Firewall HA issue

i.leridant
Level 1

Hello everyone,

 

I am facing a strange issue, which is why I hope someone here can give me a solution, or at least a good lead.

 

I have a new customer who called me because his VPN was down: the AnyConnect profile didn't work.

I saw that there was an HA configuration, and a failover had occurred because the active unit reloaded. The customer confirmed to me that there had been an electrical issue.

The customer uploaded the profile via ASDM and it worked again, but there is this question: why didn't the profile exist on the standby unit?

I saw in the failover status that 3 interfaces (inside, outside & management) were monitored and 2 of them (management + inside) are in waiting state. For me, while those interfaces aren't monitored, the sync will fail (am I right on this point?)

Then I checked how those interfaces are linked between the two nodes.

I have :

  • managementPrimary => SwitchA => SwitchB => SwitchC => managementSecondary (waiting state)
  • insidePrimary => SwitchA => SwitchB => SwitchC => insideSecondary (waiting state)
  • outsidePrimary => SwitchD => outsideSecondary

Each interface is in an access VLAN.

I checked that each VLAN is created on switches A, B & C and that those VLANs are OK on the links between switches: for me there are no L2 issues on switches A, B & C.

From a remote workstation, I am able to ping the Primary and Secondary IP addresses of the management and inside interfaces: for me there is no L3 issue for those interfaces.

 

This is where I need some help: what could be the origin of this issue? (The customer didn't know the interfaces were in waiting state; I cannot tell if they were once monitored.)

 

Thank you

Irwin

 

 

 

3 Replies

Marvin Rhoads
Hall of Fame

When you create (or modify) a VPN profile it doesn't automatically sync between the Active and Standby unit in an HA configuration. You need to manually copy the file across - just as you do with new ASA, ASDM or AnyConnect images.

If you neglect to do so, a failover will result in the behavior your customer observed.

Thank you Marvin for your answer.

 

I understand your answer.

 

However, when I do a manual failover (the Primary is back in the Active role) I see the same issue, and the error seen by the customer is: "Failed to get configuration from secure gateway. Contact your system administrator"

 

Moreover, I get this message when I enter configure terminal:

"**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit
Configurations are no longer synchronized"

You should never enter configure mode on a unit in standby role.

Just make sure the anyconnect profile (xml file) specified in the webvpn config is present on both units, active and standby.
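The check Marvin describes above (the profile XML named under `webvpn` must exist on both units, as must the AnyConnect images) can be scripted. The following is an added example for this thread, not code from the original posts or from Cisco: it parses `show running-config webvpn` and `dir disk0:` output and reports which referenced files each unit lacks. The profile names, file names and directory listings are constructed samples, not taken from the customer's firewalls.

```python
"""Report AnyConnect profiles/images referenced in an ASA webvpn config that are
missing from one HA unit's flash.  Added example; all sample output is constructed."""
import re

# Constructed sample of `show running-config webvpn` taken on the active unit.
WEBVPN_CONFIG = """\
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.05095-webdeploy-k9.pkg 1
 anyconnect profiles CorpUsers disk0:/corp_users_profile.xml
 anyconnect profiles Contractors disk0:/contractors_profile.xml
 anyconnect enable
"""

# Constructed sample of `dir disk0:` on the active unit.
ACTIVE_DIR = """\
Directory of disk0:/

120    -rwx  36851712     10:23:30 Jan 05 2021  asa9-16-1-smp-k8.bin
121    -rwx  26447304     10:24:12 Jan 05 2021  asdm-7161.bin
122    -rwx  74510336     11:02:44 Feb 10 2022  anyconnect-win-4.10.05095-webdeploy-k9.pkg
123    -rwx  5832         09:15:01 Mar 03 2023  corp_users_profile.xml
124    -rwx  6104         09:15:20 Mar 03 2023  contractors_profile.xml

8238080 bytes total (3014656 bytes free)
"""

# Constructed sample of `failover exec mate dir disk0:` (the standby): one profile
# was uploaded to the active unit only and never copied across.
STANDBY_DIR = """\
Directory of disk0:/

120    -rwx  36851712     10:23:30 Jan 05 2021  asa9-16-1-smp-k8.bin
121    -rwx  26447304     10:24:12 Jan 05 2021  asdm-7161.bin
122    -rwx  74510336     11:02:44 Feb 10 2022  anyconnect-win-4.10.05095-webdeploy-k9.pkg
123    -rwx  5832         09:15:01 Mar 03 2023  corp_users_profile.xml

8238080 bytes total (3020760 bytes free)
"""

_PROFILE_RE = re.compile(r"^\s*anyconnect profiles\s+(\S+)\s+(\S+)", re.M)
_IMAGE_RE = re.compile(r"^\s*anyconnect image\s+(\S+)", re.M)
# One `dir` entry: index, perms, size, HH:MM:SS, Mon DD YYYY, then the file name.
# The "bytes total" summary line does not match because "bytes" is not a perms field.
_DIR_ENTRY_RE = re.compile(
    r"^\s*\d+\s+[-drwx]+\s+\d+\s+\d\d:\d\d:\d\d\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+(\S.*?)\s*$",
    re.M,
)


def referenced_files(config: str) -> dict[str, str]:
    """Map every flash path the webvpn config depends on to a short label."""
    refs = {}
    for name, path in _PROFILE_RE.findall(config):
        refs[path] = f"profile {name}"
    for path in _IMAGE_RE.findall(config):
        refs[path] = "anyconnect image"
    return refs


def flash_listing(dir_output: str) -> set[str]:
    """File names present in a `dir disk0:` listing."""
    return set(_DIR_ENTRY_RE.findall(dir_output))


def _basename(flash_path: str) -> str:
    # "disk0:/corp_users_profile.xml" -> "corp_users_profile.xml".  The sample
    # paths all sit in the root of disk0:, which is what a plain `dir disk0:` lists.
    return flash_path.split(":")[-1].rsplit("/", 1)[-1]


def missing_files(config: str, listings: dict[str, str]) -> dict[str, list[str]]:
    """For each unit (name -> dir output) return the referenced paths it lacks."""
    refs = referenced_files(config)
    return {
        unit: sorted(p for p in refs if _basename(p) not in flash_listing(out))
        for unit, out in listings.items()
    }


if __name__ == "__main__":
    refs = referenced_files(WEBVPN_CONFIG)
    report = missing_files(WEBVPN_CONFIG, {"active": ACTIVE_DIR, "standby": STANDBY_DIR})
    for unit, missing in report.items():
        if not missing:
            print(f"{unit}: all referenced AnyConnect files present")
        for path in missing:
            print(f"{unit}: MISSING {path} ({refs[path]})")
```

To run it against a real pair, replace the constants with the output of `show running-config webvpn` and `dir disk0:` from the active unit and `failover exec mate dir disk0:` for the standby (run from the active unit, so no configure mode is ever entered on the standby). Anything reported as missing on the standby is exactly what will break after the next failover, which matches the symptom in this thread.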
