
cannot ping/telnet the standby asa

kokhong.chew
Level 1

I have 2 x 5520 ASAs configured in active/standby mode, and they are connected to 2 x 4500 switches which are also configured for failover.

Telnet to the ASAs is allowed only from subnet 172.18.0.0/24.

I can only ping and telnet to the active ASA from subnet 172.18.0.0/24, but not the standby.

But I can ping and telnet to both the active and standby ASAs from within the 4500 switches.

Please advise? Thanks

20 Replies

Jon Marshall
Hall of Fame

Can you check the routing table on the standby firewall and compare it to the routing table on the active firewall?

Are you exchanging routes dynamically between the ASA and the 4500 switches ?

Jon

Hi Jon

No dynamic routing in the standby ASA:

C    172.18.5.0 255.255.255.0 is directly connected, TJM_LAN

There are dynamic routes in the active ASA:

D    172.18.186.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.212.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.213.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.210.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.211.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.208.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.209.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.206.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.207.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.204.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.205.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.202.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.203.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.201.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
C    172.18.7.8 255.255.255.248 is directly connected, LEASED_LINE
D    172.18.4.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                              [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
C    172.18.5.0 255.255.255.0 is directly connected, TJM_LAN
D    172.18.2.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                              [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.3.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                              [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    MES-TJM-LAN18 255.255.0.0 is a summary, 115:52:25, Null0
D    172.18.112.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.113.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.110.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.111.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.108.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.109.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.106.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.107.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.104.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.105.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.102.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.103.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN
D    172.18.101.0 255.255.255.0 [90/3072] via 172.18.5.3, 115:52:18, TJM_LAN
                                [90/3072] via 172.18.5.2, 115:52:18, TJM_LAN

Make sure there is a static route pointing to the inside. Since it is running EIGRP, it is the correct output that the primary shows the entire routing table and the failover unit only shows Connected or Static routes.

route inside 172.18.0.0 255.255.0.0 1

Hope this helps.

Please try this ping test from a directly connected host to the inside interface. As you are using a dynamic routing protocol, these updates will not be sent to the standby until it becomes active.

Please read here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1052476

Please read the column: State Information Not Passed to Standby Unit

-KS

Hi Rickyt888

Thanks. I will try... add the static route on the standby ASA only? By the way, is it by design that one can only ping/telnet the active ASA?

No. You will be able to telnet/ssh/asdm to the active as well as the standby provided you have a route from the client to both the active and the standby firewall.

Use a host/client that belongs on the same subnet (so dynamic routing doesn't come into the picture) as the active and the standby and you will be able to telnet/ssh/asdm to both of them.

-KS

You will have to add a static route with an administrative distance higher than that of your routing protocol. The static route applies to both the Active and Standby firewalls, but it will be used only on the Standby because of the administrative distance.

I'm not sure if OSPF route synchronization would happen with the standby ASA. As seen, the standby ASA just monitors the failover interfaces and takes the IP of the primary ASA if it fails. Having said this, you would be able to reach the standby ASA from the layer 3 subnet directly connected to the core switch. Have a static route on the core switch to reach the failover IP address (which is used just for management purposes and not for routing), and redistribute that route to inside/outside, wherever needed! Routing table info is not passed on to the secondary unit with stateful failover...

have a look at this topic in this forum:

https://supportforums.cisco.com/message/894013#894013

Hope this helps. All the best.

Raj

kokhong.chew
Level 1

So is it a design issue in active/standby failover mode?

You may not have read the link that I posted earlier.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1052476

State Information Not Passed to Standby Unit: The routing tables. After a failover occurs, some packets may be lost or routed out of the wrong interface (the default route) while the dynamic routing protocols rediscover routes.

The standby unit will only see connected and static routes. It will not see any dynamic routes.

Your options are to add a static route (host route) to the monitoring server or authentication server or to use a host directly connected to the interface that you want to manage.

-KS

KS

I did go through the link... but I can't find any mention of the suggested static route, unless I really missed it?

That link does not talk about what you need to do in order to manage the standby unit. It just talks about what is to be expected with dynamic routing protocols in a failover scenario.

-KS

KS

Well, now I can see that there isn't any documentation on how to manage the standby :|

Well, I guess it is obvious that you need a route and permission for "TO the box" traffic, and a route, translation and permission for "THROUGH the box" traffic.

Adding the route on the standby unit will not replicate to the active. The config will be different on both units. You should only add commands on the active unit. Since dynamic routing is preferred, that is the reason Raj had given you a good suggestion to add a higher-metric static route on the active unit.

-KS
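The static-route advice in this thread (KS's `route inside 172.18.0.0 255.255.0.0` suggestion, Raj's point that the static needs an administrative distance above the routing protocol's, and KS's closing note that the command goes on the active and replicates to the standby) can be checked with a small routing-table model. The following is an added example written for this page, not code from the thread or from Cisco: it builds the active and standby tables from the connected and EIGRP entries in the dump above, then shows how a lookup for a client in the telnet-allowed subnet resolves on each unit before and after the floating static is added. Assumptions: the client address 172.18.0.25 and the next hop 172.18.5.3 are constructed (172.18.5.3 is one of the EIGRP next hops in the dump); the `MES-TJM-LAN18` summary is taken to be 172.18.0.0/16 with EIGRP's summary AD of 5; an EIGRP route for 172.18.0.0/24 is assumed on the active (the dump does not list it, but the active is reachable from that subnet); the floating static uses AD 200, an arbitrary value above EIGRP's 90.

```python
"""Why a floating static route makes the standby ASA manageable (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Administrative distances used by the thread: connected 0, static 1, EIGRP 90,
# EIGRP summary 5. The floating static gets an AD above EIGRP so it never beats
# a dynamic route for the same prefix on the active unit.
AD_CONNECTED, AD_STATIC, AD_EIGRP_SUMMARY, AD_EIGRP = 0, 1, 5, 90
AD_FLOATING_STATIC = 200  # assumed value; anything above 90 behaves the same here


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str          # "C" connected, "S" static, "D" EIGRP
    ad: int
    next_hop: str
    iface: str


class Rib:
    """Minimal routing table: longest prefix wins, lower AD breaks ties."""

    def __init__(self, name: str):
        self.name = name
        self.routes: list[Route] = []

    def add(self, prefix: str, source: str, ad: int, next_hop: str, iface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), source, ad, next_hop, iface))

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None  # no route: the unit cannot even send a reply
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.ad))


def build_tables():
    active, standby = Rib("active"), Rib("standby")
    # Connected routes exist on both units; the standby dump shows only these.
    for rib in (active, standby):
        rib.add("172.18.5.0/24", "C", AD_CONNECTED, "0.0.0.0", "TJM_LAN")
        rib.add("172.18.7.8/29", "C", AD_CONNECTED, "0.0.0.0", "LEASED_LINE")
    # EIGRP routes appear on the active only (a subset of the dump above).
    for net in ("172.18.186.0/24", "172.18.212.0/24", "172.18.4.0/24"):
        active.add(net, "D", AD_EIGRP, "172.18.5.3", "TJM_LAN")
        active.add(net, "D", AD_EIGRP, "172.18.5.2", "TJM_LAN")
    # Assumed: MES-TJM-LAN18 resolves to the 172.18.0.0/16 EIGRP summary.
    active.add("172.18.0.0/16", "D", AD_EIGRP_SUMMARY, "0.0.0.0", "Null0")
    # Assumed: the management subnet is learned via EIGRP on the active.
    active.add("172.18.0.0/24", "D", AD_EIGRP, "172.18.5.3", "TJM_LAN")
    return active, standby


def add_floating_static(*ribs: Rib) -> None:
    # Entered on the active and replicated, so it lands in both tables.
    # Next hop 172.18.5.3 is an assumption.
    for rib in ribs:
        rib.add("172.18.0.0/16", "S", AD_FLOATING_STATIC, "172.18.5.3", "TJM_LAN")


def reply_path(rib: Rib, client: str):
    r = rib.lookup(client)
    return None if r is None else (r.source, r.ad, str(r.prefix), r.next_hop)


def demo():
    active, standby = build_tables()
    client = "172.18.0.25"  # constructed host in the telnet-allowed subnet
    before = {"active": reply_path(active, client), "standby": reply_path(standby, client)}
    add_floating_static(active, standby)
    after = {
        "active": reply_path(active, client),          # EIGRP /24 still wins
        "standby": reply_path(standby, client),        # floating static now used
        "active_to_186": reply_path(active, "172.18.186.10"),
        "active_unknown": reply_path(active, "172.18.99.7"),  # summary beats AD 200
    }
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

The interesting rows are the standby lookup, which goes from no route at all to the floating static, and the two active lookups, where the more specific EIGRP /24 and the lower-AD summary keep winning, so the added route changes nothing on the active unit. Pass the real next hop and an AD your design calls for when adapting this.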
