06-30-2017 03:50 PM
Hi Friends,
We have a site-to-site VPN on ASA firewalls, and we manage all the Site 2 devices remotely from Site 1. The problem here is that I can manage (SSH & Telnet) the active FW remotely over the VPN, but not the standby FW IP over the VPN from Site 1; I am also not getting an SNMP response for the standby FW from the Site 1 SNMP server.
If I make the standby unit (FW2) active then I can manage FW2 remotely, but not FW1, which is then in standby mode.
Do we require any additional command to be configured to take control of the standby FW over the VPN and to get an SNMP response from the standby FW over the VPN?
Similarly, to get syslog messages from the standby unit we used to configure logging standby on the active firewall.
ASP-drop logs captured from the standby while doing SSH are below.
1: 07:43:50.969996 802.1Q vlan#506 P0 10.10.10.10.39840 > 20.20.20.20.22: S 2731389009:2731389009(0) win 5840 <mss 1366,sackOK,timestamp 2930775758 0,nop,wscale 2> Drop-reason: (no-adjacency) No valid adjacency
2: 07:43:53.968135 802.1Q vlan#506 P0 10.10.10.10.39840 > 20.20.20.20.22: S 2731389009:2731389009(0) win 5840 <mss 1366,sackOK,timestamp 2930778758 0,nop,wscale 2> Drop-reason: (no-adjacency) No valid adjacency
3: 07:43:59.958873 802.1Q vlan#506 P0 10.10.10.10.39840 > 20.20.20.20.22: S 2731389009:2731389009(0) win 5840 <mss 1366,sackOK,timestamp 2930784758 0,nop,wscale 2> Drop-reason: (no-adjacency) No valid adjacency
3 packets shown
ASA-FW/sec/stby#
ASDM logs:
6|Jun 30 2017 07:44:11|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 to EXT-DMZ-MGMT:10.10.10.10/39840
6|Jun 30 2017 07:44:35|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 to EXT-DMZ-MGMT:10.10.10.10/39840
6|Jun 30 2017 07:45:23|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 to EXT-DMZ-MGMT:10.10.10.10/39840
6|Jun 30 2017 07:47:12|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 to EXT-DMZ-MGMT:10.10.10.10/39841
ASA-FW/sec/stby#
Thanks & Regards
Sindhukumar
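As an added example (not from the original poster), the two log sources above can be correlated to confirm the symptom: an inbound SYN dropped with "no-adjacency" on the standby, matched against a %ASA-6-110003 "Routing failed to locate next hop" message for the reply to the same host. The sample lines are constructed, modelled on the thread's output; the function names are hypothetical.

```python
import re

# Constructed sample lines modelled on the thread's asp-drop capture and ASDM syslog (not real device output)
ASP_DROP_LINES = [
    "1: 07:43:50.969996 802.1Q vlan#506 P0 10.10.10.10.39840 > 20.20.20.20.22: S 2731389009:2731389009(0) "
    "win 5840 <mss 1366,sackOK,timestamp 2930775758 0,nop,wscale 2> Drop-reason: (no-adjacency) No valid adjacency",
    "2: 07:43:53.968135 802.1Q vlan#506 P0 10.10.10.10.39840 > 20.20.20.20.22: S 2731389009:2731389009(0) "
    "win 5840 <mss 1366,sackOK,timestamp 2930778758 0,nop,wscale 2> Drop-reason: (no-adjacency) No valid adjacency",
    "3 packets shown",
]
SYSLOG_LINES = [
    "6|Jun 30 2017 07:44:11|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 "
    "to EXT-DMZ-MGMT:10.10.10.10/39840",
    "6|Jun 30 2017 07:47:12|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 "
    "to EXT-DMZ-MGMT:10.10.10.10/39841",
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# capture line: "<src>.<sport> > <dst>.<dport>: ... Drop-reason: (<reason>) ..."
ASP_RE = re.compile(rf"(?P<src>{IP})\.(?P<sport>\d+) > (?P<dst>{IP})\.(?P<dport>\d+):.*Drop-reason: \((?P<reason>[^)]+)\)")
# syslog 110003: "from <ifc>:<fw_ip>/<fw_port> to <ifc>:<mgmt_host>/<port>" describes the reply the unit could not route
SYSLOG_RE = re.compile(
    rf"\|110003: Routing failed to locate next hop for \w+ from [^:]+:(?P<src>{IP})/(?P<sport>\d+) "
    rf"to [^:]+:(?P<dst>{IP})/(?P<dport>\d+)"
)

def parse_asp_drops(lines):
    """Return (src, dst, dport, reason) for each capture line that carries a Drop-reason."""
    out = []
    for line in lines:
        m = ASP_RE.search(line)
        if m:
            out.append((m["src"], m["dst"], int(m["dport"]), m["reason"]))
    return out

def parse_next_hop_failures(lines):
    """Return (fw_ip, fw_port, mgmt_host) for each 110003 line."""
    out = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m:
            out.append((m["src"], int(m["sport"]), m["dst"]))
    return out

def unreachable_mgmt_sessions(asp_lines, syslog_lines):
    """(mgmt_host, fw_ip, port) tuples where the inbound SYN hit 'no-adjacency' AND the reply failed
    next-hop lookup: together they point at a unit with no route back to the peer (the standby's missing VPN route)."""
    inbound = {(s, d, p) for s, d, p, r in parse_asp_drops(asp_lines) if r == "no-adjacency"}
    outbound = {(h, f, p) for f, p, h in parse_next_hop_failures(syslog_lines)}
    return sorted(inbound & outbound)
```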
07-01-2017 02:50 PM
Hi
I think the problem you are having is about routing. When the tunnel comes up on one of the firewalls, it creates a route to your server and starts sending the SNMP through the tunnel, but from your standby firewall's perspective the tunnel is not up. Although I'm not a firewall expert, the only solution I can think of is to use the management routing table, which is not shared or synced with the active firewall. And Cisco changed the management routing table to not be synced after the 9.5 release. Check out the link below.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html#pgfId-148548
Separate routing table for management-only interfaces
To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces. We introduced or modified the following commands: backup, clear ipv6 route management-only, clear route management-only, configure http, configure net, copy, enrollment source, name-server, restore, show asp table route-management-only, show ipv6 route management-only, show route management-only. We did not modify any screens.
So if you can forward your SNMP through the management interface (or the interface you are going to dedicate as management-only) to the active firewall's data routing table, I assume you can get your SNMP messages to your server.
Regards
Hüseyin Efe Evyapan