ASA active/passive mode and running-config

Nov 6th, 2009


I would like to ask you about ASA in active/passive failover mode and certificates. So, I have a problem with a certificate which is in the running-config on the active ASA, but the certificate is not on the passive node. When I use wr mem or copy running-config startup-config nothing happens on the passive node. What is wrong? Can you help me?



cco1 Tue, 07/13/2010 - 05:08


Same problem here!

I can see the whole certificate block in the primary ASA's running-config, but there's nothing replicated to the standby unit's config.

It even gets worse: when I trigger a failover to the standby unit, the certificate is not there, causing an error when e.g. connecting with a browser to the webvpn portal of the ASA (untrustworthy certificate bla).

We are running the latest firmware release 8.2.2 ED, and I consider that a huge problem!

By the way, if you have set up the SSL VPN feature with the Anyconnect PKG-files, like that...


svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2


... you will see that these configuration lines are also NOT replicated to the standby ASA.

So in our case, a failover leads to an incomplete SSL-VPN configuration; no one can connect with the AnyConnect client till the admin manually installs the certificate and restores the SSL-VPN config. Great, isn't it?



Jason Gervia Tue, 07/13/2010 - 05:21

Certificates are copied over by default.  Not sure what you're reporting here - I would need more details.

The reason your SVC commands aren't showing up is because the commands are replicated; however, the files they reference aren't in the flash on the secondary (package files are *not* replicated from one device to another), and like all commands, if you reference a file that doesn't exist, then the command gets removed.


cco1 Tue, 07/13/2010 - 07:08

Hi Jason,

Thanks for the quick answer!

I will then upload the PKG files and XML profiles to the secondary unit.

But the certificate problem remains. When I make a "diff" between the config of the primary unit and the secondary unit, the certificate block (trustpoint, certificate and the complete chain) only shows up in the primary config. There's nothing visible in the standby unit's running config.

And when doing a failover, the certificate is not on the standby unit. I've read a posting in this forum that confirms you have to install the certificate on both units:

Thanks and regards,


cco1 Wed, 07/14/2010 - 07:37


Problem solved. I did the following steps:

1. upload PKG-files (XML-profiles etc.) to the flash of the standby ASA

2. execute "write standby" on the active unit ("write memory" didn't work for me!)

3. execute "write memory" on the active unit to copy the running-config to the startup-config (this time the command worked for standby ASA as well)
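As an added check (example code, not from the thread or from Cisco), the script below diffs a constructed active-unit running-config against the standby's and against a constructed listing of the standby's flash, reporting the trustpoint/certificate blocks and the AnyConnect package files a failover would be missing. The config text, hostname and trustpoint name are constructed assumptions; only the two package filenames come from the thread.

```python
"""Spot ASA config items that did not make it to the standby unit (constructed example)."""
import re

# Constructed sample configs, not taken from the thread's devices.
ACTIVE_CONFIG = """\
hostname asa-primary
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=vpn.example.test
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 01
    30820123 CONSTRUCTED-HEX-PLACEHOLDER
  quit
webvpn
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
"""
# The standby dropped the certificate blocks and the svc image line whose file it lacks.
STANDBY_CONFIG = """\
hostname asa-primary
webvpn
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
"""
# Constructed "dir disk0:" result on the standby: the macosx package was never uploaded.
STANDBY_FLASH = {"anyconnect-win-2.4.1012-k9.pkg"}

def parse(config):
    """Map each top-level config line to its indented child lines (ASA layout)."""
    tree, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            tree[current].append(line.strip())
        else:
            current = line
            tree[current] = []
    return tree

def missing_on_standby(active, standby, standby_flash):
    """Return (config lines absent on the standby, package files absent from its flash)."""
    act, stb = parse(active), parse(standby)
    absent = []
    for top, children in act.items():
        if top not in stb:
            absent.append(top)  # whole block missing, e.g. a trustpoint or cert chain
        else:
            absent.extend(f"{top} / {c}" for c in children if c not in stb[top])
    pkg_refs = re.findall(r"svc image disk0:/(\S+)", active)
    return absent, sorted(set(pkg_refs) - standby_flash)
```

Run it after "write standby" and a re-check should report nothing missing once the package files are on the standby's flash.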




