407 Views, 0 Helpful, 2 Replies

Failover pair, to failover pair - unable to access standby over VPN

RicheeJJJ_2
Level 1

Topology.

At the head end there is an ASA failover pair which forms an IPsec VPN tunnel to a remote ASA failover pair. We manage the remote side by going through the VPN from the head end.

The problem is that I cannot access the standby ASA at the remote side, because when my SSH or ICMP traffic gets to it, it thinks the return route is on its outside interface, which doesn't have a tunnel to travel on, and so it uses the public internet to try to get back, which is dropped.

I can access the standby at the remote site going through the public internet, but not through the VPN tunnel.

The question is, how can I get management traffic (ICMP, SNMP, logging and SSH) to come back over the tunnel from the standby firewall at the remote site?

2 Replies

didyap
Level 6

Make sure that VPN failover is not supported on units running in multiple context mode. VPN failover is available for Active/Standby failover configurations only.

Here is the URL for the ASA failover configuration guide. Follow the guide; it may help you.

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/failover.html

The firewalls aren't in multiple context mode. They are single context, active/standby. And the standby can't ping anything on the other side of the tunnel.
