12-03-2013 12:44 AM - edited 03-11-2019 08:11 PM
Hello,
I have 2 ASA5510-SEC-BUN-K9.
I configured them in H/A Active/Standby. Everything works fine and replication is successful.
The problem is that the users defined on the Active unit work fine, but if I convert the 2nd unit to be active, it works, but I cannot use the same users that work fine on the Active (Primary).
So the Secondary unit is functionally fine, but it gives an invalid login (login error) on ASDM.
They should be the same and replicated over the replication function.
Any help?
I am using ASA 9.1(3)
ASDM 7.1(4)
12-03-2013 04:42 AM
Thank you.
I was busy trying to figure out what the reason for that is. After I monitored all the important interfaces, I see that they keep using the 2nd unit.
I turned off the Secondary unit, which used to be active, to understand where the failure is.
I am now using the primary unit; it gives me the status as:
Failover On
Failover unit Primary
Failover LAN Interface: Fail Ethernet0/2 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 110 maximum
failover replication http
Version: Ours 9.1(3), Mate 9.1(3)
Last Failover at: 15:30:37 AST Dec 3 2013
This host: Primary - Active
Active time: 683 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
Interface MNG (100.100.100.1): Normal (Not-Monitored)
Interface EPRIS (0.0.0.0): Normal (Not-Monitored)
Interface SYS-INFO (172.16.1.1): Normal (Waiting)
Interface PI-DMZ (172.16.2.1): Normal (Waiting)
Interface AF-DMZ (172.16.3.1): Failed (Waiting)
Interface PI-INT (172.16.4.1): Failed (Waiting)
Interface SEC (10.78.0.46): Normal (Waiting)
Interface GEPDH (192.168.201.137): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
Active time: 1815 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Unknown/Unknown)
Interface MNG (100.100.100.2): Unknown (Not-Monitored)
Interface EPRIS (0.0.0.0): Unknown (Not-Monitored)
Interface SYS-INFO (172.16.1.2): Unknown (Waiting)
Interface PI-DMZ (172.16.2.2): Unknown (Waiting)
Interface AF-DMZ (172.16.3.2): Unknown (Waiting)
Interface PI-INT (172.16.4.2): Unknown (Waiting)
Interface SEC (10.78.0.47): Unknown (Monitored)
Interface GEPDH (192.168.201.136): Unknown (Monitored)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : State Ethernet0/3 (down)
Stateful Obj xmit xerr rcv rerr
General 17654 0 17148 0
sys cmd 870 0 870 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 4530 0 3774 0
UDP conn 2222 0 1757 0
ARP tbl 10030 0 10746 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 2 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 25460
Xmit Q: 0 30 19502
But I am still pinging all the servers on the failed interfaces. Do you know why?
12-03-2013 04:49 AM
I am not 100% sure, but it could be that reachability between the Active and Standby on those "failed" interfaces has gone down. Check to see if there is connectivity between the Active and Standby on those interfaces and make sure there is nothing in the switching path that could be causing the issue.
--
Please remember to rate and select a correct answer
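One way to automate the check suggested in this reply, as an added example that is not part of the original thread: a Python parser that reads `show failover` text and lists the failover link, stateful link, unit and interface states that are not healthy. The function name `failover_findings` and the trimmed sample are constructed for illustration, based on the output posted above.

```python
import re

# Constructed sample: a trimmed excerpt of the `show failover` output posted above.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: Fail Ethernet0/2 (Failed - No Switchover)
This host: Primary - Active
Interface SYS-INFO (172.16.1.1): Normal (Waiting)
Interface AF-DMZ (172.16.3.1): Failed (Waiting)
Interface PI-INT (172.16.4.1): Failed (Waiting)
Other host: Secondary - Failed
Interface SYS-INFO (172.16.1.2): Unknown (Waiting)
Interface SEC (10.78.0.47): Unknown (Monitored)
Stateful Failover Logical Update Statistics
Link : State Ethernet0/3 (down)
"""

LAN_RE = re.compile(r"^Failover LAN Interface:\s*(\S+)\s+(\S+)\s*\((.+)\)$")
LINK_RE = re.compile(r"^Link\s*:\s*(\S+)\s+(\S+)\s*\((\w+)\)$")
HOST_RE = re.compile(r"^(This|Other) host:\s*(\S+)\s*-\s*(.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\):\s*(\S+)\s*\(([^)]+)\)$")

def failover_findings(text):
    """Return (kind, name, state) tuples for everything that is not healthy."""
    findings, host = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := LAN_RE.match(line):
            # Dedicated failover (heartbeat) link between the two units.
            if "failed" in m.group(3).lower():
                findings.append(("failover-link", m.group(2), m.group(3)))
        elif m := LINK_RE.match(line):
            # Stateful replication link; anything other than "up" is reported.
            if m.group(3).lower() != "up":
                findings.append(("stateful-link", m.group(2), m.group(3)))
        elif m := HOST_RE.match(line):
            host = m.group(1).lower()  # "this" or "other"
            if m.group(3).strip().lower() == "failed":
                findings.append(("unit", m.group(2), "Failed"))
        elif m := IFACE_RE.match(line):
            name, _ip, state, _monitoring = m.groups()
            if state != "Normal":
                findings.append((f"{host}-interface", name, state))
    return findings

if __name__ == "__main__":
    for kind, name, state in failover_findings(SAMPLE):
        print(f"{kind:16} {name:12} {state}")
```
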
12-03-2013 04:43 AM
I turned it on now, but same result for the SSH.
12-03-2013 04:51 AM
Sorry, I forgot to include:
aaa authentication ssh console LOCAL
Add that and it should work.
--
Please remember to rate and select a correct answer
12-03-2013 05:09 AM
Man, this is something serious. I don't know why this is happening; the IPs on those ranges are reachable.
12-03-2013 05:17 AM
Do you see anything in the logs?
Try flapping the interfaces (shut, no shut). Shut down the interfaces in question, wait a few seconds, and then bring them back up. Do the interfaces show as monitored now?
Remove the IP configuration from the interfaces in question and then add them back. Do the interfaces show as monitored now?
If none of these work, issue the command show failover history and post the output here.
--
Please remember to rate and select a correct answer
12-03-2013 05:31 AM
Yes, I did ping from the firewall itself and restarted the switches, and they came back to normal.
Is there a range of ports for MS AD, like 49155-49156? Do you know about that?
Because I took what is listed on Microsoft Support and it doesn't work for replication between the servers and the AD.
12-03-2013 05:36 AM
Sorry I am not sure what we are talking about now. We were talking about the ASA firewall interface monitor status?
If there is an issue with the connectivity between MS servers and the AD, please post a new question as this post is quite long now. It is also good to start a new question for this, not so much that it is a new topic but the answer might help someone else in the future and it will be easier for them to find.
--
Please remember to rate and select a correct answer
12-03-2013 06:25 AM
You helped me a lot today; I am so grateful to you.
Last thing, please:
Where is this in ASDM?
crypto key generate rsa modulus 2048
12-03-2013 07:11 AM
I am not 100% sure where it is located in the ASDM, as I have never configured the RSA keys using the ASDM. And I currently don't have an ASA to browse around to find it. But I would imagine it is located in Configuration > Remote Access VPN > Certificate Management. Or somewhere in that area. Maybe in the Advanced section.
--
Please remember to rate and select a correct answer