Ask the Expert: Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

ciscomoderator
Community Manager

With Prashanth Goutham R.

 

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 

 

Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.

 

Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.

Remember to use the rating system to let Prashanth know if you have received an adequate response. 

 

Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

 
40 Replies

John Ventura
Level 1

Hello Prashanth,

I have a quick question for you. Why is it recommended to have a switch in between the firewall pair rather than connecting them directly, even though it is going to work fine anyway?

thanks a lot,

- John

Hello John,

I believe you are talking about the failover LAN interface connectivity, which can be of two types:

--- Back to back.

--- With an intermediary switch.

I would say the second option is better as it is easy to segment and isolate faults on a production network. Consider the below scenario:

Your firewalls are connected back to back with a crossover cable, you have a live firewall, and you start experiencing failover-related issues on your FO LAN port. What would you do to determine if it is a cable or a firewall interface issue, and if an interface issue, which interface? Because if one interface goes down it pulls down the peer interface as well to line protocol down. This is tricky: you would need to manually test all the components separately using another directly connected device to see which component is faulty, or replace all units to restore service.

In the case of the second option we can clearly eliminate components, as the switch is in between. I think it is also explained in the configuration guide here:


When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html

Hope that helps. Have a good day !

Thanks Prashanth for the detailed info.

ROBERTO TACCON
Level 4

Hello Prashanth,

please can you check/confirm whether, in a Cisco ASA Active/Standby clustering environment, the SELF-SIGNED GENERATED certificate used for SSL VPN remote access is replicated or NOT on the STANDBY unit?

The following doc indicates "the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated", but testing in the lab with version 8.4.4 the result is different: the self-signed certificate of the active ASA is replicated on the standby.

https://supportforums.cisco.com/docs/DOC-12969

Q. Are digital certificates replicated in a  Active/Standby configuration?

A. Yes. Third-party digital certificates (i.e. from Entrust, Verisign, Microsoft, etc.) that are installed on the Active ASA are replicated to the Standby ASA in an active/standby config.

However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated.

Hello Roberto,

The document is absolutely right: the certificates on the ASA get replicated with bulk replication only, and these are 3rd-party certificates only and not the locally generated certificates, which I have checked in previous versions. However, I have not played around much on 8.4.4, which was just released, and I don't have a reason to believe that it works differently on 8.4.4. I can check this for you once I get into the office in the morning.

Can you let me know the license you are on, Active/Active or Active/Standby failover? Also, what are the steps you took to test this, and how sure are you that this was not exported to the other firewall? Just to add, I would assume the purpose of a self-signed certificate is to be unique to each of the ASAs.

thanks,

Prashanth

Hello Prashanth,

maybe I've not fully understood; please can you explain to me again why "However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated." is correct?

If the previous sentence is correct, why in the following test environment do both the active and standby Cisco ASA have the same SSL self-signed certificate?

Environment:

a cluster of Cisco ASA in Active/Standby with the SSL AnyConnect certificate auto-generated, named "SELFSIGNEDCERT" and used for the remote SSL VPN

ON THE ACTIVE:

pri/act/asa# sh run | i SELFSIGNEDCERT
crypto ca trustpoint SELFSIGNEDCERT
 keypair SELFSIGNEDCERTKEY
crypto ca certificate chain SELFSIGNEDCERT
ssl trust-point SELFSIGNEDCERT outside vpnlb-ip
ssl trust-point SELFSIGNEDCERT outside
pri/act/asa#

pri/act/asa# sh crypto ca certificates SELFSIGNEDCERT
Certificate
  Status: Available
  Certificate Serial Number: 5406334f
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Subject Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Validity Date:
    start date: 20:42:41 UTC Feb 20 2012
    end   date: 20:42:41 UTC Feb 17 2022
  Associated Trustpoints: SELFSIGNEDCERT
pri/act/asa#

ON THE STANDBY:

sec/stby/asa# sh crypto ca certificates SELFSIGNEDCERT
Certificate
  Status: Available
  Certificate Serial Number: 5406334f
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Subject Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Validity Date:
    start date: 20:42:41 UTC Feb 20 2012
    end   date: 20:42:41 UTC Feb 17 2022
  Associated Trustpoints: SELFSIGNEDCERT
sec/stby/asa#

And again, if the sentence "However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated." is correct:

Qs:

1) If I activate the standby unit with "failover active", do I need to do something for the SSL certificate (copy it from the other unit)?

2) If the active firewall unit FAILS, is it necessary to reinstall the AUTO-GENERATED SSL certificate on the standby unit?

Hello Roberto,

I tried out the configuration on 8.4.4 and observed the same behaviour you noticed; look below:

CiscoASA(config-ca-trustpoint)# fqdn sslvpn.cisco.com
CiscoASA(config-ca-trustpoint)# subject-name CN=sslvpn.cisco.com
CiscoASA(config-ca-trustpoint)# crypto key generate rsa label sslvpnkeypair
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait...
CiscoASA(config)# crypto ca trustpoint SELFSIGNEDCERT
CiscoASA(config-ca-trustpoint)# keypair sslvpnkeypair
CiscoASA(config)# crypto ca enroll SELFSIGNEDCERT noconfirm
% The fully-qualified domain name in the certificate will be: sslvpn.cisco.com

When I try to view it, I see the output below on both the active and standby firewalls, replicated without even doing a write standby:

CiscoASA(config)# show cry ca cert
Certificate
  Status: Available
  Certificate Serial Number: c5d1f44f
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=sslvpn.cisco.com
    cn=sslvpn.cisco.com
  Subject Name:
    hostname=sslvpn.cisco.com
    cn=sslvpn.cisco.com
  Validity Date:
    start date: 16:29:09 GMT Jul 5 2012
    end   date: 16:29:09 GMT Jul 3 2022
  Associated Trustpoints: SELFSIGNEDCERT

This exactly matches the output you provided; however, what we both did not figure out earlier is that this is an identity certificate and not a CA certificate. A typical CA certificate looks like this:

CiscoASA(config)# show crypto ca certificate
CA Certificate
  Status: Available
  Certificate Serial Number: 344ed55720d5edec49f42fce37db2b6d
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=thawte Primary Root CA
    ou=(c) 2006 thawte\, Inc. - For authorized use only
    ou=Certification Services Division
    o=thawte\, Inc.
    c=US
  Subject Name:
    cn=thawte Primary Root CA
    ou=(c) 2006 thawte\, Inc. - For authorized use only
    ou=Certification Services Division
    o=thawte\, Inc.
    c=US
  Validity Date:
    start date: 00:00:00 UTC Nov 17 2006
    end   date: 23:59:59 UTC Jul 16 2036
  Associated Trustpoints: abc

Hence, going back to the document you pointed out, it is only speaking about the local CA-generated certificates and not all locally generated certificates (identity). Refer to the 8.4 configuration guide as well, which shows that the locally generated

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html

Note: Standby failover does not replicate the following files and configuration components:
--- AnyConnect images
--- CSD images
--- ASA images
--- AnyConnect profiles
--- Local Certificate Authorities (CA)
--- ASDM images

Hope that clarifies the document's wording.
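A check for the scenario Roberto and Prashanth work through above, as an added example (not code from the thread): it parses the text of "show crypto ca certificates" from both units, tells identity certificates apart from CA certificates the way Prashanth does, reports which fields of a given trustpoint differ between active and standby, and flags the two weaknesses visible in the outputs above (SHA-1 signatures and a 1024-bit key). The parser, the function names and the standby sample are mine; the certificate text is transcribed from the thread (thawte CA entry abridged) and the standby sample is constructed as the same output minus the CA certificate, which is what the thread shows.

```python
"""Parse ASA 'show crypto ca certificates' output and compare active vs standby.

Added example, not code from the thread. ACTIVE_OUTPUT is transcribed from the
thread (identity cert SELFSIGNEDCERT plus the thawte CA cert, abridged);
STANDBY_OUTPUT is constructed as the same output without the CA certificate.
"""
import re
from datetime import datetime

ACTIVE_OUTPUT = r"""
Certificate
  Status: Available
  Certificate Serial Number: 5406334f
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Subject Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Validity Date:
    start date: 20:42:41 UTC Feb 20 2012
    end   date: 20:42:41 UTC Feb 17 2022
  Associated Trustpoints: SELFSIGNEDCERT

CA Certificate
  Status: Available
  Certificate Serial Number: 344ed55720d5edec49f42fce37db2b6d
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=thawte Primary Root CA
    o=thawte\, Inc.
    c=US
  Subject Name:
    cn=thawte Primary Root CA
    o=thawte\, Inc.
    c=US
  Validity Date:
    start date: 00:00:00 UTC Nov 17 2006
    end   date: 23:59:59 UTC Jul 16 2036
  Associated Trustpoints: abc
"""
# Constructed: the standby in the thread shows only the identity certificate.
STANDBY_OUTPUT = ACTIVE_OUTPUT.split("CA Certificate")[0]


def parse_certificates(text):
    """One dict per certificate block; issuer/subject are lists of RDN strings."""
    certs, cur, section = [], None, None
    for line in text.splitlines():
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                                  # "Certificate" / "CA Certificate"
            cur = {"type": body, "issuer": [], "subject": []}
            certs.append(cur)
            section = None
        elif indent == 2:                                # top-level field
            key, _, val = body.partition(":")
            key, val = key.strip().lower(), val.strip()
            section = {"issuer name": "issuer", "subject name": "subject",
                       "validity date": "validity"}.get(key)
            if key == "certificate serial number":
                cur["serial"] = val
            elif key == "public key type":
                m = re.match(r"(\w+) \((\d+) bits\)", val)
                cur["key_type"], cur["key_bits"] = m.group(1), int(m.group(2))
            elif key == "signature algorithm":
                cur["sig_alg"] = val
            elif key == "associated trustpoints":
                cur["trustpoints"] = val.split()
        elif section in ("issuer", "subject"):           # RDN lines under the name
            cur[section].append(body)
        elif section == "validity":                      # "start date: ..." / "end   date: ..."
            m = re.match(r"(start|end)\s+date:\s*(.+)", body)
            cur[m.group(1)] = datetime.strptime(m.group(2), "%H:%M:%S %Z %b %d %Y")
    return certs


def is_self_signed(cert):
    """Identity certificate whose issuer equals its subject (the ASA's own SSL VPN cert)."""
    return cert["type"] == "Certificate" and cert["issuer"] == cert["subject"]


def weak_crypto_findings(cert):
    """What to flag before trusting this certificate for SSL VPN."""
    findings = []
    if cert.get("key_bits", 0) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    if cert.get("sig_alg", "").upper().startswith("SHA1"):
        findings.append("SHA-1 signature")
    return findings


def compare_units(active_text, standby_text, trustpoint):
    """Names of fields that differ for the trustpoint; an empty list means replicated identically."""
    def pick(text):
        return next((c for c in parse_certificates(text)
                     if trustpoint in c.get("trustpoints", [])), None)
    a, s = pick(active_text), pick(standby_text)
    if a is None or s is None:
        return ["trustpoint %s missing on %s" % (trustpoint, "active" if a is None else "standby")]
    return [k for k in ("serial", "issuer", "subject", "start", "end", "key_bits")
            if a.get(k) != s.get(k)]


if __name__ == "__main__":
    for tp in ("SELFSIGNEDCERT", "abc"):
        print(tp, compare_units(ACTIVE_OUTPUT, STANDBY_OUTPUT, tp) or "identical on both units")
```

Run against the real outputs of both units (paste each unit's "show crypto ca certificates" into the two strings); a non-empty result for the trustpoint named in "ssl trust-point" is the case Roberto's question 2 worries about, and a missing-trustpoint result on the standby is what to expect for a local CA rather than an identity certificate.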

Thanks for the info.

Roberto Taccon

Prashanth Goutham R.

I have set up 4 IPsec VPNs on an ASA 5520. The maximum bandwidth (BW) provided by our ISP is 3 Mbps.

Let's suppose that I want to assign/allocate BW to each IPsec tunnel as follows:

Tunnel 1: 500 KBps
Tunnel 2: 700 KBps
Tunnel 3: 300 KBps
Tunnel 4: 600 Kbps

1- What is the configuration to make that possible?

2- Does it make any difference if this configuration of BW assignment is also added on the other VPN peer?

Thanks

John

Hello John,

This session is on failover functionality on all Cisco firewalls, and I'm not a geek on QoS, however I have the answer for what you need. The way to limit traffic would be to enable QoS policing on your firewalls. Your requirement is to limit 4 different tunnels to the set limits and drop any further packets. This is called traffic policing. I tried out the following in my lab and it looks good.

access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0

class-map Tunnel_Policy1
 match access-list tunnel_one
class-map Tunnel_Policy2
 match access-list tunnel_two
class-map Tunnel_Policy3
 match access-list tunnel_three
class-map Tunnel_Policy4
 match access-list tunnel_four

policy-map tunnel_traffic_limit
 class Tunnel_Policy1
  police output 4096000
 class Tunnel_Policy2
  police output 5734400
 class Tunnel_Policy3
  police output 2457600
 class Tunnel_Policy4
  police output 4915200

service-policy tunnel_traffic_limit interface outside

You might want to watch out for the following changes in values:

HTTS-SEC-R2-7-ASA5510-02(config-cmap)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy1
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4096000
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy2
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 5734400
WARNING: police rate 5734400 not supported. Rate is changed to 5734000
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy3
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 2457600
WARNING: police rate 2457600 not supported. Rate is changed to 2457500
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy4
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4915200
WARNING: police rate 4915200 not supported. Rate is changed to 4915000

I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might finally get. I used this website to convert your kilobyte values to bits: http://www.matisse.net/bitcalc/

The final outputs of the configured values were:

    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html


Hope that helps.

Prashanth Goutham R.
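As an added example (not from the thread), a script that reproduces Prashanth's numbers end to end: it converts the requested kilobyte-per-second budgets to bits per second the way he did (1 KB = 1024 bytes, all four tunnels treated as KB/s), rounds each rate the way the ASA 5510 warnings above show, derives the burst value reported by show service-policy police, and emits the class-map, policy-map and service-policy lines. The 500 bps rounding step and the cir/32 burst are inferred from the warnings and show output above, not taken from Cisco documentation, and are marked as assumptions in the code. It also adds the check a practitioner would want before pasting this in: the four requested rates total about 17.2 Mbps, well above the 3 Mbps ISP link in John's question, so the script warns that policers can only cap traffic, not make that total fit.

```python
"""Derive ASA 'police output' rates from per-tunnel KB/s budgets.

Added example, not code from the thread. Assumptions inferred from the ASA 5510
output in the thread (not from Cisco documentation): the policer rounds the
requested rate down to a multiple of 500 bps, and the reported burst (bc) is
cir // 32 bytes.
"""
RATE_GRANULARITY_BPS = 500   # assumption: rounding step seen in the WARNING lines
BURST_DIVISOR = 32           # assumption: bc = cir // 32 matches all four show outputs


def kbytes_to_bps(kbytes_per_sec):
    """500 KB/s -> 4,096,000 bps, using 1 KB = 1024 bytes as the thread does."""
    return kbytes_per_sec * 1024 * 8


def accepted_police_rate(requested_bps):
    """Rate the ASA actually programs (rounded down to the granularity)."""
    return requested_bps - (requested_bps % RATE_GRANULARITY_BPS)


def burst_bytes(cir_bps):
    """Burst size as shown in 'show service-policy police' for a bare 'police output <rate>'."""
    return cir_bps // BURST_DIVISOR


def build_policy(tunnels, link_bps, interface="outside", policy_name="tunnel_traffic_limit"):
    """tunnels: list of (class name, access-list name, KB/s budget).

    Returns (config lines, per-class {cir, bc}, warnings). Warnings cover rates the
    ASA will change and a policed total that exceeds the physical link.
    """
    lines, classes, warnings, total = [], {}, [], 0
    for name, acl, kbps_req in tunnels:
        requested = kbytes_to_bps(kbps_req)
        cir = accepted_police_rate(requested)
        if cir != requested:
            warnings.append("%s: police rate %d not supported, ASA will use %d" % (name, requested, cir))
        classes[name] = {"cir": cir, "bc": burst_bytes(cir)}
        total += cir
        lines += ["class-map %s" % name, " match access-list %s" % acl]
    lines.append("policy-map %s" % policy_name)
    for name, vals in classes.items():
        lines += [" class %s" % name, "  police output %d" % vals["cir"]]
    lines.append("service-policy %s interface %s" % (policy_name, interface))
    if total > link_bps:
        warnings.append("sum of policed rates %d bps exceeds link rate %d bps; "
                        "policers cap traffic but cannot make this total fit" % (total, link_bps))
    return lines, classes, warnings


# Budgets from John's question, class/ACL names from Prashanth's config.
TUNNELS = [
    ("Tunnel_Policy1", "tunnel_one", 500),
    ("Tunnel_Policy2", "tunnel_two", 700),
    ("Tunnel_Policy3", "tunnel_three", 300),
    ("Tunnel_Policy4", "tunnel_four", 600),
]
ISP_LINK_BPS = 3_000_000  # the 3 Mbps ISP link from the question

if __name__ == "__main__":
    cfg, per_class, warns = build_policy(TUNNELS, ISP_LINK_BPS)
    print("\n".join(cfg))
    for name, vals in per_class.items():
        print("%s: cir %d bps, bc %d bytes" % (name, vals["cir"], vals["bc"]))
    for w in warns:
        print("WARNING:", w)
```

The generated rates and burst sizes match the four show service-policy police blocks above; the access-lists themselves are left to the operator because they depend on the real tunnel networks.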

Thanks for your detailed reply and for allowing this out-of-scope question. Honestly, when I read "ASA" in the subject I ignored the rest.

Two more questions:

1- Which SHOW command did you use at the end to verify the bandwidth?

2- If one peer is policing traffic and the other one is not, would the one with the smallest bandwidth set the limit for the connection? I am also implying that traffic policing does not need to be configured on both ends, correct?

Thanks again

John

John,

1- Which SHOW command did you use at the end to verify the bandwidth?

--- The command used is show service-policy police

2- If one peer is policing traffic and the other one is not, would the one with the smallest bandwidth set the limit for the connection?

I am also implying that traffic policing does not need to be configured on both ends, correct?

--- Policing at one end should help control the limits.

Hi, this is a good opportunity to get good concepts.

My question is:

I am not able to get a CA certificate from the Microsoft CA server.

Hello Gaurav,

Apologies for the delayed response; this is a failover discussion series on Cisco firewalls, however I'll help you get started on the certificate issue.

I am not really sure what the actual problem is. Based on the fact that you have mentioned the ASA is unable to enroll with the Microsoft CA server, I would first enable the following debugs:

debug crypto ca 255
debug crypto ca transactions 255

I would actually start by researching what error messages you received while you tried to enroll and what procedure you used to enroll from the ASA perspective. I would also suggest that you take a packet capture to see if the CA server and the ASA are able to communicate without any network-level issues.
