Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1613
Views
0
Helpful
8
Replies

ASA 8.3 : shared licence server and failover

Jerome BERTHIER
Level 1
Level 1

‎10-28-2010 07:15 AM

Hi,

I've got a question about ASA configuration with shared licence server and failover.

The topology is composed by two clusters (active/standby) separated by a WAN :

- first cluster : ASA1 (192.168.0.1) is the shared license server and ASA2 is its standby unit

- second cluster : ASA3 (192.168.0.2) is the shared license server backup and ASA4 is its standby unit.

Licensing features are configured as it :

* cluster ASA1/ASA2 :

license-server secret mysecret
license-server refresh-interval 100
license-server backup 192.168.0.2 backup-id SN_ASA3_unit ha-backup-id SN_ASA4_unit
license-server enable interface_used_by_licensing_request
license-server port 50554

* cluster ASA3/ASA4 :

license-server address 192.168.0.1 secret mysecret port 50554
license-server backup enable interface_used_by_licensing_request

ASA1 and ASA3 are synchronized and shared license features is working. The commands (show shared license client and show shared license backup) executed from ASA1 show that ASA3 is a client and the backup license server :

ASA1/pri/act# show shared license backup
Backup License Server Info:
Device ID : SN_ASA3_unit
Address : 192.168.0.2
Registered : YES
HA peer ID : SN_ASA4_unit
Registered : NO

...

ASA1/pri/act# show shared license client
Client Info:
Hostname : ASA3
Device ID : SN_ASA3_unit

When ASA1 failed (powered off), ASA2 become active unit. Its interfaces IP addresses switch to ASA1 values. Platform works correctly.

I still have a trouble about the result of command : show shared license client.

ASA1/sec/act# show shared license client
Client Info:
Hostname : ASA1
Device ID : SN_ASA1_unit
...
Hostname : ASA3
Device ID : SN_ASA3_unit
....

From ASA2, I can see that ASA1 become a client as ASA3. Is it normal ?

Thanks

J.B.

Labels:
0 Helpful
8 Replies 8

Jennifer Halim
Cisco Employee
Cisco Employee

‎10-28-2010 08:30 AM

Yes, that is absolutely normal. That is how failover works. If your primary ASA1 is the active unit, and it fails over to the secondary ASA2, ASA2 will resume the IP Address of the active unit (which initially was ASA1).

0 Helpful

Jerome BERTHIER
Level 1
Level 1
In response to Jennifer Halim

‎10-28-2010 08:37 AM

I know that standby unit should resume the IP Address of the active unit when it fails.

However, is it normal that the secondary unit (ASA2 which became active) saw the first unit (ASA1 which failed) as a client ?

show shared license client.

ASA1/sec/act#  show shared license client
Client Info:
Hostname : ASA1
Device  ID : SN_ASA1_unit
...
Hostname : ASA3
Device ID : SN_ASA3_unit
....

Thanks

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee

‎10-29-2010 06:09 AM

Yes, the reason why it is showing the hostname of ASA1 is because hostname is in the running configuration, and when the unit fails over to the secondary unit, the configuration synchronization will show ASA1 hostname, hence the shared license output is showing as if it's ASA1, however, it is just the hostname which is the same for both ASA1 and ASA2 due to the ASA configuration synchronization (exactly the same running config between the 2 Active/Standby firewall).

[Added] If you perform "sh run hostname" on the secondary ASA (ASA2) now, it will show that the hostname is ASA1.

Message was edited by: Jennifer Halim

0 Helpful

Jerome BERTHIER
Level 1
Level 1
In response to Jennifer Halim

‎10-29-2010 08:38 AM

Hi

I still dont't understand why the primary unit is shown as a client of the secondary unit.

Let's try to resume the topology :

Two devices are configured with failover : the first unit named ASA1 is the active unit and the shared license server. The second unit named ASA2 is its standby unit. These tow devices share the same hostname eq cluster1.

Two other devices are configured with failover : the first unit named ASA3 is the active unit and the shared license backup server. The second unit named ASA4 is its standby unit. These tow devices shares the same hostname eq cluster2.

On normal situation (all four devices up), the "show shared license client" command run on ASA1 shows that only ASA3 is a client :

cluster1/pri/act# show shared license client
Client Info:
Hostname :  ASA3
Device ID : SN_ASA3_unit
...

First test on cluster1, the two units switch their role after rebooting ASA1. So, ASA2 become active and ASA1 become standby unit. At this moment,  the "show shared license client" command run on ASA2 shows that only  ASA3 is a client :

cluster1/sec/act# show shared license client
Client Info:
Hostname :  ASA3
Device ID : SN_ASA3_unit
...

Final test on cluster1, ASA1 is stopped and power off. So, ASA2 become active. At this point,  the "show shared license client" command run on ASA2 shows that ASA1 and  ASA3 are client :

cluster1/sec/act# show shared license client
Client Info:
Hostname : ASA1
Device ID : SN_ASA1_unit
...
Hostname :  ASA3
Device ID : SN_ASA3_unit
...

I really don't understand why a dead unit is shown as a client. Maybe the reason is that ASA2 is not the primary unit on failover configuration.

Thanks

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Jerome BERTHIER

‎10-29-2010 09:24 AM

Can you please check the hostname of ASA1 and ASA2, as well as ASA3 and ASA4. On each failover cluster, there will only be 1 hostname. If ASA1 is the hostname, then when ASA2 is in the failover cluster, the hostname is also the same (ie: ASA1). Hostname is only for the active unit. Same goes for ASA3 and ASA4 (there won't be any hostname for ASA4 if ASA3 is the primary unit and is the active unit).


Naming the unit ASA1 or ASA2 will only make it confusing as there will only be 1 hostname per failover cluster. Hence you might want to name it differently as there will never be ASA1 hostname for your ASA1 and ASA2 hostname for your ASA2.

You can confirm the hostname on each failover cluster by checking the output of "sh run hostname" on each physical ASA.


If ASA3 and ASA4 are currently in failover cluster and you check the output of "sh run hostname" on ASA3 --> it will be "hostname ASA3", also check the output of "sh run hostname" on ASA4 --> it will also be "hostname ASA3".

0 Helpful

Jerome BERTHIER
Level 1
Level 1
In response to Jennifer Halim

‎10-29-2010 11:06 AM

I know that there is only one hostname for two devices in a failover cluster. That's not my question. I'm using ASA1 to ASA4 names in order to specify which device I am talking about.

In my examples, return values are not real values and I made a mistake (sorry for the convenience).

There are correct values :

On normal situation (all four devices up), the "show shared license client" command run on ASA1 (first device on first cluster) shows that only ASA3 (first device on second cluster) is a client :

cluster1/pri/act# show shared license client
Client Info:
Hostname :  cluster2
Device ID : SN_ASA3_unit
...

First test on cluster1, the two units switch their role after rebooting ASA1. So, ASA2 become active and ASA1 become standby unit. At this moment,  the "show shared license client" command run on ASA2 shows that only  ASA3 is a client :

cluster1/sec/act# show shared license client
Client Info:
Hostname :  cluster2
Device ID : SN_ASA3_unit
...

Final test on cluster1, ASA1 is stopped and power off. So, ASA2 become active. At this point,  the "show shared license client" command run on ASA2 shows that ASA1 and  ASA3 are client :

cluster1/sec/act# show shared license client
Client Info:
Hostname : cluster1
Device ID : SN_ASA1_unit <--- this is what I'm talking about
...
Hostname :  cluster2
Device ID : SN_ASA3_unit
...

So, I really don't understand why a dead unit is shown as a client. Maybe the reason is that ASA2 is not the primary unit on failover configuration.

Thanks

0 Helpful

Jerome BERTHIER
Level 1
Level 1

‎11-02-2010 02:13 AM

Hi,

I've got the answer.

On failover situation, it's normal to see the ASA1 unit as a client. The commands "show shared license client" and "show shared license backup" allow to get informations about licensing without taking care on server state. So, when ASA1 failed, ASA2 became master and resumed its IP address. However, in licensing process, when ASA1 fails, ASA2 still see it as a potential client because its ID (ASA1) is registred as primary server but doesn't answer. ASA2 as new cluster master (failover) recognize ASA1 as a client. ASA1 will become primary license server when it will come back.

Thansk

J.B.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Jerome BERTHIER

‎11-02-2010 03:22 PM

J.B.

Thanks for working through this and posting your results. This is a logical and reasonable explanation of the behavior which was not obvious at first sight.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents