06-29-2012 10:22 AM - last edited on 02-13-2020 12:58 PM by Kelli Glass
With Prashanth Goutham R.
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuring, troubleshooting and best practices for Adaptive Security Appliance (ASA) and Firewall Services Module (FWSM) failover with Prashanth Goutham.
Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
Remember to use the rating system to let Prashanth know if you have received an adequate response.
Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
07-03-2012 09:13 PM
Hello Prashanth,
I have a quick question for you. Why is it recommended to have a switch in between the firewall pairs and not connect them directly, though it's going to work fine anyway?
thanks a lot,
- John
07-04-2012 12:10 AM
Hello John,
I believe you are talking about the failover LAN interface connectivity, which can be of two types:
--- Back to back.
--- With an intermediary switch.
I would say the second option is better, as it's easy to segment and isolate faults on a production network. Consider the scenario below:
Your firewalls are connected back to back with a crossover cable, you have a live firewall, and you start experiencing failover-related issues on your FO LAN port. What would you do to determine if it's a cable or a firewall interface issue, and if an interface issue, which interface? Because if one interface goes down, it pulls down the peer interface as well to line protocol down. This is tricky: you would need to manually test all the components separately using another directly connected device to see which component is faulty, or replace all units to restore services.
In the case of the second option we can clearly eliminate the faulty component, as the switch is in between. I think it's also explained in the configuration guide here:
When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html
Hope that helps. Have a good day!
07-04-2012 09:43 PM
Thanks Prashanth for detailed info.
07-04-2012 10:20 AM
Hello Prashanth,
please can you check/confirm whether, in a Cisco ASA Active/Standby clustering environment, the SELF SIGNED GENERATED certificate used for SSL VPN remote access is replicated or NOT on the STANDBY unit?
The following doc states "the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated", but testing in the lab with version 8.4.4 the result is different: the self-signed certificate of the active ASA is replicated on the standby.
https://supportforums.cisco.com/docs/DOC-12969
Q. Are digital certificates replicated in an Active/Standby configuration?
A. Yes. Third-party digital certificates (i.e. from Entrust, Verisign, Microsoft, etc.) that are installed on the Active ASA are replicated to the Standby ASA in an active/standby config.
However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated.
07-04-2012 01:00 PM
Hello Roberto,
The document is absolutely right: the certificates on the ASA get replicated with bulk replication only, and these are 3rd-party certificates only and not the locally generated certificates, which I have checked in previous versions. However, I have not played around much on 8.4.4, which was just released, and I don't have a reason to believe that it works differently on 8.4.4; I can check this up for you once I get into the office in the morning.
Can you let me know the license you are on, Active/Active or Active/Standby Failover? Also, what are the steps you took to test this, and how sure are you that this was not exported to the other firewall? Just to add, I would assume the purpose of a self-signed certificate is to be unique to each of the ASAs.
thanks,
Prashanth
07-04-2012 01:32 PM
Hello Prashanth,
maybe I've not fully understood; please can you indicate to me again why "However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated." is correct?
If the previous sentence is correct, why in the following test environment do both Cisco ASA active and standby have the same SSL self-signed certificate?
Environment:
a cluster of Cisco ASA Active/Standby firewalls with the SSL AnyConnect certificate auto-generated, named "SELFSIGNEDCERT" and used for the remote SSL VPN
ON THE ACTIVE:
pri/act/asa# sh run | i SELFSIGNEDCERT
crypto ca trustpoint SELFSIGNEDCERT
keypair SELFSIGNEDCERTKEY
crypto ca certificate chain SELFSIGNEDCERT
ssl trust-point SELFSIGNEDCERT outside vpnlb-ip
ssl trust-point SELFSIGNEDCERT outside
pri/act/asa#
pri/act/asa#sh crypto ca certificates SELFSIGNEDCERT
Certificate
  Status: Available
  Certificate Serial Number: 5406334f
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Subject Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Validity Date:
    start date: 20:42:41 UTC Feb 20 2012
    end date: 20:42:41 UTC Feb 17 2022
  Associated Trustpoints: SELFSIGNEDCERT
pri/act/asa#
ON THE STANDBY:
sec/stby/asa# sh crypto ca certificates SELFSIGNEDCERT
Certificate
  Status: Available
  Certificate Serial Number: 5406334f
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Subject Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Validity Date:
    start date: 20:42:41 UTC Feb 20 2012
    end date: 20:42:41 UTC Feb 17 2022
  Associated Trustpoints: SELFSIGNEDCERT
sec/stby/asa#
And again, if the sentence "However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated." is correct:
Qs:
1) If I activate the standby unit with "failover active", do I need to do something for the SSL certificate (do I need to copy it from the other unit)?
2) If the active firewall unit FAILS, is it necessary to reinstall the AUTO GENERATED SSL certificate on the Standby unit?
07-05-2012 05:05 AM
Hello Roberto,
I tried out the configuration on 8.4.4 and observed the same issue you noticed; look below:
CiscoASA(config-ca-trustpoint)# fqdn sslvpn.cisco.com
CiscoASA(config-ca-trustpoint)# subject-name CN=sslvpn.cisco.com
CiscoASA(config-ca-trustpoint)# crypto key generate rsa label sslvpnkeypair
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait...
CiscoASA(config)# crypto ca trustpoint SELFSIGNEDCERT
CiscoASA(config-ca-trustpoint)# keypair sslvpnkeypair
CiscoASA(config)# crypto ca enroll SELFSIGNEDCERT noconfirm
% The fully-qualified domain name in the certificate will be: sslvpn.cisco.com
When I try to view it, I see the output below on both the Active and Standby firewalls, replicated without even doing a write standby:
CiscoASA(config)# show cry ca cert
Certificate
  Status: Available
  Certificate Serial Number: c5d1f44f
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=sslvpn.cisco.com
    cn=sslvpn.cisco.com
  Subject Name:
    hostname=sslvpn.cisco.com
    cn=sslvpn.cisco.com
  Validity Date:
    start date: 16:29:09 GMT Jul 5 2012
    end date: 16:29:09 GMT Jul 3 2022
  Associated Trustpoints: SELFSIGNEDCERT
This exactly matches the output you provided; however, what we both did not figure out earlier is that this is an identity certificate and not a CA certificate. A typical CA certificate looks like this:
CiscoASA(config)# show crypto ca certificate
CA Certificate
  Status: Available
  Certificate Serial Number: 344ed55720d5edec49f42fce37db2b6d
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=thawte Primary Root CA
    ou=(c) 2006 thawte\, Inc. - For authorized use only
    ou=Certification Services Division
    o=thawte\, Inc.
    c=US
  Subject Name:
    cn=thawte Primary Root CA
    ou=(c) 2006 thawte\, Inc. - For authorized use only
    ou=Certification Services Division
    o=thawte\, Inc.
    c=US
  Validity Date:
    start date: 00:00:00 UTC Nov 17 2006
    end date: 23:59:59 UTC Jul 16 2036
  Associated Trustpoints: abc
Hence, going back to the document you pointed out, it's only speaking about the Local CA-generated certificates and not all locally generated certificates (identity). Refer to the 8.4 configuration guide as well, which shows that the locally generated
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html
Note
Standby Failover does not replicate the following files and configuration components:
• AnyConnect images
• CSD images
• ASA images
• AnyConnect profiles
• Local Certificate Authorities (CA)
• ASDM images
Hope that clarifies the document's wording.
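The check Roberto did by eye above (comparing `show crypto ca certificates` on the active and standby units) can be scripted, so that the distinction this post makes between replicated identity certificates and non-replicated Local CA certificates is verified rather than guessed at. The following Python is an added example, not code from the thread or from Cisco. The identity-certificate sample (serial 5406334f) is the one shown earlier in this thread; the `CA Certificate` block with serial `01` and subject `cn=LOCAL-CA-EXAMPLE` is a constructed placeholder standing in for a Local CA certificate that, per the configuration guide note, is not replicated. The parser deliberately ignores indentation so it also works on output pasted into a forum post.

```python
"""Compare the certificate inventory of an ASA Active/Standby pair.
Added example, not from the thread or from Cisco: parses `show crypto ca
certificates` text (indentation optional) and diffs the two units."""
from typing import Dict, List

TOP_FIELDS = {"Status", "Certificate Serial Number", "Certificate Usage",
              "Public Key Type", "Signature Algorithm", "Associated Trustpoints"}
SECTION_FIELDS = {"Issuer Name", "Subject Name", "Validity Date"}
HEADERS = {"Certificate": "identity", "CA Certificate": "ca"}

# Constructed sample input. The identity certificate (serial 5406334f) is the one
# shown in the thread; the CA Certificate block is a placeholder standing in for a
# Local CA certificate, which the configuration guide says is not replicated.
ACTIVE_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number: 5406334f
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Subject Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Validity Date:
    start date: 20:42:41 UTC Feb 20 2012
    end   date: 20:42:41 UTC Feb 17 2022
  Associated Trustpoints: SELFSIGNEDCERT
CA Certificate
  Certificate Serial Number: 01
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=LOCAL-CA-EXAMPLE
  Subject Name:
    cn=LOCAL-CA-EXAMPLE
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2012
    end   date: 00:00:00 UTC Jan 1 2015
  Associated Trustpoints: LOCAL-CA-EXAMPLE
"""

# Standby paste with the indentation lost, as happens when terminal output is
# copied into a forum post; the prompt echo must be skipped as well.
STANDBY_OUTPUT = """\
sec/stby/asa# sh crypto ca certificates SELFSIGNEDCERT
Certificate
Status: Available
Certificate Serial Number: 5406334f
Public Key Type: RSA (2048 bits)
Issuer Name:
hostname=asa.cisco.com
cn=*.cisco.com
Subject Name:
hostname=asa.cisco.com
cn=*.cisco.com
Validity Date:
start date: 20:42:41 UTC Feb 20 2012
end date: 20:42:41 UTC Feb 17 2022
Associated Trustpoints: SELFSIGNEDCERT
"""


def parse_certificates(text: str) -> List[Dict]:
    """One dict per 'Certificate' / 'CA Certificate' block, fields keyed by name."""
    certs: List[Dict] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:                      # start of a new certificate block
            certs.append({"kind": HEADERS[line]})
            section = None
            continue
        if not line or not certs:                # blank lines and prompt echoes
            continue
        key, sep, value = line.partition(":")
        key, value = " ".join(key.split()), value.strip()   # 'end   date' -> 'end date'
        if sep and key in TOP_FIELDS:
            certs[-1][key] = value
            section = None
        elif sep and key in SECTION_FIELDS and not value:
            section = key                        # following lines belong to it
            certs[-1][section] = {}
        elif section == "Validity Date" and sep:
            certs[-1][section][key] = value      # 'start date' / 'end date'
        elif section in ("Issuer Name", "Subject Name") and "=" in line:
            attr, _, val = line.partition("=")   # e.g. 'cn=*.cisco.com'
            certs[-1][section][attr.strip()] = val.strip()
    return certs


def compare_pair(active_text: str, standby_text: str) -> Dict[str, List[str]]:
    """Label each certificate by kind, serial, subject and expiry, then diff."""
    def inventory(text):
        return {(c["kind"], c.get("Certificate Serial Number"),
                 tuple(sorted(c.get("Subject Name", {}).items())),
                 c.get("Validity Date", {}).get("end date"))
                for c in parse_certificates(text)}
    active, standby = inventory(active_text), inventory(standby_text)
    label = lambda fp: f"{fp[0]} serial={fp[1]}"
    return {"replicated": sorted(map(label, active & standby)),
            "active_only": sorted(map(label, active - standby)),
            "standby_only": sorted(map(label, standby - active))}
```

Running `compare_pair(ACTIVE_OUTPUT, STANDBY_OUTPUT)` reports the identity certificate as replicated and the constructed Local CA certificate as present on the active unit only, which is exactly the condition to look for after a failover if SSL VPN clients start seeing certificate errors: the identity certificate and its keypair are there, but anything issued by a Local CA on the old active unit is not.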
07-05-2012 05:38 AM
Thanks for the info.
Roberto Taccon
07-06-2012 08:09 AM
Prashanth Goutham R.
I have set up 4 IPsec VPNs on an ASA 5520. The maximum bandwidth (BW) provided by our ISP is 3 MBPS.
Let's suppose that I want to assign/allocate BW to each IPsec tunnel as follows:
Tunnel 1: 500 KBps
Tunnel 2: 700 KBps
Tunnel 3: 300 KBps
Tunnel 4: 600 Kbps
1- What is the configuration to make that possible?
2- Does it make any difference if this configuration for BW assignment is also added on the other VPN peer?
Thanks
John
07-06-2012 11:45 AM
Hello John,
This session is on failover functionality on all Cisco firewalls; I'm not a geek on QoS, however I have the answer for what you need. The way to limit traffic would be to enable QoS policing on your firewalls. Your requirement is about limiting 4 different tunnels to the set limits and dropping any further packets. This is called traffic policing. I tried out the following in my lab and it looks good.
access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
class-map Tunnel_Policy1
 match access-list tunnel_one
class-map Tunnel_Policy2
 match access-list tunnel_two
class-map Tunnel_Policy3
 match access-list tunnel_three
class-map Tunnel_Policy4
 match access-list tunnel_four
policy-map tunnel_traffic_limit
 class Tunnel_Policy1
  police output 4096000
policy-map tunnel_traffic_limit
 class Tunnel_Policy2
  police output 5734400
policy-map tunnel_traffic_limit
 class Tunnel_Policy3
  police output 2457600
policy-map tunnel_traffic_limit
 class Tunnel_Policy4
  police output 4915200
service-policy tunnel_traffic_limit interface outside
You might want to watch out for the following changes in values:
HTTS-SEC-R2-7-ASA5510-02(config-cmap)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy1
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4096000
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy2
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 5734400
WARNING: police rate 5734400 not supported. Rate is changed to 5734000
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy3
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 2457600
WARNING: police rate 2457600 not supported. Rate is changed to 2457500
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy4
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4915200
WARNING: police rate 4915200 not supported. Rate is changed to 4915000
I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your kilobyte values to bits: http://www.matisse.net/bitcalc/
The final outputs of the configured values were:
Class-map: Tunnel_Policy1
  Output police Interface outside:
    cir 4096000 bps, bc 128000 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
Class-map: Tunnel_Policy2
  Output police Interface outside:
    cir 5734000 bps, bc 179187 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
Class-map: Tunnel_Policy3
  Output police Interface outside:
    cir 2457500 bps, bc 76796 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
Class-map: Tunnel_Policy4
  Output police Interface outside:
    cir 4915000 bps, bc 153593 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html
Hope that helps..
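The arithmetic in the reply above (kilobytes per second to bits per second, the rates the ASA then rewrote, and the `bc` burst values in the `show service-policy police` output) is easy to get wrong by hand, so here is an added Python example, not code from the thread or from Cisco, that plans the four policers and emits the class-map / policy-map configuration. It follows the reply in reading all four limits as kilobytes per second with 1 KB = 1024 bytes. Two things in it are assumptions inferred only from the output in the reply, not from Cisco documentation: that the ASA rounds a requested rate down to a multiple of 500 bps (which reproduces all four WARNING lines), and that the default burst is cir/32 bytes (which reproduces all four `bc` values). Class names, ACL names and networks are the ones used in the reply.

```python
"""Plan ASA per-tunnel output policing from kilobyte-per-second targets.

Added example, not from the thread or from Cisco. It reproduces the arithmetic
in the reply above (1 KB/s = 8192 bps), predicts the rate the ASA accepts and
the burst it reports, and emits the class-map / policy-map configuration.
ASSUMPTIONS (inferred only from the four WARNING and four 'cir ... bc ...'
lines in the thread, not from Cisco documentation): the ASA rounds a requested
rate down to a multiple of 500 bps, and the default burst is cir/32 bytes.
"""
from typing import Dict, List, Tuple

KBPS_TO_BPS = 1024 * 8          # kilobytes per second -> bits per second
RATE_STEP_BPS = 500             # assumed policer granularity (see docstring)
BURST_DIVISOR = 32              # assumed default burst: cir / 32 bytes

# Constructed input: class name, ACL name, source, destination, KB/s. Names and
# networks follow the reply above; all four limits are read as kilobytes/s.
TUNNELS: List[Tuple[str, str, str, str, int]] = [
    ("Tunnel_Policy1", "tunnel_one",   "10.1.0.0 255.255.0.0", "20.1.0.0 255.255.0.0", 500),
    ("Tunnel_Policy2", "tunnel_two",   "10.2.0.0 255.255.0.0", "20.2.0.0 255.255.0.0", 700),
    ("Tunnel_Policy3", "tunnel_three", "10.3.0.0 255.255.0.0", "20.3.0.0 255.255.0.0", 300),
    ("Tunnel_Policy4", "tunnel_four",  "10.4.0.0 255.255.0.0", "20.4.0.0 255.255.0.0", 600),
]


def requested_bps(kbytes_per_sec: float) -> int:
    """500 KB/s -> 4096000 bps, the figure used in the reply."""
    return int(kbytes_per_sec * KBPS_TO_BPS)


def accepted_rate(bps: int) -> int:
    """Rate the ASA is expected to keep: rounded down to RATE_STEP_BPS (assumed)."""
    return bps - bps % RATE_STEP_BPS


def default_burst_bytes(cir_bps: int) -> int:
    """'bc' shown by `show service-policy police` for a plain `police output` (assumed)."""
    return cir_bps // BURST_DIVISOR


def plan_policing(tunnels=TUNNELS) -> List[Dict]:
    """Per tunnel: requested rate, rate the ASA will keep, whether it was rounded, burst."""
    plan = []
    for cls, acl, src, dst, kb in tunnels:
        want = requested_bps(kb)
        cir = accepted_rate(want)
        plan.append({"class": cls, "acl": acl, "src": src, "dst": dst,
                     "requested_bps": want, "cir_bps": cir,
                     "rounded": cir != want, "bc_bytes": default_burst_bytes(cir)})
    return plan


def render_config(plan: List[Dict], policy="tunnel_traffic_limit", interface="outside") -> str:
    """Emit the config with the accepted rate, so the running config matches what was typed."""
    lines = [f"access-list {p['acl']} extended permit ip {p['src']} {p['dst']}" for p in plan]
    for p in plan:
        lines += [f"class-map {p['class']}", f" match access-list {p['acl']}"]
    lines.append(f"policy-map {policy}")
    for p in plan:
        lines += [f" class {p['class']}", f"  police output {p['cir_bps']}"]
    lines.append(f"service-policy {policy} interface {interface}")
    return "\n".join(lines)


def total_cir_bps(plan: List[Dict]) -> int:
    """Sum of all policed rates; compare this against the uplink you actually have."""
    return sum(p["cir_bps"] for p in plan)


if __name__ == "__main__":
    plan = plan_policing()
    for p in plan:
        flag = " (ASA would rewrite the requested value)" if p["rounded"] else ""
        print(f"{p['class']}: requested {p['requested_bps']} bps, cir {p['cir_bps']} bps, "
              f"bc {p['bc_bytes']} bytes{flag}")
    print(f"total policed: {total_cir_bps(plan)} bps")
    print(render_config(plan))
```

The script emits one `policy-map` stanza with all four classes rather than repeating the `policy-map` line per class as in the transcript; the ASA merges them into the same policy either way. `total_cir_bps` is the check worth doing before trusting the policers to protect the link: the four rates in the reply add up to 17,202,500 bps, so it matters whether the ISP's "3 MBPS" is bits or bytes per second, and per-class output policing on `outside` only caps each tunnel individually, not their sum.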
07-06-2012 12:11 PM
Prashanth Goutham R.
Thanks for your detailed reply and for allowing this out-of-scope question. Honestly, when I read "ASA" in the subject I ignored the rest.
Two more questions:
1- Which SHOW command did you use at the end to verify the bandwidth?
2- If one peer is policing traffic and the other one is not, would the one with the smallest bandwidth set the size limit on the connection? I am also implying that traffic policing does not need to be configured on both ends, correct?
Thanks again
John
07-06-2012 05:12 PM
John,
1- Which SHOW command did you use at the end to verify the bandwidth?
--- The command used is show service-policy police
2- If one peer is policing traffic and the other one is not, would the one with the smallest bandwidth set the size limit on the connection?
I am also implying that traffic policing does not need to be configured on both ends, correct?
--- Policing at one end should help control the limits.
07-07-2012 01:11 AM
Hi, this is a good opportunity to get good concepts..
my question is..
I am not able to get a CA certificate from the Microsoft CA server.
07-09-2012 11:30 PM
Hello Gaurav,
Apologies for the delayed response; this is a failover discussion series on Cisco firewalls, however I'll help you get started on the certificate issue.
I am not really sure what the actual problem is. Based on the fact that you have mentioned the ASA is unable to enroll with the Microsoft CA server, I would first enable the following debugs:
debug crypto ca 255
debug crypto ca transactions 255
I would actually start by researching what error messages you received while you tried to enroll and what procedure you used to enroll from the ASA perspective; I would also suggest that you take a packet capture to see if the CA server and the ASA are able to communicate without any network-level issues.