Cisco Support Community
Not able to access secondary ASA in active/standby cluster

Hi,

I have a Cisco ASA 5540 active/standby cluster. For some reason I am not able to access the secondary ASA using the Inside interface IP. I understand this is possible. Please advise?

Thanks,

Sridhar

6 REPLIES

Not able to access secondary ASA in active/standby cluster

Hello,

You mean the standby inside IP address right?

Can you provide the following info from both units

show run interface

show IP

sh failover

show run ssh

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Not able to access secondary ASA in active/standby cluster

Please find the output of the commands that you had requested. FYI, currently my secondary FW is active.

interface GigabitEthernet1/3

description LAN/STATE Failover Interface

GigabitEthernet1/3 failover 10.158.111.130 255.255.255.252 unset

FW01# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 210 maximum
Version: Ours 8.2(4), Mate 8.2(4)
Last Failover at: 14:07:07 IST Jun 29 2013
        This host: Secondary - Active
                Active time: 6887679 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.2(4)) status (Up Sys)
                  Interface INSIDE (10.158.9.124): Normal
                  Interface OUTSIDE_ISP (x.x.x.x): Normal
                  Interface DMZ_CLIENTS (x.x.x.x): Normal
                  Interface INSIDE_WAN (x.x.x.x): Normal
                  Interface management (0.0.0.0): No Link (Waiting)
                  Interface Load-Sharing-New (x.x.x.x): Normal
                  Interface DMZ (x.x.x.x): Normal
                  Interface sitetosite-vpn (x.x.x.x): Normal
                slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.2(4)) status (Up Sys)
                  Interface INSIDE (10.158.9.125): Normal
                  Interface OUTSIDE_ISP (x.x.x.x): Normal
                  Interface DMZ_CLIENTS (x.x.x.x): Normal
                  Interface INSIDE_WAN (x.x.x.x): Normal
                  Interface management (0.0.0.0): No Link (Waiting)
                  Interface Load-Sharing-New (x.x.x.x): Normal
                  Interface DMZ (TEST-IP): Normal
                  Interface sitetosite-vpn (x.x.x.x): Normal
                slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet1/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         10383362519 0          3408215444 1046
        sys cmd         3205448    0          3205441    0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        2895912172 0          2685351628 1
        UDP conn        7443102441 0          603371824  1045
        ARP tbl         40453663   0          113002446  0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKE upd     601040     0          2697267    0
        VPN IPSEC upd   81735      0          581202     0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     6028       0          5636       0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       62      3474166977
        Xmit Q:         0       901     10396523222

FW01# sh run

FW01# sh running-config ssh

ssh scopy enable

ssh server1 255.255.255.255 INSIDE

ssh server2 255.255.255.255 INSIDE

ssh server3 255.255.255.255 INSIDE

ssh timeout 5

ssh version 2

Re: Not able to access secondary ASA in active/standby cluster

Hello,

Okay, and you are trying to SSH from one of these boxes (Server 1, 2 or 3)?

Can you apply this on the Secondary/Current active FW

capture test interface inside match ssh host x.x.x.x (Client IP address) host 10.158.9.124

cap asp type asp-drop all circular-buffer

then attempt to connect via SSH to the 10.158.9.124

share

show cap test

show cap asp

EDIT: What version are you running?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Not able to access secondary ASA in active/standby cluster

I can connect to the Secondary FW (currently active) using the 10.158.9.124 IP. When the primary FW is active, what IP should I use to connect to the secondary FW in the cluster? Is it the standby IP configured for the LAN Failover interface? If so, I couldn't connect for some reason. Also, I don't think I need to add SSH access on the secondary, as it gets the same conf from the primary, where the access is already allowed.

Not able to access secondary ASA in active/standby cluster

Hello,

From a host behind the inside interface you should try to hit or access: 10.158.9.125

Let me know how it goes,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
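
Added example (not part of the original thread, and not Cisco code): the "sh failover" output posted earlier already lists which address each unit currently holds per interface, so the address that reaches the standby unit can be read from it rather than inferred from the Primary/Secondary role. The parser below works on a trimmed, constructed copy of that output; the function names are hypothetical.

```python
import re

# Constructed sample: trimmed from the "sh failover" output posted in this thread.
SAMPLE = """\
Failover On
Failover unit Secondary
Interface Poll frequency 5 seconds, holdtime 25 seconds
        This host: Secondary - Active
                Active time: 6887679 (sec)
                  Interface INSIDE (10.158.9.124): Normal
                  Interface management (0.0.0.0): No Link (Waiting)
        Other host: Primary - Standby Ready
                Active time: 0 (sec)
                  Interface INSIDE (10.158.9.125): Normal
                  Interface management (0.0.0.0): No Link (Waiting)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")

def parse_failover(text):
    """Return {'This': {...}, 'Other': {...}} with role, state and interfaces."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = units.setdefault(m.group(1), {
                "role": m.group(2), "state": m.group(3), "interfaces": {}})
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:  # ignore lines before the first host block
            current["interfaces"][m.group(1)] = {"ip": m.group(2), "status": m.group(3)}
    return units

def standby_address(text, nameif):
    """(role, ip) held on `nameif` by the unit in a Standby state, else None."""
    for unit in parse_failover(text).values():
        if unit["state"].startswith("Standby"):
            iface = unit["interfaces"].get(nameif)
            if iface and iface["ip"] != "0.0.0.0":  # 0.0.0.0 means no address set
                return unit["role"], iface["ip"]
    return None

if __name__ == "__main__":
    print(parse_failover(SAMPLE)["This"]["state"])
    print(standby_address(SAMPLE, "INSIDE"))
```

For this output the standby unit is the Primary, and its INSIDE address is the one given in the reply above.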
Not able to access secondary ASA in active/standby cluster

That's what I have been doing all these days, SSH & ASDM access to 10.158.9.125. No luck.
