Cisco ASA : HA- Active/Standby. ssh connection problem with 'Standby'

bcr
Level 1

Hello,

 

I have a Cisco ASA configuration : HA- Active/Standby.

As soon as I set up standby, I lose the ssh connection. This is because the management interface is overwritten by the synchronization of the configuration with the 'Active'.

Can you help me, please?

7 Replies

As soon as you fail over to standby, you lose the SSH connection. If so, that is normal behaviour because of the MAC addresses.

please do not forget to rate.

Cristian Matei
VIP Alumni

Hi,

 

Once the Active/Standby process is done, you should be able to SSH into both, assuming you generated RSA keys on both, as these are not synchronised.

In general, there is no real need to SSH into the second device, you can send commands to the standby ASA via "failover exec" commands.

 

Regards,

Cristian Matei.

As @Cristian Matei mentioned, "failover exec" is very useful.

 

failover exec interface GigabitEthernet0/1
failover exec active show failover
please do not forget to rate.

Thank you for the answer on the operating principle.
In fact, I would like to work in a lab so that I can fully understand how it works.
I didn't generate any RSA keys. Is there a solution without RSA?


Yours sincerely,
bcr.

You could be using the default RSA key in the ASA. As long as you have an ASA connection via SSH, it means you have RSA keys, either custom defined or system defined.

 

please do not forget to rate the post as it will help other engineers 

please do not forget to rate.

Hello,

Thank you for your response.

I tried using a unique RSA key on ASA1 and ASA2 and it works.

Can you tell me the source of Cisco information on this problem?


Cordially,
bcr.

In Active/Standby failover, the active device uses the primary unit MAC addresses. In the event of failover, the secondary appliance becomes active and takes over the primary unit MAC addresses, whereas the active device, now standby, takes over the standby unit MAC addresses. After the standby appliance becomes active, it sends out a gratuitous ARP on the network. A gratuitous ARP is an ARP request that the appliance sends out on the Ethernet networks with the source and destination IP addresses of the active IP addresses. The destination MAC address is the Ethernet broadcast address. All devices on the Ethernet segment process this broadcast frame and update their ARP table with this information. Using gratuitous ARP, the layer 2 devices, including switches, also update the contents of the CAM table with the MAC address and updated switch port information.

 

Hope this will help you understand what's happening behind the scenes.

please do not forget to rate.
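
The gratuitous ARP behaviour described in the reply above, as an added example that is not part of the original thread: a small Python check that picks gratuitous ARPs out of captured frames and reports whether the announced IP kept its MAC, which is what the failover description implies for the active IP. It assumes untagged Ethernet II frames; the function names, the MAC and the IP address are constructed for illustration.

```python
import socket
import struct

BROADCAST = b"\xff" * 6
ACTIVE_IP = "192.0.2.1"                     # constructed sample address
ACTIVE_MAC = bytes.fromhex("020000000001")  # constructed sample MAC

def parse_arp(frame):
    """Return the ARP fields of an untagged Ethernet II frame, or None."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:                  # not ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                          # not IPv4 over Ethernet
    return {"eth_dst": frame[0:6], "oper": oper, "sha": frame[22:28],
            "spa": socket.inet_ntoa(frame[28:32]),
            "tpa": socket.inet_ntoa(frame[38:42])}

def is_gratuitous(arp):
    # As described in the reply: sender IP equals target IP, sent to broadcast.
    return arp["spa"] == arp["tpa"] and arp["eth_dst"] == BROADCAST

def classify(frames, known):
    """known maps IP -> MAC bytes. Returns [(ip, verdict)] per gratuitous ARP."""
    results = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or not is_gratuitous(arp):
            continue
        ip, mac = arp["spa"], arp["sha"]
        if ip not in known:
            verdict = "new-binding"
        elif known[ip] == mac:
            verdict = "same-mac"     # IP and MAC moved together, as in failover
        else:
            verdict = "mac-changed"  # not what the failover description produces
        known[ip] = mac
        results.append((ip, verdict))
    return results

def build_garp(mac, ip):
    """Build a constructed gratuitous ARP request for the sample data."""
    ipb = socket.inet_aton(ip)
    return (BROADCAST + mac + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + mac + ipb + b"\x00" * 6 + ipb)
```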