Hello John,

I believe you are talking about the Failover Lan Interface connectivity which can be of two types:

--- Back to Back.

--- With Intermediary Switch

I would say the second option is better as its easy to segment and isolate faults on a Production Network. Consider the below scenario:

Your firewalls are connected back to back with a crossover cable and you have a live firewall and you start experiencing failover related issues on your FO lan port. What would you do to determine if its a cable or a Firewall Interface issue and if an Interface issue which Interface? Cause if one Interface goes down it pulls down the Peer interface as well to line protocol down. This is tricky you would need to manually test all the components seperately using another directly connected device to see which component is faulty or replace all units to restore services.

In case of the second option we can clearly eliminate as the switch is inbetween. I think its also explained in the configuration guide here:

When  you use a crossover cable for the LAN failover link, if the LAN  interface fails, the link is brought down on both peers. This condition  may hamper troubleshooting efforts because you cannot easily determine  which interface failed and caused the link to come down. 

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html

Hope that helps. Have a good day !

Thanks Prashanth for detailed info.

Hello Roberto,

The document is absolutely right the Certificates on the ASA get replicated with Bulk replication only and these are 3rd party certificates only and not the locally generated certificates which i have checked in previous versions. However i have not played around much on 8.4.4 which was just released and i dont have a reason to believe that it works differently on 8.4.4, i can check this up for you once i get into office in the morning.

Can you let me know the license you are on Active/Active or Active/Standby Failover ? Also what are the steps you took to test this and how sure are you that this was not exported to the other firewall ? Just to add i would assume the purpose of Self signed Certificate to be unique to each of the ASA's.

thanks,

Prashanth

Hello Prashanth,

maybe I've not fully understood, please can you indicate me again why the "However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated." is correct ?

If the previous sentence is correct why on the following test enviroment both cisco asa active and standby have the same SSL self signed certificate ?

Enviroment:

a cluster of Cisco ASA is Active/Standby firewalls with the SSL AnyConnect certificate auto generated named “SELFSIGNEDCERT” and used for the remote SSL vpn

ON THE ACTIVE:

pri/act/asa# sh run | i SELFSIGNEDCERT

crypto ca trustpoint SELFSIGNEDCERT

keypair SELFSIGNEDCERTKEY

crypto ca certificate chain SELFSIGNEDCERT

ssl trust-point SELFSIGNEDCERT outside vpnlb-ip

ssl trust-point SELFSIGNEDCERT outside

pri/act/asa#

pri/act/asa#sh crypto ca certificates SELFSIGNEDCERT

Certificate

  Status: Available

  Certificate Serial Number: 5406334f

  Certificate Usage: General Purpose

  Public Key Type: RSA (2048 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    hostname=asa.cisco.com

    cn=*.cisco.com

  Subject Name:

    hostname=asa.cisco.com

    cn=*.cisco.com

  Validity Date:

    start date: 20:42:41 UTC Feb 20 2012

    end   date: 20:42:41 UTC Feb 17 2022

  Associated Trustpoints: SELFSIGNEDCERT

pri/act/asa#

ON THE STANDBY:

sec/stby/asa# sh crypto ca certificates SELFSIGNEDCERT

Certificate

  Status: Available

  Certificate Serial Number: 5406334f

  Certificate Usage: General Purpose

  Public Key Type: RSA (2048 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    hostname=asa.cisco.com

    cn=*.cisco.com

  Subject Name:

    hostname=asa.cisco.com

    cn=*.cisco.com

  Validity Date:

    start date: 20:42:41 UTC Feb 20 2012

    end   date: 20:42:41 UTC Feb 17 2022

  Associated Trustpoints: SELFSIGNEDCERT

sec/stby/asa#

And again if the sentence "However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated." is  correct:

Qs:

1) If I activate the standby unit with “failover  active” need to do something for the SSL certificate (needed to copy it from the other unit)  ?!?!

2) If the active firewall unit FAIL is it necessary to reinstall the AUTO GENERATED  SSL certificate on the Standby unit ?!?!

Hello Roberto,

I tried out the configuration on 8.4.4 and observed the same issue as what you have noticed, look below :

CiscoASA(config-ca-trustpoint)# fqdn sslvpn.cisco.com
CiscoASA(config-ca-trustpoint)# subject-name CN=sslvpn.cisco.com
CiscoASA(config-ca-trustpoint)# crypto key generate rsa label sslvpnkeypair
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait...
CiscoASA(config)# crypto ca trustpoint SELFSIGNEDCERT
CiscoASA(config-ca-trustpoint)# keypair sslvpnkeypair
CiscoASA(config)# crypto ca enroll SELFSIGNEDCERT noconfirm
% The fully-qualified domain name in the certificate will be: sslvpn.cisco.com

When i try to view it i see the below output on both Active and Standby Firewalls replicated without doing even a write standby:

CiscoASA(config)# show cry ca cert
Certificate
  Status: Available
  Certificate Serial Number: c5d1f44f
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name: 
    hostname=sslvpn.cisco.com
    cn=sslvpn.cisco.com
  Subject Name:
    hostname=sslvpn.cisco.com
    cn=sslvpn.cisco.com
  Validity Date: 
    start date: 16:29:09 GMT Jul 5 2012
    end   date: 16:29:09 GMT Jul 3 2022
  Associated Trustpoints: SELFSIGNEDCERT 

