Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
432
Views
0
Helpful
1
Replies

Cisco ASA HA Management Access Issue

gc227s001
Level 1
Level 1

‎07-19-2016 04:59 AM - edited ‎03-12-2019 01:02 AM

Hello,

I have a strange problem where the active FW in a HA pair (5585X-SSP40 ASA 9.4.2) is passing through traffic okay but SSH is not getting to the FW.

The SSH config is setup to accept from any source (0.0.0.0/0) and this works to the secondary standby.

The management routes point to the correct destinations as the secondary/standby is reachable using the synced config from remote SSH terminals.  I can ping the secondary management IP but not the primary.

For a few hours I could SSH directly from the management switch in the same VLAN as the ASA management IP but this has stopped now also.  When on the primary SSH'd from the local switch I can ping out beyond the VLAN.

Fail over state shows the affected device for management access is primary and the peer is standby ready.

Before I go and raise a Cisco TAC and cause myself a realm of grief with our client I wondered if anyone out there has had similar issues and can recommend anything to look at.

Regards

Grant

Labels:
0 Helpful
1 Reply 1

Kornelia Gutierrez
Level 1
Level 1

‎07-19-2016 10:10 AM

Hi Grant,

I hope you are fine, one thing could you please post  the following:

-Show failover history

-Show failover state

-Show failover

-Show arp | in x.x.x.x   ---> where x.x.x.x is the ip address of the primary ASA that you are trying to reach.

-From the secondary ASA, try to ping the primary ASA using the ip address that you are trying to ssh to.

-Place captures in the interface of the secondary ASA for the ping.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card