZ,SEC) static 10.78.0.102
object network AFDMZ103_SEC103
 nat (AF-DMZ,SEC) static 10.78.0.103
object network GEPDHNTP250_PIDMZ250
 nat (GEPDH,PI-DMZ) static 172.16.2.250
object network GEHST1_EPRIS119
 nat (GEPDH,PI-INT) static 172.16.4.119
object network GEHST2_EPRIS131
 nat (GEPDH,PI-INT) static 172.16.4.131
object network GEHST3_EPRIS132
 nat (GEPDH,PI-INT) static 172.16.4.132
object network GEPDHNTP250_PIINT250
 nat (GEPDH,PI-INT) static 172.16.4.250
object network PIINT104_GEPDH138
 nat (PI-INT,GEPDH) static 192.168.201.138
object network PIINT105_GEPDH141
 nat (PI-INT,GEPDH) static 192.168.201.141
access-group SYS-INFO_access_in in interface SYS-INFO
access-group PI-DMZ_access_in in interface PI-DMZ
access-group AF-DMZ_access_in in interface AF-DMZ
access-group PI-INT_access_in in interface PI-INT
access-group SEC_access_in in interface SEC
access-group GEPDH_access_in in interface GEPDH
route SEC 0.0.0.0 0.0.0.0 10.78.0.40 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.16.2.0 255.255.255.0 PI-DMZ
http 172.16.4.0 255.255.255.0 PI-INT
http 100.100.100.0 255.255.255.0 MNG
http 0.0.0.0 0.0.0.0 PI-DMZ
http 0.0.0.0 0.0.0.0 SEC
snmp-server host PI-DMZ 172.16.2.100 community *****
snmp-server location SEC Rabigh Power Plant
snmp-server contact NAZCO Corp. +966541308105
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.0.0.0 255.0.0.0 SEC
telnet 0.0.0.0 0.0.0.0 SEC
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 2
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.201.250 source GEPDH prefer
username admin password hOo2ZNjnaK6h3EGM encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname priority state 
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:f8345826fedf2e45de6ad1d7300a1c97
: end
asdm image disk0:/asdm-714.bin
no asdm history enable

Message was edited by: Ahmad Khalifa

VIP Green

ASA Failover Active Standby Users

I might be overlooking it, but you have no aaa statements defining what database is to be used for authentication.  Add the following command and test please.

aaa authentication http console LOCAL

--

Please remember to rate and select a correct answer

New Member

Re: ASA Failover Active Standby Users

thank you

What I did is issue the command and reload the 2nd unit

and it uses the same user that is used on the P unit

thank you for that

If I want to know where this command takes effect in ASDM, can you tell me?

VIP Green

Re: ASA Failover Active Standby Users

the path is:

Configuration > Device Management > AAA Access

Thank you for the rating

--

Please remember to rate and select a correct answer

New Member

Re: ASA Failover Active Standby Users

I have an ASA5510

I configured redundant interfaces

Is there a way to know which one is active and the other one is standby?

Sorry for asking a lot.

Telnet is enabled on the SEC interface; when I try to use it I get "connection time out". You can review the configuration in the previous scenario.

Message was edited by: Ahmad Khalifa

VIP Green

Re: ASA Failover Active Standby Users

The redundant interfaces are only locally significant so having both failover ASAs and redundant interfaces should not be done...if you ask me.  By default the ASA failover will be initiated if one interface fails, so unless you change that setting (which I would not recommend) the redundant interface configuration is not used.

To show which ASA is the Active and Standby you can issue the command show failover state.  The command show failover will show you more.  If you are uncertain which ASA is the Active, then it will be just about impossible to figure out which one is active and which is standby.  You would need to check the LED status on the physical ASA.  If the Active LED is green then this ASA is the Active ASA, if it is amber / orange then it is the standby.  You could also connect to it with a serial cable and issue the show failover state command.

--

Please remember to rate and select a correct answer

New Member

Re: ASA Failover Active Standby Users

Yes my friend, I know that.

What I am talking about is the redundant interfaces per unit, not the failover itself.

VIP Green

Re: ASA Failover Active Standby Users

ah ok, sorry my bad.

By default the first redundant interface that appears in the configuration is the active one.  However, you can issue the following command to see which interface is currently the active interface.

show interface redundant1 detail

show interface redundant 1 detail | grep Member

--

Please remember to rate and select a correct answer

New Member

Re: ASA Failover Active Standby Users

What about the Telnet?

Telnet is enabled on the SEC 10.78.0.0 interface; when I try to use it I get "connection time out". You can review the configuration in the previous scenario.

VIP Green

Re: ASA Failover Active Standby Users

Telnet is not supported on the interface that is configured with the lowest security level on an ASA.

interface Redundant1.9
 description SEC WAN IP Address
 vlan 9
 nameif SEC
 security-level 0
 ip address 10.78.0.46 255.0.0.0 standby 10.78.0.47 

You would need to change the security level on the interface or switch to using SSH.  It is not recommended to use Telnet as it is a security risk as it sends traffic unencrypted.

--

Please remember to rate and select a correct answer

New Member

Re: ASA Failover Active Standby Users

SSH also doesn't work??

Any ideas?

VIP Green

Re: ASA Failover Active Standby Users

You don't have the ASA configured for SSH:

crypto key generate rsa modulus 2048

ssh 172.16.2.0 255.255.255.0 PI-DMZ
ssh 172.16.4.0 255.255.255.0 PI-INT
ssh 100.100.100.0 255.255.255.0 MNG
ssh 0.0.0.0 0.0.0.0 PI-DMZ
ssh 0.0.0.0 0.0.0.0 SEC

--

Please remember to rate and select a correct answer

VIP Green

Re: ASA Failover Active Standby Users

Also I noticed this:

  Interface MNG (100.100.100.1): Normal (Not-Monitored)
  Interface EPRIS (0.0.0.0): Unknown (Waiting)
  Interface SYS-INFO (172.16.1.1): Normal (Not-Monitored)
  Interface PI-DMZ (172.16.2.1): Normal (Not-Monitored)
  Interface AF-DMZ (172.16.3.1): Normal (Not-Monitored)
  Interface PI-INT (172.16.4.1): Normal (Not-Monitored)
  Interface SEC (10.78.0.46): Normal (Not-Monitored)
  Interface GEPDH (192.168.201.137): Normal (Not-Monitored)

Your interfaces are not being monitored so if one of these goes down a failover will not happen.

You need to add the following command to the interfaces that you want to be monitored and initiate a failover if they go down.

monitor-interface SYS-INFO

Add this command for each interface you want to monitor just change the interface name at the end of the statement.

--
Please remember to rate and select a correct answer

New Member

Re: ASA Failover Active Standby Users

thank you

I was busy trying to figure out the reason for that. After I monitored all the important interfaces I see that it keeps using the 2nd unit.

I turned off the secondary unit, which used to be active, to understand where the failure is.

I am using the primary unit now; it gives me the status as:

Failover On
Failover unit Primary
Failover LAN Interface: Fail Ethernet0/2 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 110 maximum
failover replication http
Version: Ours 9.1(3), Mate 9.1(3)
Last Failover at: 15:30:37 AST Dec 3 2013
This host: Primary - Active
Active time: 683 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
  Interface MNG (100.100.100.1): Normal (Not-Monitored)
  Interface EPRIS (0.0.0.0): Normal (Not-Monitored)
  Interface SYS-INFO (172.16.1.1): Normal (Waiting)
  Interface PI-DMZ (172.16.2.1): Normal (Waiting)
  Interface AF-DMZ (172.16.3.1): Failed (Waiting)
  Interface PI-INT (172.16.4.1): Failed (Waiting)
  Interface SEC (10.78.0.46): Normal (Waiting)
  Interface GEPDH (192.168.201.137): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
Active time: 1815 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Unknown/Unknown)
  Interface MNG (100.100.100.2): Unknown (Not-Monitored)
  Interface EPRIS (0.0.0.0): Unknown (Not-Monitored)
  Interface SYS-INFO (172.16.1.2): Unknown (Waiting)
  Interface PI-DMZ (172.16.2.2): Unknown (Waiting)
  Interface AF-DMZ (172.16.3.2): Unknown (Waiting)
  Interface PI-INT (172.16.4.2): Unknown (Waiting)
  Interface SEC (10.78.0.47): Unknown (Monitored)
  Interface GEPDH (192.168.201.136): Unknown (Monitored)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : State Ethernet0/3 (down)
Stateful Obj      xmit       xerr       rcv        rerr
General           17654      0          17148      0
sys cmd           870        0          870        0
up time           0          0          0          0
RPC services      0          0          0          0
TCP conn          4530       0          3774       0
UDP conn          2222       0          1757       0
ARP tbl           10030      0          10746      0
Xlate_Timeout     0          0          0          0
IPv6 ND tbl       0          0          0          0
VPN IKEv1 SA      0          0          0          0
VPN IKEv1 P2      0          0          0          0
VPN IKEv2 SA      0          0          0          0
VPN IKEv2 P2      0          0          0          0
VPN CTCP upd      0          0          0          0
VPN SDI upd       0          0          0          0
VPN DHCP upd      0          0          0          0
SIP Session       0          0          0          0
Route Session     0          0          0          0
User-Identity     2          0          1          0
CTS SGTNAME       0          0          0          0
CTS PAC           0          0          0          0
TrustSec-SXP      0          0          0          0
IPv6 Route        0          0          0          0

Logical Update Queue Information
                  Cur        Max        Total
Recv Q:           0          9          25460
Xmit Q:           0          30         19502

But I am still pinging all the servers on the failed interfaces. Do you know why?

VIP Green

Re: ASA Failover Active Standby Users

I am not 100% sure, but it could be that reachability between the Active and Standby on those "failed" interfaces has gone down.  Check to see if there is connectivity between the Active and Standby on those interfaces and make sure there is nothing in the switching path that could be causing the issue.

--
Please remember to rate and select a correct answer

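To read the monitor status out of `show failover` output without eyeballing it, an added example (not from this thread or Cisco): a Python parser run over a constructed sample modelled on the output posted above. It flags Not-Monitored interfaces (their loss cannot trigger a failover, as the monitor-interface reply explains) and monitored interfaces in Failed state (reachability to the mate on that segment, as this reply explains). The `required` parameter and the finding wording are this example's own.

```python
import re

# Constructed sample modelled on the 'show failover' output posted in this thread.
SAMPLE = """\
This host: Primary - Active
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
  Interface MNG (100.100.100.1): Normal (Not-Monitored)
  Interface SYS-INFO (172.16.1.1): Normal (Waiting)
  Interface AF-DMZ (172.16.3.1): Failed (Waiting)
  Interface PI-INT (172.16.4.1): Failed (Waiting)
  Interface SEC (10.78.0.46): Normal (Waiting)
Other host: Secondary - Failed
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Unknown/Unknown)
  Interface MNG (100.100.100.2): Unknown (Not-Monitored)
  Interface AF-DMZ (172.16.3.2): Unknown (Waiting)
  Interface SEC (10.78.0.47): Unknown (Monitored)
"""
HOST = re.compile(r"^(This|Other) host: (\S+) - (\S+)")
IFACE = re.compile(r"^\s+Interface (\S+) \((\S+)\): (\S+) \((\S+)\)")

def parse_failover(text):
    """Return {'this'|'other': {'role': ..., 'interfaces': {name: (ip, state, monitor)}}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        h = HOST.match(line)
        if h:
            cur = h.group(1).lower()
            hosts[cur] = {"role": f"{h.group(2)} - {h.group(3)}", "interfaces": {}}
            continue
        m = IFACE.match(line)
        if m and cur:
            hosts[cur]["interfaces"][m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return hosts

def assess(text, required=()):
    """Findings for this unit: interfaces whose loss cannot trigger failover (Not-Monitored),
    monitored interfaces in Failed state (hellos not reaching the mate on that segment),
    and any interface in `required` (hypothetical parameter) missing from the output."""
    ifaces = parse_failover(text)["this"]["interfaces"]
    findings = []
    for name, (ip, state, monitor) in ifaces.items():
        if monitor == "Not-Monitored":
            findings.append((name, f"not monitored: add 'monitor-interface {name}'"))
        elif state == "Failed":
            findings.append((name, f"failed: check the L2 path between active and standby for {ip}"))
    for name in required:
        if name not in ifaces:
            findings.append((name, "missing from show failover output"))
    return findings
```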
New Member

Re: ASA Failover Active Standby Users

I turned it on now, but same result for the SSH.

VIP Green

Re: ASA Failover Active Standby Users

sorry I forgot to include:

aaa authentication ssh console LOCAL

add that and it should work

--
Please remember to rate and select a correct answer

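Pulling the management-access fixes from this thread together (the `aaa authentication http console LOCAL` and `aaa authentication ssh console LOCAL` replies, the missing `ssh <net> <mask> <if>` lines, and telnet on the security-level 0 SEC interface) into one check, as an added example that is not from this thread or Cisco: a Python audit run over a constructed excerpt of the posted config. The finding codes, the excerpt, and the suggestion to move the key exchange off `dh-group1-sha1` are this example's own.

```python
import re

# Constructed excerpt modelled on the config posted earlier in this thread (not the full config).
POSTED = """\
interface Redundant1.9
 nameif SEC
 security-level 0
 ip address 10.78.0.46 255.0.0.0 standby 10.78.0.47
http server enable
http 0.0.0.0 0.0.0.0 SEC
telnet 0.0.0.0 0.0.0.0 SEC
ssh key-exchange group dh-group1-sha1
"""
# Management-access lines: 'ssh|telnet <net> <mask> <nameif>' (not 'ssh timeout', 'ssh key-exchange').
ACCESS = re.compile(r"^(ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def security_levels(cfg):
    """Map nameif -> security-level by walking the indented interface stanzas."""
    levels, name, level = {}, None, None
    for line in cfg.splitlines() + ["end"]:      # sentinel flushes the last stanza
        if not line.startswith(" "):            # any top-level line closes a stanza
            if name is not None:
                levels[name] = level
            name, level = None, None
            continue
        key, _, val = line.strip().partition(" ")
        if key == "nameif":
            name = val
        elif key == "security-level":
            level = int(val)
    return levels

def audit(cfg):
    """Return (code, message) findings for the management-access issues raised in this thread."""
    lines, levels, out = cfg.splitlines(), security_levels(cfg), []
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    access = [m.groups() for m in map(ACCESS.match, lines) if m]
    if has("http server enable") and not has("aaa authentication http console"):
        out.append(("HTTP_NO_AAA", "ASDM enabled without 'aaa authentication http console': local users are not consulted"))
    if not any(proto == "ssh" for proto, *_ in access):
        out.append(("SSH_NO_ACCESS", "no 'ssh <net> <mask> <if>' line: SSH management is not permitted from anywhere"))
    elif not has("aaa authentication ssh console"):
        out.append(("SSH_NO_AAA", "SSH permitted but no 'aaa authentication ssh console': logins will fail"))
    for proto, net, mask, ifname in access:
        if proto == "telnet" and levels.get(ifname) == 0:
            out.append(("TELNET_LOWEST_SEC", f"telnet on {ifname} (security-level 0) is not supported by the ASA; use SSH"))
    if has("ssh key-exchange group dh-group1-sha1"):
        out.append(("WEAK_KEX", "1024-bit DH group 1 key exchange; prefer 'ssh key-exchange group dh-group14-sha1'"))
    return out
```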
New Member

Re: ASA Failover Active Standby Users

Man, this is something serious. I don't know why this is happening; the IPs on those ranges are reachable.

VIP Green

Re: ASA Failover Active Standby Users

Do you see anything in the logs?

Try flapping the interfaces (shut, no shut).  Shut down the interfaces in question, wait a few seconds, and then bring them back up.  Do the interfaces show as monitored now?

Remove the IP configuration from the interfaces in question and then add them back. Do the interfaces show as monitored now?

If none of these work, issue the command show failover history and post the output here.

--
Please remember to rate and select a correct answer

New Member

Re: ASA Failover Active Standby Users

Yes, I did ping from the firewall itself and restarted the switches, and they came back to normal.

Is there a range of ports for the MS AD, like 49155-49156? Do you know about that?

Because I took what is listed on Microsoft Support and it doesn't work for replication between the servers and the AD.

VIP Green

Re: ASA Failover Active Standby Users

Sorry I am not sure what we are talking about now.  We were talking about the ASA firewall interface monitor status?

If there is an issue with the connectivity between MS servers and the AD, please post a new question as this post is quite long now.  It is also good to start a new question for this, not so much that it is a new topic but the answer might help someone else in the future and it will be easier for them to find.

--
Please remember to rate and select a correct answer

New Member

Re: ASA Failover Active Standby Users

You helped me a lot today, I am so grateful to you.

Last thing please:

Where is this in ASDM?

crypto key generate rsa modulus 2048

VIP Green

Re: ASA Failover Active Standby Users

I am not 100% sure where it is located in the ASDM, as I have never configured the RSA keys using the ASDM.  And I currently don't have an ASA to browse around to find it.  But I would imagine it is located in Configuration > Remote Access VPN > Certificate Management, or somewhere in that area.  Maybe in the Advanced section.

--
Please remember to rate and select a correct answer
