11-08-2011 12:30 PM - edited 03-11-2019 02:47 PM
I am setting up a new pair of ASA 5585s in a multi-context, active/active failover design. I cannot create a management SSH connection to the contexts that are assigned to failover group 2. With all the security contexts that are assigned to failover group 1, I can SSH to the inside interface IP and log in without a problem. When I try to do that to the group 2 contexts, there is no response from the firewall at all; PuTTY just times out.
My firewalls are running version 8.2(4). The contexts seem to be functioning normally in all other respects.
Thanks,
John
11-11-2011 06:29 AM
Hi John,
Take a look at this document that provides some additional troubleshooting steps for narrowing down this type of problem:
https://supportforums.cisco.com/docs/DOC-13012#Unable_to_ssh
Hope that helps.
-Mike
11-11-2011 07:07 AM
Thanks for the suggestions, Mike, but I am still stumped. I am running 8.2(4), and it is supposed to have the issues referred to in that doc fixed. I did check the asp sockets and the firewall is listening on port 22. I tried deleting and restoring the SSH config, but that had no effect.
I am able to SSH to the standby IP address for the context, but I cannot connect to the active one. On a capture done on the active context I do see the packets coming in from the PC to port 22 of the context IP but I am not seeing any response.
Could this be an RSA key issue between the active and standby context?
Thanks,
John
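One way to check the hypothesis raised here from an admin workstation, as an added example that is not from this thread or from Cisco: it probes port 22 on each context's active and standby address and compares the ssh-rsa host-key fingerprints that ssh-keyscan would report for the two addresses, so a key mismatch after a forced failover shows up as a "mismatch" and a silent address as "no-key". The context names, addresses and key blobs below are constructed for the example; run ssh-keyscan against your own context addresses to produce real input.

```python
import base64
import hashlib
import socket

# Constructed test data: context name -> (active IP, standby IP). Not real devices.
CONTEXTS = {
    "ctx-fg1": ("192.0.2.11", "192.0.2.12"),   # both addresses answer, same key
    "ctx-fg2": ("192.0.2.21", "192.0.2.22"),   # standby answers with a different key
    "ctx-dead": ("192.0.2.31", "192.0.2.32"),  # active never answered ssh-keyscan
}

def _blob(label):
    """Constructed stand-in for a base64 host-key blob (not a real RSA key)."""
    return base64.b64encode(label.encode()).decode()

# Constructed ssh-keyscan style output: "<host> <keytype> <base64 blob>".
SAMPLE_KEYSCAN = "\n".join([
    "# 192.0.2.11:22 SSH-2.0-Cisco-1.25",
    "192.0.2.11 ssh-rsa " + _blob("key-fg1"),
    "192.0.2.12 ssh-rsa " + _blob("key-fg1"),
    "192.0.2.21 ssh-rsa " + _blob("key-fg2-active"),
    "192.0.2.22 ssh-rsa " + _blob("key-fg2-standby"),
    "192.0.2.32 ssh-rsa " + _blob("key-dead-standby"),
])

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(text):
    """Map (host, keytype) -> fingerprint; skips ssh-keyscan's '#' banner comments."""
    keys = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, ktype, blob = line.split()[:3]
        keys[(host, ktype)] = fingerprint(blob)
    return keys

def compare_contexts(contexts, keys, ktype="ssh-rsa"):
    """Per context: 'match', 'mismatch', or 'no-key' when an address gave no key."""
    report = {}
    for name, (active, standby) in contexts.items():
        fp_a, fp_s = keys.get((active, ktype)), keys.get((standby, ktype))
        if fp_a is None or fp_s is None:
            report[name] = "no-key"      # same symptom as the SSH timeout above
        else:
            report[name] = "match" if fp_a == fp_s else "mismatch"
    return report

def ssh_banner_reachable(host, port=22, timeout=3.0):
    """TCP connect and read the banner; False on timeout or refusal (live check only)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return sock.recv(64).decode(errors="replace").startswith("SSH-")
    except OSError:
        return False
```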
11-11-2011 07:17 AM
Hi John,
To rule that out you can just generate a new key on the problem contexts. You can use the following command:
crypto key generate rsa mod 1024
-Mike
11-11-2011 07:35 AM
Mike,
I tried regenerating the key with no luck so I got fed up and just rebooted the pair of firewalls. Lucky for me these are a new deployment and don't go live until this weekend!
Everything is working as expected now. I can SSH into all the active contexts between the two firewalls and failover groups. I am thinking that there may still be a bug with the failover. Everything on this seemed to be working fine until after I tested the failover by forcing the groups back and forth between the two firewalls.
I wish I could find some more in-depth documentation on active/active mode and the methodology for sharing keys, etc.
The good thing in all this is that ASDM and console access was working correctly so that I could get into the various contexts.
Thanks,
John
11-11-2011 07:38 AM
Hi John,
Interesting. If the issue returns, please open a TAC case for this so it can be investigated. Otherwise, I would suggest trying the latest 8.2.5 image to rule out any known bugs since this isn't live yet.
-Mike