Beginner

Firewall HA issue

Hello everyone,

 

I am facing a strange issue that'why I hope someone here will give me a solution, at least a good lead.

 

I have a new customer that called me because he had his VPN KO : anyconnect profile didn't work.

I saw that there was an HA configuration, and a failover occurred because the active unit reloaded. The customer confirmed to me that there was an electrical issue.

The customer uploaded the profile via ASDM and it worked again, but there is this point: why didn't the profile exist on the standby unit?

I saw in the failover status that 3 interfaces (inside, outside & management) were monitored and 2 of them (management + inside) are in waiting state. For me, as long as those interfaces aren't monitored, the sync will fail (am I right on this point?).

Then I checked how those interfaces are linked between the two nodes.

I have :

  • managementPrimary => SwitchA => SwitchB => SwitchC => managementSecondary (waiting state)
  • insidePrimary => SwitchA => SwitchB => SwitchC => insideSecondary (waiting state)
  • outsidePrimary => SwitchD => outsideSecondary

Each interface is in an access VLAN.

I checked that each VLAN is created on switches A, B & C and that those VLANs are OK on the links between the switches: for me there are no L2 issues on switches A, B & C.

From a remote workstation, I am able to ping the Primary and Secondary IP addresses of the management and inside interfaces: for me there is no L3 issue on those interfaces.

 

This is were I need some help : what could be the origin of this issue ? (the customer didn't know interfaces were in waiting state, I cannot tell if they were once monitored)

 

Thank you

Irwin

 

 

 

3 REPLIES 3
Highlighted
Hall of Fame Guru

Re: Firewall HA issue

When you create (or modify) a VPN profile it doesn't automatically sync between the Active and Standby unit in an HA configuration. You need to manually copy the file across - just as you do with new ASA, ASDM or AnyConnect images.

If you neglect to do so, a failover will result in the behavior your customer observed.

Beginner

Re: Firewall HA issue

Thank you Marvin for your answer.


I understand your answer.


However, when I do a manual failover (the Primary is back in the Active role) I see the same issue, and the behaviour seen by the customer is: "Failed to get configuration from secure gateway. Contact your system administrator".

Moreover, I get this message when I go into configure terminal:

"**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit
Configurations are no longer synchronized"

Hall of Fame Guru

Re: Firewall HA issue

You should never enter configure mode on a unit in standby role.

Just make sure the anyconnect profile (xml file) specified in the webvpn config is present on both units, active and standby.
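Added example, not from this thread and not Cisco's code: a small offline check of the point made in both replies above, that the AnyConnect image and profile files referenced under webvpn must be present on the flash of both units, because configuration replication copies the running-config but not files on disk0:. The script parses the webvpn section of `show running-config` and two `dir disk0:/` listings (the standby's listing would be obtained from the active with `failover exec mate dir disk0:/`) and reports which referenced files each unit lacks. All sample output, file names and sizes below are constructed for the example.

```python
from __future__ import annotations

import re

# Constructed sample output, not captured from a real ASA: the webvpn section of
# "show running-config" on the active unit.
WEBVPN_CONFIG = """\
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-webdeploy-k9.pkg 1
 anyconnect profiles corp_profile disk0:/corp_profile.xml
 anyconnect enable
 tunnel-group-list enable
"""

# Constructed "dir disk0:/" listing from the active unit: images and profile present.
ACTIVE_DIR = """\
Directory of disk0:/

11     -rwx  60832768   10:37:40 Jan 20 2020  asa-image.bin
12     -rwx  25000000   10:38:10 Jan 20 2020  asdm-image.bin
13     -rwx  80000000   10:39:00 Jan 20 2020  anyconnect-win-webdeploy-k9.pkg
14     -rwx  2048       09:12:33 Feb 03 2020  corp_profile.xml

8192000000 bytes total (7000000000 bytes free)
"""

# Constructed listing from the standby (as "failover exec mate dir disk0:/" would
# show it): the profile XML was uploaded to the active only, so it is missing here.
STANDBY_DIR = """\
Directory of disk0:/

11     -rwx  60832768   10:37:40 Jan 20 2020  asa-image.bin
12     -rwx  25000000   10:38:10 Jan 20 2020  asdm-image.bin
13     -rwx  80000000   10:39:00 Jan 20 2020  anyconnect-win-webdeploy-k9.pkg

8192000000 bytes total (7000000000 bytes free)
"""

# webvpn lines that depend on a file on flash; group 1 is the flash path.
_IMAGE_RE = re.compile(r"^\s*anyconnect image (\S+)")
_PROFILE_RE = re.compile(r"^\s*anyconnect profiles \S+ (\S+)")


def referenced_files(webvpn_config: str) -> list[str]:
    """Return the flash paths the webvpn section references, in config order."""
    paths: list[str] = []
    for line in webvpn_config.splitlines():
        for pattern in (_IMAGE_RE, _PROFILE_RE):
            match = pattern.match(line)
            if match:
                paths.append(match.group(1))
    return paths


def listed_files(dir_output: str) -> set[str]:
    """Return the file names present in a 'dir disk0:/' listing."""
    names: set[str] = set()
    for line in dir_output.splitlines():
        fields = line.split()
        # An entry line is: index, permissions, size, time, month, day, year, name.
        # The summary line ("... bytes total ...") starts with a number too, but
        # its second field is not a permission string, so it is skipped.
        if len(fields) >= 8 and fields[0].isdigit() and fields[1][0] in "-d":
            names.add(fields[-1])
    return names


def _basename(path: str) -> str:
    """'disk0:/corp_profile.xml' -> 'corp_profile.xml' (top-level files only)."""
    return path.split(":", 1)[-1].lstrip("/").rsplit("/", 1)[-1]


def missing_files(webvpn_config: str, dir_output: str) -> list[str]:
    """Referenced flash paths that do not appear in the unit's directory listing."""
    present = listed_files(dir_output)
    return [p for p in referenced_files(webvpn_config) if _basename(p) not in present]


def check_failover_pair(webvpn_config: str, active_dir: str,
                        standby_dir: str) -> dict[str, list[str]]:
    """Per-unit list of referenced files that must be copied before a failover."""
    return {
        "active": missing_files(webvpn_config, active_dir),
        "standby": missing_files(webvpn_config, standby_dir),
    }


if __name__ == "__main__":
    for unit, missing in check_failover_pair(WEBVPN_CONFIG, ACTIVE_DIR, STANDBY_DIR).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{unit}: {status}")
```

The standby comes back with the profile path missing, which is exactly the state that produces "Failed to get configuration from secure gateway" after a failover: the running-config still names disk0:/corp_profile.xml, but the file was never copied to the standby's flash. The check only covers files at the top level of disk0:/; profiles stored in a subdirectory would need the matching `dir` of that directory.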