Cisco ASA - Certificate Failover

donovan.chetty (Level 1)

Hello,

I have an ASA pair (8.4.2) configured for failover; it hosts an SSL VPN server using 3rd-party signed certificates.

We need to swap out the primary ASA (the one loaded with the certificate) with another unit as the "PRIMARY" unit is faulty. I understand the certificate gets replicated to the standby unit in any event.

I need to replace the primary unit with "ANOTHER" unit as the primary unit is faulty. I want to do this as follows:

1. Promote standby unit to primary

2. Disable failover on the faulty unit.

3. Make the NEWLY promoted primary unit, PRIMARY (failover lan unit primary)

4. Add the NEW unit to failover cluster and replicate the configuration.

Question:

--------------

How will this affect the certificate? Will the certificate from this newly promoted primary unit replicate to the new replacement unit?

Thanks.

5 Replies

Jan Rolny (Level 3)

Hi,

just to clarify what you posted.

1. Your PRIMARY unit is faulty and Standby is now the Active unit, correct? So everything works well and certificates are replicated on the Standby (now Active) unit. So you don't need to promote it to Active, right?

2. If your PRIMARY unit is faulty you cannot access this box anyway, correct?

---------------------------------------------

BEFORE you start doing anything BACKUP your config with all keys and certificates.

I recommend to read this

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html

and this

https://supportforums.cisco.com/docs/DOC-12969

3. Now your Standby is Active so leave this state as it is.

4. Configure new unit as standby unit and connect it with your Active one (originally SECONDARY).

5. Then I would replicate the configuration to the Standby unit (write standby) so it will replicate the configuration and certificates.

6. Check configuration on Standby.

7. Promote Standby unit as Active.

Finally you should have it like before.

Jan

I will clarify:

1. Your PRIMARY unit is faulty and Standby is now the Active unit, correct? So everything works well and certificates are replicated on the Standby (now Active) unit. So you don't need to promote it to Active, right?

- When we switch over to secondary all works fine, even certificates.

2. If your PRIMARY unit is faulty you cannot access this box anyway, correct?

- The primary unit is not completely down, we are just receiving intermittent connection issues. When we switch over to standby, this issue is not experienced. All layer 1 issues were ruled out. Plus, the ASA 5540 boxes are gig interfaces with very low memory and CPU utilization. We have a standing call with Cisco who cannot pin-point the issue, hence the decision to replace the unit.

My only concern was whether the certificate from the NEWLY promoted secondary be replicated to the NEW secondary unit.

My only concern was whether the certificate from the NEWLY promoted secondary be replicated to the NEW secondary unit.

Yes, all config and certificates are replicated from the active to the standby. That the current active ASA used to be the standby has nothing to do with the matter. It is now the active ASA and will perform all tasks as an active ASA should perform.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
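As an added example (not posted by anyone in this thread and not taken from Cisco's documentation), the command sequence below walks through the replacement procedure Jan outlines and the replication behaviour confirmed in the reply above, with the verification checks a practitioner would run before trusting the new pair. The trustpoint name MY-SSL-TP, the failover interface name FOLINK, GigabitEthernet0/3, the TFTP address and the failover subnet are all assumed placeholders; substitute your own.

```cisco
! Added example, not from the thread. Placeholders: MY-SSL-TP (trustpoint),
! FOLINK / GigabitEthernet0/3 (failover link), 192.168.254.0/30, 10.0.0.5 (TFTP).

! --- 0. On the current Active unit (originally SECONDARY): confirm state and
!        back up the identity certificate, its private key and the CA chain.
ciscoasa# show failover state
ciscoasa# show crypto ca trustpoints
ciscoasa# show crypto ca certificates MY-SSL-TP
ciscoasa# configure terminal
! Exports cert + key + chain as base64 PKCS12 protected by the passphrase;
! keep the output and the passphrase off the box, in your secrets store.
ciscoasa(config)# crypto ca export MY-SSL-TP pkcs12 <strong-export-passphrase>
ciscoasa(config)# exit
ciscoasa# copy running-config tftp://10.0.0.5/asa-backup.cfg

! --- 1. On the faulty unit's console: remove it from the pair, then disconnect
!        its failover link so it can never rejoin with a stale configuration.
ciscoasa(config)# no failover

! --- 2. On the replacement unit (same model, same licensed features, same image
!        8.4.2, failover link cabled). Only the failover bootstrap is typed by hand;
!        everything else, certificates included, arrives from the Active unit.
!        The two units must carry different designations. The surviving Active
!        unit is "secondary", so the replacement takes "primary" here; if you
!        prefer the old naming, change the surviving unit first, not both at once.
ciscoasa(config)# failover lan unit primary
ciscoasa(config)# failover lan interface FOLINK GigabitEthernet0/3
ciscoasa(config)# failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
ciscoasa(config)# failover link FOLINK GigabitEthernet0/3
ciscoasa(config)# failover key <same-failover-key-as-on-the-active-unit>
ciscoasa(config)# failover

! --- 3. On the Active unit: push the full running configuration, including
!        RSA keys and trustpoint certificates, to the new Standby.
ciscoasa# write standby
ciscoasa# show failover
! Expect "This host: ... Active" and "Other host: ... Standby Ready".

! --- 4. Verify the certificate really landed on the Standby BEFORE failing over.
!        failover exec runs the command on the mate and returns its output.
ciscoasa# failover exec standby show crypto ca certificates MY-SSL-TP
ciscoasa# failover exec standby show crypto key mypubkey rsa
ciscoasa# failover exec standby show running-config ssl
! Serial number and issuer must match the Active unit's output from step 0, and
! the "ssl trust-point MY-SSL-TP <interface>" line must be present.

! --- 5. Only after step 4 checks out: make the unit you want to own the VPN
!        Active, save, and confirm the final roles.
ciscoasa# failover active
ciscoasa# show failover state
ciscoasa# write memory
```

The checks in step 4 are the ones that answer the question asked in this thread: replication follows the Active/Standby roles, not the primary/secondary designation, so whichever unit is Active when `write standby` runs is the source of the certificate and key. Keeping the PKCS12 export from step 0 means the pair can be rebuilt from scratch without involving the CA again if replication ever does not complete.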

Thanks all.

Any time
