Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3465
Views
0
Helpful
1
Replies

ASA local CA and Active/Passive Failover

prowler130
Level 4
Level 4

‎01-31-2012 12:34 PM

Hello,

I am seeing some conflicting information on this topic and I was wondering if I could get some clarification.

This link states that a local CA cannot be configured on an ASA while failover (in general) is configured:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#FailoverCA

This link states that the 'crypto ca server' commands will not be synced, implying that they are at least configurable on the active unit:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.pdf

*The crypto ca server command and related sub-commands are not synchronized to the failover peer

In addition, there are some other miscellaneous resources that state that you can run a local ca server in all cases except Active/Active failover.

I am currently running two ASA's in an Active/Passive failover mode, and whenever I try to enable the local ca server, I get the following error:

ERROR: The local CA server is not supported in a failover

setup. Please disable failover in order to configure the

local CA server

I realize this error pretty much answers my question, but I figured with the information I found, it would be worth it to ask for clarification.  With that said, is it at all possible to run a local ca server on an Active/Passive ASA cluster?

Labels:
0 Helpful
1 Reply 1

jmprats
Level 4
Level 4

‎09-26-2012 01:37 AM

Hi Edaward,

Local CA cannot be configured with Active/ Passive Failover.

It seems is an error in the documentation that only states Active/Active failover that must be updated as you can see in the summary of the Bug ID CSCtt24125:


http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtt24125&from=summary

At the same time there is an enhancement request to have this feature as you can see in this thread:

https://supportforums.cisco.com/thread/2093820

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents