Question about Cisco ASA 5510 Firewall

1 Answer

ASA5510 Active/Standby Not Working

Hello All,

Initially I configured this failover quite well and tested it enough. After that I had to switch off the standby unit for some time, and now that I have switched it on again my failover is not working anymore.

When I log in to the secondary ASA while it has just reloaded, it shows the following message:

Cryptochecksum (unchanged): 59e3f12d 768bc119 32070d9b 6acb7029
Type help or '?' for a list of available commands.
ciscoasa> .
Detected an Active mate
Beginning configuration replication from mate.
listen_ch_open: Failed listen on interface inside port 23
listen_ch_open: Failed listen on interface inside port 23
listen_ch_open: Failed listen on interface inside port 22
listen_ch_open: Failed listen on interface inside port 22
listen_ch_open: Failed listen on interface inside port 22
listen_ch_open: Failed listen on interface management port 22
End configuration replication from mate.

I seem to be clueless now as to why it is not working anymore. I really appreciate your comments.

Following is my ASA failover status.

ciscoasa# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fointerface Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 8.0(3)19, Mate 8.0(3)19
Last Failover at: 22:07:56 WET Dec 14 2008
This host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(3)19) status (Up Sys)
Interface outside ( Normal (Waiting)
Interface inside ( Normal
Interface BigIPF5 ( Failed (Waiting)
Interface management ( No Link (Not-Monitored)
slot 1: empty
Other host: Primary - Active
Active time: 6133935 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(3)19) status (Up Sys)
Interface outside ( Normal (Waiting)
Interface inside ( Normal
Interface BigIPF5 ( Normal (Waiting)
Interface management ( Normal (Not-Monitored)
slot 1: empty

Stateful Failover Logical Update Statistics
Link : fointerface Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 104 0 1573 9
sys cmd 104 0 104 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 931 9
UDP conn 0 0 481 0
ARP tbl 0 0 42 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 5 0
VPN IPSEC upd 0 0 10 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information
Cur Max Total
Recv Q: 0 19 8418
Xmit Q: 0 1 104

1 Answer

This is an old post; have you received an answer yet?

If not, make sure the internal interfaces are connected to one another and both have links. The ASA needs to have a "heartbeat" signal that passes between the 2 devices and this seems to be what's failing.

Posted on Mar 26, 2009
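
The following Python parser is an added example, not part of the original question or answer and not Cisco tooling: it reads "show failover" output like the one posted above and lists the unit and monitored-interface states that mark a peer as failed. The sample text is constructed (placeholder addresses), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the question's "sh failover" output; IPs are placeholders.
SAMPLE = """\
Failover LAN Interface: fointerface Ethernet0/3 (up)
This host: Secondary - Failed
    Interface outside (192.0.2.2): Normal (Waiting)
    Interface inside (198.51.100.2): Normal
    Interface BigIPF5 (203.0.113.2): Failed (Waiting)
    Interface management (192.0.2.130): No Link (Not-Monitored)
Other host: Primary - Active
    Interface outside (192.0.2.1): Normal (Waiting)
    Interface inside (198.51.100.1): Normal
    Interface BigIPF5 (203.0.113.1): Normal (Waiting)
"""

LINK_RE = re.compile(r"^\s*Failover LAN Interface:\s*\S+\s+\S+\s+\((\w+)\)")
UNIT_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
# The address part is optional so lines with the IP stripped still parse.
IFACE_RE = re.compile(
    r"^\s*Interface\s+(\S+)\s+\((?:[\d.]+\)?:?)?\s*(.*?)(?:\s*\(([^)]*)\))?\s*$")

def parse_failover(text):
    """Return (failover link state, per-unit dict) from 'show failover' text."""
    link_state, units, current = None, {}, None
    for line in text.splitlines():
        if m := LINK_RE.match(line):
            link_state = m.group(1)
        elif m := UNIT_RE.match(line):
            current = {"role": m.group(2), "state": m.group(3), "ifaces": {}}
            units[m.group(1)] = current
        elif current is not None and (m := IFACE_RE.match(line)):
            current["ifaces"][m.group(1)] = (m.group(2), m.group(3))
    return link_state, units

def findings(text):
    """List conditions that keep a unit from being a healthy failover peer."""
    link_state, units = parse_failover(text)
    out = [] if link_state == "up" else [f"failover link is {link_state}"]
    for which, unit in units.items():
        if unit["state"] == "Failed":
            out.append(f"{which} host ({unit['role']}) is Failed")
        for name, (status, note) in unit["ifaces"].items():
            if note != "Not-Monitored" and status != "Normal":
                out.append(f"{which} host: monitored interface {name} is {status}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

Interfaces marked Not-Monitored are skipped because their link state does not count toward the failover decision, which is why the management interface with no link is not reported.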


Related Questions:

2 Answers

Reversing lights not working on my 1.6 Ford Escort M reg 1994. I've checked bulbs but still nothing. Someone told me about a switch but I can't find it. Any help please???

There is a switch attached to the gearbox which activates the reversing lamps when you place the gearbox into reverse. This switch has two wires going to it, one wire is an ignition live feed and the other is the feed to the rear lamps. This switch is usually on the side of the gearbox but quite high up towards the top of the gearbox. You can remove this switch with no danger of losing gearbox oil and replace it. Using a test lamp (which you can buy from any auto parts store), connect the end with the clip to the body on a clean area to ensure a good electrical connection and the pointy end to each of the wires on the switch in turn. With the ignition on but the engine NOT RUNNING, one wire should be active and the other will become active when the gearbox is placed in reverse gear. If neither of the wires are active, check fuses etc. If one wire is active but the other does not become active when reverse is selected, replace the switch. If both wires do what they are supposed to, check the wiring from the switch back to the rear lamps and check for broken or disconnected wires. The switch can be accessed from underneath the vehicle. Remember that these tests are conducted with the ignition turned on but THE ENGINE NOT RUNNING....

Dec 25, 2009 | 1994 Ford Escort

1 Answer

Failover best option required..

You can only do active/active if you're using multiple contexts. Active/active can give you some extra performance for your $ since you can pass traffic through both ASAs. Compare this to active/standby where the standby unit passes no traffic.

If you're pushing the 5510's to 80% capacity each in active/active mode, then you have one fail, now the one single ASA is oversubscribed. The oversubscription could cause connectivity issues that defeat the purpose of failover in the first place.

In the spirit of reliability, go with active/standby. Seeing that you have two active core switches that would be pushing all of their traffic through a single 5510, this may be too much; active/active may be the better solution.

Mar 31, 2009 | Cisco ASA 5510 Firewall

1 Answer

ASA LAN failover Problem


The crossover cable should work fine for sure.

Best Regards,

Mar 17, 2009 | Nokia IP 350 Firewall

1 Answer

Dear Sir, I am unable to connect another leased line for the internet backup. I want to keep a backup of the internet connection, so tell me, how is that possible? I have no router; it is working on a simple network.

If you want some kind of failover option so that if one Internet connection fails, the other one will take over, the best solution is to purchase a router that supports dual WAN connections and failover.

Starter list of ideas here:

Jan 30, 2009 | Microsoft Windows Server Standard 2003 for...

1 Answer

Export and import all configuration in Cisco ASA 5510

Hello,
The steps to export and import the configuration on a Cisco ASA 5510:
1- Connect to your Cisco gateway by IP.
2- Get a TFTP server on your PC (SolarWinds, Tftp server, ...), any TFTP download and upload program.
3- Now you need to copy the running configuration to your PC with the command
#copy run tftp , then follow the steps
NOTE: you should be in the same network, or your PC and the Cisco box both need to have public IPs.

4- If you want to put prepared config files on your gateway, you will need to type the command
#copy tftp run , then follow the steps

If you need anything else please let us know by leaving your complete request or join us with


Dec 17, 2008 | Cisco ASA 5510 Firewall

1 Answer

Asa 5505 firewall problem

PPPoE is not supported when failover is configured on the security appliance, or in multiple context or transparent mode. PPPoE is only supported in single, routed mode, without failover.

Jun 06, 2008 | Cisco ASA 5500 Firewall

1 Answer

Wireless connection problem

I've run into this issue with USB wireless network cards from DLink, Linksys, and Netgear. For me, the issue was with the USB ports on the PC and not having enough power for the device, the connection would stay live for a random amount of time and then all of a sudden it would die (same thing would happen when resuming from hibernation or standby). I added a PCI card with a powered USB hub in it and it solved my problem.

Hope this info helps!

Jan 15, 2008 | D-Link DI 514 Wireless Router (DI-514)

1 Answer

ASA 5510 sec - bun k9

Basic Commands
pixfirewall(config)#hostname PIX
!--- Naming the PIX is optional.
PIX(config)#nameif ethernet2 fo security20
!--- Naming the interface is optional. It is recommended that you
!--- hardcode the speed/duplex.
PIX(config)#interface ethernet2 100full
!--- Bring up the interface.
PIX(config)#ip address fo
!--- Assign an IP address.

Failover Commands
PIX(config)#failover ip address fo
!--- IP address for the failover link.
PIX(config)#failover lan unit primary
!--- This unit is primary.
PIX(config)#failover lan interface fo
!--- The 'fo' interface is used for LAN failover.
PIX(config)#failover lan key cisco
!--- The Pre-shared key.
PIX(config)#failover lan enable
!--- Enables failover.
PIX(config)#failover
!--- Start the failover process.

This message appears on the console:
LAN-based Failover: trying to contact peer
LAN-based Failover: Send hello msg and start failover monitoring

Nov 27, 2007 | Cisco ASA 5510 Firewall
