03-15-2019 03:24 AM
Hi all,
Sorry if this has been answered somewhere else; doing a quick search I didn't find anything.
Does anyone know if EEM is supported on Active/Active HA pairs? We run version 9.8(2)17 and I don't see the commands available. I have tried running the "event" command both in the system context space and in one of the two configured contexts, but it seems it is not available.
What I need to do is configure automatic scheduled backup using the "backup" command and an event applet but since the "event manager applet" command set is not available I am unable to do it.
If EEM is not supported on Active/Active pairs, is there any other way I could configure automatic backups?
Below are the CLI logs.
VCT-FW-IN-1/pri/act# sh ver
Cisco Adaptive Security Appliance Software Version 9.8(2)17 <system>
Firepower Extensible Operating System Version 2.2(2.63)
Device Manager Version 7.9(1)
Compiled on Thu 04-Jan-18 10:29 PST by builders
System image file is "disk0:/asa982-17-smp-k8.bin"
Config file at boot was "startup-config"
VCT-FW-IN-1 up 1 year 38 days
failover cluster up 1 year 280 days
Hardware: ASA5585-SSP-20, 12029 MB RAM, CPU Xeon 5500 series 2133 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 2048MB
BIOS Flash S25FL032P @ 0x0, 4096KB
Encryption hardware device : Cisco ASA-5585 on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 2
Programmable device : Cisco CPLD revision 0x8
0: Int: Internal-Data0/0 : address is 0000.0001.0001, irq 5
2: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 10
3: Ext: Management0/0 : address is fc5b.394a.c76c, irq 10
4: Ext: Management0/1 : address is fc5b.394a.c76d, irq 5
16: Ext: GigabitEthernet0/0 : address is fc5b.394a.c76e, irq 255
17: Ext: GigabitEthernet0/1 : address is fc5b.394a.c76f, irq 255
18: Ext: GigabitEthernet0/2 : address is fc5b.394a.c770, irq 255
19: Ext: GigabitEthernet0/3 : address is fc5b.394a.c771, irq 255
20: Ext: GigabitEthernet0/4 : address is fc5b.394a.c772, irq 255
21: Ext: GigabitEthernet0/5 : address is fc5b.394a.c773, irq 255
22: Ext: GigabitEthernet0/6 : address is fc5b.394a.c774, irq 255
23: Ext: GigabitEthernet0/7 : address is fc5b.394a.c775, irq 255
24: Ext: TenGigabitEthernet0/8: address is fc5b.394a.c776, irq 255
25: Ext: TenGigabitEthernet0/9: address is fc5b.394a.c777, irq 255
26: Int: Internal-Data0/2 : address is 0000.0100.001b, irq 255
27: Int: Internal-Data0/3 : address is 0000.0100.001c, irq 255
28: Int: Not used : irq 255
29: Int: Not used : irq 255
30: Int: Not used : irq 255
31: Int: Not used : irq 255
32: Int: Not used : irq 255
33: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 1024 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 10000 perpetual
Other VPN Peers : 10000 perpetual
Total VPN Peers : 10000 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
10GE I/O : Enabled perpetual
Cluster : Disabled perpetual
This platform has an ASA5585-SSP-20 VPN Premium license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 1024 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : 10000 perpetual
Other VPN Peers : 10000 perpetual
Total VPN Peers : 10000 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
10GE I/O : Enabled perpetual
Cluster : Disabled perpetual
This platform has an ASA5585-SSP-20 VPN Premium license.
Serial Number: JAD180600EC
Running Permanent Activation Key: 0x3728ed4b 0x745c5c61 0x1171b5f8 0xdfa4a010 0xcb31e9b5
Configuration register is 0x1
Image type : Release
Key version : A
Configuration last modified by akiropoulos-x at 15:36:24.356 EET Tue Mar 12 2019
VCT-FW-IN-1/pri/act#
VCT-FW-IN-1/pri/act#
VCT-FW-IN-1/pri/act#
VCT-FW-IN-1/pri/act# sh failover state
State Last Failure Reason Date/Time
This host - Primary
Group 1 Active Ifc Failure 15:00:53 EET Nov 7 2018
admin MANAGEMENT: No Link
Group 2 Standby Ready None
Other host - Secondary
Group 1 Standby Ready Ifc Failure 15:00:09 EET Nov 7 2018
admin MANAGEMENT: No Link
Group 2 Active Ifc Failure 16:29:10 EET Mar 7 2018
Ctx2 CTX2-monitor: No Link
====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set
VCT-FW-IN-1/pri/act# conf t
VCT-FW-IN-1/pri/act(config)# event
^
ERROR: % Invalid input detected at '^' marker.
VCT-FW-IN-1/pri/act(config)# event ?
ERROR: % Unrecognized command
VCT-FW-IN-1/pri/act(config)#
VCT-FW-IN-1/pri/act# sh run event manager
^
ERROR: % Invalid input detected at '^' marker.
VCT-FW-IN-1/pri/act#
Thanks in advance.
03-15-2019 03:43 AM
EEM Requirement :
The use of EEM requires that the ASA is configured in single context mode.
=====️ Preenayamo Vasudevam ️=====
***** Rate All Helpful Responses *****
03-15-2019 04:34 PM
Thank you very much for the reply. Would be great if you could share any link to Cisco documentation supporting this.
Also do you have any suggestion on how we could configure automatic scheduled backups for multiple-context ASAs?
Thanks
03-15-2019 04:50 PM
I do have a script; it runs on Debian Linux, logs in to each context and backs up the config as a cron job.
If you are looking for a full dump, run show tech, get the output and sort it on Linux.
This is one good example you can look at and tweak as per your requirements.
https://www.linickx.com/multi-context-https-backups-of-cisco-asa-script
=====️ Preenayamo Vasudevam ️=====
***** Rate All Helpful Responses *****
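The cron-driven, per-context backup described in the reply above, sketched as an added example (not code from this thread or from the linked script). The context addresses, file paths, the read-only backup account and the ASDM-style `/admin/exec/` URL (which needs `http server enable` in each context) are assumptions to check against your own ASA.

```shell
#!/usr/bin/env bash
# Added example: HTTPS backup of each ASA security context, run from cron.
# Assumed, not from the thread: addresses, paths and the /admin/exec/ URL.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/asa}"
NETRC="${NETRC:-/etc/asa-backup/netrc}"      # mode 0600, read-only account
CA_FILE="${CA_FILE:-/etc/asa-backup/ca.pem}" # CA that signed the ASA certs
KEEP="${KEEP:-14}"                           # backups kept per context
# name=management-address pairs, one per context (hypothetical values)
CONTEXTS="${CONTEXTS:-admin=asa-admin.example.net Ctx2=asa-ctx2.example.net}"

# Certificate checks stay on; the password is read from the netrc file,
# so it never appears in argv, the crontab or the process list.
fetch_config() {
  curl --silent --show-error --fail --max-time 60 \
       --cacert "$CA_FILE" --netrc-file "$NETRC" \
       "https://$1/admin/exec/show+running-config"
}

# Reject login pages, CLI errors and truncated transfers.
looks_like_config() {
  grep -q '^hostname ' "$1" && grep -q '^: end' "$1"
}

prune() {  # keep the newest $KEEP files; timestamped names sort by age
  ls -1 "$1"/*.cfg | sort -r | tail -n +"$((KEEP + 1))" |
    while read -r f; do rm -f "$f"; done
}

backup_context() {  # $1 = context name, $2 = management address
  local dir="$BACKUP_DIR/$1" tmp out
  umask 077         # configs hold keys and password hashes
  mkdir -p "$dir" || return 1
  tmp="$(mktemp "$dir/.partial.XXXXXX")" || return 1
  if fetch_config "$2" >"$tmp" && looks_like_config "$tmp"; then
    out="$dir/$(date -u +%Y%m%dT%H%M%SZ).cfg"
    mv "$tmp" "$out" && prune "$dir" && printf '%s\n' "$out"
  else
    rm -f "$tmp"; echo "backup of context $1 failed" >&2; return 1
  fi
}

backup_all() {      # non-zero exit if any context failed, so cron can alert
  local pair rc=0
  for pair in $CONTEXTS; do
    backup_context "${pair%%=*}" "${pair#*=}" >/dev/null || rc=1
  done
  return $rc
}
# cron entry (example): 15 2 * * * /usr/local/sbin/asa-backup.sh run
if [ "${1:-}" = "run" ]; then backup_all; fi
```

Because the saved files contain key material and password hashes, keep the backup directory off shared storage and give the account in the netrc file no more privilege than it needs to read the configuration.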