We have a pair of ASA firewalls running A/S failover. They talk OSPF with the network. Unfortunately, it seems that the secondary firewall doesn't get any routes (via OSPF or the Primary). This is causing issues with monitoring.
We have temporarily fixed it with a static route to our monitoring station but I was wondering if there is a way to get the routes propagated from the primary to the secondary?
That is what I mean. There are two problems with this scenario. The first is the one I mentioned. There is no way to (easily) monitor the firewall. The second, which I just thought of, is more of a problem. In the case of a stateful failover, the new primary will have to wait for OSPF to reconverge before it can work.
This would most likely defeat the purpose of a stateful failover connection.
No, when it does fail over, it moves the routing tables along with the MAC addresses to the (formerly) passive firewall. Therefore the adjacent router just sees a short loss of carrier to the firewall and then recovers.
Normal loss of comms is under 5 seconds when we do it on our systems.
Floating static routes? I know the PIX supports the ability to add static routes with administrative distances - why not just add a static route with a higher administrative distance than OSPF to the config? That way the standby should have a route whilst it isn't participating in OSPF. When it fails over, the static should get overwritten by the OSPF route, assuming there is one with the same prefix?
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: