I have followed the procedures in the Cisco documents to set up a failover pair (active/standby) of Cisco ASA 5505 (ASA5505-SEC-BUN-K9), but the failover does not initiate properly.
I have tried both straight and cross-over cables, have tried different interfaces (2 and 7) of the firewall, and have ensured that the:
1) Software versions are the same
2) Identical Licences
3) # interfaces and types are the same
4) Flash memory and RAM are the same size.

Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"

ProductionFW1 up 2 days 17 hours

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
 Boot microcode : CNlite-MC-Boot-Cisco-1.2
 SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

 0: Int: Internal-Data0/0 : address is 001b.XX46.XX76, irq 11
 1: Ext: Ethernet0/0 : address is 001b.XX46.XX6e, irq 255
 2: Ext: Ethernet0/1 : address is 001b.XX46.XX6f, irq 255
 3: Ext: Ethernet0/2 : address is 001b.XX46.XX70, irq 255
 4: Ext: Ethernet0/3 : address is 001b.XX46.XX71, irq 255
 5: Ext: Ethernet0/4 : address is 001b.XX46.XX72, irq 255
 6: Ext: Ethernet0/5 : address is 001b.XX46.XX73, irq 255
 7: Ext: Ethernet0/6 : address is 001b.XX46.XX74, irq 255
 8: Ext: Ethernet0/7 : address is 001b.XX46.XX75, irq 255
 9: Int: Internal-Data0/1 : address is 0000.0003.XX02, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8

This platform has an ASA 5505 Security Plus license.

Serial Number: XXXXXXXXX
Running Activation Key: XXXXXXXX
Configuration register is 0x1
Configuration last modified by enable_15 at 16:57:07.812 MST Fri Jul 20 2007

: Saved
: Written by enable_15 at 10:11:09.541 MST Mon Jul 23 2007
!
ASA Version 7.2(2)
!
hostname ProductionFW1
domain-name plume-rt.com
enable password XXXXXXXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address XXX.XXX.XXX.1 255.255.224.0 standby XXX.XXX.XXX.2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.162 255.255.255.240 standby XXX.XXX.XXX.163
!
interface Vlan100
 description LAN Failover Interface
 management-only
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport access vlan 100
 speed 100
 duplex full
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd XXXXXXXXX encrypted
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
 domain-name plume-rt.com
access-list outside_20_cryptomap extended permit ip XXX.XXX.XXX.0 255.255.224.0 XXX.XXX.XXX.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip XXX.XXX.XXX.0 255.255.224.0 XXX.XXX.XXX.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip XXX.XXX.XXX.0 255.255.224.0 host XXX.XXX.XXX.100
access-list inside_nat0_outbound extended permit ip XXX.XXX.XXX.0 255.255.224.0 XXX.XXX.XXX.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip XXX.XXX.XXX.0 255.255.224.0 host XXX.XXX.XXX.100
access-list outside_60_cryptomap extended permit ip XXX.XXX.XXX.0 255.255.224.0 XXX.XXX.XXX.0 255.255.255.0
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any echo-reply
pager lines 24
logging enable
logging buffer-size 1048576
logging asdm-buffer-size 512
logging buffered debugging
logging asdm informational
logging ftp-bufferwrap
logging ftp-server XXX.XXX.XXX.3 / manager XXXXXXXXXXX
mtu inside 1500
mtu outside 1500
no failover
failover lan unit primary
failover lan interface PRTFailover Vlan100
failover interface ip PRTFailover 192.168.254.1 255.255.255.0 standby 192.168.254.2
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp XXX.XXX.XXX.1 www XXX.XXX.XXX.164 www netmask 255.255.255.255
static (outside,inside) tcp XXX.XXX.XXX.2 https XXX.XXX.XXX.164 https netmask 255.255.255.255
static (outside,inside) tcp XXX.XXX.XXX.3 https XXX.XXX.XXX.166 https netmask 255.255.255.255
static (outside,inside) tcp XXX.XXX.XXX.4 ftp XXX.XXX.XXX.167 ftp netmask 255.255.255.255
static (outside,inside) tcp XXX.XXX.XXX.5 XX99 XXX.XXX.XXX.168 XX99 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
http server enable
http XXX.XXX.XXX.0 255.255.224.0 inside
http XXX.XXX.XXX.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer XXX.XXX.XXX.166
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set reverse-route
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer XXX.XXX.XXX.247
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set reverse-route
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set pfs
crypto map outside_map 60 set peer XXX.XXX.XXX.67
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 60 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group XXX.XXX.XXX.166 type ipsec-l2l
tunnel-group XXX.XXX.XXX.166 ipsec-attributes
 pre-shared-key XXXXXXXXXXXXXX
tunnel-group XXX.XXX.XXX.247 type ipsec-l2l
tunnel-group XXX.XXX.XXX.247 ipsec-attributes
 pre-shared-key XXXXXXXXXXXXXX
 isakmp keepalive disable
tunnel-group XXX.XXX.XXX.67 type ipsec-l2l
tunnel-group XXX.XXX.XXX.67 ipsec-attributes
 pre-shared-key XXXXXXXXXXXXXX
 isakmp keepalive disable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address XXX.XXX.XXX.1-XXX.XXX.XXX.254 inside
dhcpd dns XXX.XXX.XXX.2 XXX.XXX.XXX.5 interface inside
dhcpd lease 86400 interface inside
dhcpd domain plume-rt.com interface inside
dhcpd enable inside
!
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:7dcbee5ed02e904b13d33f00a488aa28
: end
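As an added example, not part of the post above, here is a small Python checker that parses an ASA 7.x running-config in the layout shown and flags the LAN-based Active/Standby failover prerequisites a practitioner would verify before swapping cables again: a bare "failover" line rather than "no failover", a "failover lan interface" with a matching "failover interface ip ... standby" line, and a standby address on every "monitor-interface". The sample config is constructed with placeholder addresses, not the poster's.

```python
# Constructed sample shaped like the posted config; addresses are placeholders, not the poster's.
SAMPLE = """\
interface Vlan1
 nameif inside
 ip address 10.1.0.1 255.255.224.0 standby 10.1.0.2
interface Vlan2
 nameif outside
 ip address 192.0.2.162 255.255.255.240 standby 192.0.2.163
interface Vlan100
no failover
failover lan unit primary
failover lan interface PRTFailover Vlan100
failover interface ip PRTFailover 192.168.254.1 255.255.255.0 standby 192.168.254.2
monitor-interface inside
monitor-interface outside
"""

def parse_interfaces(cfg):
    """Map each 'interface X' block to its nameif and whether its ip address line has a standby peer."""
    ifaces, cur = {}, None
    for s in (l.strip() for l in cfg.splitlines()):
        if s.startswith("interface "):
            cur = s.split(None, 1)[1]
            ifaces[cur] = {"nameif": None, "standby": False}
        elif s == "!":
            cur = None                      # '!' closes an interface block in ASA output
        elif cur and s.startswith("nameif "):
            ifaces[cur]["nameif"] = s.split()[1]
        elif cur and s.startswith("ip address ") and " standby " in s:
            ifaces[cur]["standby"] = True
    return ifaces

def check_failover(cfg):
    """Return findings for an Active/Standby LAN-based failover config; an empty list means consistent."""
    lines = [l.strip() for l in cfg.splitlines()]
    ifaces, findings = parse_interfaces(cfg), []
    if "no failover" in lines or "failover" not in lines:
        findings.append("failover disabled: config needs a bare 'failover' line, not 'no failover'")
    lan = [l.split() for l in lines if l.startswith("failover lan interface ") and len(l.split()) == 5]
    if not lan:
        findings.append("missing 'failover lan interface <name> <interface>'")
    else:
        name = lan[0][3]                    # logical name, e.g. PRTFailover
        if not any(l.startswith(f"failover interface ip {name} ") and " standby " in l for l in lines):
            findings.append(f"missing 'failover interface ip {name} <ip> <mask> standby <ip>'")
    by_nameif = {v["nameif"]: v for v in ifaces.values() if v["nameif"]}
    for n in (l.split()[1] for l in lines if l.startswith("monitor-interface ")):
        if n not in by_nameif or not by_nameif[n]["standby"]:
            findings.append(f"monitor-interface {n}: no such nameif or no standby ip address")
    return findings
```

Run against the sample it reports only the "no failover" line; replacing that line with "failover" yields no findings.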