I have a pair of ASA5520s in active/active failover - this works fine. Both primary and secondary ASAs are running 8.2(2) code.
I have a 30-day temp 50 seat SSL license that I applied to the primary. I then started having problems with L2L tunnels.
I noted that if the 'show crypto isakmp sa' state for an L2L was MM_STANDBY, then the remote protected net could not reach my side. However, I could ping across to the other side at which time the state changed to MM_ACTIVE as I would expect and the remote could then reach my side.
I believe this results from the differences between the two licenses. When I applied the 50 seat SSL lic. it disabled failover, but I was willing to risk that for a few days to do show my customer the benifits of SSL connectivity. Note license differences. Is this causing the MM_STANDBY IKE issue and if so can I overcome it and use the 50 SSL VPN Peers lic.
I believe that you are running Active/Standby failover, otherwise, you won't be able to run IPSec nor SSL VPN. The license will show "Active/Active" to show you that the ASA platform is licensed and capable to run Active/Active failover.
With version 8.2 and below, you are right. The same SSL license needs to be applied on both firewalls, otherwise, it will disable the failover.
However, with version 8.3 and above, there is no requirement to purchase the same license on both ASA. You can just purchase and activate the license on the Primary ASA, and it will not disable the failover and when it fails over to the standby ASA, the same license will be applied.
To answer your question on MM_STANDBY on your L2L tunnel, I don't believe that having the SSL license on just 1 ASA causes the issue. It might be some other issues that coincide with the time when you activates the license. Unless, the active ASA was the secondary ASA, and you have applied the license on the primary ASA which causes the failover to break, hence the issue you are seeing on L2L tunnel. And I believe that should only be 1 time occurance only. Therefore, if you experience the issue again, it is definitely nothing to do with the license.
As a note to help with troubleshooting I offer this. The pair has been up for 281 days with 100+ L2L tunnels. During that time it has not failed over. Until I activated the temp SSL lic. there had not been any problems with IKE states - all were MM_ACTIVE.
The lic. was appliled to the primary/active ASA and it did cause failover to be disabled - all failover code remains, but the change seen was 'failover' to 'no failover'. I did not reload the ASA after the change.
I could update to v8.3, but I'm leary since I have a config that is stable etc. Has Cisco offered any conversion tool for 8.2 -> 8.3 like was offered for 6.x PIX to 7.x ASA migration?
There is built-in migration tool when you upgrade from version 8.2 to 8.3, and it will automatically migrate all the config when you perform the upgrade. I would suggest that you upgrade to the latest version of 8.3 if you decide to upgrade to that version.
Please also kindly be advised that there is major change to the NAT feature, and you might want to take a look prior to upgrade. ACL also changes a little where when you apply ACL on the outside interface, you would need to match on the real IP instead of the translated IP which was the behaviour on version 8.2 and below.
Hi all,I cannot understand why is something working very well they create a way to complicate things in Cisco ASA OS. I have a rule :object network LOCAL_ADRESS1 host 192.168.20.12 nat (VLAN20,outside) source static LOCAL_ADRESS1 interface&...
It is our pleasure to officially announce the finalists in the 2021 IT Blog Awards. We are now looking to our amazing tech community to check out the amazing line up of bloggers, vloggers and podcasters. Make sure to vote for your favorites...
Community Live Event Slides
This event talks about Cisco SecureX, its benefits, features, and usage. The session includes sample use cases and live demonstrations.
Cisco expert Luis Silva talks about how this solution can integrate Cisco technology and ...
Hello All, Recently I got an opportunity to perform POC with Cisco ISE (2.7 Patch 4) and Aruba Wireless AP (IAP) to perform 802.1x EAP-FAST (machine + user) authentication followed by Posture Assessment on Windows 10 Machines (installed with AnyConnect 4....
Hello All, Recently I got an opportunity to perform POC with Cisco ISE (2.7 Patch 4) and Juniper EX 2300 switch to perform 802.1x EAP-FAST (machine + user) authentication followed by Posture Assessment on Windows 10 Machines (installed with AnyConnec...