Standby ASA access

Answered Question
Mar 17th, 2009

Hi there,


I have a pair of ASAs configured as Active/Standby. I can access the active ASA through SSH and ASDM, but not the standby ASA. What do we have to do to get access to the standby ASA?


Many thanks,

Raj

rajeshk200_2 Thu, 03/19/2009 - 06:09

Hi,


Tried with the standby ASA IP. I can ping the IP, and I am getting the message


"ssh_exchange_identification: Connection closed by remote host" whilst we do SSH.


I found a difference when we telnet to port 22 on the primary and secondary ASA: the primary session won't disconnect immediately, whereas the secondary ASA terminates the session immediately, as shown below.


Primary ASA response:


# telnet xxxxxx 22

Trying xxxxx...

Connected to xxxxxxxxxx.

Escape character is '^]'.

SSH-1.99-Cisco-1.25


Secondary ASA response:


# telnet yyyyyyyyy 22

Trying yyyyyyyyyyy...

Connected to yyyyyyyyyy

Escape character is '^]'.

Connection closed by foreign host.


Any guess at the reason why, as the configs on the primary and secondary ASA are the same?


Many thanks,


Rajesh




solpandor Tue, 03/17/2009 - 05:26

Hi,

If they are working in active and standby mode, then the config should copy across from the primary to the secondary.


Please post your config from the primary ASA.


Pravin Phadte Thu, 03/19/2009 - 06:15

Simple solution...


Configure SSH for the outside or WAN IP address on the active...


SSH to the active... Then try the standby; it should work


Hope this helps

rajeshk200_2 Thu, 03/19/2009 - 07:31

I can SSH to the primary ASA successfully and it's fine. While attempting SSH to the secondary ASA I am getting the error message below. I don't see any relevant logs on the active.

"ssh_exchange_identification: Connection closed by remote host"


Thanks,


Raj

Correct Answer
vikram_anumukonda Thu, 03/19/2009 - 08:57

Rajesh, try telnetting to any of the interfaces of the active and standby devices. If telnet works to both the active and standby IP addresses, then it's an issue with the RSA keys.

rajeshk200_2 Fri, 03/20/2009 - 05:58

Telnet works fine for both the active and standby ASAs. Is it possible to clear RSA keys for just the secondary ASA, as I have no issues with the primary one? If yes, how do we do that?


Thanks,


Rajesh

rajeshk200_2 Fri, 03/20/2009 - 06:17

Yes, you are correct, it works after adding crypto keys on the secondary ASA.


Many thanks,


Rajesh
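The port 22 comparison from this thread, written as a script (an added example, not part of the original posts): it reads the SSH identification line from each unit and flags the case where the standby accepts the TCP connection but closes it before sending a banner. The function names `probe_ssh_banner` and `diagnose` are hypothetical, and the two addresses are supplied on the command line.

```python
import socket
import sys


def probe_ssh_banner(host, port=22, timeout=5.0):
    """Connect and read the server's SSH identification line (RFC 4253, 4.2).

    Returns (status, detail); status is one of
    'banner', 'closed', 'refused', 'timeout', 'not_ssh', 'error'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")
    except OSError as exc:
        return ("error", str(exc))
    last = ""
    with sock, sock.makefile("rb") as stream:
        try:
            for _ in range(20):  # a server may send a few lines before "SSH-"
                raw = stream.readline(256)
                if not raw:  # EOF: peer closed the connection
                    break
                last = raw.rstrip(b"\r\n").decode("ascii", "replace")
                if last.startswith("SSH-"):
                    return ("banner", last)
        except socket.timeout:
            return ("timeout", last)
        except ConnectionError:  # reset while waiting for the banner
            return ("closed", last)
    return ("not_ssh", last) if last else ("closed", "")


def diagnose(active, standby):
    """Compare the two probe results the way the thread does by hand."""
    if active[0] == "banner" and standby[0] == "banner":
        return "Both units send an SSH identification string."
    if active[0] == "banner" and standby[0] == "closed":
        return ("Standby accepts TCP/22 but closes before sending an SSH "
                "identification string: check the RSA key pair on the standby unit.")
    return "Inconclusive: active=%s standby=%s" % (active[0], standby[0])


if __name__ == "__main__":
    # Usage: python probe.py <active-ip> <standby-ip>
    active_ip, standby_ip = sys.argv[1:3]
    print(diagnose(probe_ssh_banner(active_ip), probe_ssh_banner(standby_ip)))
```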


