10-17-2021 01:03 AM
We can't log in to a standby ASA by SSH. Note that it has the same routes and RSA key.
Does anyone have an idea?
thanks
10-17-2021 02:42 AM
- Check this thread :
M.
10-17-2021 03:12 AM
Hi Marce,
Thanks for your reply. I saw this article; it is almost the same problem as mine, but the solution was to generate RSA on the STB, and I already have the RSA key generated on my STB. Is there any other suggestion?
thank you
10-17-2021 03:10 AM
Hello
By default you will always connect to the active FW in that active/standby HA cluster, as both FWs are running as a single logical FW and, apart from their designated roles, the configuration of both FWs is the same?
10-17-2021 03:14 AM
Hi Paul,
Thanks for your reply, but we can access the STB because we have two management IPs.
I already have another cluster in a different region and I can access both main and STB.
10-17-2021 03:40 AM
- Note that these provided (example) commands can be used as a workaround; use according to your needs:
failover exec interface GigabitEthernet0/1
failover exec active show failover
M.
10-17-2021 03:55 AM
Hi Marce,
There is no need for a workaround in this case. We can log in locally to the STB and we don't need to be at risk of failover.
Thanks
10-17-2021 04:14 AM
- The commands do not induce a failover but are intended to be able to execute commands on the stand-by.
M.
10-17-2021 04:17 AM
As long as the active syncs with its mate, you should be able to SSH to the standby management IP (you cannot make any changes, but you should be able to SSH to the box).
In your case it looks to me like RSA keys.
A couple of questions:
1. is the new HA or working one not working?
2. Try from the active ASA to the standby management IP - telnet x.x.x.x 22 (x.x.x.x is the management IP)
3. From what device are you trying SSH?
4. Try to connect to the console and see the logs?
10-17-2021 04:57 AM
Hi Balaji,
Thanks for your reply,
Please find below the answers to your questions:
1. is the new HA or working one not working? (HA working fine)
2. Try from the active ASA to the standby management IP - telnet x.x.x.x 22 (x.x.x.x is the management IP) ((we can't telnet on port 22 but we can ping the MGT IP for the STB))
3. From what device are you trying SSH? ((from end user laptop and the access is for sure allowed))
4. Try to connect to the console and see the logs? ((will be provided when available))
thank you
10-17-2021 05:30 AM
1. is the new HA or working one not working? (HA working fine) - My question was mainly focusing on this: has this SSH worked before?
When you get console access, can you see what is wrong? I am thinking zeroing the RSA keys and adding them back should fix the issue?
10-17-2021 06:21 AM
Hi Balaji,
I don't know if the SSH worked before, but most probably not.
I will send the console log as soon as I get it.
Thanks
11-07-2021 04:17 AM
Hi Balaji,
Please note that I tried to take logs after logging by SSH, but no logs appear.
Note: the IP is reachable by ping.
Is there any idea?
thanks
11-07-2021 06:47 AM
I think newer versions of the ASA software are smarter than the old ones. I have a distant recollection of having to generate an RSA key on each member of the HA cluster separately, but it has been some time. I would do this during initial configuration at the console. Generate keys on the primary, write, and then reboot. Switch the cable to the console of the now active secondary, generate keys, write, and reboot to make the primary active again. If you are running a version that requires a key for each HA member, be aware that you will get warning messages from your SSH client when the active unit switches.
11-08-2021 02:15 AM
Thanks Elliot,
I tried this solution but it did not work.