When the ASAs with AIP-SSM modules are configured as a failover pair, the AIP-SSM configuration from the Active ASA does not get replicated to the Standby ASA when the failover takes place. Why does this happen, and how can we solve this issue?
User needs to get a few clarifications on ASA active/standby failover involving the CSC SSM module. Current status: there is a production firewall running ASA 8.3.1, along with CSC module 6.3. Another identical firewall unit was recently purchased, so these will run in Active/Standby failover mode.
Question 1: The newly purchased ASA unit's CSC module license was not activated and installed yet (the customer misplaced the PAK paper license). User asks whether it is possible to set up the failover with one CSC SSM in operational mode while the other CSC is down because no license is installed on it?
Question 2: The new firewall will be the standby unit. Besides configuring the failover, does he need to load the AnyConnect image to the new firewall as well?
Question 3: Can he just update the ASA version of the production firewall from 8.3.1 to 8.4.2? Would this cause any syntax error?
If you have two ASAs in a failover configuration and each has an AIP-SSM, you must manually replicate the configuration of the AIP-SSMs. Only the configuration of the ASA is replicated by the failover mechanism. The AIP-SSM is not included in the failover.
First, the AIP-SSM operates independently of the ASA in terms of failover. For failover, all that is needed from an ASA perspective is that the AIP modules be of the same hardware type. Beyond that, as with any other portion of failover, the configuration of the ASA between the active and standby must be in sync.
As for the setup of the AIPs, they are effectively independent sensors. There is no failover between the two, and they have no awareness of each other. They can run independent versions of code. That is, they do not have to match, and the ASA does not care about the version of code on the AIP with respect to failover.
As long as the hardware is exactly the same you should be able to HA pair them; however, I'd strongly suggest licensing both CSC modules.
Yes, you need to have the same versions of the AnyConnect image on both units since the version is listed in the running config under the webvpn section.
Going from 8.3.1 to 8.4.2 will be fine; the syntax is similar.
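The answer above says the AnyConnect image must match on both units because it is referenced in the webvpn section of the running config. Here is an added example (not from this thread or from Cisco) of a small pre-failover check that pulls the AnyConnect image lines out of the top-level webvpn block of two saved running configs and reports any mismatch. The two configs are constructed samples, the .pkg file names are placeholders, and the script accepts both the pre-8.4 `svc image` keyword and the 8.4+ `anyconnect image` keyword, since the thread also covers moving from 8.3.1 to 8.4.2.

```python
"""Compare the AnyConnect images referenced in the webvpn section of two
ASA running configs (active and standby) before relying on failover.

Added example, not code from the original thread. The configs below are
constructed samples and the .pkg names are placeholders.
"""
from __future__ import annotations

import re

# Pre-8.4 configs use "svc image", 8.4 and later use "anyconnect image";
# both carry an optional order number at the end of the line.
IMAGE_RE = re.compile(
    r"^\s*(?:svc|anyconnect)\s+image\s+(\S+)(?:\s+(\d+))?", re.IGNORECASE
)


def webvpn_section(config: str) -> list[str]:
    """Return the sub-command lines of the top-level 'webvpn' block.

    Only the non-indented 'webvpn' line starts the block; the indented
    'webvpn' inside 'group-policy ... attributes' is deliberately skipped.
    """
    lines: list[str] = []
    in_block = False
    for line in config.splitlines():
        if not in_block:
            if line == "webvpn":
                in_block = True
            continue
        # ASA sub-commands are indented; the next non-indented line ends the block.
        if line and not line[0].isspace():
            break
        lines.append(line)
    return lines


def anyconnect_images(config: str) -> dict[int, str]:
    """Map image order number -> image path for the webvpn block."""
    images: dict[int, str] = {}
    order = 0
    for line in webvpn_section(config):
        match = IMAGE_RE.match(line)
        if match:
            # Use the explicit order number when present, else count upward.
            order = int(match.group(2)) if match.group(2) else order + 1
            images[order] = match.group(1)
    return images


def compare_images(active: str, standby: str) -> list[str]:
    """Return one line per mismatch; an empty list means both units agree."""
    active_imgs = anyconnect_images(active)
    standby_imgs = anyconnect_images(standby)
    problems = []
    for order in sorted(set(active_imgs) | set(standby_imgs)):
        if active_imgs.get(order) != standby_imgs.get(order):
            problems.append(
                f"image {order}: active={active_imgs.get(order)} "
                f"standby={standby_imgs.get(order)}"
            )
    return problems


# Constructed sample: active unit has two images loaded.
ACTIVE_CONFIG = """\
hostname asa-primary
group-policy GP-REMOTE attributes
 webvpn
  anyconnect keep-installer installed
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-EXAMPLE.pkg 1
 anyconnect image disk0:/anyconnect-macos-EXAMPLE.pkg 2
 anyconnect enable
"""

# Constructed sample: standby unit was never given the second image.
STANDBY_CONFIG = """\
hostname asa-secondary
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-EXAMPLE.pkg 1
 anyconnect enable
"""

if __name__ == "__main__":
    for problem in compare_images(ACTIVE_CONFIG, STANDBY_CONFIG) or ["images match"]:
        print(problem)
```

Run it against the output of `show running-config` captured from each unit; any line it prints is an image that exists on one flash but is not referenced identically on the other, which is exactly the state the answer warns about.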