I currently have a set of ASA 5510s with Security Plus, configured with stateful active/standby failover. They have been working for months, running an IPsec remote access VPN, as well as some OSPF and VLAN stuff etc.
Today I needed to add in webvpn, which is where the problem came.
Once I entered "webvpn enable outside", I lost connection to the firewall, and when I went to look at them, both boxes were now active, instead of the secondary being standby, which is why I was unable to get to it. So I powered off the second one, and the primary started working just fine.
I have not been able to figure out why enabling webvpn caused me to lose connection to the firewall, for one, but even if that is normal, why did it make the secondary firewall go active?
I checked the configuration on the second firewall, and all configuration is replicated except the webvpn and webvpn sub-configuration commands, which is very odd. I am now having a problem getting the secondary firewall re-synced with the primary, and was wondering if anyone has seen similar problems. I ended up clearing the configuration on the secondary and unplugging it, and then only putting the failover commands in, and trying to start that one from scratch, but no luck: the configuration won't sync, and if I do "write standby" for a manual sync, it says in progress, try again later, but it's been that way for hours, so I am not sure what could be wrong there. I am thinking something is just hung and I may need to reboot the primary, but this is a production firewall, so that would be the last resort.
Very odd that enabling SSL webvpn on the outside interface breaks connectivity; this seems like the behaviour of a bug. What version of code are you running, to see if there is any bug resembling this issue? Post the output of "show version" from both the active and standby.