09-02-2011 12:12 AM - edited 03-11-2019 02:20 PM
I upgraded the same IOS (asa804-k8.bin) on both ASAs and configured failover; it is working fine. But when we checked VPN client authentication, it works on the primary ASA, while the secondary ASA gives an authentication error.
When I bring down the primary ASA, it switches to the secondary ASA, which gives the error below:
ASA(config)# Failover LAN Failed
ERROR: The specified SSL VPN Client image does not exist.
WARNING: No 'svc image' commands have been issued
Switching to Active
I also attached the config files of the primary and secondary ASA.
09-02-2011 12:31 AM
Hi Sunil,
From the "sh run", the Primary ASA is running version 8.0(2) and the secondary is at 8.0(4). Also, the secondary ASA is missing the svc image file. Please upgrade the version on the primary ASA and do a "wr mem" followed by a "wr standby" and then test.
Let me know.
Regards,
Anu
P.S. Please mark this question as resolved if it has been answered. Do rate helpful posts.
09-02-2011 12:39 AM
Hi Anu
I also upgraded the primary ASA to 8.0(4) and ran "wr mem" followed by "wr standby" and then tested; it gives the same error.
Regards
Sunil
09-02-2011 12:45 AM
Hi Sunil,
Can you attach the updated "sh run" from both the ASAs?
Regards,
Anu
09-02-2011 01:40 AM
fiatasA# show run
: Saved
:
ASA Version 8.0(4)
!
hostname fiatasA
domain-name FTPINRJCS01
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.16.177.71 255.255.255.192 standby 10.16.177.72
!
interface Ethernet0/1
nameif DMZ1
security-level 90
ip address 10.10.10.1 255.0.0.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif manage
security-level 99
ip address 192.168.0.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name FTPINRJCS01
same-security-traffic permit intra-interface
pager lines 24
mtu outside 1500
mtu DMZ1 1500
mtu manage 1500
ip local pool vpn_employee 10.16.191.65-10.16.191.94 mask 255.255.255.224
ip local pool vpn_suppliers 10.16.191.97-10.16.191.126 mask 255.255.255.224
failover
failover lan unit primary
failover lan interface asa-lf0-sf0 Ethernet0/3
failover polltime unit 3 holdtime 9
failover link asa-lf0-sf0 Ethernet0/3
failover interface ip asa-lf0-sf0 192.168.1.1 255.255.255.0 standby 192.168.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.16.177.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server FIAT_RADIUS protocol radius
aaa-server FIAT_RADIUS (outside) host 10.16.178.29
key c1sc0123
http server enable
http 192.168.0.2 255.255.255.255 manage
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc enable
tunnel-group-list enable
group-policy SUPPLIERS internal
group-policy SUPPLIERS attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
address-pools value vpn_suppliers
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
group-policy EMPLOYEE internal
group-policy EMPLOYEE attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
address-pools value vpn_employee
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group fiat_webvpn type remote-access
tunnel-group fiat_webvpn general-attributes
authentication-server-group FIAT_RADIUS
tunnel-group fiat_webvpn webvpn-attributes
group-alias fiat_webvpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a55d5b2036478778d0ad886b356984a0
: end
fiatasA#
Hi, I found that one command is not present on the secondary after issuing "wr standby", namely:
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
09-02-2011 01:57 AM
Hi Sunil,
This is from the Primary ASA right? Please post the "sh run" from the secondary ASA as well. Are you able to use vpn now on both ASAs?
Regards,
Anu
09-02-2011 02:19 AM
Primary ASA Show Run
: Saved
:
ASA Version 8.0(4)
!
hostname fiatasA
domain-name FTPINRJCS01
enable password
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.16.177.71 255.255.255.192 standby 10.16.177.72
!
interface Ethernet0/1
nameif DMZ1
security-level 90
ip address 10.10.10.1 255.0.0.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif manage
security-level 99
ip address 192.168.0.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name FTPINRJCS01
same-security-traffic permit intra-interface
pager lines 24
mtu outside 1500
mtu DMZ1 1500
mtu manage 1500
ip local pool vpn_employee 10.16.191.65-10.16.191.94 mask 255.255.255.224
ip local pool vpn_suppliers 10.16.191.97-10.16.191.126 mask 255.255.255.224
failover
failover lan unit primary
failover lan interface asa-lf0-sf0 Ethernet0/3
failover polltime unit 3 holdtime 9
failover link asa-lf0-sf0 Ethernet0/3
failover interface ip asa-lf0-sf0 192.168.1.1 255.255.255.0 standby 192.168.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.16.177.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server FIAT_RADIUS protocol radius
aaa-server FIAT_RADIUS (outside) host 10.16.178.29
key c1sc0123
http server enable
http 192.168.0.2 255.255.255.255 manage
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SUPPLIERS internal
group-policy SUPPLIERS attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
address-pools value vpn_suppliers
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
group-policy EMPLOYEE internal
group-policy EMPLOYEE attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
address-pools value vpn_employee
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
username cisco password
tunnel-group fiat_webvpn type remote-access
tunnel-group fiat_webvpn general-attributes
authentication-server-group FIAT_RADIUS
tunnel-group fiat_webvpn webvpn-attributes
group-alias fiat_webvpn enable
prompt hostname context
Cryptochecksum:6c5746384ab93f5360e813c8eb08cad6
: end
Secondary ASA
fiatasA# show run
: Saved
:
ASA Version 8.0(4)
!
hostname fiatasA
domain-name FTPINRJCS01
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.16.177.71 255.255.255.192 standby 10.16.177.72
!
interface Ethernet0/1
nameif DMZ1
security-level 90
ip address 10.10.10.1 255.0.0.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif manage
security-level 99
ip address 192.168.0.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name FTPINRJCS01
same-security-traffic permit intra-interface
pager lines 24
mtu outside 1500
mtu DMZ1 1500
mtu manage 1500
ip local pool vpn_employee 10.16.191.65-10.16.191.94 mask 255.255.255.224
ip local pool vpn_suppliers 10.16.191.97-10.16.191.126 mask 255.255.255.224
failover
failover lan unit secondary
failover lan interface asa-lf0-sf0 Ethernet0/3
failover polltime unit 3 holdtime 9
failover link asa-lf0-sf0 Ethernet0/3
failover interface ip asa-lf0-sf0 192.168.1.1 255.255.255.0 standby 192.168.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.16.177.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server FIAT_RADIUS protocol radius
aaa-server FIAT_RADIUS (outside) host 10.16.178.29
key c1sc0123
http server enable
http 192.168.0.2 255.255.255.255 manage
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc enable
tunnel-group-list enable
group-policy SUPPLIERS internal
group-policy SUPPLIERS attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
address-pools value vpn_suppliers
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
group-policy EMPLOYEE internal
group-policy EMPLOYEE attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
address-pools value vpn_employee
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group fiat_webvpn type remote-access
tunnel-group fiat_webvpn general-attributes
authentication-server-group FIAT_RADIUS
tunnel-group fiat_webvpn webvpn-attributes
group-alias fiat_webvpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a55d5b2036478778d0ad886b356984a0
: end
fiatasA#
Hi, do I have to upload any file to the secondary other than the IOS image, or will it automatically be uploaded to the secondary ASA from the primary ASA?
09-02-2011 03:43 AM
Hi Sunil,
AnyConnect images are not replicated to the standby ASA, if you've upgraded its version. Here is a very useful document:
https://supportforums.cisco.com/docs/DOC-1291
Also, verify that the licenses are the same on both devices ("sh ver" on the ASA).
Hope this helps!
Regards,
Anu
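A pre-failover check for the situation Anu describes, added here as an example and not part of the thread or of any Cisco tool: it collects every command in the primary's running config that points at a file on flash, and reports the ones the standby cannot honour either because the file was never copied to its disk0: or because the replicated command was dropped. The config excerpts are trimmed from the "show run" outputs posted above; the "dir disk0:" listing for the standby is constructed (file sizes and dates are made up).

```python
import re

# Constructed excerpts of the two "show run" outputs posted in the thread,
# trimmed to the commands that reference a file on flash.
PRIMARY_RUN = """\
boot system disk0:/asa804-k8.bin
asdm image disk0:/asdm-602.bin
webvpn
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
"""
STANDBY_RUN = """\
boot system disk0:/asa804-k8.bin
asdm image disk0:/asdm-602.bin
webvpn
 svc enable
"""
# Constructed "dir disk0:" listing for the standby: only the OS and ASDM
# images were copied over, the AnyConnect package was not.
STANDBY_DIR = """\
Directory of disk0:/
  11  -rwx  14524416  08:00:00 Sep 01 2011  asa804-k8.bin
  12  -rwx   6889764  08:05:00 Sep 01 2011  asdm-602.bin
"""
# Commands whose argument is a file on flash. Failover replicates the command
# text, not the file, so the standby rejects the line if the file is absent.
FILE_REF = re.compile(r"^\s*(boot system|asdm image|svc image)\s+(\S+:/\S+)")

def file_refs(run_config):
    """Map each referenced flash path to the command that references it."""
    refs = {}
    for line in run_config.splitlines():
        m = FILE_REF.match(line)
        if m:
            refs[m.group(2)] = m.group(1)
    return refs

def flash_files(dir_output):
    """Set of file names from a 'dir disk0:' listing."""
    return {ln.split()[-1] for ln in dir_output.splitlines() if "-rwx" in ln}

def failover_image_gaps(primary_run, standby_run, standby_dir):
    """(command, path, reason) for every image line the standby cannot honour."""
    want, have_cmd = file_refs(primary_run), file_refs(standby_run)
    have_file = flash_files(standby_dir)
    gaps = []
    for path, cmd in sorted(want.items()):
        if path.split("/")[-1] not in have_file:
            gaps.append((cmd, path, "file missing from standby flash"))
        elif path not in have_cmd:
            gaps.append((cmd, path, "command missing from standby config"))
    return gaps
```

Run it against the real outputs of both units before testing a failover; an empty list means every image referenced by the primary is present and configured on the standby.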
09-02-2011 04:28 AM
09-02-2011 06:45 AM
Hi Sunil,
Are you looking at implementing webvpn or anyconnect? You have 50 peers licensed for webvpn. However, if you're looking at implementing anyconnect, you need to get the licenses for it, for which i suggest you get in touch with TAC.
Hope this helps!
Regards,
Anu