topic Re: Cisco ASA : HA- Active/Standby. ssh connection problem with 'Standby' in Network Security

Cisco ASA : HA- Active/Standby. ssh connection problem with 'Standby'

bcr — Wed, 01 Apr 2020 09:42:50 GMT

Hello,

I have a Cisco ASA configuration : HA- Active/Standby.

As soon as I set up standby, I lose the ssh connection. This is because the management interface is overwritten by the synchronization of the configuration with the 'Active'.

Can you help me, please?

Re: Cisco ASA : HA- Active/Standby. ssh connection problem with 'Standby'

Sheraz.Salim — Wed, 01 Apr 2020 10:04:59 GMT

as soon as you failover to stanby you lost the connection to ssh. if so that is normal behaviour as the mac adresses reason.

Re: Cisco ASA : HA- Active/Standby. ssh connection problem with 'Standby'

Cristian Matei — Wed, 01 Apr 2020 10:17:14 GMT

Hi,

Once the Active/Standby process is done, you should be able to SSH into both, assuming you generated RSA keys on both, as these are not synchronised.

In general, there is no real need to SSH into the second device, you can send commands to the standby ASA via "failover exec" commands.

Regards,

Cristian Matei.

Re: Cisco ASA : HA- Active/Standby. ssh connection problem with 'Standby'

Sheraz.Salim — Wed, 01 Apr 2020 10:24:44 GMT

In Active/standby failover the active device uses the primary unit MAC addresses. In the event of failover the secondary appliance becomes active and takes over the primary unit MAC addreses. whereas the active device now standby takes over the standby unit MAC addresses. After the standby appliance become active, it sends out a gratuitous ARP on ther network. A gratuitous ARP is an ARP request that the appliace sends out on the ethernet networks with the source and destination IP Addresses of the active ip addresses. The destination MAC address is the ethernet broadcast address. all devices on ther ethernet segment process this braodcast frmae and update the their arp table with this information. using gratuittous arp the layer 2 devices including switches also updates the content CAM table with the mac address and updated switch port infirmation.

hope this will you understad whats happening behind the scene.

Re: Cisco ASA : HA- Active/Standby. ssh connection problem with 'Standby'

Sheraz.Salim — Wed, 01 Apr 2020 10:29:46 GMT

As @Cristian Matei mentioned "failover exec" this is very useful.

failover exec interface GigabitEthernet0/1

failover exec active show failover

Re: Cisco ASA : HA- Active/Standby. ssh connection problem with 'Standby'

bcr — Wed, 01 Apr 2020 10:33:55 GMT

Thank you for the answer on the operating principle.
In fact, I would like to work in a lab so that I can fully understand how it works.
I didn't generate any RSA keys. Is there a solution without RSA.

Yours sincerely,
bcr.

Re: Cisco ASA : HA- Active/Standby. ssh connection problem with 'Standby'

Sheraz.Salim — Wed, 01 Apr 2020 10:43:43 GMT

you could be using the default RSA key in ASA. as long as you have ASA connection via SSH it mean you have RSA keys either custom defined or system defined.

please do not forget to rate the post as it will help other engineers

Re: Cisco ASA : HA- Active/Standby. ssh connection problem with 'Standby'

bcr — Wed, 01 Apr 2020 18:34:39 GMT

Hello,

Thank you for your response.

I tried using a unique RSA key on ASA1 and ASA2 and it works.

Can you tell me the source of cisco information on this problem.

Cordially,
bcr.