Cisco Support Community
New Member

ASA local CA and Active/Passive Failover


I am seeing some conflicting information on this topic and I was wondering if I could get some clarification.

This link states that a local CA cannot be configured on an ASA while failover (in general) is configured:

This link states that the 'crypto ca server' commands will not be synced, implying that they are at least configurable on the active unit:

*The crypto ca server command and related sub-commands are not synchronized to the failover peer

In addition, there are some other miscellaneous resources that state that you can run a local ca server in all cases except Active/Active failover.

I am currently running two ASAs in an Active/Passive failover mode, and whenever I try to enable the local ca server, I get the following error:

ERROR: The local CA server is not supported in a failover
setup. Please disable failover in order to configure the
local CA server

I realize this error pretty much answers my question, but I figured with the information I found, it would be worth it to ask for clarification. With that said, is it at all possible to run a local ca server on an Active/Passive ASA cluster?

New Member

ASA local CA and Active/Passive Failover

Hi Edaward,

Local CA cannot be configured with Active/Passive Failover.

It seems there is an error in the documentation, which only states Active/Active failover and must be updated, as you can see in the summary of Bug ID CSCtt24125:

At the same time there is an enhancement request to have this feature as you can see in this thread:
