Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
617
Views
0
Helpful
4
Replies

ASA5525 : Configure Active/Active

Danny Cheng Chee Wah
Level 1
Level 1

‎08-21-2013 09:29 PM - edited ‎03-11-2019 07:29 PM

Hi All,

I'm trying to configure Active/Active in 2 new ASA5525 using the Wizard. Just to begin, both ASA5525 G0/3 is connected to a dumb switch and configured with LAN IP 10.1.1.1/24 & 10.1.1.2/24 respectively. ASDM has been enabled on that LAN interface and both unit can reach each other.

When I tried to use the HA Wizard, it failed at Step 2 of 7, as shown in the attached screenshot.

Appreciate your kind advise on this. What other initial configurations need to be done?

Thank you.

-----

Regards,

Danny

Labels:
Preview file
148 KB
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-22-2013 05:16 AM

Can the PC you are running ASDM on reach the peer firewall directly (apart from the HA wizard process) at 172.16.1.2?

If not, and that IP is otherwise reachable, we often see new out of the box ASA 5500-X series needing to have strong encryption enabled.

Check "show version" for 3DES-AES key activation and also set "ssl encryption aes256-sha1" for ASDM to work properly.

0 Helpful

Danny Cheng Chee Wah
Level 1
Level 1
In response to Marvin Rhoads

‎08-22-2013 05:57 PM

Hi Marvin,

From my PC, I can reach both firewall and connect via ASDM directly. So, you're saying I need to add 'ssl encryption aes256-sha1' for the ASDM peer testing to work properly? Cause for my PC to connect to firewall ASDM, I've changed the encryption to rc4-sha1. So, will it be best if I enable all the encryption?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Danny Cheng Chee Wah

‎08-23-2013 07:08 AM

Well if your PC can reach the secondary firewall with ASDM, that should be OK encryption-wise.

Can you confirm you are able to use 172.16.1.2 for its reachability? Can the priamary firewall (172.16.1.1 I assume) also reach that address (ping)?

0 Helpful

Danny Cheng Chee Wah
Level 1
Level 1
In response to Marvin Rhoads

‎08-25-2013 07:00 PM

Hi Marvin,

Yes, primary firewall can reach secondary firewall via ping. I've also tested the HA setup using CLI and is working fine. Just want to solve the problem why wizard is not working.

Anyway, before starting the wizard, I only connect port 1 of primary firewall to port 1 of secondary firewall. Configure an IP and both able to ping to each other. Then, I just connect to ASDM via management port of primary firewall to start the wizard.

Is this correct?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card