New Member

ASA 5585 cannot connect to context active in failover group 2

I am setting up a new pair of ASA 5585s in a multi-context, active/active failover design.  I cannot create a management SSH connection to the contexts that are assigned to failover group 2.  With all the security contexts that are assigned to failover group 1 I can SSH to the inside interface IP and log in without a problem.  When I try to do that to the group 2 contexts there is no response from the firewall at all; PuTTY just times out.

My firewalls are running version 8.2(4).  The contexts seem to be functioning normally in all other respects.

Thanks,

John

5 REPLIES
Gold

ASA 5585 cannot connect to context active in failover group 2

Hi John,

Take a look at this document that provides some additional troubleshooting steps for narrowing down this type of problem:

https://supportforums.cisco.com/docs/DOC-13012#Unable_to_ssh

Hope that helps.

-Mike

New Member

ASA 5585 cannot connect to context active in failover group 2

Thanks for the suggestions Mike, but I am still stumped.  I am running 8.2(4) and it is supposed to have the issues referred to in that doc fixed.  I did check the asp sockets and the firewall is listening on port 22.  I tried deleting and restoring the SSH config but that had no effect.

I am able to SSH to the standby IP address for the context, but I cannot connect to the active one.  On a capture done on the active context I do see the packets coming in from the PC to port 22 of the context IP but I am not seeing any response.

Could this be an RSA key issue between the active and standby context?

Thanks,

John
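A small loopback-testable probe that separates the outcome John describes on the active context (SYN arrives, nothing comes back) from a refused connect and from a TCP connect that never yields an SSH banner, so each context's active and standby management IPs can be compared side by side. This is an added example, not code from the thread or from Cisco; the context names and 192.0.2.x addresses are constructed placeholders.

```python
# Added diagnostic example (not from the thread or Cisco): tell "no TCP reply"
# (John's symptom) apart from "refused" and "connected but no SSH banner".
import socket
import threading

CONTEXTS = {  # constructed placeholders: context -> (active IP, standby IP)
    "ctx-group1": ("192.0.2.10", "192.0.2.11"),
    "ctx-group2": ("192.0.2.20", "192.0.2.21"),
}

def probe_ssh(host, port=22, timeout=3.0):
    """Return (status, banner); banner is "" unless status == "banner"."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:          # SYN sent, nothing came back
        return ("no-tcp-reply", "")
    except ConnectionRefusedError:  # RST: nothing listening on the port
        return ("refused", "")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)   # sshd speaks first: "SSH-2.0-..."
        except socket.timeout:
            return ("tcp-ok-no-banner", "")
    if not data:
        return ("tcp-ok-closed", "")
    return ("banner", data.split(b"\r\n", 1)[0].decode("ascii", "replace"))

def probe_contexts(contexts=CONTEXTS, port=22, timeout=3.0):
    """Probe active and standby IP of each context; a mismatch between the two
    suggests a unit- or state-specific cause rather than the shared config."""
    return {name: (probe_ssh(act, port, timeout), probe_ssh(sby, port, timeout))
            for name, (act, sby) in contexts.items()}

def serve_banner_once(banner):
    """Loopback one-shot listener that sends `banner`; used to test offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe_contexts()` from a host on the management network and read the two statuses per context next to each other; "no-tcp-reply" on the active IP with "banner" on the standby IP is exactly the pattern described above.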

Gold

ASA 5585 cannot connect to context active in failover group 2

Hi John,

To rule that out you can just generate a new key on the problem contexts. You can use the following command:

crypto key generate rsa mod 1024

-Mike

New Member

ASA 5585 cannot connect to context active in failover group 2

Mike,

I tried regenerating the key with no luck so I got fed up and just rebooted the pair of firewalls.  Lucky for me these are a new deployment and don't go live until this weekend! 

Everything is working as expected now.  I can SSH into all the active contexts between the two firewalls and failover groups.  I am thinking that there may still be a bug with the failover.  Everything on this seemed to be working fine until after I tested the failover by forcing the groups back and forth between the two firewalls.

I wish I could find some more in-depth documentation on active/active mode and the methodology for sharing keys, etc.

The good thing in all this is that ASDM and console access was working correctly so that I could get into the various contexts.

Thanks,

John

Gold

ASA 5585 cannot connect to context active in failover group 2

Hi John,

Interesting. If the issue returns, please open a TAC case for this so it can be investigated. Otherwise, I would suggest trying the latest 8.2.5 image to rule out any known bugs since this isn't live yet.

-Mike
