ASA 5520's active / standby, do not sync AnyConnect Profles

Similar Questions

• ASA 5520 to 5510 VPN is not the creation of the IPSEC Security Association

  I have an L2L built between a 5520 and 5510 ipsec tunnel. I'm sure I configured everything that I need to but when I do a show ipsec cry his it is nothing.  I do not know the inbetween firewall are open to allow connections as well. also whenever I set up a part of the cryptomap as a command: crypto outside_map 10 card game peers 6.7.0.13 he would come back with this error

  [IKEv1]: ignoring msg SA brand with the specified coordinates dead.

  any ideas?

  Hello

  Could you please paste the output of the command "show following run crypto" since both the ASAs. Also, what do you see when you give "cry isa to show her.

  Also if your ACL crypto for the tunnel have something like this "access-list extended ACL permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp.

  Change the ACL for ip that is "access-list extended ACL permit ip 192.168.11.11 host 10.1.100.105" Let me know if that helps

  Thank you

  Delvallée

• ASA 5520 Active standby and ssl vpn loadbalancing

  I have a pair of Asa 5520 failover active rescue running. Can I use these two machines in a cluster of ssl vpn load balancing?

  N ° when a couple active / standby is part of a cluster of VPN, the rescue unit is still pending - she will not be actively terminate user sessions. Only the active cluster members (and non-failover) will do.

• Cisco ASA CX active / standby

  Hello friends

  One of my clients has a couple of ASA 5545 work quite well as active / standby failover. But the configuration that is not copied to the secondary unit is CX. Do you know how to get it? Please, do not hesitate to request further information, comment or document will be appreciated.

  Kind regards!

  The CX configurations are not part of the active reserve ASA replication.

  How to synchronize the configurations of CX is to use PRSM (first Security Manager - product under separate license, not the one provided with the CX) running on a virtual machine in device mode.

  Reference.

  Once you find out what pair CX with a PRSM "out of area", all configuration changes are deployed both to the pair.

• Cisco ASA 8.4 Active Failover / standby with anyconnect local CA

  Hi Friend´s

  I hope you do well! I ve got a question, hope you can help me. I ve got an ASA 5550 with version 8.4 (6), it s focusing anyconnect VPN remote access who authenticate through certificate locally generated in ASA. We´ve got an another 5550 with the same hardware and same version, and we focus on the configuration of the failover. I ve heard of network other than it s engineers may not failover configuration when the ASA doing this local. Then I ve read full failover for version 8.4 operating guide (6) and I didn t find any restrictions on the local failover and CA working together. I m tests over the next weekend, but I would like to know from your experience, if I'm having problems on VPN connections or failover configuration.

  Please, do not hesitate to ask as much as necessary information. All comment and documentation will be appreciated.

  Best regards!

  It's the n: documentatio

   Does not support Active/Active or Active/Standby failover

  And on top of that, ASDM shows that "Local CA cannot be configured when failover is activated".

• ASA (Active standby) site-to-Site VPN Question

  Hello

  I had the question as below

  Site A - 1 unit of VPN Netscreen firewall

  Site B - 2 units of ASA VPN firewall

  

  I'm trying to set up a VPN from Site to Site, but a problem with the configuration of the active standby.

  Initially, I tried Site A 1 unit Netscreen and Site B 1 unit ASA vpn site-to-site. There's no problem.

  but joins another ASA at site B and configure it as active / standby then I saw a few questions that I need help from here

  Things that confuse me.

  (1) do I need to use 2 public IP address on the SAA? (public IP for assets and the other a public IP ensures IP. it seems like a waste of the public IP address.)

  (2) link failover and dynamic failover can be configured on the same interface?

  Please help in this case, configuring VPN from Site to Site with active configuration / standby.

  just to add to this,

  just be careful when you dedicate an interface for dynamic failover, make sure that it is the highest capacity, or at least the same ability as an interface offers th

  so if you use concert for passing traffic interface uses a concert for dynamic failover port, several times we saw people using the management for steful interface when they ports of concert and they run into issues where the dynamic function does not work as expected

  You can read more here

  https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1051759

• Procedure to upgrade (Active-Standby) ASA

  Hi all

  I just want to check if our upgrade scheduled SAA causes no problems during the procedure.

