Differences between revisions 62 and 63

Revision 62 as of 2016-04-05 08:12:14 (size 19493, editor jksmith4)
Revision 63 as of 2016-04-05 08:15:18 (size 19100, editor jksmith4)
Troubleshoot

%ASA-5-720012: (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit (or) %ASA-6-720012: (VPN-unit) Failed to update IPsec failover runtime data on the standby unit

Problem

One of these error messages appears when you try to upgrade the Cisco Adaptive Security Appliance (ASA):

  %ASA-5-720012: (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit.
  %ASA-6-720012: (VPN-unit) Failed to update IPsec failover runtime data on the standby unit.

Solution

These error messages are informative errors. The messages do not impact functionality of the ASA or the VPN. These messages appear when the VPN failover subsystem cannot update IPsec-related runtime data because the corresponding IPsec tunnel has been deleted on the standby unit. In order to resolve these, run the wr standby command on the active unit.

Configuring the primary and secondary units:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html
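The 720012 pair above is harmless during an upgrade but looks alarming in a SIEM, so it is worth encoding the page's verdict and remediation where the logs are triaged. The Python below is an added example, not code from this page or from Cisco: it parses ASA syslog lines, marks message id 720012 as informational with the page's remediation attached, and routes everything else to review or escalation by severity. The log lines are constructed; the hostnames, timestamps and the 302013 connection message are made up filler, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample log lines. The three 720012 lines carry the message text
# quoted on the page; timestamps, hostnames and the remaining lines are made up.
SAMPLE_LOG = """\
Apr 05 08:12:14 asa-primary %ASA-5-720012: (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit.
Apr 05 08:12:14 asa-primary %ASA-6-720012: (VPN-unit) Failed to update IPsec failover runtime data on the standby unit.
Apr 05 08:12:15 asa-primary %ASA-6-720012: (VPN-unit) Failed to update IPsec failover runtime data on the standby unit.
Apr 05 08:12:20 asa-primary %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.168.1.10/443 (198.51.100.2/443)
Apr 05 08:12:21 asa-primary this line is not an ASA syslog message
"""

# %ASA-<severity>-<six-digit id>: optional "(unit)" tag, then the message text.
SYSLOG_RE = re.compile(
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?:\((?P<unit>[^)]+)\)\s*)?(?P<text>.*)")

# Message ids the page documents as informational, with the remediation it gives.
KNOWN_INFORMATIONAL = {
    "720012": "VPN failover subsystem could not update IPsec runtime data because the "
              "tunnel was already deleted on the standby; no functional impact. "
              "Run 'wr standby' on the active unit.",
}


def parse_syslog_line(line):
    """Split an ASA syslog line into severity, message id, unit tag and text."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def classify(rec):
    """Decide what to do with one parsed record: (action, reason)."""
    if rec["id"] in KNOWN_INFORMATIONAL:
        return "informational", KNOWN_INFORMATIONAL[rec["id"]]
    if rec["sev"] <= 2:            # emergency, alert, critical: always look
        return "escalate", "high severity and not on the known-informational list"
    return "review", "not on the known-informational list"


def triage_log(text):
    """Return counts per action and (id, unit, action) tuples for parsed lines."""
    counts = Counter()
    records = []
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        action, _reason = classify(rec)
        counts[action] += 1
        records.append((rec["id"], rec["unit"], action))
    return dict(counts), records
```

Keeping the known-informational table small and explicit is deliberate: a message id is only added to it when a documented source (as this page does for 720012) states that the message has no functional impact and what to do about it.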
Step 1:

COMMAND:

  ip address active_addr netmask standby standby_addr
  ipv6 address {autoconfig | ipv6-prefix/prefix-length
PURPOSE:

  Configures the active and standby IP addresses for each data interface (routed mode), for the management IP address (transparent mode), or for the management-only interface.

  In routed firewall mode and for the management-only interface, enter this command in interface configuration mode for each interface. In transparent firewall mode, enter the command in global configuration mode. In multiple context mode, configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context.

  You must enter a management IP address for each context in transparent firewall multiple context mode.

  Each data interface can have an IPv4 address and one or more IPv6 addresses. For IPv6 addresses that use the eui-64 option, you do not need to specify a standby address; one will be created automatically.

Step 2:

COMMAND:

  failover lan unit primary

PURPOSE:

  Designates the unit as the primary unit.

Step 3:

COMMAND:

  failover lan interface if_name phy_if

  Example: hostname(config)# failover lan interface folink GigabitEthernet0/3

PURPOSE:

  Specifies the interface to be used as the failover interface. The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASA 5505, the phy_if specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the Stateful Failover link).

Step 4:

COMMAND:

  failover interface ip if_name [ip_address mask standby ip_address | ipv6_address/prefix standby ipv6_address]

  Example: hostname(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

  hostname(config)# failover interface ip folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71

PURPOSE:

  Assigns the active and standby IP addresses to the failover link. You can assign either an IPv4 or an IPv6 address to the interface. You cannot assign both types of addresses to the failover link. The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask. The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.

Step 5:

COMMAND:

  interface phy_if

  Example: hostname(config)# interface vlan100
  hostname(config-if)# no shutdown

PURPOSE:

  Enables the interface.

Step 6:

COMMAND:

  failover link if_name phy_if

  Example: hostname(config)# failover link statelink GigabitEthernet0/2

PURPOSE:

  (Optional) Specifies the interface to be used as the Stateful Failover link. Note: If the Stateful Failover link uses the failover link or a data interface, then you only need to supply the if_name argument. The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except, optionally, the failover link).

Step 7:

COMMAND:

  failover interface ip if_name [ip_address mask standby ip_address | ipv6_address/prefix standby ipv6_address]

  Example: hostname(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

PURPOSE:

  Note: If the Stateful Failover link uses the failover link or a data interface, skip this step. You have already defined the active and standby IP addresses for the interface. The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

Step 8:

COMMAND:

  interface phy_if
  no shutdown

  Example: hostname(config)# interface vlan100
  hostname(config-if)# no shutdown

PURPOSE:

  (Optional) Enables the interface. If the Stateful Failover link uses the failover link or a data interface, skip this step. You have already enabled the interface.

Step 9:

COMMAND:

  failover

  Example: hostname(config)# failover

PURPOSE:

  Enables failover.

Step 10:

COMMAND:

  copy running-config startup-config

  Example: hostname(config)# copy running-config startup-config

PURPOSE:

  Saves the system configuration to Flash memory.

Configuring the Secondary Unit

The only configuration required on the secondary unit is for the failover interface. The secondary unit requires these commands to communicate initially with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary.

Prerequisites

When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.
  To receive packets from both units in a failover pair, standby IP addresses need to be configured on all interfaces. Note: Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit (including the same IP address).

  (Optional) Designates this unit as the secondary unit. Note: This step is optional because, by default, units are designated as secondary unless previously configured.

  Enables failover: After you enable failover, the active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages "Beginning configuration replication: Sending to mate" and "End Configuration Replication to mate" appear on the active unit console.
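Steps 1 through 10 above give both the command sequence and the constraints on the failover link addresses: one address family only, the standby address in the active address's subnet, no mask on the standby, and Steps 7 and 8 skipped when the Stateful Failover link shares the failover link. The Python below is an added example, not code from this page or from Cisco: it validates a proposed failover link pair with the standard ipaddress module and emits the Step 2 to Step 10 command list for the primary unit. The interface names and the IPv4/IPv6 values are the page's own examples; the addresses for a dedicated state link are constructed (the page's Step 7 example reuses folink's), and the function names and the cfg keys are my own.

```python
import ipaddress

# Values from the page's Step 3/4/6 examples. The state link addresses are
# constructed, since the page's Step 7 example reuses the folink addresses.
EXAMPLE_CFG = {
    "fo_name": "folink", "fo_phy": "GigabitEthernet0/3",
    "fo_active": "172.27.48.1 255.255.255.0", "fo_standby": "172.27.48.2",
    "state_name": "statelink", "state_phy": "GigabitEthernet0/2",
    "state_active": "172.27.49.1 255.255.255.0", "state_standby": "172.27.49.2",
}


def parse_failover_ip(active, standby):
    """Parse the address arguments of 'failover interface ip'.
    IPv4 form: active 'addr mask', standby 'addr'; IPv6 form: active 'addr/prefix'."""
    parts = active.split()
    spec = f"{parts[0]}/{parts[1]}" if len(parts) == 2 else active
    return ipaddress.ip_interface(spec), ipaddress.ip_address(standby)


def validate_failover_link(active, standby):
    """Return the Step 4 constraints the pair violates (empty list means OK)."""
    try:
        iface, sb = parse_failover_ip(active, standby)
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    if iface.version != sb.version:
        return ["active and standby must be the same address family"]
    problems = []
    if sb not in iface.network:
        problems.append(f"standby {sb} is not in the active subnet {iface.network}")
    if sb == iface.ip:
        problems.append("standby must differ from the active address")
    return problems


def primary_unit_commands(cfg):
    """Emit the Step 2..10 sequence for the primary unit, applying the page's
    skip rules when the Stateful Failover link shares the failover link."""
    problems = validate_failover_link(cfg["fo_active"], cfg["fo_standby"])
    if problems:
        raise ValueError("failover link: " + "; ".join(problems))
    cmds = [
        "failover lan unit primary",                                          # Step 2
        f"failover lan interface {cfg['fo_name']} {cfg['fo_phy']}",           # Step 3
        f"failover interface ip {cfg['fo_name']} {cfg['fo_active']} "
        f"standby {cfg['fo_standby']}",                                       # Step 4
        f"interface {cfg['fo_phy']}", " no shutdown",                         # Step 5
    ]
    if cfg.get("state_name"):
        if cfg.get("state_phy") and cfg["state_phy"] != cfg["fo_phy"]:
            # Dedicated state link: Steps 6, 7 and 8 all apply.
            problems = validate_failover_link(cfg["state_active"], cfg["state_standby"])
            if problems:
                raise ValueError("state link: " + "; ".join(problems))
            cmds += [
                f"failover link {cfg['state_name']} {cfg['state_phy']}",      # Step 6
                f"failover interface ip {cfg['state_name']} {cfg['state_active']} "
                f"standby {cfg['state_standby']}",                            # Step 7
                f"interface {cfg['state_phy']}", " no shutdown",              # Step 8
            ]
        else:
            # State link shares the failover link: Step 6 takes the failover
            # link's if_name only; Steps 7 and 8 are skipped.
            cmds.append(f"failover link {cfg['fo_name']}")
    cmds += ["failover", "copy running-config startup-config"]                # Steps 9, 10
    return cmds
```

Validating before emitting matters because the failover link is the one interface the two units must agree on before configuration replication can start; a standby address outside the active subnet is caught here rather than discovered as a pair that never synchronizes.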

Perform Zero-Downtime Upgrades for Failover Pairs

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111867-asa-failover-upgrade.html#zerotime

Phase 1 Staging:

1. After logging into the firewall, enter privileged EXEC mode.

  1. Firewall>enable

  2. Copy the Cisco IOS image off the device: firewall#copy flash:{your IOS image filename} tftp://{TFTP server IP address}

2. Do the following to verify a Cisco IOS image hash. Cisco IOS Software Releases 12.2(4) and 12.0(22)S allow the calculation of the MD5 hash of the Cisco image file that is loaded on the device. The hash can be compared against the hash computed by the user and then against the Cisco-provided MD5 hash to confirm the image integrity.

  1. verify /md5 filesystem:filename [md5-hash]

  Ex. firewall#verify /md5 disk0:c7301-jk9s-mz.124-10.bin

    ....<output truncated>.....Done!
    verify /md5 (disk0:c7301-jk9s-mz.124-10.bin) = ad9f9c902fa34b90de8365c3a5039a5b
    router#
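The verify /md5 step compares three digests: the one the device computes over the loaded image, the one you compute over your own copy, and the one Cisco publishes. The Python below is an added example, not code from this page or from any Cisco tool: it parses the verify /md5 result line quoted above (including the case where the prompt is printed straight after the digest, as it is on this page), hashes a constructed byte string that stands in for the image, and compares the three values. The image bytes, the device output built for testing and the vendor digest value are all assumptions, as are the function names.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the image bytes pulled off the device with
# "copy flash: tftp:"; not a real Cisco image.
SAMPLE_IMAGE = b"CONSTRUCTED-IMAGE-BYTES-" * 4096

# The page's verify /md5 output, with the prompt that was printed directly
# after the digest ("...a5brouter#") left exactly as shown.
PAGE_VERIFY_OUTPUT = (
    "....<output truncated>.....Done!\n"
    "verify /md5 (disk0:c7301-jk9s-mz.124-10.bin) = ad9f9c902fa34b90de8365c3a5039a5brouter#"
)

# An MD5 digest is exactly 32 hex digits, so a prompt glued onto it is not captured.
VERIFY_LINE = re.compile(
    r"verify /md5 \((?P<file>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def parse_verify_output(text):
    """Return {'file', 'digest'} from verify /md5 output; ValueError if absent."""
    m = VERIFY_LINE.search(text)
    if not m:
        raise ValueError("no 'verify /md5' result line in output")
    return {"file": m.group("file"), "digest": m.group("digest").lower()}


def digests_match(a, b):
    # Case-insensitive, constant-time comparison of two hex digests.
    return hmac.compare_digest(a.lower(), b.lower())


def check_image(local_bytes, device_output, vendor_md5):
    """Three-way check: local copy vs. what the device hashed vs. the vendor's value."""
    local = md5_hex(local_bytes)
    device = parse_verify_output(device_output)["digest"]
    local_ok = digests_match(local, device)
    vendor_ok = digests_match(device, vendor_md5)
    return {"local": local, "device": device,
            "local_matches_device": local_ok,
            "device_matches_vendor": vendor_ok,
            "ok": local_ok and vendor_ok}


def device_output_for(data):
    """Constructed verify /md5 output for a given byte string (test helper)."""
    return ("....<output truncated>.....Done!\n"
            "verify /md5 (disk0:test.bin) = " + md5_hex(data) + "\nrouter#")
```

MD5 is what these IOS releases offer. Where the vendor also publishes a stronger digest for the same image, compare that too; the same code applies with hashlib.sha512 and a 128-hex-digit pattern in VERIFY_LINE.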

Phase 2 Backups:

The following commands are useful for viewing the details of the ARP table.

  1. Show Commands

    a. #show arp summary
       Ideal for showing granular details of the ARP table contents. This command shows the number of static entries, the total number of dynamic entries, and the total number of entries in the ARP resolution table, not including the entries of the CSS management port.

    b. #show arp
       Displays which IP addresses are resolved to which MAC addresses.

    c. #show connection detail
       Displays all of the flag issues of the device.

    d. #show xlate
       Displays details regarding the translation slots.

    e. #show route
       Displays the routing table.

    f. #show slot0
       Shows the contents of slot 0, which is helpful for determining the location of a stored file.

  2. Configuration Backup

    a. # copy file_name destination is used to copy files.
       "File_name" is the software image name.
       "Destination" may be bootflash:, disk0:, disk1:, slot0:, or tftp:

    b. Ex. copy tftp://172.18.0.154/asa912-k8.bin will download the new code from that IP address.
       1. verify /md5 filesystem:filename [md5-hash] will verify the hash of the new code
       2. Upload a new image to the device
          a. #copy tftp: running-config
          b. Address or name of remote host 192.168.1.1 (IP of the device being updated)

Phase 3 Upgrade Two Units in an Active/Standby Failover Configuration:

  1. The standby unit can be reloaded to boot to the new image by using the following command: #failover reload-standby

  2. After the device is in the Ready state, the active unit needs to fail over to the standby unit by entering: #no failover active

  3. Use the following to confirm the standby unit is in the Standby Ready state:

#show failover

Failover On
Failover unit Primary
Failover LAN Interface: fover Vlan150 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(0)55, Mate 7.2(0)55
Last Failover at: 19:59:58 PST Apr 6 2006
        This host: Primary - Active
                Active time: 34 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/7.2(0)55) status (Up Sys)
                  Interface inside (192.168.1.1): Normal
                  Interface outside (192.168.2.201): Normal
                  Interface dmz (172.16.0.1): Normal
                  Interface test (172.23.62.138): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/7.2(0)55) status (Up Sys)
                  Interface inside (192.168.1.2): Normal
                  Interface outside (192.168.2.211): Normal
                  Interface dmz (172.16.0.2): Normal
                  Interface test (172.23.62.137): Normal
                slot 1: empty
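Step 3 above, and the note in the Active/Active procedure further down, both come down to reading show failover by eye for "Standby Ready" and "Normal" before the next failover command is typed. The Python below is an added example, not code from this page or from Cisco: it parses the show failover output quoted above, with its line-per-field layout restored, into a go/no-go decision. The sample text is constructed from the page's output and the function names are my own; the one design choice worth noting is that a version difference between Ours and Mate is reported as a warning rather than a blocker, because during a zero-downtime upgrade the mate is expected to run the new image for a while.

```python
import re

# Constructed sample: the show failover output quoted on the page, with the
# line structure of the real command restored.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: fover Vlan150 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(0)55, Mate 7.2(0)55
Last Failover at: 19:59:58 PST Apr 6 2006
        This host: Primary - Active
                Active time: 34 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/7.2(0)55) status (Up Sys)
                  Interface inside (192.168.1.1): Normal
                  Interface outside (192.168.2.201): Normal
                  Interface dmz (172.16.0.1): Normal
                  Interface test (172.23.62.138): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/7.2(0)55) status (Up Sys)
                  Interface inside (192.168.1.2): Normal
                  Interface outside (192.168.2.211): Normal
                  Interface dmz (172.16.0.2): Normal
                  Interface test (172.23.62.137): Normal
                slot 1: empty
"""

VERSION_RE = re.compile(r"Version: Ours (\S+), Mate (\S+)")
HOST_RE = re.compile(r"(This|Other) host: (\w+) - (.+)")
IFACE_RE = re.compile(r"Interface (\S+) \(([^)]+)\): (.+)")


def parse_show_failover(text):
    """Reduce show failover output to the facts a switchover decision needs."""
    info = {"failover_on": False, "ours": None, "mate": None, "hosts": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["failover_on"] = True
            continue
        m = VERSION_RE.match(line)
        if m:
            info["ours"], info["mate"] = m.groups()
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()            # "this" or "other"
            info["hosts"][current] = {"role": m.group(2),
                                      "state": m.group(3).strip(),
                                      "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            info["hosts"][current]["interfaces"][m.group(1)] = m.group(3).strip()
    return info


def switchover_preflight(text):
    """Findings that should block 'no failover active' or 'failover active'.

    A version difference is a warning, not a blocker: mid-upgrade the mate is
    expected to be on the new image."""
    info = parse_show_failover(text)
    blocking, warnings = [], []
    if not info["failover_on"]:
        blocking.append("failover is not On")
    other = info["hosts"].get("other")
    if other is None:
        blocking.append("no 'Other host' block: mate not detected")
    else:
        if other["state"] != "Standby Ready":
            blocking.append(f"mate is '{other['state']}', not 'Standby Ready'")
        for name, state in other["interfaces"].items():
            if state != "Normal":
                blocking.append(f"mate interface {name} is {state}")
    if info["ours"] != info["mate"]:
        warnings.append(f"version mismatch: ours {info['ours']}, mate {info['mate']}")
    return {"ready": not blocking, "blocking": blocking, "warnings": warnings}
```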

  4. show failover state

ciscoasa(config)# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              17:38:56 CEDT Jun 10 2013
                              dmz5: Failed
                              inside: Failed

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Negotiation    Backplane Failure        15:44:56 UTC Jun 20 2009
Other host -   Secondary
               Not Detected   Comm Failure             15:36:30 UTC Jun 20 2009

====Configuration State===
        Sync Done
====Communication State===
        Mac set

ciscoasa(config)# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
     Group 1   Failed         Backplane Failure        03:42:29 UTC Apr 17 2009
     Group 2   Failed         Backplane Failure        03:42:29 UTC Apr 17 2009
Other host -   Primary
     Group 1   Active         Comm Failure             03:41:12 UTC Apr 17 2009
     Group 2   Active         Comm Failure             03:41:12 UTC Apr 17 2009

====Configuration State===
        Sync Done
====Communication State===
        Mac set

  5. Reload the former active unit (now the new standby unit) by entering: #reload

  6. When the new standby unit has finished reloading and is in the Standby Ready state, switch the original active unit back to active status: #failover active
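The Standby Ready check in step 3 can be automated by parsing the show failover output before the switch in step 2 or 6 is made. The following Python example is added here and is not Cisco's or the page's own code; the parse_show_failover and safe_to_switch names are this example's, and the embedded sample output is constructed from the output above with the slot lines omitted.

```python
import re

# Constructed sample, modelled on the 'show failover' output above (addresses are hypothetical).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: fover Vlan150 (up)
Version: Ours 7.2(0)55, Mate 7.2(0)55
Last Failover at: 19:59:58 PST Apr 6 2006
        This host: Primary - Active
                Active time: 34 (sec)
                  Interface inside (192.168.1.1): Normal
                  Interface outside (192.168.2.201): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.1.2): Normal
                  Interface outside (192.168.2.211): Normal
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+) - (.+?)\s*$")
VERSION_RE = re.compile(r"Version: Ours (\S+), Mate (\S+)")
IFACE_RE = re.compile(r"Interface (\S+) \(([\d.]+)\): (\w+)")


def parse_show_failover(text):
    """Return role/state and interface health for both units, plus the two image versions."""
    result = {"this": None, "other": None, "versions": None}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = "this" if m.group(1) == "This" else "other"
            result[current] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = VERSION_RE.search(line)
        if m:
            result["versions"] = (m.group(1), m.group(2))
            continue
        m = IFACE_RE.search(line)
        if m and current:
            # Interface lines are indented under the host they belong to.
            result[current]["interfaces"][m.group(1)] = m.group(3)
    return result


def safe_to_switch(parsed):
    """True only when the mate is Standby Ready and every one of its monitored interfaces is Normal."""
    other = parsed["other"]
    if other is None or other["state"] != "Standby Ready":
        return False
    return bool(other["interfaces"]) and all(s == "Normal" for s in other["interfaces"].values())
```

The versions tuple lets a script also confirm that the mate is already running the new image before the active unit is failed over.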

Upgrade an Active/Active Failover Configuration

Complete these steps in order to upgrade two units in an Active/Active failover configuration:

  1. Download the new software to both units, and specify the new image to load with the boot system command. Refer to Upgrade a Software Image and ASDM Image using CLI for more information.

  2. Make both failover groups active on the primary unit by entering the failover active command in the system execution space of the primary unit: primary #failover active

  3. Reload the secondary unit to boot the new image by entering the failover reload-standby command in the system execution space of the primary unit: primary #failover reload-standby

  4. When the secondary unit has finished reloading, and both failover groups are in the Standby Ready state on that unit, make both failover groups active on the secondary unit using the no failover active command in the system execution space of the primary unit: primary #no failover active

    • Note: Use the show failover command in order to verify that both failover groups are in the Standby Ready state on the secondary unit.

  5. Make sure both failover groups are in the Standby Ready state on the primary unit, and then reload the primary unit using the reload command: primary #reload

  6. If the failover groups are configured with the preempt command, they will automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with the preempt command, you can return them to active status on their designated units using the failover active group command.

Troubleshoot

%ASA-5-720012: (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit (or) %ASA-6-720012: (VPN-unit) Failed to update IPsec failover runtime data on the standby unit

Problem

  • One of these error messages appears when you try to upgrade the Cisco Adaptive Security Appliance (ASA):

     %ASA-5-720012: (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit.
     %ASA-6-720012: (VPN-unit) Failed to update IPsec failover runtime data on the standby unit.

Solution

  • These error messages are informative errors. The messages do not impact functionality of the ASA or the VPN. These messages appear when the VPN failover subsystem cannot update IPsec-related runtime data because the corresponding IPsec tunnel has been deleted on the standby unit. In order to resolve these, run the wr standby command on the active unit.

Configuring the primary and secondary units:

Step 1: Configuring the Primary Unit

  • COMMAND: ip address active_addr netmask standby standby_addr

  • COMMAND: ipv6 address {autoconfig | ipv6-prefix/prefix-length [eui-64] [standby ipv6-prefix] | ipv6-address link-local [standby ipv6-address]}

  • Example: hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

  • Example: hostname(config-if)# ipv6 address 3ffe:c00:0:1::576/64 standby 3ffe:c00:0:1::575

  • PURPOSE: Configures the active and standby IP addresses for each data interface (routed mode), for the management IP address (transparent mode), or for the management-only interface.

In routed firewall mode and for the management-only interface, enter this command in interface configuration mode for each interface.

In transparent firewall mode, enter the command in global configuration mode. In multiple context mode, configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context.

You must enter a management IP address for each context in transparent firewall multiple context mode.

Each data interface can have one IPv4 address and one or more IPv6 addresses. For IPv6 addresses that use the eui-64 option, you do not need to specify a standby address; one is created automatically.

Step 2:

  • COMMAND: failover lan unit primary

  • PURPOSE: Designates the unit as the primary unit.

Step 3:

  • COMMAND: failover lan interface if_name phy_if

  • Example: hostname(config)# failover lan interface folink GigabitEthernet0/3

  • PURPOSE: Specifies the interface to be used as the failover interface. The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASA 5505, the phy_if specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the Stateful Failover link).

Step 4:

  • COMMAND: failover interface ip if_name [ip_address mask standby ip_address | ipv6_address/prefix standby ipv6_address]

  • Example: hostname(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

  • Example: hostname(config)# failover interface ip folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71

  • PURPOSE: Assigns the active and standby IP addresses to the failover link. You can assign either an IPv4 or an IPv6 address to the interface; you cannot assign both types of addresses to the failover link. The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask. The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.

Step 5:

  • COMMAND: interface phy_if

  • Example: hostname(config)# interface vlan100

  • hostname(config-if)# no shutdown

  • PURPOSE: Enables the interface.

Step 6:

  • COMMAND: failover link if_name phy_if

  • Example: hostname(config)# failover link statelink GigabitEthernet0/2

  • PURPOSE: (Optional) Specifies the interface to be used as the Stateful Failover link. Note: If the Stateful Failover link uses the failover link or a data interface, then you only need to supply the if_name argument. The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except, optionally, the failover link).

Step 7:

  • COMMAND: failover interface ip if_name [ip_address mask standby ip_address | ipv6_address/prefix standby ipv6_address]

  • Example: hostname(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

  • PURPOSE: Assigns the active and standby IP addresses to the Stateful Failover link. Note: If the Stateful Failover link uses the failover link or a data interface, skip this step; you have already defined the active and standby IP addresses for the interface. The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

Step 8:

  • COMMAND: interface phy_if

  • COMMAND: no shutdown

  • Example: hostname(config)# interface vlan100

  • hostname(config-if)# no shutdown

  • PURPOSE: (Optional) Enables the interface. If the Stateful Failover link uses the failover link or a data interface, skip this step; you have already enabled the interface.

Step 9:

  • COMMAND: failover

  • Example: hostname(config)# failover

  • PURPOSE: Enables failover.

Step 10:

  • COMMAND: copy running-config startup-config

  • Example: hostname(config)# copy running-config startup-config

  • PURPOSE: Saves the system configuration to Flash memory.

Configuring the Secondary Unit

The only configuration required on the secondary unit is for the failover interface. The secondary unit requires these commands to communicate initially with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary.

Prerequisites

When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.

Step 1:

  • COMMAND: failover lan interface if_name phy_if

  • Example: hostname(config)# failover lan interface folink vlan 100

  • PURPOSE: Specifies the interface to be used as the failover interface. (Use the same settings that you used for the primary unit.) The if_name argument assigns a name to the interface specified by the phy_if argument.

Step 2:

  • COMMAND: failover interface ip if_name [ip_address mask standby ip_address | ipv6_address/prefix standby ipv6_address]

  • Example: hostname(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

  • Example: hostname(config)# failover interface ip folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71

  • PURPOSE: Assigns the active and standby IP addresses to the failover link. To receive packets from both units in a failover pair, standby IP addresses need to be configured on all interfaces. Note: Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit (including the same IP address).
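The rules for the failover link stated in Step 4 of the primary configuration (standby in the same subnet as the active address, IPv4 or IPv6 but not both) and the note here (the secondary must enter the identical command) can be checked before the bootstrap is typed in. This Python example is added here and is not Cisco's or the page's own code; the parse_failover_ip and check_failover_link names and the sample command lines are constructed for this example.

```python
import ipaddress


def parse_failover_ip(line):
    """Parse 'failover interface ip <if_name> <addr> <mask> standby <addr>' or its IPv6 form."""
    tokens = line.split()
    if tokens[:3] != ["failover", "interface", "ip"] or "standby" not in tokens:
        raise ValueError(f"not a failover interface ip command: {line!r}")
    if_name = tokens[3]
    idx = tokens.index("standby")
    if idx == 6:                      # IPv4 form: address mask standby address
        active = ipaddress.ip_interface(f"{tokens[4]}/{tokens[5]}")
    elif idx == 5:                    # IPv6 form: address/prefix standby address
        active = ipaddress.ip_interface(tokens[4])
    else:
        raise ValueError(f"malformed command: {line!r}")
    standby = ipaddress.ip_address(tokens[idx + 1])
    return if_name, active, standby


def check_failover_link(primary_lines, secondary_lines):
    """Return a list of rule violations; an empty list means the bootstrap is consistent."""
    problems = []
    prim = [parse_failover_ip(l) for l in primary_lines]
    families = {}
    for if_name, active, standby in prim:
        # The standby address must lie in the active address's subnet (mask taken from the active side).
        if standby not in active.network:
            problems.append(f"{if_name}: standby {standby} is not in {active.network}")
        if standby == active.ip:
            problems.append(f"{if_name}: standby and active addresses are identical")
        families.setdefault(if_name, set()).add(active.version)
    for if_name, versions in families.items():
        if len(versions) > 1:
            problems.append(f"{if_name}: both IPv4 and IPv6 addresses assigned to the failover link")
    # The secondary must enter the same commands, token for token, as the primary.
    if [l.split() for l in primary_lines] != [l.split() for l in secondary_lines]:
        problems.append("secondary unit's failover interface ip lines differ from the primary's")
    return problems


# Constructed sample lines, taken from the examples on this page.
PRIMARY = ["failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2"]
```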

Step 3:

  • COMMAND: interface phy_if

  • COMMAND: no shutdown

  • Example: hostname(config)# interface vlan100

  • hostname(config-if)# no shutdown

  • PURPOSE: Enables the interface.

Step 4:

  • COMMAND: failover lan unit secondary

  • Example: hostname(config)# failover lan unit secondary

  • PURPOSE: (Optional) Designates this unit as the secondary unit. Note: This step is optional because, by default, units are designated as secondary unless previously configured.

Step 5:

  • COMMAND: failover

  • Example: hostname(config)# failover

  • PURPOSE: Enables failover. After you enable failover, the active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages "Beginning configuration replication: Sending to mate" and "End Configuration Replication to mate" appear on the active unit console.

Step 6:

  • COMMAND: copy running-config startup-config

  • Example: hostname(config)# copy running-config startup-config

  • PURPOSE: Saves the configuration to Flash memory. Enter the command after the running configuration has completed replication.