04-13-2011 02:18 PM
I have a pair of ASA5520s in active/active failover - this works fine. Both primary and secondary ASAs are running 8.2(2) code.
I have a 30-day temp 50 seat SSL license that I applied to the primary. I then started having problems with L2L tunnels.
I noted that if the 'show crypto isakmp sa' state for an L2L was MM_STANDBY, then the remote protected net could not reach my side. However, I could ping across to the other side at which time the state changed to MM_ACTIVE as I would expect and the remote could then reach my side.
I believe this results from the differences between the two licenses. When I applied the 50 seat SSL lic. it disabled failover, but I was willing to risk that for a few days to do show my customer the benifits of SSL connectivity. Note license differences. Is this causing the MM_STANDBY IKE issue and if so can I overcome it and use the 50 SSL VPN Peers lic.
Thanks - Phil
Original Lic | 50 SSL Lic | ||
Maximum Physical Interfaces | Unlimited | Unlimited | |
Maximum VLANs | 150 | 150 | |
Inside Hosts | Unlimited | Unlimited | |
Failover | Active/Active | Active/Active | |
VPN-DES | Enabled | Enabled | |
VPN-3DES-AES | Enabled | Enabled | |
Security Contexts | 2 | 5 | |
GTP/GPRS | Disabled | Disabled | |
SSL VPN Peers | 2 | 50 | |
Total VPN Peers | 750 | 750 | |
Shared License | Disabled | Disabled | |
AnyConnect for Mobile | Disabled | Disabled | |
AnyConnect for Cisco VPN Phone | Disabled | Disabled | |
AnyConnect Essentials | Enabled | Enabled | |
Advanced Endpoint Assessment | Disabled | Disabled | |
UC Phone Proxy Sessions | 2 | 2 | |
Total UC Proxy Sessions | 2 | 2 | |
Botnet Traffic Filter | Disabled | Disabled |
04-13-2011 08:26 PM
I believe that you are running Active/Standby failover, otherwise, you won't be able to run IPSec nor SSL VPN. The license will show "Active/Active" to show you that the ASA platform is licensed and capable to run Active/Active failover.
With version 8.2 and below, you are right. The same SSL license needs to be applied on both firewalls, otherwise, it will disable the failover.
However, with version 8.3 and above, there is no requirement to purchase the same license on both ASA. You can just purchase and activate the license on the Primary ASA, and it will not disable the failover and when it fails over to the standby ASA, the same license will be applied.
To answer your question on MM_STANDBY on your L2L tunnel, I don't believe that having the SSL license on just 1 ASA causes the issue. It might be some other issues that coincide with the time when you activates the license. Unless, the active ASA was the secondary ASA, and you have applied the license on the primary ASA which causes the failover to break, hence the issue you are seeing on L2L tunnel. And I believe that should only be 1 time occurance only. Therefore, if you experience the issue again, it is definitely nothing to do with the license.
Hope that helps.
04-14-2011 04:53 AM
Jennifer,
You are correct - active/standby.
As a note to help with troubleshooting I offer this. The pair has been up for 281 days with 100+ L2L tunnels. During that time it has not failed over. Until I activated the temp SSL lic. there had not been any problems with IKE states - all were MM_ACTIVE.
The lic. was appliled to the primary/active ASA and it did cause failover to be disabled - all failover code remains, but the change seen was 'failover' to 'no failover'. I did not reload the ASA after the change.
I could update to v8.3, but I'm leary since I have a config that is stable etc. Has Cisco offered any conversion tool for 8.2 -> 8.3 like was offered for 6.x PIX to 7.x ASA migration?
Thx
Phil
04-16-2011 11:43 PM
There is built-in migration tool when you upgrade from version 8.2 to 8.3, and it will automatically migrate all the config when you perform the upgrade. I would suggest that you upgrade to the latest version of 8.3 if you decide to upgrade to that version.
Please also kindly be advised that there is major change to the NAT feature, and you might want to take a look prior to upgrade. ACL also changes a little where when you apply ACL on the outside interface, you would need to match on the real IP instead of the translated IP which was the behaviour on version 8.2 and below.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide