Cisco Support Community

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

Hi Prashanth,

Can we use the same failover interface for both LAN and stateful failover?

New Member

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

Hello Karthik,

Yes, we can use the same physical interface for both the failover LAN and state links; it should not be a problem. However, this has to be planned well. For example, if you have 8 interfaces (6 Gig + 2 FA) and you make the FA interface the failover + state link, I would say it's a bad design and you are in for frequent failovers.

--- Always make sure that your failover + state interfaces have capacity equal to your highest-capacity interfaces, especially when you have HTTP replication enabled; I would suggest that you try to have separate fail and state links configured.

--- Also, I would advise not to use the onboard GE interfaces, as they are not as powerful as the module interfaces, meaning they are not multi-threaded and only one core is used to pull data off those interfaces.

--- If you have a 5580 or higher, make sure to use the command show io-bridge to check that the distribution between the 2 IO slots is equal.

What I've mentioned above is from my experience of what I see working best, but also consider what is mentioned in the ASA Configuration Guide about the same:

Failover Interface Speed for Stateful Links

If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.

Use the following failover interface speed guidelines for the adaptive security appliances:

Cisco ASA 5510

Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

Cisco ASA 5520/5540/5550

Stateful link speed should match the fastest data link.

Cisco ASA 5580/5585

Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for stateful failover.

For optimum performance when using long distance LAN failover, the latency for the failover link should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10 milliseconds, some performance degradation occurs due to retransmission of failover messages.

All platforms support sharing of failover heartbeat and stateful link, but we recommend using a separate heartbeat link on systems with high Stateful Failover traffic.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077536

Hope that helps.

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

Thanks Prashanth. This clarifies things for me and gave me a good idea of the failover interface settings and a few more options on the performance of failover and its dependencies. Valuable info.

New Member

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

Hello Prashant,

Thanks for being kind and answering me.

The 1st query was regarding the FWSM and not the ASA; in the ASA I have no doubts about the security level.

--- You have mentioned that you have vlan 2 on your FWSM, which means you have enabled vlan 2 in your firewall vlan group in the switch configuration.

YES

--- However, the ping is not working, so make sure the switch vlan 2 IP address is in the same subnet as the firewall vlan 2 IP address which was configured.

YES

--- show arp should give you the ARP entry for the firewall interface on the switch, and vice versa on the firewall as well; if you don't see the ARP entry, try to remove vlan 2 from the firewall vlan group and re-enable it.

I will check and update you.

--- In the firewall, make sure that you have permit icmp interface any so that ICMP pings are not dropped, including the return ICMP pings.

It is done already.

--- Check the syslogs on the firewall to see what is going on.

Nothing seen for this issue.

I have 1 more query: without an ICMP permit any MGMT command it doesn't allow me to telnet to the MGMT interface!! WHY???

New Member

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

Hello Clark,

The 1st query was regarding the FWSM and not the ASA; in the ASA I have no doubts about the security level.

My response holds true for both FWSM and ASA in answer to your first question on the security levels; I just edited my previous post to accommodate FWSM as well in my response.

--- Check the syslogs on the firewall to see what is going on.

Nothing seen for this issue.

There should be something in the syslogs. I am sure there should be an event logged, or turn your logging up to Notifications if it's set to a lower level.

I have 1 more query: without an ICMP permit any MGMT command it doesn't allow me to telnet to the MGMT interface!! WHY???

I don't really think it has any relevance to telnetting to the ASA firewall; in fact you do not need any access-list permitting access at all, you just need to configure management access as shown below:

ssh source_IP_address mask source_interface

telnet source_IP_address mask source_interface

My advice to you is to always enable logging when you are confused about a particular aspect or functionality in the firewall, at least to notifications level, as this is what gives us an understanding of how the firewall thinks for itself when looking at a particular packet. This is the way it talks to you.

Hope that answers your questions.

New Member

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

Hello,

We are trying to design a sandwich ASA in context mode.

We have a couple of ASA 5505s with licences for contexts and failover.

We are thinking of Active-Passive and two contexts:

internet --- ASA1 and ASA2 in failover, context 1 ---- DMZ --- ASA1 and ASA2 in failover with NAT, context 2 ---- LAN.

With 3 physical interfaces, is it possible? (Because probably it is necessary to use one for failover and one for management.)

No problem using NAT on context 2?

No problems using static routes?

Can you give us your advice? Also, if possible, some link where we can find information about the configuration?

Kind regards.

New Member

Ask the Expert:Configuring, Troubleshooting & Best Practices on

I have a problem.

My dedicated server has a hardware firewall, an ASA 5505.

I have to read MySQL data from the server, but the firewall doesn't accept that.

I am going to change the Cisco firewall configuration using SSH.

But I don't know how to do it.

Can you tell me the MySQL accept command?

Thanks.

New Member

Ask the Expert:Configuring, Troubleshooting & Best Practices on

Hi Prasanth,

We have Cisco ASA5550 running code : asa825-k8.bin.

We have access to our firewall via TACACS only, and a local username/password in case TACACS fails.

Recently our audit team found that the default password is still on the firewall. How do I remove the default password from the Cisco ASA 5550?

Kind Regards,

Vishal

New Member

Ask the Expert:Configuring, Troubleshooting & Best Practices on

Hi expert,

Would you please help me with this issue? I have an ASA 5510 and I need to block URLs for specific users, not using the IP address. I integrated the ASA with my Active Directory; now the ASA is detecting the users from my domain, but it is not applying the rules to the users.

It's only working using the IP address with Trend Micro Content Security.

Any help with this issue?

Please contact me on my email:

mamer@vseegypt.com

mamer1983@hotmail.com

Thanks

New Member

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

Hi Prashanth

We have a Cisco ASA 5550 firewall running on IOS 8.2.

I have added two new interfaces on the firewall, but they show as failed in the sh failover output:

Last Failover at: 22:50:59 IST Dec 4 2012
        This host: Secondary - Active
                Active time: 2043566 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6672): Normal
                  Interface outside (180.x.x.x): Normal
                  Interface management (192.168.1.1): No Link (Not-Monitored)
                  Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1d7): Normal
                  Interface TATA-INTERNET (115.x.x.226): Normal
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Primary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6686): Normal
                  Interface outside (180.x.x.x) Normal
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                  Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1ff): Failed (Waiting)
                  Interface TATA-INTERNET (115.x.x.227): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

Thanks

Bhupendra Jain
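A small triage helper for the sh failover output posted above, added here as an example (not from the thread or from Cisco): it parses the per-host interface status lines and the stateful link line and flags what needs attention. The sample is constructed from the posted output (trimmed, addresses masked as in the post); the regular expressions are assumptions about this 8.2-era text format.

```python
import re

# Constructed sample, trimmed from the "sh failover" output posted above
# (addresses masked as in the post).
SAMPLE = """\
Last Failover at: 22:50:59 IST Dec 4 2012
        This host: Secondary - Active
                  Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6672): Normal
                  Interface management (192.168.1.1): No Link (Not-Monitored)
        Other host: Primary - Failed
                  Interface outside (180.x.x.x) Normal
                  Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1ff): Failed (Waiting)
                  Interface TATA-INTERNET (115.x.x.227): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (.+?)\s*$")
# The peer's "outside" line has no colon after the address, so ':' is optional.
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):? (.+?)\s*$")
LINK_RE = re.compile(r"^\s*Link : (.+?)\.?\s*$")

def parse_failover(text: str) -> dict:
    report = {"hosts": {}, "stateful_link": None}
    current = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1).lower()            # "this" or "other"
            report["hosts"][current] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            report["hosts"][current]["interfaces"][m.group(1)] = m.group(3)
        elif m := LINK_RE.match(line):
            report["stateful_link"] = m.group(1)
    return report

def findings(report: dict) -> list:
    """Flag what a reviewer of this output should act on."""
    out = []
    for side, host in report["hosts"].items():
        if host["state"] not in ("Active", "Standby Ready"):
            out.append(f"{side} host ({host['role']}) is {host['state']}")
        for name, status in host["interfaces"].items():
            # Failed = interface test failed; Waiting = monitoring of the peer's interface not started yet
            if "Failed" in status or "Waiting" in status:
                out.append(f"{side} host interface {name}: {status}")
    if report["stateful_link"] == "Unconfigured":
        out.append("stateful link unconfigured: connection state is not replicated")
    return out
```

Run `findings(parse_failover(SAMPLE))` against a pasted sh failover capture; the "Waiting" flags on interfaces just added to one unit are what the expert would look at first, together with the unconfigured stateful link.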

Hall of Fame Super Silver

Ask the Expert:Configuring, Troubleshooting & Best Practices on

Bhupendra,

Please start a new thread. The Ask The Expert event is closed.