  Material: ASA5525-X

  Existing IOS: 9.1.2

  Update to: 9.4.2 (11)

  Setup: Active standby

  We intend to be upgraded the first start, after that, is the day before still will to resume after we force a failover him so that we can then pass the main firewall.

  Thank you very much!

  Yes, it's the process. I did it several times it it works perfectly when you follow the documented procedure.

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

• ASA active / standby after failover

  ASA 5520 tipping very well. My problem is I want the ASA elementary school to become active after returning to the line. I can't find all the commands that provide the primary unit back to active after a failure, I know I can get it back manually, but to be really dynamic. Thanks for your help.

  Jake,

  You must configure a failover pre-emption group to accomplish this kind of behavior.

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1002608

  HTH

  Rgds

  Jorge

  Any useful message rate

• ASA 5520 8.0 (4) port depending on the ACLs vpn works not

  Hi all

  I have a problem with an ASA (5520 8.0 (4)) for lack of working with a port based acl for remote clients. I have a simple acl from a single line to split traffic, if I allowed the tunnel IP works fine, if I lock it up to TCP 3389 rdp will not work. I don't see anything in the logs and debug output, I did have a problem with a similar configuration (5510 8.0 (4) and I'm at a loss to explain it.)

  Everyone knows about this problem before? I have nat exclusions etc and as I said, the tunnel only works if the acl permits all IP traffic between client and server.

  THX in advance

  Split-tunnel list cannot IP, if you want to restrict which ports are are sent via the tunnel vpn for your clients vpn, you need to use VPN filters under Group Policy:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

• Cisco ASA active / standby Mac addresses

  Hi all

  Please advise on the underside.

  Say that I have to active / standby. I have two interfaces on each firewall configured as below

  For the primary (active)

  interface GigabitEthernet1 / 0--> Say burned in mac address is 6c41.6bb0.1111
  nameif test1
  security-level 0
  10.1.1.1 IP address 255.255.255.0 ensures 10.1.1.2

  im int 2/0

  Test2 nameif--> Say burned in mac address is 6c41.6aa0.1111
  security-level 0
  10.2.1.1 IP address 255.255.255.0 ensures 10.2.1.2

  For secondary school (currently idle)

  interface GigabitEthernet1 / 0--> Say burned in mac address is 6c41.6bb0.2222
  nameif test1
  security-level 0
  10.1.1.1 IP address 255.255.255.0 ensures 10.1.1.2

  im int 2/0

  Test2 nameif--> Say burned in mac address is 6c41.6aa0.2222
  security-level 0
  10.2.1.1 IP address 255.255.255.0 ensures 10.2.1.2

  According to my understanding of the DOC.

  To transfer traffic, other devices will use the main unit mac address and IP addresses.

  Please consider under the scenario:

  My primary unit has failed and secondary took over as active unit.

  Primary (standby)

  Secondary (active)

  secondary Q1) so now will use the IP address and Mac address as below? Please confirm

  10.1.1.1 & 6c41.6bb0.1111

  10.2.1.1 & 6c41.6aa0.1111

  Q2) I believe that the ip address of the primary (Standby) in aid will be

  10.1.1.2

  10.2.1.2

  It will use what mac addresses? What is the BIA of the secondary unit? Please notify

  Thanks in advance.

  Q1 Yes), IP address and the MAC will be moving to the new active unit so no matter who the network except the switch will notice failover event

  Q2) Yes, primary (watch now) will use IP addresses and MAC addresses available for secondary:

  6C41.6bb0.2222

  6C41.6aa0.2222

  Kind regards.

• SSL VPN using ASA 5520 mode cluster - several problems

  I configured 2 ASA 5520 s in the load balancing cluster mode. I connect using anyconnect and I download the customer the first time and everything works well except outlook. I don't know why outlook does not work.

  The second problem is after the anyconnect client is installed on your machine, he remembers that ASA (say ASA2) he first connected and the GUI shows the address IP of ASA2 instead of the virtual IP address of the cluster. I want users always connect using the virtual IP address.

  The third problem I have is there is a default group of SSL VPN and I want all users to use this group. In the initial web page, there is a drop down menu which shows that this group, but I still want to disable this menu drop-down.

  Any suggestions?

  To disable the drop-down menu, you can turn it off with the command

  WebVPN

  no activation of tunnel-group-list

  This will take care of your last issue.

