
ASA Failover Pair - Access Second Unit via VPN

sebastianwagner
Level 1

Hi,

We are running two failover pairs of ASA (5510, 5505) in two different locations in active/standby configurations.

Is it possible to access the inside IP of the standby unit via a VPN terminated by the active unit? It's only for monitoring.

With our configuration here it is not.

Is that possible in general?

Rgds

Sebastian

7 Replies

srue
Level 7

Without testing it, I can't think of a way to get around the issues with routing over to the standby ASA through the VPN tunnel directly. A better approach would be to telnet/SSH to another piece of network gear through the tunnel, and from there telnet/SSH to the standby ASA.

Thanks for the reply.

Unfortunately the remote site is too important to require a failover and too small to require a local monitoring instance.

We will take a hop via SSH to get to the second unit or just trigger the active ASA for failover events.

Hi Sebastian,

I know this is quite old but wondered if you received any resolution to this.  We have a failover pair and I'm trying to access the failover for monitoring, network configuration management, etc.

Thanks.

Hi,

The customer decided to monitor only the active unit. As per "show failover" you may also monitor the second unit and its interfaces via the active unit. Please note you cannot edit the second unit's configuration (I assume you're trying to do so following your description).

There might be others with more in-depth knowledge of ASA as I'm doing UC most of my time.

Also there might be new software versions I'm not aware of. I did all my testing with version 8.0.x.

Regards

Sebastian

Thank you for the reply.  I have opened a TAC case and got a reply that it is a known bug.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte84561


Thanks again.

Very Very and Very useful link.

Thanks a lot

My experience with this issue has shown me that the issue is due to the standby unit's response to the remote IP not getting routed correctly. Our fix was to use NAT with the standby IP, translating the remote IP to a local IP that the standby IP could return packets to.
