Experts, please help take a look: why won't it sync?

savi_bj
Level 1
Two ASA5550-BUN-K9 units configured as active, but the configuration cannot sync; it reports Failover LAN Failed
ciscoasa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: dxx-fo GigabitEthernet1/1 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 410 maximum
Version: Ours 8.4(1), Mate Unknown
Last Failover at: 11:37:14 GMT Oct 5 2016
This host: Primary - Active
Active time: 254 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.4(1)) status (Up Sys)
Interface inside (192.168.1.1): Normal (Waiting)
Interface management (0.0.0.0): No Link (Waiting)
Interface outside (10.142.128.4): Normal (Waiting)
Interface outside2 (132.35.111.187): No Link (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface inside (192.168.1.2): Unknown (Waiting)
Interface management (0.0.0.0): Unknown (Waiting)
Interface outside (10.142.128.5): Unknown (Waiting)
Interface outside2 (132.35.111.188): Unknown (Waiting)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : dxx-link GigabitEthernet1/2 (administratively down)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
ciscoasa(config)# sh int ip b
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.1 YES CONFIG up up
GigabitEthernet0/1 unassigned YES unset down down
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Management0/0 unassigned YES unset down down
GigabitEthernet1/0 10.142.128.4 YES CONFIG up up
GigabitEthernet1/1 192.168.254.1 YES unset up up
GigabitEthernet1/2 192.168.253.1 YES unset up up
GigabitEthernet1/3 132.35.111.187 YES CONFIG down down
Internal-Data1/0 unassigned YES unset up
ASA-1
ciscoasa(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Compiled on Mon 31-Jan-11 02:11 by builders
System image file is "disk0:/asa841-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 21 mins 17 secs
failover cluster up 21 mins 17 secs
Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 6400.f181.0968, irq 9
1: Ext: GigabitEthernet0/1 : address is 6400.f181.0969, irq 9
2: Ext: GigabitEthernet0/2 : address is 6400.f181.096a, irq 9
3: Ext: GigabitEthernet0/3 : address is 6400.f181.096b, irq 9
4: Ext: Management0/0 : address is 6400.f181.0967, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not used : irq 5
7: Ext: GigabitEthernet1/0 : address is 6400.f123.b103, irq 255
8: Ext: GigabitEthernet1/1 : address is 6400.f123.b104, irq 255
9: Ext: GigabitEthernet1/2 : address is 6400.f123.b105, irq 255
10: Ext: GigabitEthernet1/3 : address is 6400.f123.b106, irq 255
11: Int: Internal-Data1/0 : address is 0000.0003.0002, irq 255
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 400 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5550 VPN Premium license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 400 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5550 VPN Premium license.
Serial Number: JMX1521L094
Running Permanent Activation Key: 0x293df840 0xcc69c314 0xe8227520 0x86e01028 0x0a3a0587
Configuration register is 0x1
Configuration last modified by enable_15 at 03:34:03.619 UTC Wed Oct 5 2016
Primary configuration
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name zhifu.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.248 standby 192.168.1.2
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description STATE Failover Interface
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
interface GigabitEthernet1/0
nameif outside
security-level 0
ip address 10.142.128.4 255.255.255.248 standby 10.142.128.5
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
media-type sfp
nameif outside2
security-level 0
ip address 132.35.110.187 255.255.255.248 standby 132.35.110.188
!
banner motd "This is a private system. If you are not supposed to be here.Please leave immediately."
ftp mode passive
failover
failover lan unit primary
failover lan interface dxx-fo GigabitEthernet0/3
failover key *****
failover link dxx-link GigabitEthernet0/2
failover interface ip dxx-fo 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip dxx-link 192.168.253.1 255.255.255.252 standby 192.168.253.2
Standby ASA
ciscoasa(config)# SH VER
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Compiled on Mon 31-Jan-11 02:11 by builders
System image file is "disk0:/asa841-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 26 mins 58 secs
failover cluster up 26 mins 58 secs
Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is 6400.f181.0968, irq 9
1: Ext: GigabitEthernet0/1 : address is 6400.f181.0969, irq 9
2: Ext: GigabitEthernet0/2 : address is 6400.f181.096a, irq 9
3: Ext: GigabitEthernet0/3 : address is 6400.f181.096b, irq 9
4: Ext: Management0/0 : address is 6400.f181.0967, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not used : irq 5
7: Ext: GigabitEthernet1/0 : address is 6400.f123.b103, irq 255
8: Ext: GigabitEthernet1/1 : address is 6400.f123.b104, irq 255
9: Ext: GigabitEthernet1/2 : address is 6400.f123.b105, irq 255
10: Ext: GigabitEthernet1/3 : address is 6400.f123.b106, irq 255
11: Int: Internal-Data1/0 : address is 0000.0003.0002, irq 255
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 400 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5550 VPN Premium license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 400 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5550 VPN Premium license.
Serial Number: JMX1521L094
Running Permanent Activation Key: 0x293df840 0xcc69c314 0xe8227520 0x86e01028 0x0a3a0587
Configuration register is 0x1
Configuration last modified by enable_15 at 03:34:03.619 UTC Wed Oct 5 2016
ciscoasa(config)# SH RUN
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
enable password 4a3Z4yHOKFNIIUsp level 1 encrypted
enable password /KbeuIiBFlhuuCbk level 3 encrypted
enable password XmjzaIqqMJppx7SC encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description STATE Failover Interface
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
interface GigabitEthernet1/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover lan interface dxx-fo GigabitEthernet0/3
failover key *****
failover link dxx-link GigabitEthernet0/2
failover interface ip dxx-fo 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip dxx-link 192.168.253.1 255.255.255.252 standby 192.168.253.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:70a8b8a6acc8b8e63a7460f0c4530773
: end
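Accepted solution

yingnxu
Cisco Employee
Hello. If you want the two ASAs to run as one active and one standby, you need to change the standby ASA's configuration to failover lan unit secondary, as the poster above said. If you want both ASAs to be active, then each ASA must be in multiple-context mode, each ASA must have at least two virtual firewalls (contexts), and active/standby is then assigned crosswise between them. If you are not sure how to do this, I suggest contacting Cisco TAC and opening a case.

6 replies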

H122610517
Community Member
The slave (standby) unit, is it mistyped?
failover
failover lan unit secondary

Xin Lei
Spotlight
Not familiar with firewalls, I'll sit back and watch for the answer :lol

ilay
VIP
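This post was last edited by gengchunlin on 2016-10-9 09:40
Looking at your configuration, both ASAs are configured with failover lan unit primary, which will cause problems.
You can run the following test:
Stop failover on both ASAs, then change one of them to failover lan unit secondary, or simply enter no failover lan unit primary, and then enable failover again.
The standby-unit configuration from an A/S-mode failover I set up earlier is as follows: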
ciscoasa(config-if)# failover lan interface LiGink GigabitEthernet0/5
INFO: Non-failover interface config is cleared on GigabitEthernet0/5 and its sub-interfaces
ciscoasa(config)# failover link Stmt GigabitEthernet0/6
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces
ciscoasa(config)# failover interface ip LiGink 1.1.1.1 255.255.255.252 standby 1.1.1.2
ciscoasa(config)# failover interface ip Stmt 2.2.2.1 255.255.255.252 standby 2.2.2.2
ciscoasa(config)# failover key InfoShare
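ciscoasa(config)# failover // Enable failover on the primary device first, then on the standby device. Once the commands are entered, the two ASAs begin their election, and failover startup then completes.
Attached is part of the slave device's output during synchronization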
******
ciscoasa(config)#
Detected an Active mate

Beginning configuration replication from mate.
WARNING: Disabling auto import may affect Smart Licensing
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint CA certificate accepted.
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
End configuration replication from mate.
******
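
The duplicate-role problem diagnosed in the reply above can be checked mechanically before failover is enabled. The following is an added example, not part of any post in this thread: a Python check over two running-config excerpts, where the sample text is constructed from the failover lines posted above and the function names (`failover_settings`, `check_pair`) are hypothetical.

```python
import re

# Constructed excerpt modelled on the failover lines both units posted in this thread.
POSTED = """interface GigabitEthernet0/3
!
failover
failover lan unit primary
failover lan interface dxx-fo GigabitEthernet0/3
failover key *****
failover link dxx-link GigabitEthernet0/2
failover interface ip dxx-fo 192.168.254.1 255.255.255.252 standby 192.168.254.2
"""
FIXED_STANDBY = POSTED.replace("unit primary", "unit secondary")  # the change from the replies

def failover_settings(cfg):
    """Extract the failover-relevant settings from one unit's running-config text."""
    s = {"enabled": False, "unit": None, "key": False, "ifaces": {}, "ips": {}, "shut": set()}
    current = None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("interface "):
            current = line.split()[1]
        elif line == "shutdown" and current:
            s["shut"].add(current)
        elif line == "failover":
            s["enabled"] = True
        elif m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            s["unit"] = m.group(1)
        elif m := re.fullmatch(r"failover (lan interface|link) (\S+) (\S+)", line):
            s["ifaces"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.fullmatch(r"failover interface ip (\S+) (.+)", line):
            s["ips"][m.group(1)] = m.group(2)
        elif line.startswith("failover key "):
            s["key"] = True  # value is masked in 'show run', so only presence is compared
    return s

def check_pair(cfg_a, cfg_b):
    """List the findings that would keep the pair from forming or replicating."""
    a, b = failover_settings(cfg_a), failover_settings(cfg_b)
    findings = []
    if {a["unit"], b["unit"]} != {"primary", "secondary"}:
        findings.append(f"unit roles are {a['unit']}/{b['unit']}; need one primary and one secondary")
    for field in ("ifaces", "ips", "key"):
        if a[field] != b[field]:
            findings.append(f"failover {field} differ between the units")
    for name, s in (("unit A", a), ("unit B", b)):
        if not s["enabled"]:
            findings.append(f"{name}: failover is not enabled")
        findings += [f"{name}: {role} port {p} is shutdown" for role, (_, p) in s["ifaces"].items() if p in s["shut"]]
    return findings
```

`check_pair(POSTED, POSTED)` reports the role conflict seen in this thread, and `check_pair(POSTED, FIXED_STANDBY)` returns no findings.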

stoneyeye
Level 1
Your configuration looks like it is set up for H/A, not A/A.

savi_bj
Level 1
Thanks, everyone, it's great to have you! The problem has been solved.