Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1037
Views
0
Helpful
3
Replies

Cannot Access AIP-SSM in Secondary ASA

Go to solution
paul_murphy
Level 1
Level 1

‎09-29-2010 04:36 PM - edited ‎03-11-2019 11:47 AM

Hello all,

I have a customer with a failover pair of ASAs 8.0, each with an AIP-SSM.  The AIP in the secondary ASA is not accessible via its IP address, so cannot be accessed using IDM or ASDM, or ssh.  It can be accessed by sessioning into the module, and it cannot ping anything outside of it.  The access-list for the relavent interface on the ASA is "any any".

The secondary ASA itself is accessible with ssh and ASDM.

Nearby devices don't get an arp response for the AIP IP address. The access-list in the AIP permits the IP address we are coming from.


Any ideas why we cannot get in?

Thanks,

Paul

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎09-29-2010 05:30 PM

Sorry to ask basic question, but I am assuming that the secondary AIP-SSM port is cabled and connected to the right VLAN (same as what is assigned to the primary AIP-SSM vlan)?

Also, the IP Address assigned to the secondary AIP-SSM module is in the same subnet as the one assigned to the primary AIP-SSM module?

What do you see on the switchport connected to the secondary AIP-SSM module compared to the primary module?

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎09-29-2010 05:30 PM

Sorry to ask basic question, but I am assuming that the secondary AIP-SSM port is cabled and connected to the right VLAN (same as what is assigned to the primary AIP-SSM vlan)?

Also, the IP Address assigned to the secondary AIP-SSM module is in the same subnet as the one assigned to the primary AIP-SSM module?

What do you see on the switchport connected to the secondary AIP-SSM module compared to the primary module?

0 Helpful

Go to solution
wromsait
Level 1
Level 1

‎09-29-2010 05:41 PM

Hi Paul,

I would check to to see what vlan the SSM management port is connected to on the switch side.  If a local device in the same subnet as the SSM is not seeing the arp then it could be a vlan issue. Perhaps the SSM is not in the correct vlan.   Try to trace the SSM management port and see which switch it is connected to.  From the switch, see what vlan the management port is connected to.  From the switch, see if the SSM's mac address is learned on the switch port.  You can get the SSM's mac from the ASA by doing "show module 1 detail".  You can also connect a pc in the same switch and same vlan as the SSM and see if the pc can ping and arp for the SSM.   You can also use the switch SVI to do this ping and arp test.   You can also connect a pc directly to the SSM management port via the cross over cable.  This will rule out if there could be an issue with the management port of the SSM. 

Hope this helps.

0 Helpful

Go to solution
paul_murphy
Level 1
Level 1

‎09-30-2010 05:43 AM

Thanks for the replies.

You know how when you get a project handed over to you and it is nearly finished and just few last things to do?  So you make the assumption that all the obvious things are right so any problem found must be complex?

Don't do that.  Check the cable is actually plugged into the management port.

It wasn't.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card