https://community.cisco.com/t5/network-security/firewall-ha-issue/m-p/4097647#M1070758 <P>Hello everyone,</P><P>&nbsp;</P><P>I am facing a strange issue that'why I hope someone here will give me a solution, at least a good lead.</P><P>&nbsp;</P><P>I have a new customer that called me because he had his VPN KO : anyconnect profile didn't work.</P><P>I saw that there was a HA configuration, and a failover occured because the active reloaded. The customer confirmed me there was an electrical issue.</P><P>The customer uploaded via ASDM the profile and it worked again, but there is this point : why the profile didn't exist on the standby unit ?</P><P>I saw in the failover that 3 interfaces (inside,outside &amp; management) were monitored and 2 of them (management + inside) are in waiting state. For me, while those interfaces aren't monitored, the sync will fail (am I right for this point ?)</P><P>Then I search how those interfaces are linked between the two nodes.</P><P>I have :</P><UL><LI>managementPrimary =&gt; SwitchA =&gt; SwitchB =&gt; SwitchC =&gt; managementSecondary (waiting state)</LI><LI>insidePrimary =&gt; SwitchA =&gt; SwitchB =&gt; SwitchC =&gt; insideSecondary (waiting state)</LI><LI>outsidePrimary =&gt; SwitchD =&gt; outsideSecondary</LI></UL><P>Each interface is in access vlan.</P><P>I check that each vlan is created in Switch 1,B&amp;C and those vlans are Ok in link between switches : for me there is no L2 issues on switches A,B&amp;C</P><P>From a remote workstation, I am able to ping Primary and Secondary IP addresses for management and inside interfaces : for me there is no L3 issue for those interfaces.</P><P>&nbsp;</P><P>This is were I need some help : what could be the origin of this issue ? (the customer didn't know interfaces were in waiting state, I cannot tell if they were once monitored)</P><P>&nbsp;</P><P>Thank you</P><P>Irwin</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 04 Jun 2020 14:39:44 GMT i.leridant 2020-06-04T14:39:44Z https://community.cisco.com/t5/network-security/firewall-ha-issue/m-p/4097647#M1070758 <P>Hello everyone,</P><P>&nbsp;</P><P>I am facing a strange issue that'why I hope someone here will give me a solution, at least a good lead.</P><P>&nbsp;</P><P>I have a new customer that called me because he had his VPN KO : anyconnect profile didn't work.</P><P>I saw that there was a HA configuration, and a failover occured because the active reloaded. The customer confirmed me there was an electrical issue.</P><P>The customer uploaded via ASDM the profile and it worked again, but there is this point : why the profile didn't exist on the standby unit ?</P><P>I saw in the failover that 3 interfaces (inside,outside &amp; management) were monitored and 2 of them (management + inside) are in waiting state. For me, while those interfaces aren't monitored, the sync will fail (am I right for this point ?)</P><P>Then I search how those interfaces are linked between the two nodes.</P><P>I have :</P><UL><LI>managementPrimary =&gt; SwitchA =&gt; SwitchB =&gt; SwitchC =&gt; managementSecondary (waiting state)</LI><LI>insidePrimary =&gt; SwitchA =&gt; SwitchB =&gt; SwitchC =&gt; insideSecondary (waiting state)</LI><LI>outsidePrimary =&gt; SwitchD =&gt; outsideSecondary</LI></UL><P>Each interface is in access vlan.</P><P>I check that each vlan is created in Switch 1,B&amp;C and those vlans are Ok in link between switches : for me there is no L2 issues on switches A,B&amp;C</P><P>From a remote workstation, I am able to ping Primary and Secondary IP addresses for management and inside interfaces : for me there is no L3 issue for those interfaces.</P><P>&nbsp;</P><P>This is were I need some help : what could be the origin of this issue ? (the customer didn't know interfaces were in waiting state, I cannot tell if they were once monitored)</P><P>&nbsp;</P><P>Thank you</P><P>Irwin</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 04 Jun 2020 14:39:44 GMT https://community.cisco.com/t5/network-security/firewall-ha-issue/m-p/4097647#M1070758 i.leridant 2020-06-04T14:39:44Z https://community.cisco.com/t5/network-security/firewall-ha-issue/m-p/4098009#M1070784 <P>When you create (or modify) a VPN profile it doesn't automatically sync between the Active and Standby unit in an HA configuration. You need to manually copy the file across - just as you do with new ASA, ASDM or AnyConnect images.</P> <P>If you neglect to do so, a failover will result in the behavior your customer observed.</P> Fri, 05 Jun 2020 03:20:19 GMT https://community.cisco.com/t5/network-security/firewall-ha-issue/m-p/4098009#M1070784 Marvin Rhoads 2020-06-05T03:20:19Z https://community.cisco.com/t5/network-security/firewall-ha-issue/m-p/4098089#M1070787 <P>Thank you Marvin for your answer.</P><P>&nbsp;</P><P>I understand your answer.</P><P>&nbsp;</P><P>However when I do a manual failover (the Primary is back in Active role) I see the same issue, and the behaviour seen by the customer is : "Failed to get configuration from secure gateway. Contact your system administrator"</P><P>&nbsp;</P><P>Moreover, I have this message when I go in configure terminal :</P><P>"**** WARNING ****<BR />Configuration Replication is NOT performed from Standby unit to Active unit<BR />Configurations are no longer synchronized"</P> Fri, 05 Jun 2020 08:05:38 GMT https://community.cisco.com/t5/network-security/firewall-ha-issue/m-p/4098089#M1070787 i.leridant 2020-06-05T08:05:38Z https://community.cisco.com/t5/network-security/firewall-ha-issue/m-p/4098195#M1070798 <P>You should never enter configure mode on a unit in standby role.</P> <P>Just make sure the anyconnect profile (xml file) specified in the webvpn config is present on both units, active and standby.</P> Fri, 05 Jun 2020 12:32:42 GMT https://community.cisco.com/t5/network-security/firewall-ha-issue/m-p/4098195#M1070798 Marvin Rhoads 2020-06-05T12:32:42Z