Creating SSH access to a Firepower 4110 Multi-context using a certific

majoroumar
Level 1

Hello,

We have a firewall cluster made up of Firepower hardware appliances, each simultaneously running a piece of ASA firmware and a piece of FxOS firmware. This deployment mode is Firepower "Appliance mode".
The cluster can communicate directly with the ASA layer, directly with the FxOS layer, or even indirectly with the ASA layer by first passing through the FxOS layer.

We want to retrieve the result of the sh failover command via an SSH connection with certificate authentication on the FxOS layer.
Is this possible in this multiple-context environment, and if so, how do we set up the SSH parameters on the FxOS layer? If not, what is the best practice?

Thank you

4 Replies

In a multiple-context environment, you cannot directly run the "sh failover" command on the FxOS layer. The "sh failover" command is an ASA command, and to retrieve the output of this command, you need to access the ASA context.

To achieve this, you can follow these steps:

1. First, ensure that you have configured certificate-based authentication for SSH on the ASA context. Refer to the Cisco documentation for configuring certificate-based authentication for SSH on ASA: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1121520

2. Next, establish an SSH connection to the FxOS layer.

3. After successfully connecting to FxOS, enter the "connect asa" command to access the ASA context.

4. Once you are in the ASA context, you can then run the "sh failover" command to retrieve the desired information.

Remember that you need to configure certificate-based authentication separately for the ASA context and the FxOS layer, as they are treated as independent entities.

If you have any further questions or need assistance with the configuration, please feel free to ask.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
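The steps above (SSH into FxOS with a key, hop into the ASA with "connect asa", run "show failover") can be scripted, and the interesting part for a monitoring job is then interpreting the output rather than just reading it. The following is an added example written for this thread, not code from Cisco or from any poster: it drives the session with the third-party paramiko library (imported lazily, so the parser below runs without it), rejects unknown host keys so the FxOS box must already be in known_hosts, and parses the unit roles out of the reply. The host name, user, key path and the sample "show failover" text are constructed placeholders, not values from a real device. The "terminal pager 0" line is an ordinary ASA session command added here to stop paging; it is not mentioned in the thread.

```python
"""Fetch `show failover` from the ASA by way of FxOS, then parse it.

Added example for the thread above. Assumptions (not from the thread):
the FxOS local user has an SSH public key installed (configured on FxOS
itself, separately from the ASA, as the reply points out), the device's
host key is already in ~/.ssh/known_hosts, and the names below are
placeholders.
"""
import os
import re
import time

FXOS_HOST = "fxos.example.invalid"   # placeholder, not a real device
FXOS_USER = "admin"                  # placeholder account name
KEY_PATH = "~/.ssh/id_ed25519"       # placeholder path to the private key

# Constructed sample shaped like the first lines of `show failover`;
# every value here is made up, nothing was captured from a device.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Policy 1
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""


def parse_failover(text):
    """Pull the fields a health check cares about out of `show failover` text."""
    state = {"enabled": None, "unit": None, "this_host": None, "other_host": None}
    m = re.search(r"^Failover (On|Off)\s*$", text, re.M)
    if m:
        state["enabled"] = (m.group(1) == "On")
    m = re.search(r"^Failover unit (\w+)", text, re.M)
    if m:
        state["unit"] = m.group(1)
    # Each peer line reads "<This|Other> host: <Primary|Secondary> - <state>"
    for key, label in (("this_host", "This host"), ("other_host", "Other host")):
        m = re.search(rf"^\s*{label}:\s*(\w+)\s*-\s*(.+?)\s*$", text, re.M)
        if m:
            state[key] = (m.group(1), m.group(2))
    return state


def is_healthy(state):
    """True only when failover is on and exactly one peer is Active, the other Standby Ready."""
    if not state["enabled"] or not state["this_host"] or not state["other_host"]:
        return False
    roles = {state["this_host"][1], state["other_host"][1]}
    return roles == {"Active", "Standby Ready"}


def fetch_show_failover(host=FXOS_HOST, user=FXOS_USER, key_path=KEY_PATH, timeout=30):
    """SSH to FxOS with key auth, `connect asa`, run `show failover`, return raw text.

    Needs a reachable device and the paramiko package; the parser above is
    what the offline test exercises.
    """
    import paramiko  # third-party; imported here so the rest of the file has no dependency

    client = paramiko.SSHClient()
    client.load_system_host_keys()                          # trust only keys already in known_hosts
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=user, key_filename=os.path.expanduser(key_path),
                   allow_agent=False, look_for_keys=False, timeout=timeout)
    chan = client.invoke_shell()

    def run(cmd, prompt_end="#"):
        """Send one line and collect output until the CLI prompt comes back."""
        chan.send(cmd + "\n")
        buf, deadline = "", time.time() + timeout
        while time.time() < deadline:
            if chan.recv_ready():
                buf += chan.recv(65535).decode(errors="replace")
                if buf.rstrip().endswith(prompt_end):
                    return buf
            else:
                time.sleep(0.2)
        raise TimeoutError(f"no prompt after {cmd!r}")

    try:
        run("")                       # swallow the FxOS banner and first prompt
        run("connect asa")            # FxOS -> ASA CLI, as in step 3 of the reply
        run("terminal pager 0")       # ASA session setting: no --More-- paging
        return run("show failover")
    finally:
        client.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_show_failover() for a real device.
    st = parse_failover(SAMPLE_SHOW_FAILOVER)
    print(st, "healthy" if is_healthy(st) else "DEGRADED")
```

Because FxOS and the ASA are separate login entities, the key installed on the FxOS user only gets you to the FxOS prompt; "connect asa" then lands you in the ASA CLI on the same console session, which is why the script never authenticates a second time. Treat a parse that returns None for either peer as a failure rather than as healthy: an unexpected prompt or a truncated reply should page someone, not pass silently.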

Hello,

Thank you for your reply.

In this case, how can I configure SSH authentication by certificate on the FxOS layer in multiple-context mode? Could I have the commands, please?
