topic ASA 5585 cannot connect to context active in failover group 2 in Network Security

ASA 5585 cannot connect to context active in failover group 2

John Galietta — Mon, 11 Mar 2019 21:47:50 GMT

I am setting up a new pair of ASA 5585's in a multi-context, active/active failover design. I cannot create management SSH connection to the contexts that are assigned to failover group 2. With all the security contexts that are assigned to failover group 1 I can SSH to the inside interface IP and login without a problem. When I try to do that to the group 2 contexts there is no response from the firewall at all, PuTTY just times out.

My firewalls are running version 8.2(4). The contexts seem to be functioning normally in all other respects.

Thanks,

John

ASA 5585 cannot connect to context active in failover group 2

mirober2 — Fri, 11 Nov 2011 14:29:39 GMT

Hi John,

Take a look at this document that provides some additional troubleshooting steps for narrowing down this type of problem:

https://supportforums.cisco.com/docs/DOC-13012#Unable_to_ssh

Hope that helps.

-Mike

ASA 5585 cannot connect to context active in failover group 2

John Galietta — Fri, 11 Nov 2011 15:07:00 GMT

Thanks for the suggestions Mike but I am still stumped. I am running 8.2(4) and it is supposed to have the issues refered to in that doc fixed. I did check the asp sockets and the firewall is listening on port 22. I tried deleting and restoring the SSH config but that had no affect.

I am able to SSH to the standby IP address for the context, but I cannot connect to the active one. On a capture done on the active context I do see the packets coming in from the PC to port 22 of the context IP but I am not seeing any response.

Could this be an rsa key issue between the active and standby context?

Thanks,

John

ASA 5585 cannot connect to context active in failover group 2

mirober2 — Fri, 11 Nov 2011 15:17:40 GMT

Hi John,

To rule that out you can just generate a new key on the problem contexts. You can use the following command:

crypto key generate rsa mod 1024

-Mike

ASA 5585 cannot connect to context active in failover group 2

John Galietta — Fri, 11 Nov 2011 15:35:16 GMT

Mike,

I tried regenerating the key with no luck so I got fed up and just rebooted the pair of firewalls. Lucky for me these are a new deployment and don't go live until this weekend!

Everything is working as expected now. I can SSH into all the active contexts between the two firewalls and failover groups. I am thinking that there may still be a bug with the failover. Everything on this seemed to be working fine until after I tested the failover by forcing the groups back and forth between the two firewalls.

I wish I could find some more in depth documentation on active/active mode and the methodology for sharing keys, etc.

The good thing in all this is that ASDM and console access was working correctly so that I could get into the various contexts.

Thanks,

John

ASA 5585 cannot connect to context active in failover group 2

mirober2 — Fri, 11 Nov 2011 15:38:11 GMT

Hi John,

Interesting. If the issue returns, please open a TAC case for this so it can be investigated. Otherwise, I would suggest trying the latest 8.2.5 image to rule out any known bugs since this isn't live yet.

-Mike