CISCO ASA 5505 Failover

I have followed the procedures in the Cisco documents to setup a failover pair (active/stand-by) of Cisco ASA 5505 (ASA5505-SEC-BUN-K9) but the failover does not initiate properly.

I have tried both straight and cross-over cables, have tried different interfaces (2 and 7) of the firewall and have ensured that the:

1) Software versions are the same 2) Identical Licences 3) # interfaces and types are the same 4) Flash memory and Ram are the same size.

Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 7.2(2) Device Manager Version 5.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders System image file is "disk0:/asa722-k8.bin" Config file at boot was "startup-config"

ProductionFW1 up 2 days 17 hours

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz Internal ATA Compact Flash, 128MB BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0) Boot microcode : CNlite-MC-Boot- Cisco-1.2 SSL/IKE microcode: CNlite-MC-IPSEC- Admin-3.03 IPSec microcode : CNlite-MC-IPSECm- MAIN-2.04 0: Int: Internal-Data0/0 : address is 001b.XX46.XX76, irq 11 1: Ext: Ethernet0/0 : address is 001b.XX46.XX6e, irq 255 2: Ext: Ethernet0/1 : address is 001b.XX46.XX6f, irq 255 3: Ext: Ethernet0/2 : address is 001b.XX46.XX70, irq 255 4: Ext: Ethernet0/3 : address is 001b.XX46.XX71, irq 255 5: Ext: Ethernet0/4 : address is 001b.XX46.XX72, irq 255 6: Ext: Ethernet0/5 : address is 001b.XX46.XX73, irq 255 7: Ext: Ethernet0/6 : address is 001b.XX46.XX74, irq 255 8: Ext: Ethernet0/7 : address is 001b.XX46.XX75, irq 255 9: Int: Internal-Data0/1 : address is 0000.0003.XX02, irq 255

10: Int: Not used : irq 255 11: Int: Not used : irq 255

Licensed features for this platform: Maximum Physical Interfaces : 8 VLANs : 20, DMZ Unrestricted Inside Hosts : Unlimited Failover : Active/Standby VPN-DES : Enabled VPN-3DES-AES : Enabled VPN Peers : 25 WebVPN Peers : 2 Dual ISPs : Enabled VLAN Trunk Ports : 8

This platform has an ASA 5505 Security Plus license.

Serial Number: XXXXXXXXX Running Activation Key: XXXXXXXX Configuration register is 0x1 Configuration last modified by enable_15 at 16:57:07.812 MST Fri Jul

