11-06-2009 04:28 AM
Hi,
I would like to ask you about ASA in active/passive failover mode and certificates. So, I have a problem with a certificate which is in the running-config on the active ASA, but the certificate is not on the passive node. When I use wr mem or copy running-config startup-config nothing happens on the passive node. What is wrong? Can you help me?
Thanx
Karel
07-13-2010 05:08 AM
Hi,
same problem here!
I can see the whole certificate block in the primary ASA's running-config, but there's nothing replicated to the standby unit config.
It even gets worse: when I trigger a failover to the standby unit, the certificate is not there, causing an error when e.g. connecting
with a browser to the webvpn portal of the ASA (untrustworthy certificate bla)
We are running the latest firmware release 8.2.2 ED, and I consider that a huge problem!
By the way, if you have set up the SSL VPN feature with the Anyconnect PKG-files, like that...
(...)
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
(...)
... you will see that these configuration lines are also NOT replicated to the standby ASA.
So in our case, a failover leads to an incomplete SSL-VPN configuration, no one can connect with the Anyconnect client, till
the admin manually installs the certificate and restores the SSL-VPN config. Great, isn't it?
Regards,
Marco
07-13-2010 05:21 AM
Certificates are copied over by default. Not sure what you're reporting here - I would need more details.
The reason your SVC commands aren't showing up is because the commands are replicated; however, the files they reference aren't in the flash on the secondary (package files are *not* replicated from one device to another), and like all commands, if you reference a file that doesn't exist, then the command gets removed.
https://supportforums.cisco.com/docs/DOC-1291;jsessionid=5983119DDB1856CAF4DE6BFC29209D09.node0
--Jason
07-13-2010 07:08 AM
Hi Jason,
thanks for the quick answer!
I will then upload the PKG-Files and XML-Profiles to the secondary unit.
But the certificate problem remains. When I make a "diff" between the config of the primary unit and the secondary unit, the certificate block (trustpoint, certificate and the complete chain) only shows up in the primary config. There's nothing visible in the standby unit's running config.
And when doing a failover, the certificate is not on the standby unit. I've read a posting in this forum that confirms you have to install the certificate on both units:
https://supportforums.cisco.com/message/3018086#3018086
Thanks and regards,
Marco
07-14-2010 07:37 AM
Hi,
problem solved. I did the following steps:
1. upload PKG-files (XML-profiles etc.) to the flash of the standby ASA
2. execute "write standby" on the active unit ("write memory" didn't work for me!)
3. execute "write memory" on the active unit to copy the running-config to the startup-config (this time the command worked for standby ASA as well)
Done.
Regards,
Marco
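The "diff" Marco describes between the two units' running-configs, and Jason's explanation that a replicated `svc image` line is dropped when the referenced file is absent from the standby's flash, both come down to one pre-failover check: does the standby hold every trustpoint, certificate chain, `ssl trust-point` binding and AnyConnect package the active unit relies on? The script below is an added example, not code from this thread or from Cisco. It parses two constructed ASA 8.2-style configs (the certificate hex bodies are shortened placeholders) and a constructed list of files on the standby's disk0:, and reports what the standby is missing. The config texts and the flash file list are assumptions standing in for `show running-config` and `dir disk0:` output pulled from each unit.

```python
"""Compare an ASA active unit's running-config with the standby's and report
the replication-sensitive items discussed in the thread: trustpoints,
certificate chains, 'ssl trust-point' bindings and 'svc image' packages.
Added example; the sample configs and flash listing are constructed."""
import re

# Constructed sample: the active unit has a trustpoint with its chain, the SSL
# binding and two AnyConnect packages. Hex certificate bodies are shortened.
ACTIVE_CONFIG = """\
hostname asa-primary
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=vpn.example.net
 keypair sslkey
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00a1b2c3
    308201aa3082011302010030
  quit
 certificate 1f2e3d4c
    308202bb3082021b02010030
  quit
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
 svc enable
"""

# Constructed sample: the standby after replication, as in the thread -- the
# 'svc image' lines were dropped and the certificate block never arrived.
STANDBY_CONFIG = """\
hostname asa-secondary
webvpn
 enable outside
 svc enable
"""

# Constructed stand-in for what 'dir disk0:' on the standby would list.
STANDBY_FLASH = {"disk0:/asa822-k8.bin", "disk0:/asdm-622.bin"}

TRUSTPOINT_RE = re.compile(r"^crypto ca trustpoint (\S+)$")
CHAIN_RE = re.compile(r"^crypto ca certificate chain (\S+)$")
SVC_IMAGE_RE = re.compile(r"^\s*svc image (\S+)(?: (\d+))?$")
SSL_TP_RE = re.compile(r"^ssl trust-point (\S+)(?: (\S+))?$")


def parse_config(text):
    """Collect the replication-sensitive pieces of an ASA running-config."""
    found = {"trustpoints": set(), "chains": set(),
             "ssl_trustpoints": set(), "svc_images": set()}
    for line in text.splitlines():
        m = TRUSTPOINT_RE.match(line)
        if m:
            found["trustpoints"].add(m.group(1))
            continue
        m = CHAIN_RE.match(line)
        if m:
            found["chains"].add(m.group(1))
            continue
        m = SSL_TP_RE.match(line)
        if m:
            found["ssl_trustpoints"].add(m.group(1))
            continue
        m = SVC_IMAGE_RE.match(line)
        if m:
            found["svc_images"].add(m.group(1))
    return found


def compare_units(active_text, standby_text, standby_flash):
    """Return what the standby config lacks relative to the active unit, plus
    every 'svc image' file the standby's flash does not hold (the reason the
    replicated command is dropped)."""
    active = parse_config(active_text)
    standby = parse_config(standby_text)
    report = {key: sorted(active[key] - standby[key]) for key in active}
    report["files_missing_on_standby_flash"] = sorted(
        path for path in active["svc_images"] if path not in standby_flash)
    return report


def standby_ready(report):
    """True only when every list in the report is empty."""
    return not any(report.values())


if __name__ == "__main__":
    result = compare_units(ACTIVE_CONFIG, STANDBY_CONFIG, STANDBY_FLASH)
    for key, items in result.items():
        print(f"{key}: {items if items else 'ok'}")
    print("standby ready for failover:", standby_ready(result))
```

Run it against real captures by replacing the two config strings and the flash set with the output of `show running-config` and `dir disk0:` from each unit; an empty report is what you want to see before trusting a failover with the SSL VPN portal.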