Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3998
Views
0
Helpful
3
Replies

IKE State: MM_STANDBY

Phil Williamson
Level 1
Level 1

‎04-13-2011 02:18 PM

I have a pair of ASA5520s in active/active failover - this works fine.  Both primary and secondary ASAs are running 8.2(2) code.

I  have a 30-day temp 50 seat SSL license that I applied to the primary.  I then started having problems with L2L tunnels.

I noted that if the 'show crypto isakmp sa' state for an L2L was MM_STANDBY, then the remote protected net could not reach my side.  However, I could ping across to the other side at which time the state changed to MM_ACTIVE as I would expect and the remote could then reach my side.

I believe this results from the differences between the two licenses.  When I applied the 50 seat SSL lic. it disabled failover, but I was willing to risk that for a few days to do show my customer the benifits of SSL connectivity.  Note license differences.  Is this causing the MM_STANDBY IKE issue and if so can I overcome it and use the 50 SSL VPN Peers lic.

Thanks - Phil

Original Lic50 SSL Lic
Maximum Physical Interfaces    Unlimited Unlimited
Maximum VLANs                  150150
Inside Hosts                   Unlimited Unlimited
Failover                       Active/Active Active/Active
VPN-DES                        Enabled Enabled
VPN-3DES-AES                   Enabled Enabled
Security Contexts              25
GTP/GPRS                       Disabled Disabled
SSL VPN Peers                  250
Total VPN Peers                750750
Shared License                 Disabled Disabled
AnyConnect for Mobile          Disabled Disabled
AnyConnect for Cisco VPN Phone Disabled Disabled
AnyConnect Essentials          Enabled Enabled
Advanced Endpoint Assessment   Disabled Disabled
UC Phone Proxy Sessions        22
Total UC Proxy Sessions        22
Botnet Traffic Filter          Disabled Disabled

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎04-13-2011 08:26 PM

I believe that you are running Active/Standby failover, otherwise, you won't be able to run IPSec nor SSL VPN. The license will show "Active/Active" to show you that the ASA platform is licensed and capable to run Active/Active failover.

With version 8.2 and below, you are right. The same SSL license needs to be applied on both firewalls, otherwise, it will disable the failover.

However, with version 8.3 and above, there is no requirement to purchase the same license on both ASA. You can just purchase and activate the license on the Primary ASA, and it will not disable the failover and when it fails over to the standby ASA, the same license will be applied.

To answer your question on MM_STANDBY on your L2L tunnel, I don't believe that having the SSL license on just 1 ASA causes the issue. It might be some other issues that coincide with the time when you activates the license. Unless, the active ASA was the secondary ASA, and you have applied the license on the primary ASA which causes the failover to break, hence the issue you are seeing on L2L tunnel. And I believe that should only be 1 time occurance only. Therefore, if you experience the issue again, it is definitely nothing to do with the license.

Hope that helps.

0 Helpful

Phil Williamson
Level 1
Level 1
In response to Jennifer Halim

‎04-14-2011 04:53 AM

Jennifer,

You are correct - active/standby.

As a note to help with troubleshooting I offer this.  The pair has been up for 281 days with 100+ L2L tunnels.  During that time it has not failed over.  Until I activated the temp SSL lic. there had not been any problems with IKE states - all were MM_ACTIVE.

The lic. was appliled to the primary/active ASA and it did cause failover to be disabled - all failover code remains, but the change seen was 'failover' to 'no failover'.  I did not reload the ASA after the change.

I could update to v8.3, but I'm leary since I have a config that is stable etc.  Has Cisco offered any conversion tool for 8.2 -> 8.3 like was offered for 6.x PIX  to 7.x ASA migration?

Thx

Phil

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Phil Williamson

‎04-16-2011 11:43 PM

There is built-in migration tool when you upgrade from version 8.2 to 8.3, and it will automatically migrate all the config when you perform the upgrade. I would suggest that you upgrade to the latest version of 8.3 if you decide to upgrade to that version.

Please also kindly be advised that there is major change to the NAT feature, and you might want to take a look prior to upgrade. ACL also changes a little where when you apply ACL on the outside interface, you would need to match on the real IP instead of the translated IP which was the behaviour on version 8.2 and below.

0 Helpful
Customers Also Viewed These Support Documents