Cisco Systems Which cable for ASA failover?

Posted by John Oliver on May 25, 2007, 2:26 pm
I've configured my two ASA 5510s for failover. But it just won't start
to work. I cannot ping the failover interface for the other ASA from
either one. I've tried connecting the failover ports with
straight-through as well as crossover cables. At no time have I been
able to get the slightest sign of any connectivity over the failover
ports. I can ping all other IPs from each ASA... each one can ping the
inside, outside, and management interface of the other.

Is this another special Cisco-only cable? Special pinout? Some further
config that's necessary? The TAC isn't of much use... they say my
config is fine and that I need to "ensure physical connectivity", but go
mute when I ask them precisely how I should do that ;-)

--
* John Oliver http://www.john-oliver.net/ *

Posted by mcaissie on May 25, 2007, 2:54 pm
You don't need a special cable .

I think ASA supports both the straight-through and the crossover, but the
crossover for sure.

Can you post your failover config of both units?

And be sure your interfaces are not shutdown.


> I've configured my two ASA 5510s for failover. But it just won't start
> to work. I cannot ping the failover interface for the other ASA from
> either one. I've tried connecting the failover ports with
> straight-through as well as crossover cables. At no time have I been
> able to get the slightest sign of any connectivity over the failover
> ports. I can ping all other IPs from each ASA... each one can ping the
> inside, outside, and management interface of the other.
>
> Is this another special Cisco-only cable? Special pinout? Some further
> config that's necessary? The TAC isn't of much use... they say my
> config is fine and that I need to "ensure physical connectivity", but go
> mute when I ask them precisely how I should do that ;-)
>
> --
> * John Oliver http://www.john-oliver.net/ *



Posted by John Oliver on May 25, 2007, 3:39 pm
On Fri, 25 May 2007 18:54:32 GMT, mcaissie wrote:
> You don't need a special cable .
>
> I think ASA supports both the straight-through and the crossover, but the
> crossover for sure.
>
> Can you post your failover config of both units?
>
> And be sure your interfaces are not shutdown.

ntasa01# sh conf
: Saved
: Written by enable_15 at 09:08:16.980 PDT Thu May 24 2007
!
ASA Version 7.0(6)
!
hostname ntasa01
enable password **************** encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 168.143.121.4 255.255.255.0 standby 168.143.121.5
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.15.30.1 255.255.255.0 standby 10.15.30.2
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 10.12.14.253 255.255.255.0
management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 1:59 1 Sun Nov 3:00
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 10.15.30.0 255.255.255.0
static (inside,outside) 10.15.30.193 168.143.121.193 netmask 255.255.255.255
static (inside,outside) 10.15.30.194 168.143.121.194 netmask 255.255.255.255
route management 192.168.2.0 255.255.255.0 10.12.14.254 1
route outside 0.0.0.0 0.0.0.0 168.143.121.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username ***** password **************** encrypted privilege 15
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.12.14.2 255.255.255.255 management
http 192.168.2.192 255.255.255.255 management
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.2.192 255.255.255.255 management
telnet 10.12.14.2 255.255.255.255 management
telnet timeout 15
ssh timeout 15
console timeout 0
ntp server 192.168.2.2
Cryptochecksum:801337793f18d2af0c0105f054a6e8f0



ntasa02# sh conf
: Saved
: Written by enable_15 at 07:43:15.088 PDT Thu May 24 2007
!
ASA Version 7.0(6)
!
hostname ntasa02
enable password **************** encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 168.143.121.5 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.15.30.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 10.12.14.252 255.255.255.0
management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 1:59 1 Sun Nov 3:00
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
route management 192.168.2.0 255.255.255.0 10.12.14.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username ***** password **************** encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.192 255.255.255.255 management
http 10.12.14.2 255.255.255.255 management
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.2.192 255.255.255.255 management
telnet 10.12.14.2 255.255.255.255 management
telnet timeout 15
ssh timeout 15
console timeout 0
ntp server 192.168.2.2
Cryptochecksum:ab8d7fc833b79bd4bcb69bfe67d4fe1b

--
* John Oliver http://www.john-oliver.net/ *

Posted by mcaissie on May 25, 2007, 4:02 pm
This line must be the same on both units. The first IP is for the primary
and the other for the secondary.

> failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2

> failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1


So you have to change it on the secondary to
> failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2


> On Fri, 25 May 2007 18:54:32 GMT, mcaissie wrote:
>> You don't need a special cable .
>>
>> I think ASA supports both the straight-through and the crossover, but the
>> crossover for sure.
>>
>> Can you post your failover config of both units?
>>
>> And be sure your interfaces are not shutdown.
>
> ntasa01# sh conf
> : Saved
> : Written by enable_15 at 09:08:16.980 PDT Thu May 24 2007
> !
> ASA Version 7.0(6)
> !
> hostname ntasa01
> enable password **************** encrypted
> names
> dns-guard
> !
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address 168.143.121.4 255.255.255.0 standby 168.143.121.5
> !
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 10.15.30.1 255.255.255.0 standby 10.15.30.2
> !
> interface Ethernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/3
> description LAN/STATE Failover Interface
> !
> interface Management0/0
> nameif management
> security-level 100
> ip address 10.12.14.253 255.255.255.0
> management-only
> !
> passwd **************** encrypted
> ftp mode passive
> clock timezone PST -8
> clock summer-time PDT recurring 2 Sun Mar 1:59 1 Sun Nov 3:00
> pager lines 24
> logging asdm informational
> mtu management 1500
> mtu outside 1500
> mtu inside 1500
> failover
> failover lan unit primary
> failover lan interface failover Ethernet0/3
> failover link failover Ethernet0/3
> failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2
> asdm image disk0:/asdm506.bin
> no asdm history enable
> arp timeout 14400
> nat (inside) 1 10.15.30.0 255.255.255.0
> static (inside,outside) 10.15.30.193 168.143.121.193 netmask 255.255.255.255
> static (inside,outside) 10.15.30.194 168.143.121.194 netmask 255.255.255.255
> route management 192.168.2.0 255.255.255.0 10.12.14.254 1
> route outside 0.0.0.0 0.0.0.0 168.143.121.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> username ***** password **************** encrypted privilege 15
> aaa authentication serial console LOCAL
> aaa authentication ssh console LOCAL
> aaa authentication telnet console LOCAL
> http server enable
> http 10.12.14.2 255.255.255.255 management
> http 192.168.2.192 255.255.255.255 management
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> telnet 192.168.2.192 255.255.255.255 management
> telnet 10.12.14.2 255.255.255.255 management
> telnet timeout 15
> ssh timeout 15
> console timeout 0
> ntp server 192.168.2.2
> Cryptochecksum:801337793f18d2af0c0105f054a6e8f0
>
>
>
> ntasa02# sh conf
> : Saved
> : Written by enable_15 at 07:43:15.088 PDT Thu May 24 2007
> !
> ASA Version 7.0(6)
> !
> hostname ntasa02
> enable password **************** encrypted
> names
> dns-guard
> !
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address 168.143.121.5 255.255.255.0
> !
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 10.15.30.2 255.255.255.0
> !
> interface Ethernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/3
> description LAN Failover Interface
> !
> interface Management0/0
> nameif management
> security-level 100
> ip address 10.12.14.252 255.255.255.0
> management-only
> !
> passwd **************** encrypted
> ftp mode passive
> clock timezone PST -8
> clock summer-time PDT recurring 2 Sun Mar 1:59 1 Sun Nov 3:00
> pager lines 24
> logging asdm informational
> mtu management 1500
> mtu inside 1500
> mtu outside 1500
> failover
> failover lan unit secondary
> failover lan interface failover Ethernet0/3
> failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1
> asdm image disk0:/asdm506.bin
> no asdm history enable
> arp timeout 14400
> route management 192.168.2.0 255.255.255.0 10.12.14.254 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> username ***** password **************** encrypted privilege 15
> aaa authentication telnet console LOCAL
> aaa authentication serial console LOCAL
> aaa authentication ssh console LOCAL
> http server enable
> http 192.168.2.192 255.255.255.255 management
> http 10.12.14.2 255.255.255.255 management
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> telnet 192.168.2.192 255.255.255.255 management
> telnet 10.12.14.2 255.255.255.255 management
> telnet timeout 15
> ssh timeout 15
> console timeout 0
> ntp server 192.168.2.2
> Cryptochecksum:ab8d7fc833b79bd4bcb69bfe67d4fe1b
>
> --
> * John Oliver http://www.john-oliver.net/ *



Posted by John Oliver on May 25, 2007, 4:29 pm
On Fri, 25 May 2007 20:02:53 GMT, mcaissie wrote:
> This line must be the same on both units. The first IP is for the primary
> and the other for the secondary.
>
>> failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2
>
>> failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1
>
>
> So you have to change it on the secondary to
>> failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2

OK, I did that. Now, I see:

ntasa01# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.0(6), Mate 7.0(6)
Last Failover at: 07:57:39 PDT May 24 2007
This host: Primary - Active
Active time: 255225 (sec)
slot 0: ASA5510 hw/sw rev (2.0/7.0(6)) status (Up Sys)
slot 1: empty
Interface management (10.12.14.253): Normal (Waiting)
Interface outside (168.143.121.4): Normal
Interface inside (10.15.30.1): Normal
Other host: Secondary - Standby Ready
Active time: 81899 (sec)
slot 0: ASA5510 hw/sw rev (2.0/7.0(6)) status (Up Sys)
slot 1: empty
Interface management (0.0.0.0): Normal (Waiting)
Interface outside (168.143.121.5): Normal
Interface inside (10.15.30.2): Normal

Stateful Failover Logical Update Statistics
Link : failover Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 22 0 16 0
sys cmd 16 0 16 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 6 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 16
Xmit Q: 0 2 150


But:

ntasa01# sh failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
Sync Done
====Communication State===
Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
Comm Failure


And I can no longer ping or telnet to the management interface on the
secondary unit ntasa02. I can ping e0/0 and e0/1 on it, so it isn't
dead.

Thanks for getting me on the right track... you're more useful than
Cisco! :-)

--
* John Oliver http://www.john-oliver.net/ *
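As an added example (not code from this thread, nor Cisco's), here is a small Python lint that applies the two checks mcaissie gave above to a pair of ASA configs: the `failover interface ip` line must be identical on both units, and the physical failover link must not be shut down. It adds a third check that the final `sh failover state` output points at: an interface that is configured with `nameif` and an address but no `standby` address shows up on the standby unit as `0.0.0.0` and `Normal (Waiting)`, and cannot be reached there after the config sync, which is exactly what the posted output shows for `management` and why ntasa02's management address stopped answering. The two config strings are constructed excerpts modelled on the ones posted in the thread (same addresses, irrelevant lines dropped); the parser, the `lint_pair` function and the wording of the findings are my own.

```python
"""Lint a pair of ASA active/standby configs for the failover mistakes seen in this thread."""
import re

# Constructed excerpts modelled on the two configs posted in the thread.
PRIMARY_CFG = """\
hostname ntasa01
interface Ethernet0/0
nameif outside
ip address 168.143.121.4 255.255.255.0 standby 168.143.121.5
!
interface Ethernet0/1
nameif inside
ip address 10.15.30.1 255.255.255.0 standby 10.15.30.2
!
interface Ethernet0/2
shutdown
no nameif
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
ip address 10.12.14.253 255.255.255.0
!
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2
"""

SECONDARY_CFG = """\
hostname ntasa02
interface Ethernet0/3
description LAN Failover Interface
!
interface Management0/0
nameif management
ip address 10.12.14.252 255.255.255.0
!
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1
"""


def parse(cfg):
    """Split an ASA config into interface stanzas (terminated by '!') plus the failover globals."""
    ifaces, cur = {}, None
    fo = {"unit": None, "lan_iface": None, "ip_line": None}
    for line in cfg.splitlines():
        line = line.strip()  # the thread's paste lost the stanza indentation, so do not rely on it
        m = re.match(r"^interface (\S+)$", line)
        if m:
            cur = ifaces[m.group(1)] = {"nameif": None, "shutdown": False, "ip": None, "standby": None}
            continue
        if line == "!":
            cur = None
            continue
        if cur is not None:
            if line == "shutdown":
                cur["shutdown"] = True
            elif line.startswith("nameif "):
                cur["nameif"] = line.split()[1]
            else:
                m = re.match(r"^ip address (\S+) (\S+)(?: standby (\S+))?$", line)
                if m:
                    cur["ip"], cur["standby"] = m.group(1), m.group(3)
            continue
        m = re.match(r"^failover lan interface \S+ (\S+)$", line)
        if m:
            fo["lan_iface"] = m.group(1)
        elif line.startswith("failover interface ip "):
            fo["ip_line"] = line
        elif line.startswith("failover lan unit "):
            fo["unit"] = line.split()[-1]
    return ifaces, fo


def lint_pair(primary_cfg, secondary_cfg):
    """Return a list of finding strings; an empty list means all three checks passed."""
    findings = []
    parsed = {"primary": parse(primary_cfg), "secondary": parse(secondary_cfg)}
    # 1. The 'failover interface ip' line is written from the primary's point of view
    #    and must be identical on both units (the mistake in the thread).
    p_line, s_line = parsed["primary"][1]["ip_line"], parsed["secondary"][1]["ip_line"]
    if p_line != s_line:
        findings.append(f"failover interface ip mismatch: primary '{p_line}' vs secondary '{s_line}'")
    for role, (ifaces, fo) in parsed.items():
        # 2. The physical failover link must exist and must not be shut down.
        link = ifaces.get(fo["lan_iface"])
        if link is None:
            findings.append(f"{role}: failover lan interface {fo['lan_iface']} has no interface stanza")
        elif link["shutdown"]:
            findings.append(f"{role}: failover lan interface {fo['lan_iface']} is shutdown")
        # 3. A named interface with an address but no standby address is unreachable on the
        #    standby unit (it shows 0.0.0.0 and 'Normal (Waiting)' in 'show failover').
        for name, i in ifaces.items():
            if i["nameif"] and i["ip"] and not i["standby"]:
                findings.append(f"{role}: interface {name} ({i['nameif']}) has no standby address")
    return findings


if __name__ == "__main__":
    for finding in lint_pair(PRIMARY_CFG, SECONDARY_CFG) or ["no findings"]:
        print(finding)
```

Run against the constructed pair it reports the mismatched `failover interface ip` line and, on both units, the management interface's missing standby address; fixing the secondary's line as mcaissie describes clears the first finding but not the second, which is the remaining cause of the unreachable management address on ntasa02.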
