ASA- Transition from local CA to the hosted one... local VPN users

lkovar · ‎12-04-2018

Hello, as we need to make a failover Active/Standby cluster from our ASA, used as an Anyconnect users harbour, local CA is not allowed. I am basically fine as to how to generate certs for users on the Windows server, but cannot imagine, what about the users.Can they stay on ASA local DB as before or should they be defined any other way or site? What else no-go’s can we expect ? All was ready before we tried the first failover definition command.

Many thanks.

Both ASA are new and updated to 9.9

Rob Ingram · ‎12-04-2018

Hi,
I don't see any information stating that the local users database is or isn't sync'd between an ASA HA pair, I assume it is though.

You would need to create a Trustpoint on the ASA with a certificate from the new CA (the CA that the windows users/computers will be using), as the ASA needs to trust the certificate being used by the VPN users for authentication to be sucessful.
HTH

JP Miranda Z · ‎12-04-2018

lkovar,

If you are concerned about the local database of the ASA this is going to continue working only as local DB without affecting or causing any issue, in regards the CA being a Windows Server you only need to make sure the CA is installed on the ASA and each of your users gets the certificate to authenticate, considering you are going to work with a pair of ASAs in failover please make sure you do write standby on the ASA so the certificates are going to be replicated between the Active and Standby ASA.

Hope this info helps!!

Rate if helps you!!

-JP-