
ASA local CA and Active/Passive Failover

Jan 31st, 2012

Hello,

I am seeing some conflicting information on this topic and I was wondering if I could get some clarification.

This link states that a local CA cannot be configured on an ASA while failover (in general) is configured:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#FailoverCA

This link states that the 'crypto ca server' commands will not be synced, implying that they are at least configurable on the active unit:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.pdf

*The crypto ca server command and related sub-commands are not synchronized to the failover peer

In addition, there are some other miscellaneous resources that state that you can run a local CA server in all cases except Active/Active failover.

I am currently running two ASAs in an Active/Passive failover mode, and whenever I try to enable the local CA server, I get the following error:

ERROR: The local CA server is not supported in a failover
setup. Please disable failover in order to configure the
local CA server

I realize this error pretty much answers my question, but I figured with the information I found, it would be worth it to ask for clarification. With that said, is it at all possible to run a local CA server on an Active/Passive ASA cluster?

jmprats Wed, 09/26/2012 - 01:37

Hi Edaward,

Local CA cannot be configured with Active/Passive Failover.

It seems there is an error in the documentation, which only states Active/Active failover and must be updated, as you can see in the summary of Bug ID CSCtt24125:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtt24125&from=summary

At the same time there is an enhancement request to have this feature, as you can see in this thread:

https://supportforums.cisco.com/thread/2093820
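As an added example (not part of this thread and not Cisco tooling), the following Python script scans a saved ASA running-config for the combination the error above rejects: a top-level `failover` line together with a `crypto ca server` block. It is the kind of pre-change check a reviewer might run over the output of `show running-config` before a maintenance window. The sample configuration text is constructed for the example, and the finding messages are this script's own wording.

```python
from dataclasses import dataclass

# Constructed sample of an ASA running-config excerpt (not from a real device):
# failover is enabled and a local CA server block is present, which is the
# combination the ASA refuses with "The local CA server is not supported in a
# failover setup".
SAMPLE_CONFIG = """\
hostname asa-primary
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
!
crypto ca server
 issuer-name CN=asa-local-ca
 no shutdown
"""


@dataclass
class FailoverCaCheck:
    failover_enabled: bool
    local_ca_present: bool

    @property
    def conflict(self) -> bool:
        """True when both features appear in the same configuration."""
        return self.failover_enabled and self.local_ca_present


def check_config(config_text: str) -> FailoverCaCheck:
    """Scan top-level config lines for the two relevant commands.

    Only an exact top-level 'failover' line enables failover; 'failover lan ...',
    'failover link ...' and similar lines only set parameters, and 'no failover'
    turns it off again, so the last such line wins.
    """
    failover_enabled = False
    local_ca_present = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        # Skip blank lines, '!' comment separators and indented sub-mode lines.
        if not line or line.startswith("!") or line.startswith(" "):
            continue
        if line == "failover":
            failover_enabled = True
        elif line == "no failover":
            failover_enabled = False
        elif line == "crypto ca server":
            local_ca_present = True
    return FailoverCaCheck(failover_enabled, local_ca_present)


def findings(config_text: str) -> list[str]:
    """Human-readable findings for a change review."""
    result = check_config(config_text)
    if result.conflict:
        return ["CONFLICT: local CA server configured while failover is enabled; "
                "the ASA rejects this in any failover mode (see CSCtt24125)."]
    if result.local_ca_present:
        return ["NOTE: local CA server present; 'crypto ca server' is not synchronized "
                "to a failover peer, so enabling failover later will require removing it."]
    return ["OK: no local CA server / failover conflict found."]


if __name__ == "__main__":
    for finding in findings(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved running-config (for example `python check.py < running-config.txt` after swapping `SAMPLE_CONFIG` for `sys.stdin.read()`); the check is deliberately limited to exact top-level command matches so that parameter lines such as `failover lan unit primary` do not produce false positives on a unit where failover itself is disabled.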
