Cisco Support Community
New Member

ASA/PIX failover trouble with xlate

Hi people,

I configured two ASA 5540s in active/standby. The trouble is that when the secondary ASA goes active, the xlate tables start being created and it gives me problems. Is there some way for both ASAs to have the same xlate?

thanks

Alex

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA/PIX failover trouble with xlate

Alex, look at the couple of links below.

You already have LAN failover:

failover
failover lan unit primary
failover lan interface failover Ethernet9
failover lan enable
failover key *****
failover interface ip failover 192.168.40.1 255.255.255.192 standby 192.168.40.2

For stateful you will need a dedicated interface, or share the LAN failover interface with stateful failover, or you may use a subinterface for the stateful failover implementation.

failover link state
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

See the Stateful failover section; as Jon indicated, you will need (failover link) in order to enable stateful failover and pass per-connection state to the standby unit.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef

Go over some good guidelines:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/ef.html#wp1928149

 

 

Regards
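The gap the accepted answer points out, as an added example that is not part of the original thread or any Cisco tool: a small Python check that reads failover lines from a saved running-config and reports whether a stateful link is defined. The function name `audit_failover` and the result keys are hypothetical; the two sample configs are constructed from the lines posted in this thread.

```python
import re

# Constructed sample inputs, copied from the configs posted in this thread.
LAN_ONLY = """\
failover
failover lan unit primary
failover lan interface failover Ethernet9
failover lan enable
failover key *****
failover interface ip failover 192.168.40.1 255.255.255.192 standby 192.168.40.2
"""

STATEFUL = LAN_ONLY + """\
failover link state
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
"""

def audit_failover(config: str) -> dict:
    """Report whether a config enables failover and defines a stateful link."""
    # Collapse runs of spaces so 'failover replication  http' still matches.
    lines = [" ".join(ln.split()) for ln in config.splitlines() if ln.strip()]
    enabled = "failover" in lines
    lan_if = link_if = None
    ips = {}  # failover interface name -> (active IP, standby IP)
    for ln in lines:
        if m := re.fullmatch(r"failover lan interface (\S+)(?: \S+)?", ln):
            lan_if = m.group(1)
        elif m := re.fullmatch(r"failover link (\S+)(?: \S+)?", ln):
            link_if = m.group(1)
        elif m := re.fullmatch(r"failover interface ip (\S+) (\S+) \S+ standby (\S+)", ln):
            ips[m.group(1)] = (m.group(2), m.group(3))
    findings = []
    if not enabled:
        findings.append("failover is not enabled")
    if link_if is None:
        findings.append("no 'failover link': xlate/connection state is not replicated")
    elif link_if != lan_if and link_if not in ips:
        findings.append(f"state link '{link_if}' has no 'failover interface ip'")
    return {
        "stateful": enabled and link_if is not None,
        "shared_link": link_if is not None and link_if == lan_if,
        "http_replication": "failover replication http" in lines,  # reported only
        "findings": findings,
    }
```

Running it against the configuration saved from each unit before a planned switchover shows whether the standby will come up with the xlate table already populated.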

4 REPLIES
Hall of Fame Super Blue

Re: ASA/PIX failover trouble with xlate

Alex

The xlate table should be replicated with stateful failover. Are you sure you have configured stateful failover and not just failover?

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

Jon

New Member

Re: ASA/PIX failover trouble with xlate

Thank you, Jon.

The problem is that I have a database server; when failover is turned on, connections are rejected by the firewall, which begins to assemble the xlate table. Thank you very much for your help. I hope to solve the problem.

The failover config is this:

failover
failover lan unit primary
failover lan interface failover Ethernet9
failover lan enable
failover key *****
failover interface ip failover 192.168.40.1 255.255.255.192 standby 192.168.40.2

-------

and

your recommendation to suggest is

failover replication  http

thanks

New Member

Re: ASA/PIX failover trouble with xlate

Hello,

Have you added the virtual MAC addresses (active and standby MAC address) to the interfaces in the failover config?

Regards,

Marcel
