08-26-2009 07:54 AM
I had a 5520 running for about 2 months and then successfully added a second 5520 in failover mode. I tested the active/standby feature and everything works as advertised. But, I just discovered that I can no longer connect via SSL-VPN or via the ASDM applet. Would this be related to the failover config?
This IOS is 8.2(1), the ASDM is 6.2(1) on both. I also can still SSH into the box.
09-01-2009 02:43 PM
I think it is not related to the failover configuration. It seems to be SSL VPN tunnel issues.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html
09-03-2009 06:14 AM
Comparing the 'sho version' on both boxes, are these ASAs identical?
"Prerequisites for Active/Standby Failover
Active/Standby failover has the following prerequisites:
• Both units must be identical security appliances that are connected to each other through a dedicated failover link and, optionally, a Stateful Failover link.
• Both units must have the same software configuration and the proper license.
• Both units must be in the same mode (single or multiple, transparent or routed)."
10-27-2009 11:06 AM
I had the same issue with two ASA 5520s in Active/Standby. When the primary firewall goes down, only telnet/ssh access is allowed to the secondary unit. When I try to connect with the ASDM applet to the secondary unit, the applet doesn't respond.
I discovered that after disabling the web server with "no http server enable" and then enabling it with "http server enable", we can connect to the secondary unit again, like the primary unit before.
This is a bug, maybe?
10-27-2009 12:00 PM
Thank you, Rafael
I forgot to update my post when I solved the problem. Thank you for your response. My solution was different. Here is what happened. In order to connect via ssh or ASDM, you need to have the "anyconnect" pkg installed on your box. I had this image on the primary unit, but not on the secondary. So, when the secondary fired up by itself and then took over the primary role and then the old primary fired up, the new primary removed "anyconnect" from the old primary. Solution: add "anyconnect" back onto both units.
Cheers,