Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
886
Views
5
Helpful
4
Replies

ASA 5520: adding failover broke SSL VPN and ASDM

murray-davis
Level 1
Level 1

‎08-26-2009 07:54 AM

I had a 5520 running for about 2 months and then successfully added a second 5520 in failover mode. I tested the active/standby feature and everything works as advertised. But, I just discovered that I can no longer connect via SSL-VPN or via the ASDM applet. Would this be related to the failover config?

This IOS is 8.2(1), the ASDM is 6.2(1) on both. I also can still SSH into the box.

Labels:
0 Helpful
4 Replies 4

drolemc
Level 6
Level 6

‎09-01-2009 02:43 PM

I think it is not related to the failover configuration. It seem to be SSL VPN tunnel issues.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

0 Helpful

Paul Carco
Level 1
Level 1

‎09-03-2009 06:14 AM

Comparing the 'sho version" on both boxes are these ASA's identicle ?

""Prerequisites for Active/Standby Failover

Active/Standby failover has the following prerequisites:

•Both units must be identical security appliances that are connected to each other through a dedicated failover link and, optionally, a Stateful Failover link.

•Both units must have the same software configuration and the proper license.

•Both units must be in the same mode (single or multiple, transparent or routed). ""

0 Helpful

rafaelpetter
Level 1
Level 1
In response to Paul Carco

‎10-27-2009 11:06 AM

I had the same issue with two ASA 5520 in Active/Standby. When the primary firewall goes down, only telnet/ssh access is allowed to the secondary unit. When i try to connect with ASDM applet to the secondary unit, the applet doesnt respond.

I discovered that disabling the web server "no http server enable" and then enabling "http server enable" we can connect to the secondary unit again like the primary unit before.

This is a bug, maybe?

0 Helpful

murray-davis
Level 1
Level 1
In response to rafaelpetter

‎10-27-2009 12:00 PM

Thank you, Rafael

I forgot to update my post when I solved the problem. Thank you for your response. My solution was different. Here is what happened. In order to connect via ssh or ASDM, you need to have the "anyconnect" pkg installed on your box. I had this image on the primary unit, but not on the secondary. So, when the secondary fired up by itself and then took over the primary role and then the old primary fired up, the new primary removed "anyconnect" from the old primary. Solution, add "anyconnect" back onto both units.

Cheers,

Customers Also Viewed These Support Documents