Solved: Cisco ASA failover Active/Passive with Certificate authentication

abdelkhalek-benhima · ‎09-02-2020

Hello everyone,

I am upgrading a single ASA firewall to a dual-ASA firewall. the deployment to consider is active/passive with state failover.

My question is regarding the sync flows between the 2 ASA firewall, in my understanding, there are 2 ways to protect these flows : failover password or IPSec tunnel for failover.

Question : Is there anyway how we can use certificates (from my company's CA) for primary ASA to authenticate secondary ASA and encrypt replication flows between both of them ?

That's becayse I think that password protection is weak, and IPSec tunnel seem to me difficult to throubleshoot by our network operators.

Thanks you so much for you quick answers and feedbacks :)

Best regards,

Abdel.

Karsten Iwen · ‎09-02-2020

I have not seen any option to authenticate the two ASAs HA-link with certificates. But don't be afraid about the IPsec troubleshooting. Once the config is complete and the FO-link is operational, there is nothing to troubleshoot. It will just "be there" and you don't have to take care of it.

And if it would be possible to use certificates, it still would be IPsec and be even more complex to operate.

View solution in original post

Karsten Iwen · ‎09-02-2020

I have not seen any option to authenticate the two ASAs HA-link with certificates. But don't be afraid about the IPsec troubleshooting. Once the config is complete and the FO-link is operational, there is nothing to troubleshoot. It will just "be there" and you don't have to take care of it.

And if it would be possible to use certificates, it still would be IPsec and be even more complex to operate.