20 2007

: Saved : Written by enable_15 at 10:11:09.541 MST Mon Jul 23 2007 ! ASA Version 7.2(2) ! hostname ProductionFW1 domain-name enable password XXXXXXXXX encrypted names ! interface Vlan1 nameif inside security-level 100 ip address XXX.XXX.XXX.1 standby XXX.XXX.XXX.2 ! interface Vlan2 nameif outside security-level 0 ip address XXX.XXX.XXX.162 standby XXX.XXX.XXX.163 ! interface Vlan100 description LAN Failover Interface management-only ! interface Ethernet0/0 switchport access vlan 2 speed 100 duplex full ! interface Ethernet0/1 speed 100 duplex full ! interface Ethernet0/2 switchport access vlan 100 speed 100 duplex full ! interface Ethernet0/3 shutdown ! interface Ethernet0/4 shutdown ! interface Ethernet0/5 shutdown ! interface Ethernet0/6 shutdown ! interface Ethernet0/7 shutdown ! passwd XXXXXXXXX encrypted ftp mode passive clock timezone MST -7 dns server-group DefaultDNS domain-name access-list outside_20_cryptomap extended permit ip XXX.XXX.XXX.0 XXX.XXX.XXX.0 access-list inside_nat0_outbound extended permit ip XXX.XXX.XXX.0 XXX.XXX.XXX.0 access-list inside_nat0_outbound extended permit ip XXX.XXX.XXX.0 host XXX.XXX.XXX.100 access-list inside_nat0_outbound extended permit ip XXX.XXX.XXX.0 XXX.XXX.XXX.0 access-list outside_40_cryptomap extended permit ip XXX.XXX.XXX.0 host XXX.XXX.XXX.100 access-list outside_60_cryptomap extended permit ip XXX.XXX.XXX.0 XXX.XXX.XXX.0 access-list 101 extended permit icmp any any time-exceeded access-list 101 extended permit icmp any any unreachable access-list 101 extended permit icmp any any source-quench access-list 101 extended permit icmp any any echo-reply pager lines 24 logging enable logging buffer-size 1048576 logging asdm-buffer-size 512 logging buffered debugging logging asdm informational logging ftp-bufferwrap logging ftp-server XXX.XXX.XXX.3 / manager XXXXXXXXXXX mtu inside 1500 mtu outside 1500 no failover failover lan unit primary failover lan interface PRTFailover Vlan100 failover interface ip PRTFailover standby monitor-interface inside monitor-interface outside icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-522.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 static (outside,inside) tcp XXX.XXX.XXX.1 www XXX.XXX.XXX.164 www netmask static (outside,inside) tcp XXX.XXX.XXX.2 https XXX.XXX.XXX.164 https netmask static (outside,inside) tcp XXX.XXX.XXX.3 https XXX.XXX.XXX.166 https netmask static (outside,inside) tcp XXX.XXX.XXX.4 ftp XXX.XXX.XXX.167 ftp netmask static (outside,inside) tcp XXX.XXX.XXX.5 XX99 XXX.XXX.XXX.168 XX99 netmask access-group 101 in interface outside route outside XXX.XXX.XXX.XXX 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip- disconnect 0:02:00 timeout uauth 0:05:00 absolute group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth disable group-lock none pfs enable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none client-firewall none client-access-rule none webvpn functions url-entry html-content-filter none homepage none keep-alive-ignore 4 http-comp gzip filter none url-list none customization value DfltCustomization port-forward none port-forward-name value Application Access sso-server none deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information svc none svc keep-installer installed svc keepalive none svc rekey time none svc rekey method none svc dpd-interval client none svc dpd-interval gateway none svc compression deflate http server enable http XXX.XXX.XXX.0 inside http XXX.XXX.XXX.0 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto map outside_map 20 match address outside_20_cryptomap crypto map outside_map 20 set pfs crypto map outside_map 20 set peer XXX.XXX.XXX.166 crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map 20 set reverse-route crypto map outside_map 40 match address outside_40_cryptomap crypto map outside_map 40 set pfs crypto map outside_map 40 set peer XXX.XXX.XXX.247 crypto map outside_map 40 set transform-set ESP-3DES-MD5 crypto map outside_map 40 set reverse-route crypto map outside_map 60 match address outside_60_cryptomap crypto map outside_map 60 set pfs crypto map outside_map 60 set peer XXX.XXX.XXX.67 crypto map outside_map 60 set transform-set ESP-3DES-MD5 crypto map outside_map 60 set reverse-route crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 28800 crypto isakmp nat-traversal 20 crypto isakmp ipsec-over-tcp port 10000 tunnel-group XXX.XXX.XXX.166 type ipsec-l2l tunnel-group XXX.XXX.XXX.166 ipsec-attributes pre-shared-key XXXXXXXXXXXXXX tunnel-group XXX.XXX.XXX.247 type ipsec-l2l tunnel-group XXX.XXX.XXX.247 ipsec-attributes pre-shared-key XXXXXXXXXXXXXX isakmp keepalive disable tunnel-group XXX.XXX.XXX.67 type ipsec-l2l tunnel-group XXX.XXX.XXX.67 ipsec-attributes pre-shared-key XXXXXXXXXXXXXX isakmp keepalive disable telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd auto_config outside ! dhcpd address XXX.XXX.XXX.1-XXX.XXX.XXX.254 inside dhcpd dns XXX.XXX.XXX.2 XXX.XXX.XXX.5 interface inside dhcpd lease 86400 interface inside dhcpd domain interface inside dhcpd enable inside !

! ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 ! prompt hostname context Cryptochecksum:7dcbee5ed02e904b13d33f00a488aa28 : end

Reply to
Loading thread data ...

I am just guessing here, but the above portion of the config has 'No failover' defined. I would guess that is the problem.

Reply to
Chad Mahoney

I disabled the failover as it was not working and seemed to destabilize the primary firewall. When it is enabled it returns a message indicating that It cannot find the secondary firewall eventhough it can ping it. After that the secondary firewall shows up as unknown in the Show Failover. I will post more information when I get back to the remote location to plug in the secondary FW and retry the failover setup. I am just waiting on parts for other parts of my network.


Reply to

Try removing the "management-only" on your failover vlan. Also, you cannot use a cross-over for the failover interface, you will need a switch.


Reply to

The 'No Failover' is there to disable the failover as it was causing stability issues with the primary firewall.

When the failover is enabled, the primary firewall cannot connect to the secondary firewall, but if I ping the secondary firewall I get a response. I can post more information, but would need to go to my off site location and plug in the secondary FW and start the failover again.


Reply to

You can use a crossover cable between the configured failover ports on the ASA devices.

Here is a working configuration:

failover failover lan unit primary failover lan interface Failover GigabitEthernet0/2 failover link Failover GigabitEthernet0/2 failover interface ip Failover standby monitor-interface DMZ monitor-interface LAN monitor-interface INET

Pick a physical interface for your failover, not a VLAN. After this configuration, the failover interface config will look similar to this:

interface GigabitEthernet0/2 description LAN/STATE Failover Interface

A "show failover" command will demonstrate how the failover is functioning. Do not forget to alter the second line of the provided configuration for the secondary firewall.

Reply to
Scott Perry

Thanks for the information. I have some more solutions to try today. I re-read the documentation that CISCO has supplied and came up with the following exerpts (Cisco Systems, 2006. Cisco Security Appliance Command Line Configuration Guide, For the Cisco ASA 5500 Series and Cisco PIX 500 Series, Software Version 7.2(2). Cisco Systems, Inc. San Jose, CA,

formatting link
Text Part Number OL-10088-02.)

Page 14-4 States that you can use a cross-over cable You can use any unused Ethernet interface on the device as the failover link. You cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it exists only for failover communication. This interface should only be used for the failover link (and optionally for the Stateful Failover link). You can connect the LAN-based failover link by using a dedicated switch with no hosts or routers on the link or by using a crossover Ethernet cable to link the units directly.

Page 14-22 States that I should be using a VLAN Step 4 Define the failover interface: a. Specify the interface to be used as the failover interface: hostname(config)# failover lan interface if_name phy_if

The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if specifies a VLAN.

On Page 14-7 There is another note that caught my eye yesterday:

If the secondary unit boots without detecting the primary unit, it becomes the active unit. It uses its own MAC addresses for the active IP addresses. However, when the primary unit becomes available, the secondary unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network traffic. To avoid this, configure the failover pair with virtual MAC addresses. See the "Configuring Virtual MAC Addresses" section on page 14-25 for more information.

As I had not done this would it have caused the network to become unstable?

Reply to

Just to update this. I tried again with the MAC address information but it did not work.

I ended up setting the seconday back to the factory default settings (config factory-default) and removed the dchpd and dchpd pool addresses. I then uploaded the configuration from the primary firewall via tftp. I set the failover to be secondary (failover lan unit secondary).

After hooking up the two firewalls the failover now works!!

Thanks for every> Thanks for the information. I have some more solutions to try today.

Reply to
Wade B Gieni Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.