
ASA/PIX failover trouble with xlate

amartinezr
Level 1

Hi people,

I configured two ASA 5540s in active/standby. The trouble is that when the secondary ASA goes active, the xlate tables start to be created and it gives me problems. Is there some way for both ASAs to have the same xlate?

thanks

Alex

Accepted Solutions

Alex, look at a couple of links below.

You already have LAN failover:

failover
failover lan unit primary
failover lan interface failover Ethernet9
failover lan enable
failover key *****
failover interface ip failover 192.168.40.1 255.255.255.192 standby 192.168.40.2

For stateful you will need a dedicated interface, or share the LAN failover interface with stateful failover, or you may use a subinterface for the stateful failover implementation.

failover link state
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

See the Stateful failover section; as Jon indicated, you will need (failover link) in order to enable stateful failover and pass per-connection state to the standby unit.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef

Go over some good guidelines:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/ef.html#wp1928149

Regards

Jorge Rodriguez


4 Replies

Jon Marshall
Hall of Fame

Alex

The xlate table should be replicated with stateful failover. Are you sure you have configured stateful failover and not just failover?

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

Jon

Thank you, Jon.

The problem is that I have a database server; when failover is turned on, connections are rejected by the firewall and it begins to assemble the xlate table. Thank you very much for your help; I hope to solve the problem.

The failover config is this:

failover
failover lan unit primary
failover lan interface failover Ethernet9
failover lan enable
failover key *****
failover interface ip failover 192.168.40.1 255.255.255.192 standby 192.168.40.2

-------

and

the recommendation you suggest is

failover replication http

thanks

Hello,

Have you added the virtual MAC addresses (active and standby MAC address) to the interfaces in the failover config?

Regards,

Marcel
