Cisco Support Community

New Member

Setting up failover on two ASA 5525-X firewalls

I inherited two 5525-X firewalls. The one has a VPN Premium License, while the other I can only get to boot into ROMMON mode. There also does not appear to be any flash drive on which I can save the config, so I am guessing the two were bought to be in active/standby mode. I can make all the changes to the first, but can save nothing to the 2nd.

I have looked around for some docs on setting up failover on the Cisco site and the Internet, but am coming up short. Any suggestions?

Thanks in advance.

Here's the current config for the primary ASA. Again, the 2nd has no flash nor can I save any configs to it.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

7 REPLIES
Hall of Fame Super Silver

In the first place what you have given us in this post is the show version and not the config of the ASA5525X.

In the second place there is no point in talking about failover until you have solved the issue of the other ASA booting into ROMMON. If the ASA is operating in ROMMON then it is not surprising that you can not save the config. You tell us that the ASA boots into ROMMON but have not told us whether you have been able to get the ASA out of ROMMON and into operating mode. If so what did you do to get it into operating mode? In any case we should determine what causes the ASA to boot into ROMMON. Probably a good place to start would be for you to connect to the console of that ASA, power it up, and capture and post all of the output generated during the boot process.

HTH

Rick

New Member

Point taken.

Am attaching a copy of the primary ASA 5525. I was able to successfully configure the failover portion as you can see, and it is no wonder indeed why they are not communicating.

However, I am able to partially configure the failover ASA 5525, but the config will not write nor will it communicate due to space issues. I am certain I am simply missing a couple items here.

See below:

Firewall Mode [Routed]: 
Enable password [<use current password>]: 
Allow password recovery [yes]? 
Clock (UTC):
  Year [2014]: 
  Month [Aug]: 
  Day [20]: 
  Time [14:38:02]: 
Management IP address: 10.10.0.100
Management network mask: 255.255.240.0
Host name: slcvw-failover
Domain name: wjbradley.local
IP address of host running Device Manager: 172.31.255.2

The following configuration will be used:
Enable password: <current password>
Allow password recovery: yes
Clock (UTC): 14:38:02 Aug 20 2014
Firewall Mode: Routed
Management IP address: 10.10.0.100
Management network mask: 255.255.240.0
Host name: slcvw-failover
Domain name: wjbradley.local
IP address of host running Device Manager: 172.31.255.2

Use this configuration and save to flash? [yes]
INFO: Security level for "management" set to 0 by default.
Cryptochecksum: a4e92204 5ed2bcc2 d45c4a79 0193b7bf 

%Error copying system:/running-config (Not enough space on device)
Error executing command
Error writing to flash
Pre-configure Firewall now through interactive prompts [yes]? 

Hall of Fame Super Silver

Thanks for the additional information. Am I correct in understanding that the output in your second post was generated from your second ASA after you got it out of ROMMON? What did you need to do to get it out of ROMMON?

If you get it out of ROMMON and do not accept the option for the initial configuration dialogue what do you get? Are you able to do show version? do show flash?

In reading through the original post I am focusing on your statement that the second ASA does not have a flash drive. When you compare the two ASA5525X are you saying that both have a slot for a flash drive but that only the first ASA has a drive in the slot? That would be a problem. Both ASA should have a flash drive regardless of whether they are intended as a failover pair or not.

HTH

Rick

New Member

You are correct. That output is what happens when I manually set IP address, gateway, etc. and then upload my standard asa913-smp-k8.bin file. It comes up with those settings that I enter:

rommon #1> ADDRESS=10.10.0.100
rommon #2> SERVER=10.10.5.150
rommon #3> GATEWAY=10.10.0.1
rommon #4> IMAGE=asa913-smp-k8.bin
rommon #5> PORT=Management0/0
rommon #6> tftp

!!!!!!!

Pre-configure Firewall now through interactive prompts [yes]? 
Firewall Mode [Routed]: 
Enable password [<use current password>]: 
Allow password recovery [yes]? 

ad nauseam....

--------

If I choose not to go through the setup, I am able to bring up a prompt and get into enable mode, but no config is available.

Pre-configure Firewall now through interactive prompts [yes]? no

Type help or '?' for a list of available commands.
slcvw-failover> en
Password: 
slcvw-failover# 
slcvw-failover# sho conf
No Configuration
slcvw-failover# 

However, this does look promising. Let me work on this a bit more and see if I can get it to talk to the primary asa. I'll have to set the failover IP addresses again. I can at least see now that I can see the interfaces when I do a "sho int". And I can now make config changes. Let me see if failover works.

I'll get back to you shortly if I find a solution.

New Member

Found this:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_standby.html

Looks to be about what I was looking for. Will try again to set up failover.

New Member

Turns out the memory had come loose during shipping. Once I re-attached underneath the I/O module, everything is working.

Thanks for your help.

Hall of Fame Super Silver

I am glad that you have resolved the issue and that my suggestions were helpful. Thank you for posting back to the forum to indicate that you had resolved the problem and how you resolved it. That is helpful information. And thank you for using the rating system to mark this question as answered. This will indicate to other readers of the forum that helpful information is in this thread.

HTH

Rick
