4117 Views, 20 Helpful, 19 Replies

ASA failover

ivanka_busta (Level 1)

Hi,

We have two ASA 5520s with failover enabled. Due to the replacement of a wire in the ASA which was active, the standby ASA took over. However, we found out that the VPN connection wasn't available when this ASA was the active one. What could be the reason?

Thanks in advance.

Accepted Solution

Make sure that the configuration has been completely synchronized.

Also make sure you have configured the stateful failover link, which synchronizes the VPN connection info.

--
Please remember to select a correct answer and rate helpful posts

19 Replies


Hi,

I've just found out that the failover is configured as Active/Active. Is it related to the VPN problem? Should it be configured as Active/Standby?

Thanks.

That output is from show version on the ASA.  That just shows you the capabilities of the ASA and not what is currently configured.  Basically it says that the license you have installed will allow for Active/Active failover.

What type of VPN connection are we talking about (L2L, Remote Access, IPsec, SSL...etc)?

Are both ASAs the same hardware, and software version? do they have the same licenses installed?

--
Please remember to select a correct answer and rate helpful posts

The VPN is SSL.

 

Both ASA have a VPN Plus license and the same version: Cisco Adaptive Security Appliance Software Version 8.0(2), Device Manager Version 6.0(2).

Could you post a full running configuration of your primary ASA and secondary ASA (remove any passwords or public IPs)?

--
Please remember to select a correct answer and rate helpful posts

Hi,

Thanks a lot for your suggestions.

We have been checking the show tech command output and found out that the VPN configuration is not the same in both ASAs. So my doubt now is, why are the configuration changes made in the active ASA not being transferred to the standby ASA? Apparently, it only affects the VPN configuration, as I have added new rules to the ASA today and they also appear in the standby ASA.


ivanka_busta (Level 1)

I enclose a screenshot of the ASDM where the failover is configured. How could I check if the stateful failover link is configured?

That is the secondary ASA, all configuration needs to be done on the primary ASA...but it looks as though you need to configure the stateful failover link.

--
Please remember to select a correct answer and rate helpful posts

ivanka_busta (Level 1)

Hi,

I checked the ASDM Help related to configuring failover and it says the following:

If you choose the LAN Failover interface, you do not need to specify the Active IP, Subnet Mask, Logical Name, and Standby IP values; the values specified for the LAN Failover interface are used. So my state failover seems to be right.

The screenshot attached is the primary ASA. The help says that:

Preferred Role—Specifies whether the preferred role for this security appliance is as the primary or secondary unit in a LAN failover. Therefore, the ASA is the active one, but I have selected secondary as that is the role assumed once it fails and the secondary unit takes over.

Are there other options to check?

Thanks.

ivanka_busta (Level 1)

Hi,

I connected to the secondary ASA. The VPN is configured the same way. However, when I checked the failover configuration I got the warning message shown in the screenshot attached. The primary ASA is configured the same way, but this warning message is not shown in the primary ASA.

I would be very grateful if you could help me.

Thanks.

Are the two ASAs running the same hardware, software image and licenses?

The image attached is of your primary/Active firewall...indicated by the selected preferred role <primary>? So you are seeing this error on your primary ASA and not your secondary.

I would suggest removing the failover configuration and then re-applying it. You might also want to consider a reload of the ASA after you have removed the failover configuration...if you are able to do so.

--
Please remember to select a correct answer and rate helpful posts

In looking at the screenshot it seems pretty clear that LAN failover is configured but that State failover is not configured (there is no active IP address, no backup IP address, etc. for State Failover). And not having stateful failover would prevent VPN failover.

But as I read the original post I am not clear exactly what the problem is. Perhaps it is that VPN sessions do not fail over. But when it says that VPN was not available I wonder if it really means that new VPN sessions could not be established. Perhaps the original poster can clarify this.

Also I am not clear whether the problem with VPN is for site to site VPN or is for Remote Access VPN. Perhaps we could get clarification for that as well?

On the possibility that it might be about Remote Access VPN and that it is that new sessions can not be established I will add one suggestion. Be sure that the files used for VPN are present on the disk of the standby ASA. Since the config does get replicated it is easy to assume that the files get replicated also. But that is not the case. You need to manually copy the files into disk on both ASA.

HTH

Rick

I agree that the state failover does look to be configured. Which is the reason I asked the poster to provide the configuration, so that we can fill in the gaps.

--
Please remember to select a correct answer and rate helpful posts

Thanks for your suggestions.

We are using Remote Access VPN. The problem is that when the standby ASA takes over it's not possible to connect using VPN. However, we have just found out that the VPN configuration is not the same in our ASAs, so that's the reason why people cannot connect when the standby changes to active.

I don't understand your explanation about state failover. I think it is configured. In fact this information is available in the ASDM help:

• Active IP—Specifies the IP address for the Stateful Failover interface on the primary unit. This field is dimmed if the LAN Failover interface or Use Named option is selected in the Interface drop-down list.

I would say that this explanation fits with my screenshot. However, there must be some problem, as the VPN configuration is not replicated in both ASAs, although when I add a new rule it is replicated to the standby ASA.

I don't understand your last explanation about files needed to get the VPN configuration replicated. How can I check if those files are in both ASAs?

Thanks in advance.
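The check Rick describes above (the configuration replicates to the standby, but files on disk0: do not) can be made mechanical. This is an added example, not code from the thread or from Cisco: it compares `dir disk0:` listings captured from both units against the `disk0:/` file references in the active unit's webvpn configuration and reports what the standby lacks. The listings and the `svc image` lines below are constructed samples in the 8.0 format, not output from the poster's appliances.

```python
import re

# Constructed sample "dir disk0:" output from each unit (not taken from the thread).
PRIMARY_DIR = """\
Directory of disk0:/
   43     -rwx  14524416    11:26:48 Jan 01 2010  asa802-k8.bin
   44     -rwx  6889764     11:30:12 Jan 01 2010  asdm-602.bin
   45     -rwx  2635734     09:12:03 Mar 03 2010  anyconnect-win-2.2.0140-k9.pkg
   46     -rwx  3061248     09:14:55 Mar 03 2010  anyconnect-macosx-i386-2.2.0140-k9.pkg
"""
STANDBY_DIR = """\
Directory of disk0:/
   43     -rwx  14524416    11:26:48 Jan 01 2010  asa802-k8.bin
   44     -rwx  6889760     11:30:12 Jan 01 2010  asdm-602.bin
   45     -rwx  2635734     09:12:03 Mar 03 2010  anyconnect-win-2.2.0140-k9.pkg
"""
# Constructed webvpn fragment of the active unit's running config.
RUNNING_CONFIG = """\
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.2.0140-k9.pkg 2
 svc enable
"""
# dir line layout: index  perms  size  hh:mm:ss Mon dd yyyy  name
DIR_LINE = re.compile(r"^\s*\d+\s+\S+\s+(\d+)\s+\d\d:\d\d:\d\d\s+\w{3}\s+\d{1,2}\s+\d{4}\s+(\S+)$")
FILE_REF = re.compile(r"disk0:/(\S+)")

def parse_dir(text):
    """Map file name -> size in bytes from a 'dir disk0:' listing."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line.rstrip())
        if m:
            files[m.group(2)] = int(m.group(1))
    return files

def referenced_files(config):
    """File names the running config points at on disk0:."""
    return set(FILE_REF.findall(config))

def compare_units(primary_dir, standby_dir, config):
    """Files the standby lacks or holds in a different size; config syncs, flash does not."""
    primary, standby = parse_dir(primary_dir), parse_dir(standby_dir)
    missing = sorted(f for f in primary if f not in standby)
    mismatch = sorted(f for f in primary if f in standby and primary[f] != standby[f])
    # Referenced by the config but absent on the standby: SSL VPN breaks after a failover.
    blocking = sorted(f for f in referenced_files(config) if f not in standby)
    return {"missing": missing, "size_mismatch": mismatch, "blocking": blocking}
```

With the samples above, `compare_units(PRIMARY_DIR, STANDBY_DIR, RUNNING_CONFIG)` flags the Mac AnyConnect package as both missing and blocking, and the ASDM image as a size mismatch.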
