393 Views, 0 Helpful, 3 Replies

AnyConnect & ISAKMP1 respond on outside interface of secondary firewall

gchevalley (Level 1)

We have two ASA 5510 firewalls configured for stateful active-standby failover. During recent external threat scans we noticed vulnerabilities listed for both the primary and secondary firewalls. Usually we only see the primary listed, as it should be the only one responding on the outside interface. Has anyone else encountered this issue?

ASA version is 9.1(5)21

Failover configuration:

failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover key *****
failover replication http
failover link FAILOVER Management0/0
failover interface ip FAILOVER 169.254.252.5 255.255.255.252 standby 169.254.252.6


3 Replies

Hi,

I think you will find all the interfaces of the standby ASA are up; I definitely see the IP address on my connected routers when I do a "show ip arp".

Why would you bother with a failover address if the interface was not up?

 

HTH

Richard

The interfaces on both the primary and secondary firewalls are up, but only the active firewall should respond to traffic on anything other than the interface designated as management. In my case we are using the inside interface for management, so it should respond on both firewalls. All of the other interfaces on the secondary non-active firewall shouldn't respond, but yet the outside interface is. Performing a port scan against the outside secondary IP address should show no results; it should be silent. Instead, it is behaving as if they were in an active-active failover pair instead of an active/secondary pair.

I just checked my ASAs, and from the Internet router I can ping the standby ASA public interface. In the failover configuration I do monitor the outside interfaces.

This is my failover config:

failover
failover lan unit primary
failover lan interface Failover Management0/0
failover polltime unit 10 holdtime 30
failover interface-policy 2
failover key *****
failover replication http
failover link Failover Management0/0
failover interface ip Failover 10.250.206.73 255.255.255.252 standby 10.250.206.74
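The thread's question is whether the standby unit's outside address answers external probes the way the active unit's does. The script below is an added example, not code from the thread or from Cisco: it parses `ip address A MASK standby S` lines out of an ASA running-config (the interface block syntax is real ASA syntax; the sample config, interface names and addresses are constructed and use documentation ranges), then probes the active and standby address of each non-management interface on the ports the thread cares about and reports the rows where the standby answered. Only TCP is probed (AnyConnect on 443, plus ASDM/SSH if you list them); ISAKMP on UDP/500 needs a UDP probe that this example does not attempt. `management_ifaces` is an assumed parameter so the inside interface, which the poster says legitimately answers on both units, can be skipped.

```python
"""Check which ASA interface addresses answer on the outside.

Added example (not from the thread): parse active/standby address pairs
from an ASA config, probe both addresses, and list where the standby unit
answered. TCP only; ISAKMP (UDP/500) is not covered by a TCP connect.
"""
import re
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample config; documentation-range addresses, not real hosts.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0 standby 198.51.100.11
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Management0/0
 description LAN/STATE Failover Interface
!
"""

_IFACE_RE = re.compile(r"^interface\s+(\S+)")
_NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
_IPADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)\s+standby\s+(\S+)")

Probe = Callable[[str, int], bool]
Row = Tuple[str, str, str, int, bool]  # (nameif, role, ip, port, answered)


def parse_failover_pairs(config: str) -> Dict[str, Tuple[str, str]]:
    """Return {nameif: (active_ip, standby_ip)} for interfaces with a standby address."""
    pairs: Dict[str, Tuple[str, str]] = {}
    nameif = None
    addrs = None
    for line in config.splitlines():
        if _IFACE_RE.match(line):
            # New interface block: commit the previous one if it was complete.
            if nameif and addrs:
                pairs[nameif] = addrs
            nameif, addrs = None, None
            continue
        m = _NAMEIF_RE.match(line)
        if m:
            nameif = m.group(1)
            continue
        m = _IPADDR_RE.match(line)
        if m:
            addrs = (m.group(1), m.group(3))
    if nameif and addrs:
        pairs[nameif] = addrs
    return pairs


def tcp_probe(ip: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes (AnyConnect/443, ASDM, SSH)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(pairs: Dict[str, Tuple[str, str]], ports: List[int],
                   probe: Probe = tcp_probe,
                   management_ifaces: Tuple[str, ...] = ("inside",)) -> List[Row]:
    """Probe active and standby IPs of every non-management interface.

    `management_ifaces` (assumed parameter) names interfaces where the
    standby unit is expected to answer, so they are skipped.
    """
    rows: List[Row] = []
    for nameif, (active, standby) in sorted(pairs.items()):
        if nameif in management_ifaces:
            continue
        for port in ports:
            rows.append((nameif, "active", active, port, probe(active, port)))
            rows.append((nameif, "standby", standby, port, probe(standby, port)))
    return rows


def standby_findings(rows: List[Row]) -> List[Row]:
    """Rows where the standby unit answered: what an external scan would flag."""
    return [r for r in rows if r[1] == "standby" and r[4]]


if __name__ == "__main__":
    found = parse_failover_pairs(SAMPLE_CONFIG)
    for row in audit_exposure(found, [443]):
        print(row)
    print("standby answered:", standby_findings(audit_exposure(found, [443])))
```

Run it against your own `show running-config` output instead of `SAMPLE_CONFIG`, from a host on the outside; with the sample addresses the real probes simply time out. A standby row with `True` on 443 is the behaviour the thread describes; comparing it with the active row on the same port shows whether the standby is exposing the same service or only answering ARP/ping.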
