
ASA Failover Active Standby Users

Ahmad Khalifa
Level 1

Hello,

I have 2 ASA5510-SEC-BUN-K9.

I configured them into H/A Active/Standby. Everything works fine and replication is successful.

The problem is that the users defined on the Active unit work fine, but if I convert the 2nd unit to be active, it works but I cannot use the same users that work fine on the Active (Primary).

So the Secondary unit is functionally fine, but it gives an invalid login (login error) on ASDM.

They should be the same and replicated over the replication function.

Any help?

I am using ASA 9.1(3) and ASDM 7.1(4).


Thank you.

I was busy trying to figure out what the reason for that is. After I monitored all the important interfaces, I see that they keep using the 2nd unit.

I turned off the Secondary unit, which used to be active, to understand where the failure is.

I am now using the primary unit. It gives me this status:

    Failover On
    Failover unit Primary
    Failover LAN Interface: Fail Ethernet0/2 (Failed - No Switchover)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 6 of 110 maximum
    failover replication http
    Version: Ours 9.1(3), Mate 9.1(3)
    Last Failover at: 15:30:37 AST Dec 3 2013
    This host: Primary - Active
    Active time: 683 (sec)
    slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Up Sys)
      Interface MNG (100.100.100.1): Normal (Not-Monitored)
      Interface EPRIS (0.0.0.0): Normal (Not-Monitored)
      Interface SYS-INFO (172.16.1.1): Normal (Waiting)
      Interface PI-DMZ (172.16.2.1): Normal (Waiting)
      Interface AF-DMZ (172.16.3.1): Failed (Waiting)
      Interface PI-INT (172.16.4.1): Failed (Waiting)
      Interface SEC (10.78.0.46): Normal (Waiting)
      Interface GEPDH (192.168.201.137): Normal (Waiting)
    slot 1: empty
    Other host: Secondary - Failed
    Active time: 1815 (sec)
    slot 0: ASA5510 hw/sw rev (2.0/9.1(3)) status (Unknown/Unknown)
      Interface MNG (100.100.100.2): Unknown (Not-Monitored)
      Interface EPRIS (0.0.0.0): Unknown (Not-Monitored)
      Interface SYS-INFO (172.16.1.2): Unknown (Waiting)
      Interface PI-DMZ (172.16.2.2): Unknown (Waiting)
      Interface AF-DMZ (172.16.3.2): Unknown (Waiting)
      Interface PI-INT (172.16.4.2): Unknown (Waiting)
      Interface SEC (10.78.0.47): Unknown (Monitored)
      Interface GEPDH (192.168.201.136): Unknown (Monitored)
    slot 1: empty

    Stateful Failover Logical Update Statistics
    Link : State Ethernet0/3 (down)
    Stateful Obj    xmit       xerr       rcv        rerr
    General         17654      0          17148      0
    sys cmd         870        0          870        0
    up time         0          0          0          0
    RPC services    0          0          0          0
    TCP conn        4530       0          3774       0
    UDP conn        2222       0          1757       0
    ARP tbl         10030      0          10746      0
    Xlate_Timeout   0          0          0          0
    IPv6 ND tbl     0          0          0          0
    VPN IKEv1 SA    0          0          0          0
    VPN IKEv1 P2    0          0          0          0
    VPN IKEv2 SA    0          0          0          0
    VPN IKEv2 P2    0          0          0          0
    VPN CTCP upd    0          0          0          0
    VPN SDI upd     0          0          0          0
    VPN DHCP upd    0          0          0          0
    SIP Session     0          0          0          0
    Route Session   0          0          0          0
    User-Identity   2          0          1          0
    CTS SGTNAME     0          0          0          0
    CTS PAC         0          0          0          0
    TrustSec-SXP    0          0          0          0
    IPv6 Route      0          0          0          0

    Logical Update Queue Information
                    Cur        Max        Total
    Recv Q:         0          9          25460
    Xmit Q:         0          30         19502

But I am still pinging all the servers on the failed interfaces. Do you know why?

I am not 100% sure, but it could be that reachability between the Active and Standby on those "failed" interfaces has gone down. Check to see if there is connectivity between the Active and Standby on those interfaces and make sure there is nothing in the switching path that could be causing the issue.

--
Please remember to rate and select a correct answer
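
The check suggested in the reply above starts from knowing which links and interfaces the ASA reports as unhealthy. The following is an added example, not part of the original thread or any poster's code: a Python parser for `show failover` output that lists failover links that are not up and monitored interfaces that are not Normal. The sample text is an excerpt of the output posted earlier in the thread; the function names are hypothetical, and it assumes a healthy link is reported as `(up)`.

```python
import re

# Excerpt of the `show failover` output posted earlier in this thread.
SAMPLE = """\
Failover LAN Interface: Fail Ethernet0/2 (Failed - No Switchover)
This host: Primary - Active
  Interface MNG (100.100.100.1): Normal (Not-Monitored)
  Interface SYS-INFO (172.16.1.1): Normal (Waiting)
  Interface AF-DMZ (172.16.3.1): Failed (Waiting)
  Interface PI-INT (172.16.4.1): Failed (Waiting)
Other host: Secondary - Failed
  Interface MNG (100.100.100.2): Unknown (Not-Monitored)
  Interface SEC (10.78.0.47): Unknown (Monitored)
Link : State Ethernet0/3 (down)
"""

HOST_RE = re.compile(r"^(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?) \(([^)]+)\)\s*$")
# Matches "Failover LAN Interface: <name> <port> (<status>)" and the
# stateful link line "Link : <name> <port> (<status>)".
LINK_RE = re.compile(r"^\s*(Failover LAN Interface|Link)\s*:\s*(\S+)\s+(\S+)\s*\((.+)\)\s*$")


def parse_show_failover(text):
    """Parse hosts, per-interface states and the two failover links."""
    parsed = {"hosts": {}, "interfaces": [], "links": {}}
    host = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1).lower()
            parsed["hosts"][host] = {"unit": m.group(2), "state": m.group(3)}
        elif (m := IFACE_RE.match(line)) and host:
            name, ip, status, monitor = m.groups()
            parsed["interfaces"].append(
                {"host": host, "name": name, "ip": ip, "status": status, "monitor": monitor})
        elif m := LINK_RE.match(line):
            kind = "lan" if m.group(1).startswith("Failover") else "state"
            parsed["links"][kind] = {"port": m.group(3), "status": m.group(4)}
    return parsed


def findings(parsed):
    """Return what to check: links that are not up, monitored interfaces not Normal."""
    out = [f"{kind} link {l['port']}: {l['status']}"
           for kind, l in parsed["links"].items() if l["status"].lower() != "up"]
    out += [f"{i['host']} host {i['name']} ({i['ip']}): {i['status']}"
            for i in parsed["interfaces"]
            if i["monitor"] != "Not-Monitored" and i["status"] != "Normal"]
    return out


if __name__ == "__main__":
    print("\n".join(findings(parse_show_failover(SAMPLE))))
```
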


I turned it on now, but same result for the SSH.

Sorry, I forgot to include:

aaa authentication ssh console LOCAL

Add that and it should work.

--
Please remember to rate and select a correct answer


Man, this is something serious. I don't know why this is happening; the IPs on those ranges are reachable.

Do you see anything in the logs?

Try flapping the interfaces (shut, no shut). Shut down the interfaces in question, wait a few seconds, and then bring them back up. Do the interfaces show as monitored now?

Remove the IP configuration from the interfaces in question and then add them back. Do the interfaces show as monitored now?

If none of these work, issue the command show failover history and post the output here.

--
Please remember to rate and select a correct answer


Yes, I did ping from the firewall itself and restarted the switches, and they came back to normal.

Is there a range of ports for the MS AD, like 49155-49156? Do you know about that?

Because I took what is listed on Microsoft Support and it doesn't work for replication between the servers and the AD.

Sorry I am not sure what we are talking about now.  We were talking about the ASA firewall interface monitor status?

If there is an issue with the connectivity between MS servers and the AD, please post a new question as this post is quite long now.  It is also good to start a new question for this, not so much that it is a new topic but the answer might help someone else in the future and it will be easier for them to find.

--
Please remember to rate and select a correct answer


You helped me a lot today; I am so grateful to you.

Last thing, please:

Where is this on ASDM?

crypto key generate rsa modulus 2048

I am not 100% sure where it is located in the ASDM, as I have never configured the RSA keys using the ASDM. And I currently don't have an ASA to browse around to find it. But I would imagine it is located in Configuration > Remote Access VPN > Certificate Management. Or somewhere in that area. Maybe in the Advanced section.

--
Please remember to rate and select a correct answer
