07-09-2013 09:09 AM
Hi
I have just brought the ACE module back online after it lost its configurations, but some FT groups have ended up in cold state after the primary
ACE failed to replicate the configs. I understand FT groups go into cold state when keys and certificates are not replicated.
I have checked the certificates and keys on both modules using "sh crypto files" under the ADMIN context and they are identical.
One thing I have noticed, however, is that when I check crypto files on the primary ACE in USER contexts that have replicated correctly
I CANNOT see any certificate files held locally, but when I check certificates on the affected (cold state) contexts,
they have local certificates which are only visible on the primary ACE user contexts. It seems as though the contexts that have not
replicated correctly are the ones with local certificates, whereas the other contexts are using global certificates ...
I have tried to export the local certificate from the primary ACE user context to a tftp server so I can import it locally on the context
on the secondary ACE, but it seems as though I can only tftp from the admin context, not a user context.. is that normal?
I have also tried to reload the ACE but the same contexts seem to end up in cold state.
Could anyone advise why certain FT groups are in cold state when the ADMIN certificates are identical on both ACEs?
Could the local certificates on the user context be the issue?
ADMIN context certificates
Primary/Admin# sh crypto file
Filename File File Expor Key/
Size Type table Cert
-----------------------------------------------------------------------
cisco-sample-cert 1082 PEM Yes CERT
cisco-sample-key 887 PEM Yes KEY
secondary/Admin# sh crypto files
Filename File File Expor Key/
Size Type table Cert
-----------------------------------------------------------------------
cisco-sample-cert 1082 PEM Yes CERT
cisco-sample-key 887 PEM Yes KEY
USER context (cold state) certificates
I can see local crypto files on the primary ACE in the affected USER CONTEXT (COLD STATE), but I cannot see any local files in the secondary user context.
These local crypto files are only held on the contexts that are in cold state, for some reason...
Primary/07-xxx# sh crypto files
Filename File File Expor Key/
Size Type table Cert
-----------------------------------------------------------------------
*****-CERT 2801 PEM Yes CERT
******-KEY 1708 PEM Yes KEY
VerisignCA 834 PEM Yes CERT
VerisignIntermediate 1728 PEM Yes CERT
secondary/07-xxx# sh crypto files
Filename File File Expor Key/
Size Type table Cert
-----------------------------------------------------------------------
07-10-2013 08:01 PM
Hi,
Every user context must have identical SSL files to be in sync or in FT hot state [not only Admin]. So you have to import the missing files in the desired user context.
Also you can transfer files from every user context; if it's not working on your ACE, try to check connectivity between the user context interface and the TFTP server.
07-15-2013 04:52 AM
Hi Gaurav,
Sorry for the late reply, yes I worked on it last week and it was the missing SSL files on the 3 contexts that were causing it to go into cold state. The person who designed it has left the company so I am not sure why only these 3 contexts are configured for separate certificates under user contexts. It's strange because all the other contexts are using the Admin certificate.
I transferred the certificates between user contexts by using crypto import / export terminal.. then copy pasted it. I don't think it is possible to tftp directly to or from a user context.. the connectivity to tftp is ok as I can copy from the admin context.
Anyway it's all up now, so I need to switch traffic back to primary. I am planning to do this by increasing the peer value; once the value has been increased, would the traffic switch over automatically or would I need to disable and re-enable auto sync..
07-15-2013 05:03 PM
If your state is Standby_HOT then there is no need to re-enable auto-sync.
Also I am sure that you can download files using tftp from a user context, but anyway you have done that.
07-22-2013 04:26 PM
Surfraz,
Next time you need to import/export certs you can do the following:
How to export a cert/key:
#crypto export xxxx-CERT terminal
#crypto export xxxx-KEY terminal
You should see the certificates/keys there; then you can just copy them from the screen.
How to import a cert/key:
You can just do the following: type the command below and paste the certificate, which you previously changed to .txt format so you can copy and paste it on the CLI; much easier and faster than TFTP/FTP, etc.
# crypto import terminal xxxx-CERT
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
(PEM-encoded certificate body omitted)
-----END CERTIFICATE-----
quit
#
For HA in the ACEs, it is required to make sure you match:
-certificates and keys
-licenses
-remove any existing core dump / crash file (ACE can detect this as a difference)
-make sure both devices run the same version
Then you can disable/enable FT and that should do the trick!
Hope this helps!
Jorge
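As an added example (not code from the thread, Cisco, or the posters), a small Python checker that parses captures of "show crypto files" from both peers, per context, and reports files missing on one side or differing in size, which is exactly the per-context mismatch Gaurav and Jorge describe as the cause of a cold FT group. Context names, file names and sizes in the sample captures are constructed placeholders.

```python
import re

# Constructed sample captures of "show crypto files", keyed by context name,
# in the column layout shown in the thread. File names and sizes are
# placeholders, not output from the poster's devices.
PRIMARY = {
    "Admin": "cisco-sample-cert 1082 PEM Yes CERT\ncisco-sample-key 887 PEM Yes KEY\n",
    "07-xxx": ("example-CERT 2801 PEM Yes CERT\nexample-KEY 1708 PEM Yes KEY\n"
               "VerisignCA 834 PEM Yes CERT\nVerisignIntermediate 1728 PEM Yes CERT\n"),
    "web01": "cisco-sample-cert 1082 PEM Yes CERT\n",
}
SECONDARY = {
    "Admin": "cisco-sample-cert 1082 PEM Yes CERT\ncisco-sample-key 887 PEM Yes KEY\n",
    "07-xxx": "",  # nothing imported yet on the standby: this context stays cold
    "web01": "cisco-sample-cert 1082 PEM Yes CERT\n",
}
# Header and rule lines as printed by the device; the parser must skip them.
HEADER = "Filename File File Expor Key/\nSize Type table Cert\n" + "-" * 71 + "\n"

# One data row: name, size, file type, exportable flag, CERT or KEY.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(Yes|No)\s+(CERT|KEY)$")

def parse_crypto_files(text):
    """Map filename -> (size, type, exportable, kind); non-matching lines are skipped."""
    files = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, size, ftype, exportable, kind = m.groups()
            files[name] = (int(size), ftype, exportable == "Yes", kind)
    return files

def diff_crypto_files(primary, secondary):
    """Report, per context, files missing on either peer or differing in size.
    An empty result means every context has identical SSL files on both peers."""
    report = {}
    for ctx in sorted(set(primary) | set(secondary)):
        p = parse_crypto_files(HEADER + primary.get(ctx, ""))
        s = parse_crypto_files(HEADER + secondary.get(ctx, ""))
        missing_sec = sorted(set(p) - set(s))
        missing_pri = sorted(set(s) - set(p))
        size_mismatch = sorted(n for n in set(p) & set(s) if p[n][0] != s[n][0])
        if missing_sec or missing_pri or size_mismatch:
            report[ctx] = {"missing_on_secondary": missing_sec,
                           "missing_on_primary": missing_pri,
                           "size_mismatch": size_mismatch}
    return report
```

Run diff_crypto_files on captures from each peer before disabling/enabling FT; any context it lists still needs a crypto import on the side where the file is missing.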