ASA active/passive mode and running-config

svarc1977
Level 1

Hi,

I would like to ask you about the ASA in active/passive failover mode and certificates. I have a problem with a certificate that is in the running-config on the active ASA, but the certificate is not on the passive node. When I use wr mem or copy running-config startup-config, nothing happens on the passive node. What is wrong? Can you help me?

Thanks

Karel

4 Replies

cco1
Level 1

Hi,

Same problem here!

I can see the whole certificate block in the primary ASA's running-config, but there's nothing replicated to the standby unit's config.

It even gets worse: when I trigger a failover to the standby unit, the certificate is not there, causing an error when e.g. connecting with a browser to the WebVPN portal of the ASA (untrustworthy certificate bla).

We are running the latest firmware release 8.2.2 ED, and I consider that a huge problem!

By the way, if you have set up the SSL VPN feature with the Anyconnect PKG-files, like that...

(...)

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2

(...)

... you will see that these configuration lines are also NOT replicated to the standby ASA.

So in our case, a failover leads to an incomplete SSL-VPN configuration; no one can connect with the AnyConnect client until the admin manually installs the certificate and restores the SSL-VPN config. Great, isn't it?

Regards,

Marco

Certificates are copied over by default. Not sure what you're reporting here - I would need more details.

The reason your SVC commands aren't showing up is because the commands are replicated; however, the files they reference aren't in the flash on the secondary (package files are *not* replicated from one device to another), and like all commands, if you reference a file that doesn't exist, then the command gets removed.

https://supportforums.cisco.com/docs/DOC-1291;jsessionid=5983119DDB1856CAF4DE6BFC29209D09.node0

--Jason

Hi Jason,

Thanks for the quick answer!

I will then upload the PKG files and XML profiles to the secondary unit.

But the certificate problem remains. When I make a "diff" between the config of the primary unit and the secondary unit, the certificate block (trustpoint, certificate and the complete chain) only shows up in the primary config. There's nothing visible in the standby unit's running-config.

And when doing a failover, the certificate is not on the standby unit. I've read a posting in this forum that confirms you have to install the certificate on both units:

https://supportforums.cisco.com/message/3018086#3018086

Thanks and regards,

Marco

Hi,

Problem solved. I did the following steps:

1. upload PKG-files (XML-profiles etc.) to the flash of the standby ASA

2. execute "write standby" on the active unit ("write memory" didn't work for me!)

3. execute "write memory" on the active unit to copy the running-config to the startup-config (this time the command worked for standby ASA as well)

Done.

Regards,

Marco
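Jason's explanation (commands that reference a file missing from the standby's flash are dropped) and Marco's fix both boil down to one pre-failover check: what does the active unit's running-config reference that the standby's does not? The following script is an added example, not code from the thread or from Cisco; the two configs, hostnames and trustpoint name are constructed for illustration, and in practice you would paste in the output of `show running-config` from each unit.

```python
import re

# Constructed sample configs (not taken from the thread). The active unit has a
# trustpoint, its certificate chain and two AnyConnect package references; the
# standby lacks the certificate block and one package line (dropped because
# that .pkg file was never uploaded to its flash).
ACTIVE_CONFIG = """\
hostname asa-primary
crypto ca trustpoint WEBVPN-TP
 enrollment terminal
 subject-name CN=vpn.example.com
crypto ca certificate chain WEBVPN-TP
 certificate 1a2b
  quit
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
"""

STANDBY_CONFIG = """\
hostname asa-secondary
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
"""

# A trustpoint shows up both as its definition and as its certificate chain.
TRUSTPOINT_RE = re.compile(r"^crypto ca (?:trustpoint|certificate chain) (\S+)", re.M)
# Anything on flash (disk0:/..., disk1:/...) referenced by a config command.
FLASH_REF_RE = re.compile(r"\b(disk\d+:/\S+)")


def trustpoints(config):
    return set(TRUSTPOINT_RE.findall(config))


def flash_refs(config):
    return set(FLASH_REF_RE.findall(config))


def replication_gaps(active, standby):
    """Return what the active unit's config carries that the standby's lacks.

    A missing trustpoint means the certificate must be installed on the standby
    too; a missing flash reference means the file must be uploaded to the
    standby's flash and the config pushed again (e.g. with 'write standby').
    """
    return {
        "missing_trustpoints": sorted(trustpoints(active) - trustpoints(standby)),
        "missing_flash_refs": sorted(flash_refs(active) - flash_refs(standby)),
    }


if __name__ == "__main__":
    for kind, items in replication_gaps(ACTIVE_CONFIG, STANDBY_CONFIG).items():
        print(kind, items)
```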
