Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
32709
Views
10
Helpful
5
Comments

ASA Active/Standby Failover handling of Digital Certificates

Nelson Rodrigues
Cisco Employee
Cisco Employee

‎09-13-2010 08:06 AM - edited ‎08-27-2017 10:51 PM

 

 

Introduction

 

The document briefly describes  in an FAQ format the Failover requirements for the ASA 55xx VPN/Firewall appliance  in handling digital certificates .

 

Q. What are the general Failover  capabilities and requirements of the ASA 55xx aplicance?

 

 

 

A. The general Failover requirements are found  in the High Availability (HA) chapter of the Configuration Guide  .

 

 

 

 

Q. Are digital certificates replicated in a  Active/Standby configuration?

 

A. Yes. Third-party digital certificates (ie. from Entrust, Verisign, Microdoft,etc)  that are installed on the Active ASA are replicated to the Standby ASA in an active/standby config. However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated to the standby ASA.

 

Q.  Are there specific procedures in order to carry out the 3rd-party  digital certificates replication in a Active/Standby configuration?

 

 

A. Digital Certificate replication across an Active/Standby Failover pair of ASA's only occurs during bulk replication processes.

Bulk replication processes are defined as :

1.Power cycling the ASA device

2.Performing a "write standby" operation on the active ASA

 

There is an enhancement request to be considered to able to replicate certificates at the time the certificate is imported into the ASA (no specific timeline has been defined).

CSCsr71150-certificates from imported pkcs12 are not replicated to standby

 

 

 

 

 

Q. With Active/Standby  will one certificate  installed in Active ASA be all that is needed  to use it for SSL VPN  remote access, or do I need one certificate installed on each ASA?

 

 

A. Only one certificate installed on on the Active AS is required, since the failover functionality wil handle the replication of same certificate and keys to the standdby ASA.

Labels:
Comments
Dale Wood
Level 1
Level 1
‎01-30-2014 03:40 PM

Does the Certficate replicate for 8.2?

Bojan Lackanovic
Level 1
Level 1
‎03-14-2014 02:55 AM

No, you must perform a "write standby" operation on the active ASA.

zbigniew.dziobek
Level 1
Level 1
‎10-14-2016 02:41 PM

I'm buy certyficate ssl from anohter compony.  i'm do exactly: performing a "write standby" operation on the active ASA. I see certificete on both ASA,  but when I"m open https or open AnyConnect I'm see certificate generated on ASA, not uploaded certificate (wich I bouth).

I've resttart the both ASA, but it did not help.

What i do wrong ??

zbigniew.dziobek
Level 1
Level 1
‎10-14-2016 02:53 PM

TTTTT# sh ru ssl
ssl trust-point ASDM_TrustPoint2 outside
ssl certificate-authentication interface outside port 443

csawest.dc
Level 3
Level 3
‎12-11-2017 10:19 PM

Hi all,

 

we have installed CA certificate on Primary ASA but we are accessing both HA-ASA(primery/sec) with different host name(inp44fw01a / inp44fw01b) and its working now only in primary. 

question : how to bind both ASA in one CA certificate? 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents