Unable to manage standby ASA FW over VPN

Sindhu_kumar
Level 1

Hi Friends,

We have a site-to-site VPN on ASA FW; we manage all the Site 2 devices remotely from Site 1. The problem is that I can manage (SSH & Telnet) the active FW remotely over VPN, but not the standby FW IP over VPN from Site 1; also I am not getting an SNMP response for the standby FW from the Site 1 SNMP server.

If I make the standby unit (FW2) active, then I can manage FW2 remotely but not FW1, which is then in standby mode.

Do we require any additional command that needs to be configured to take control of the standby FW over VPN and to get an SNMP response from the standby FW over VPN?

Similarly, to get syslog messages from the standby unit we configure logging standby on the active firewall.

ASP-drop logs captured on the standby while doing SSH are below.

   1: 07:43:50.969996       802.1Q vlan#506 P0 10.10.10.10.39840 > 20.20.20.20.22: S 2731389009:2731389009(0) win 5840 <mss 1366,sackOK,timestamp 2930775758 0,nop,wscale 2> Drop-reason: (no-adjacency) No valid adjacency

   2: 07:43:53.968135       802.1Q vlan#506 P0 10.10.10.10.39840 > 20.20.20.20.22: S 2731389009:2731389009(0) win 5840 <mss 1366,sackOK,timestamp 2930778758 0,nop,wscale 2> Drop-reason: (no-adjacency) No valid adjacency

   3: 07:43:59.958873       802.1Q vlan#506 P0 10.10.10.10.39840 > 20.20.20.20.22: S 2731389009:2731389009(0) win 5840 <mss 1366,sackOK,timestamp 2930784758 0,nop,wscale 2> Drop-reason: (no-adjacency) No valid adjacency

3 packets shown

ASA-FW/sec/stby#  

ASDM logs:

6|Jun 30 2017 07:44:11|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 to EXT-DMZ-MGMT:10.10.10.10/39840

6|Jun 30 2017 07:44:35|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 to EXT-DMZ-MGMT:10.10.10.10/39840

6|Jun 30 2017 07:45:23|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 to EXT-DMZ-MGMT:10.10.10.10/39840

6|Jun 30 2017 07:47:12|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 to EXT-DMZ-MGMT:10.10.10.10/39841

ASA-FW/sec/stby#  

Thanks & Regards

Sindhukumar
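The capture and ASDM output above show the same symptom from two angles: the standby unit drops the inbound SSH SYN with no-adjacency, and its syslog reports 110003 "Routing failed to locate next hop" for its own replies. The following script is an added example, not code from this thread or from Cisco; it parses both formats so a monitoring host can tell, from the standby's own logs, which management stations and services (SSH, Telnet, SNMP) the unit cannot reach. The sample lines are constructed in the same shape as the ones quoted above (the UDP/161 entries and the 111008 line are invented for the example), and the set of local firewall addresses passed to unreachable_managers() is an assumption the caller supplies.

```python
import re
from collections import Counter

# Constructed sample input, shaped like the standby's "show capture" asp-drop
# output quoted in the question (not the thread's exact lines).
SAMPLE_CAPTURE = """\
   1: 07:43:50.969996       802.1Q vlan#506 P0 10.10.10.10.39840 > 20.20.20.20.22: S 2731389009:2731389009(0) win 5840 <mss 1366,sackOK,timestamp 2930775758 0,nop,wscale 2> Drop-reason: (no-adjacency) No valid adjacency
   2: 07:43:53.968135       802.1Q vlan#506 P0 10.10.10.10.39840 > 20.20.20.20.22: S 2731389009:2731389009(0) win 5840 <mss 1366,sackOK,timestamp 2930778758 0,nop,wscale 2> Drop-reason: (no-adjacency) No valid adjacency
   3: 07:44:02.118401       802.1Q vlan#506 P0 10.10.10.10.51000 > 20.20.20.20.161: udp 64 Drop-reason: (no-adjacency) No valid adjacency
3 packets shown
"""

# Constructed sample ASDM-style syslog export; the 111008 line is an unrelated
# message included so the parser has something to ignore.
SAMPLE_SYSLOG = """\
6|Jun 30 2017 07:44:11|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 to EXT-DMZ-MGMT:10.10.10.10/39840
6|Jun 30 2017 07:44:35|110003: Routing failed to locate next hop for TCP from EXT-DMZ-MGMT:20.20.20.20/22 to EXT-DMZ-MGMT:10.10.10.10/39840
6|Jun 30 2017 07:45:23|110003: Routing failed to locate next hop for UDP from EXT-DMZ-MGMT:20.20.20.20/161 to EXT-DMZ-MGMT:10.10.10.10/51000
6|Jun 30 2017 07:46:02|111008: User 'admin' executed the 'show route' command.
"""

# %ASA-6-110003: severity|timestamp|id: Routing failed to locate next hop for
# <proto> from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>
SYSLOG_110003 = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|110003: Routing failed to locate next hop for "
    r"(?P<proto>\w+) from (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# One asp-drop capture entry: "<n>: <time> ... <src>.<sport> > <dst>.<dport>: ... Drop-reason: (<reason>)"
ASP_DROP = re.compile(
    r"^\s*(?P<num>\d+): (?P<ts>\S+).*?\b(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):.*Drop-reason: \((?P<reason>[^)]+)\)"
)

# Management services the thread is concerned with; assumption for the example.
MGMT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp"}


def parse_syslog_110003(lines):
    """Return one dict per 110003 'Routing failed to locate next hop' line."""
    events = []
    for line in lines:
        m = SYSLOG_110003.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            events.append(d)
    return events


def parse_asp_drops(lines):
    """Return one dict per packet entry of a 'show capture ... type asp-drop' listing."""
    drops = []
    for line in lines:
        m = ASP_DROP.match(line)
        if m:
            d = m.groupdict()
            d["num"], d["sport"], d["dport"] = int(d["num"]), int(d["sport"]), int(d["dport"])
            drops.append(d)
    return drops


def unreachable_managers(events, local_ips):
    """Count 110003 events whose source is one of the firewall's own addresses on a
    management port: the unit accepted a management packet but could not route
    the reply, which is exactly the standby-over-VPN failure in the thread.
    Returns {(manager_ip, service): count}."""
    counts = Counter()
    for e in events:
        if e["src"] in local_ips and e["sport"] in MGMT_PORTS:
            counts[(e["dst"], MGMT_PORTS[e["sport"]])] += 1
    return dict(counts)


def drop_reasons(drops):
    """Tally the Drop-reason codes seen in the capture."""
    return dict(Counter(d["reason"] for d in drops))


if __name__ == "__main__":
    events = parse_syslog_110003(SAMPLE_SYSLOG.splitlines())
    drops = parse_asp_drops(SAMPLE_CAPTURE.splitlines())
    print("drop reasons on standby:", drop_reasons(drops))
    # 20.20.20.20 is the standby's own management address in the sample (assumed)
    for (mgr, svc), n in sorted(unreachable_managers(events, {"20.20.20.20"}).items()):
        print(f"{svc:6s} replies to {mgr} unroutable: {n} event(s)")
```

A steady stream of 110003 events sourced from the standby's own address is the signal to alert on: it shows the unit has no route back toward the management station, so the fix is on the routing side (the reply to this thread points at the management-only routing table) rather than in the SSH or SNMP configuration.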

1 Reply

Hi

I think the problem you are having is about routing. When the tunnel comes up on one of the firewalls, it creates a route to your server and starts to send the SNMP through the tunnel, but from your standby firewall's perspective the tunnel is not up. Although I'm not a firewall expert, the only solution I can think of is to use the management routing table, which is not shared or synced with the active firewall. Cisco changed the management routing table to not be synced after the 9.5 release. Check out the link below.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html#pgfId-148548

Separate routing table for management-only interfaces

To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces.

We introduced or modified the following commands: backup, clear ipv6 route management-only, clear route management-only, configure http, configure net, copy, enrollment source, name-server, restore, show asp table route-management-only, show ipv6 route management-only, show route management-only

We did not modify any screens.

So if you can forward your SNMP through the management interface (or the interface you are going to dedicate as management-only) to the active firewall's data routing table, I assume you can get your SNMP messages to your server.

Regards

Hüseyin Efe Evyapan