Which cable for ASA failover?

Posted by John Oliver on May 25, 2007, 2:26 pm
I've configured my two ASA 5510s for failover. But it just won't start
to work. I cannot ping the failover interface for the other ASA from
either one. I've tried connecting the failover ports with
straight-through as well as crossover cables. At no time have I been
able to get the slightest sign of any connectivity over the failover
ports. I can ping all other IPs from each ASA... each one can ping the
inside, outside, and management interface of the other.

Is this another special Cisco-only cable? Special pinout? Some further
config that's necessary? The TAC isn't of much use... they say my
config is fine and that I need to "ensure physical connectivity", but go
mute when I ask them precisely how I should do that ;-)

--
* John Oliver http://www.john-oliver.net/ *

Posted by mcaissie on May 25, 2007, 2:54 pm
You don't need a special cable.

I think ASA supports both the straight-through and the crossover, but the
crossover for sure.

Can you post the failover config of both units?

And be sure your interfaces are not shutdown.





Posted by John Oliver on May 25, 2007, 3:39 pm
On Fri, 25 May 2007 18:54:32 GMT, mcaissie wrote:
> You don't need a special cable.
>
> I think ASA supports both the straight-through and the crossover, but the
> crossover for sure.
>
> Can you post the failover config of both units?
>
> And be sure your interfaces are not shutdown.

ntasa01# sh conf
: Saved
: Written by enable_15 at 09:08:16.980 PDT Thu May 24 2007
!
ASA Version 7.0(6)
!
hostname ntasa01
enable password **************** encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 168.143.121.4 255.255.255.0 standby 168.143.121.5
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.15.30.1 255.255.255.0 standby 10.15.30.2
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 10.12.14.253 255.255.255.0
management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 1:59 1 Sun Nov 3:00
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 10.15.30.0 255.255.255.0
static (inside,outside) 10.15.30.193 168.143.121.193 netmask 255.255.255.255
static (inside,outside) 10.15.30.194 168.143.121.194 netmask 255.255.255.255
route management 192.168.2.0 255.255.255.0 10.12.14.254 1
route outside 0.0.0.0 0.0.0.0 168.143.121.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username ***** password **************** encrypted privilege 15
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.12.14.2 255.255.255.255 management
http 192.168.2.192 255.255.255.255 management
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.2.192 255.255.255.255 management
telnet 10.12.14.2 255.255.255.255 management
telnet timeout 15
ssh timeout 15
console timeout 0
ntp server 192.168.2.2
Cryptochecksum:801337793f18d2af0c0105f054a6e8f0



ntasa02# sh conf
: Saved
: Written by enable_15 at 07:43:15.088 PDT Thu May 24 2007
!
ASA Version 7.0(6)
!
hostname ntasa02
enable password **************** encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 168.143.121.5 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.15.30.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 10.12.14.252 255.255.255.0
management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 1:59 1 Sun Nov 3:00
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
route management 192.168.2.0 255.255.255.0 10.12.14.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username ***** password **************** encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.192 255.255.255.255 management
http 10.12.14.2 255.255.255.255 management
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.2.192 255.255.255.255 management
telnet 10.12.14.2 255.255.255.255 management
telnet timeout 15
ssh timeout 15
console timeout 0
ntp server 192.168.2.2
Cryptochecksum:ab8d7fc833b79bd4bcb69bfe67d4fe1b

--
* John Oliver http://www.john-oliver.net/ *

Posted by mcaissie on May 25, 2007, 4:02 pm
This line must be the same on both units. The first IP is for the primary
and the other for the secondary.

> failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2

> failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1


So you have to change it on the secondary to
> failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2





Posted by John Oliver on May 25, 2007, 4:29 pm
On Fri, 25 May 2007 20:02:53 GMT, mcaissie wrote:
> This line must be the same on both units. The first IP is for the primary
> and the other for the secondary.
>
>> failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2
>
>> failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1
>
>
> So you have to change it on the secondary to
>> failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2

OK, I did that. Now, I see:

ntasa01# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.0(6), Mate 7.0(6)
Last Failover at: 07:57:39 PDT May 24 2007
This host: Primary - Active
Active time: 255225 (sec)
slot 0: ASA5510 hw/sw rev (2.0/7.0(6)) status (Up Sys)
slot 1: empty
Interface management (10.12.14.253): Normal (Waiting)
Interface outside (168.143.121.4): Normal
Interface inside (10.15.30.1): Normal
Other host: Secondary - Standby Ready
Active time: 81899 (sec)
slot 0: ASA5510 hw/sw rev (2.0/7.0(6)) status (Up Sys)
slot 1: empty
Interface management (0.0.0.0): Normal (Waiting)
Interface outside (168.143.121.5): Normal
Interface inside (10.15.30.2): Normal

Stateful Failover Logical Update Statistics
Link : failover Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 22 0 16 0
sys cmd 16 0 16 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 6 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 16
Xmit Q: 0 2 150


But:

ntasa01# sh failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
Sync Done
====Communication State===
Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
Comm Failure


And I can no longer ping or telnet to the management interface on the
secondary unit ntasa02. I can ping e0/0 and e0/1 on it, so it isn't
dead.

Thanks for getting me on the right track... you're more useful than
Cisco! :-)

--
* John Oliver http://www.john-oliver.net/ *
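
An offline check for the two conditions visible in this thread, added here as an example and not part of any poster's message: the `failover interface ip` line differing between the units, and a named interface on the primary with no `standby` address (the `show failover` output above lists the standby unit's management interface as 0.0.0.0). The function names are hypothetical and the sample strings are constructed from the failover-relevant lines of the posted configs.

```python
import re

# Constructed sample: failover-relevant lines from the two configs posted in
# this thread, with wrapped lines re-joined; everything else is omitted.
PRIMARY = """\
interface Ethernet0/0
 nameif outside
 ip address 168.143.121.4 255.255.255.0 standby 168.143.121.5
interface Management0/0
 nameif management
 ip address 10.12.14.253 255.255.255.0
failover lan unit primary
failover lan interface failover Ethernet0/3
failover interface ip failover 172.16.2.1 255.255.255.252 standby 172.16.2.2
"""
SECONDARY = """\
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover interface ip failover 172.16.2.2 255.255.255.252 standby 172.16.2.1
"""

def failover_lines(cfg, prefix):
    """Return the config lines that start with the given command prefix."""
    return [l.strip() for l in cfg.splitlines() if l.strip().startswith(prefix)]

def missing_standby(cfg):
    """Names of interfaces that have an IP address but no standby address."""
    missing, name = [], None
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None                      # new interface block begins
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif re.match(r"ip address \S+ \S+$", line) and name:
            missing.append(name)             # address and mask only, no standby
    return missing

def check_pair(primary, secondary):
    """Compare two units' failover settings; return a list of findings."""
    findings = []
    roles = [failover_lines(c, "failover lan unit") for c in (primary, secondary)]
    if roles != [["failover lan unit primary"], ["failover lan unit secondary"]]:
        findings.append("unit roles must be primary and secondary")
    for cmd in ("failover lan interface", "failover interface ip"):
        if failover_lines(primary, cmd) != failover_lines(secondary, cmd):
            findings.append(f"'{cmd}' differs between units")
    findings += [f"interface '{n}' has no standby address"
                 for n in missing_standby(primary)]
    return findings
```

Running `check_pair(PRIMARY, SECONDARY)` on saved copies of both configs before cabling the pair reports the mismatched line from the original post; after the secondary is corrected, only the management interface finding remains.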
