Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1859
Views
0
Helpful
3
Replies

Management access to remote ASA standby VPN peer

bbrunette
Level 1
Level 1

‎07-09-2013 03:14 PM

I have a L2L VPN with a pair of 5515's running 9.1.1 in Active/Standby as the remote VPN peer.  I can get management traffic (ssh, snmp, radius, tacacs+, syslog) for the Active ASA to go through the VPN by using the "management-access inside" command, but I cannot get the Standby ASA to do the same.  My guess is that it receives traffic sent to it just fine but then sends traffic via its outside interface, since that's what the default route points to.  Since the Standby ASA doesn't have any active SA's, the traffic just goes out unencrypted and gets dropped.

Is there some trick to get the Standby ASA to send its management traffic via the inside interface so that the Active ASA picks it up and puts it on the VPN?

Thanks,

Bob

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-09-2013 03:26 PM

I use the Management interface for this function when I can. f I can't, I assign a standby IP to the secondary unit's inside interface and direct my management traffic that I explicitly want to go to the standby unit to that address. Your VPN clients should have private addresses that are located inside via a "route inside " command.

I seldom use it however, as one can see most of the occasional things needed from the standby from the active unit using the "failover exec standby ..." command.

0 Helpful

bbrunette
Level 1
Level 1
In response to Marvin Rhoads

‎07-09-2013 08:13 PM

Thanks Marvin.  Please note that this is strictly a L2L VPN; there are no clients.  And unfortunately even "failover exec" commands don't work, because we TACACS+ command authorization and the ASA has to talk to the TACACS+ server over--you guessed it--the VPN.

I could try using the Management 0/0 interface, but I think it would have the same issue with the traffic being sent by the Standby ASA.  What do you think?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to bbrunette

‎07-09-2013 08:54 PM

Hmmm, OK.

How about M0/0 as the access IP with a static for the /32 host address of the TACACS server(s) on the Management interface pointing to a gateway on a management VLAN address that is on a device (like a L3 switch) also off the inside interface? The more specific static route beats everything but a connected interface as far as routing goes so that should force the AAA out that path.

What is it you want to access the standby unit for anyhow?

0 Helpful
Customers Also Viewed These Support Documents