This is exactly matching the output you had provided, however what we both did not figure out earlier is that this is an Identity certificate and not a CA certificate. A typical CA certificate looks like this:

CiscoASA(config)# show crypto ca certificate
CA Certificate
  Status: Available
  Certificate Serial Number: 344ed55720d5edec49f42fce37db2b6d
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=thawte Primary Root CA
    ou=(c) 2006 thawte\, Inc. - For authorized use only
    ou=Certification Services Division
    o=thawte\, Inc.
    c=US
  Subject Name:
    cn=thawte Primary Root CA
    ou=(c) 2006 thawte\, Inc. - For authorized use only
    ou=Certification Services Division
    o=thawte\, Inc.
    c=US
  Validity Date:
    start date: 00:00:00 UTC Nov 17 2006
    end   date: 23:59:59 UTC Jul 16 2036
  Associated Trustpoints: abc

Hence going back to the document you had pointed out, its only speaking about the Local CA Generated certificates and not all locally generated Certificates (identity). Refer to the 8.4 Configuration guide as well which shows that the locally generated

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html
 Note Standby Failover does not replicate the following files and configuration components: 
 •AnyConnect images 
 •CSD images 
 •ASA images 
 •AnyConnect profiles 
 •Local Certificate Authorities (CA) 
 •ASDM images 

Hope that clarifies the document's wordings

Thanks for the info.

Roberto Taccon

Prashanth Goutham R.

I have set up 4 IPsec VPNs in a ASA 5520. The maximum bandwidth-BW- provided by our ISP is 3 MBPS.

Let's suppose that I want to assign/allocate BW to each IPSEc tunnel as follows:

Tunnel 1: 500 KBps

Tunnel 2: 700 KBps

Tunnel 3: 300 KBps

Tunnel 4: 600 Kbps

1- What is the configuration to make that possible?

2- Does it make any difference if this configuration fo BW assignment is also added on the other VPN peer?

Thanks

John

Hello John,

This session is on Failover Functionality on all Cisco Firewalls, im not a geek on QOS however i have the answer for what you need. The way to limit traffic would be to enable QOS Policing on your Firewalls. The requirement that you have is about limiting 4 different tunnels to be utilizing the set limits and drop any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.

access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
    class-map Tunnel_Policy1
     match access-list tunnel_one
   class-map Tunnel_Policy2
     match access-list tunnel_two
   class-map Tunnel_Policy3
     match access-list tunnel_three
   class-map Tunnel_Policy4
     match access-list tunnel_four
  policy-map tunnel_traffic_limit
     class Tunnel_Policy1
      police output 4096000
   policy-map tunnel_traffic_limit
     class Tunnel_Policy2
      police output 5734400
   policy-map tunnel_traffic_limit
     class Tunnel_Policy3
      police output 2457600
    policy-map tunnel_traffic_limit
     class Tunnel_Policy4
      police output 4915200
service-policy tunnel_traffic_limit interface outside

You might want to watch out for the following changes in values:

HTTS-SEC-R2-7-ASA5510-02(config-cmap)#     policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy1
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4096000
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy2
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 5734400
WARNING: police rate 5734400 not supported. Rate is changed to 5734000     
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config)#     policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy3
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 2457600
WARNING: police rate 2457600 not supported. Rate is changed to 2457500
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy4
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4915200
WARNING: police rate 4915200 not supported. Rate is changed to 4915000
I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/

The Final outputs of the configured values were :

    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
 
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html

Hope that helps..

Prashanth Goutham R.

Thanks for your detailed reply and for allowing this out-of-scope question. Honestly, when I read "ASA" in the subject I ignored the rest.

Two more questions:

1- Which SHOW command you used at the end to verify the bandwidth?

2- If one peer is policing traffic and the other one is not, the one with the smallest bandwidth would set the size limit in the connection ? I am also implying that the Traffic policing does not need to be configured on both ends, correct?

Thanks again

John

John,

1- Which SHOW command you used at the end to verify the bandwidth?

--- Command used is show service-policy police

2-  If one peer is policing traffic and the other one is not, the one with  the smallest bandwidth would set the size limit in the connection ? 
I am  also implying that the Traffic policing does not need to be configured  on both ends, correct?

--- Policing at one end should help control the limits.

Hi this is good opportunity to get good concept..

my Question is..

I am not able to get CA certificate by microsoft CA server.

Hello Gaurav,

Apologies for the delayed response, this is a Failover discussion series on Cisco Firewalls, however ill help you to get started on the Certificate issue.

I am not really sure about what is the actual problem. Based on the fact that you have mentioned the ASA is unable to enroll with Microsoft CA server i would first enable the following debugs:

debug crypto ca 255
debug crypto ca transactions 255

I would actually start with researching on what error messages you had received while you tried to enroll and what was the procedure you used to enroll from the ASA perspective, i would also suggest that you take a packet capture to see if the CA server and the ASA are able to communicate without any network level issues.