Cisco Support Community

ASA problem

I want to configure an active/active failover using an ASA 5520 with the IPS SSM module in it.

Before describing what I have tried: I will be connecting the interfaces of these firewalls to a 3548 switch.

What I have tried:

asa1---g/0 goes to a 3548A switch

asa1---g0/3 is the stateful and failover link

asa1- g0/1 is connected to 3548B

asa1---g0/2 connected to 3548C

asa2--g/0 goes to 3548 switch

asa2- g0/3 is the stateful and failover link

asa2--g0/1 is connected to 3548B

asa2---g0/2 connected to 3548C

Create 2 contexts, OL and UA.

The configuration is as such:

asa1---

failover

failover lan unit primary

failover lan interface LAN-fo GigabitEthernet0/3

failover polltime unit 1 holdtime 5

failover link LAN-fo GigabitEthernet0/3

failover interface ip LAN-fo 172.16.1.117 255.255.255.252 standby 172.16.1.118

failover group 1

preempt

failover group 2

secondary

preempt

context OL

description Virtual Firewall For ONLINE APPS

allocate-interface GigabitEthernet0/0

allocate-interface GigabitEthernet0/1

allocate-interface Management0/0

config-url disk0:/ol.cfg

join-failover-group 2

!

context UA

description Virtual Firewall For UAT

allocate-interface GigabitEthernet0/0

allocate-interface GigabitEthernet0/2

allocate-interface Management0/0

config-url disk0:/ua.cfg

join-failover-group 1

asa2---

failover

failover lan unit secondary

failover lan interface LAN-fo GigabitEthernet0/3

failover polltime unit 1 holdtime 5

failover link LAN-fo GigabitEthernet0/3

failover interface ip LAN-fo 172.16.1.117 255.255.255.252 standby 172.16.1.118

failover group 1

preempt

failover group 2

secondary

preempt

As you can see, g0/0 is shared and connected to the 3548 A switch. I must see 4 MAC addresses on the switch for the interfaces they connect.

so asa1 --g0/0---3458 port4------3458 port 6-----g0/0----asa2

The IP address on g0/0 of asa1 is

for context OL

ip address 192.168.18.135 255.255.255.0 standby 192.168.18.136

for UA

ip address 192.168.17.135 255.255.255.0 standby 192.168.17.136

The default gateways are 192.168.18.1.

Now, from the primary firewall, going to context UA, I can ping the gateway 192.168.18.1, but when I go to OL, I can't ping 192.168.18.1.

The 3548A switch maintains 4 MACs, but sometimes it loses the MAC.

I can't understand why I can't ping its default gateway from context OL.

The problem doesn't occur with interfaces g0/1 and g0/2 because they are not shared, but I guess it's the way it's configured.

Anybody?
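
An added example, not part of the original post: a small Python audit of the context stanzas posted above that lists every interface allocated to more than one context, together with the failover group of each context using it. The function names are hypothetical, and the sample input is the OL/UA configuration from the post with whitespace normalized.

```python
import re
from collections import defaultdict

# Context stanzas from the post above (asa1 system config), whitespace normalized.
SAMPLE_CONFIG = """\
context OL
 description Virtual Firewall For ONLINE APPS
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 allocate-interface Management0/0
 config-url disk0:/ol.cfg
 join-failover-group 2
!
context UA
 description Virtual Firewall For UAT
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 allocate-interface Management0/0
 config-url disk0:/ua.cfg
 join-failover-group 1
"""

def parse_contexts(config):
    """Return {context: {"interfaces": [...], "group": int}} from the system config."""
    contexts, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"context\s+(\S+)$", line):
            # A context with no join-failover-group line stays in group 1 (ASA default).
            current = contexts.setdefault(m.group(1), {"interfaces": [], "group": 1})
        elif current is None or not line or line == "!":
            continue
        elif m := re.match(r"allocate-interface\s+(\S+)", line):
            current["interfaces"].append(m.group(1))
        elif m := re.match(r"join-failover-group\s+(\d+)$", line):
            current["group"] = int(m.group(1))
    return contexts

def shared_interfaces(contexts):
    """Map each interface allocated to 2+ contexts to [(context, failover group), ...]."""
    users = defaultdict(list)
    for name, ctx in contexts.items():
        for ifc in ctx["interfaces"]:
            users[ifc].append((name, ctx["group"]))
    return {ifc: u for ifc, u in users.items() if len(u) > 1}

if __name__ == "__main__":
    for ifc, users in shared_interfaces(parse_contexts(SAMPLE_CONFIG)).items():
        print(f"{ifc}: shared by (context, failover group) {users}")
```

On the posted configuration this reports both GigabitEthernet0/0 and Management0/0 as shared between OL (failover group 2) and UA (failover group 1).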

1 REPLY

Re: ASA problem

Try this:

To bootstrap the secondary unit in an Active/Active failover configuration, perform the following steps:

--------------------------------------------------------------------------------

Step 1 (PIX security appliance platform only) Enable LAN-based failover.

hostname(config)# failover lan enable

Step 2 Define the failover interface. Use the same settings as you used for the primary unit.

a. Specify the interface to be used as the failover interface.

hostname(config)# failover lan interface if_name phy_if
