
ASA 5525x active active issues

Tarik Admani
VIP Alumni

Hi

I am working on a mass licensing project where I have to upgrade activation keys on over 2000 ASAs in active active mode. When disabling failover on the active I have noticed 2 issues.

The first issue is that the "pseudo-standby" ASA destroys its current contexts after I re-enable failover on the primary. This causes all the secondary contexts to recalculate their virtual MACs, which causes ARP issues, and with my luck the uplink is a BVI with the default ARP timeout set to 4 hours.

The second issue is that all the RSA keys are destroyed when the contexts are regenerated and I have to reissue the crypto key gen......

Are these two bugs and should the contexts be updated and not dropped and recreated?

Thanks,

Tarik Admani

Sent from Cisco Technical Support Android App


Kureli Sankar
Cisco Employee

What license is this? Does it require reload or not?

http://www.cisco.com/en/US/docs/security/asa/asa81/license/license81.html#wp51459

Pls. check if this procedure will work for you.

-Kureli

Tarik Admani
VIP Alumni

Hi,

This is for the security ELA license for 2000 firewalls, which enables the IPS modules and other features.

We found two issues but worked through them; both involved the standby ASA. The first issue was with the SSH keys disappearing; the second was in the method you provided: when re-enabling failover, the standby ASA would recalculate its virtual MAC address and not send a GARP to update the upstream router.

We ended up finding out that the activation key command is not replicated, so we activated the pair through the active ASA, "activation-key", then "failover exec mate activation key" to update the standby. We ran a script and it worked on all the ASAs.

Sent from Cisco Technical Support Android App