  ***************************

  You can create a profile of the Anyconnect client with the name of the server you want to connect with and that make the ASA that will solve your problem of virtual IP.

  **************************

  Regarding Outlook, do you use specific ports which allows inspection of the ASA. Take a look at the list of inspection on the SAA and perhaps try to disable inspection and see if it works.

  *****************************

• Failover of VPN for data/VoIP through ASA 5520 or 7204 VXR

  I would like to install a VPN failover for my remote sites using broadband 3dn/1up.  They are mainly 2800 routers.    I like options for end hub a pair of Cisco ASA active / standby and a 7204 VXR.  Voice and data will travel down the VPN failover and I intend to have QOS/Traffic shaping in place to better meet the needs for VoIP as possible.  I need to do it on about 150 sites. My questions are:

  1. What is the best why the ASA or the 7204

  2 Will VoIP packets pass through the two in the same way

  3 as far as redistributing routes can I use GRE on an ASA or should I keep all static. NH on the SAA is an L3 switch.

  4. an ASA with 100 mg of bandwithd through metro E supports 150 tunnels making VoIP and data. 1 to 3 calls per site max.

  Thank you

  J R

  To answer your questions: -.

  1. who is better for this, the ASA or the 7204 - ASA, is what is designed to do.

  2 packages VoIP Will cross both the same way - Yes

  3 as far as redistributing routes can I use GRE on an ASA or should I keep all static. NH on the SAA is an L3 switch. -l'ASA does not support GRE tunnels.

  4. an ASA with 100 mg of bandwithd through metro E supports 150 tunnels making VoIP and data. 1 to 3 calls per site max. -It depends on the model of the SAA, see the below matrix for thru-put http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

  HTH >

• ASA 5520 - SSL VPN (Anyconnect) licenses

  Hello

  Can someone clarify for me the SSL VPN/AnyConnect for the ASA 5520 license?  Specifically, the differences between the AnyConnect Essentials and AnyConnect Premium.  Our current license looks like this:

  The devices allowed for this platform:
  The maximum physical Interfaces: unlimited
  VLAN maximum: 150
  Internal hosts: unlimited
  Failover: Active/active
  VPN - A: enabled
  VPN-3DES-AES: enabled
  Security contexts: 2
  GTP/GPRS: disabled
  SSL VPN peers: 2
  Total of the VPN peers: 750
  Sharing license: disabled
  AnyConnect for Mobile: disabled
  AnyConnect Cisco VPN phone: disabled
  AnyConnect Essentials: disabled
  Assessment of Advanced endpoint: disabled
  Proxy sessions for the UC phone: 2
  Total number of Sessions of Proxy UC: 2
  Botnet traffic filter: disabled

  This platform includes an ASA 5520 VPN Plus license.

  I guess that means that we have just the 2 'free trial' SSL VPN licenses and nothing else.

  I would like to add 25 or maybe 50 SSL VPN licenses and be able to use a combination of full free client, thin client and groups client AnyConnect.  The 'ASA5500-SSL-25' (or 50) would be the correct license I need to buy?

  Thank you

  Rob

  Hello

  The essentials license is per device and does not allow full-tunnel.

  If you need other features like Secure Desktop, without client SSL and other optional features such as shared licenses, you must go to the Premium license.

  http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494_ps10884_Products_Data_Sheet.html

  Federico.

• ASA 5520 VPN licenses

  Community support,

  I want to run this question by you guys to avoid the sales of our partner CISCO and similar pitch more to the best solution that would give us what we want.

  We currently have a VPN from CISCO 3020 hub to terminate the Lan-to-Lan tunnels and have our mobile workers to connect through the client VPN CISCO (300 users-employees and contractors).

  Given that this device is coming to an end of LIFE this year, we bought a CISCO 5520 (here is the current licenses in this topic)

  Licensing seems quite complicated, so here's my question:

  -What VPN do you recommend for our users and entrepreneurs? I understand that the CISCO VPN client does not work with ASA 5500 Series devices

  Is there a license needed to deploy a VPN solution for our remote users(employees/contractors)?

  Thank you

  John

  The devices allowed for this platform:
  The maximum physical Interfaces: unlimited perpetual
  VLAN maximum: 150 perpetual
  Guests of the Interior: perpetual unlimited
  Failover: Active/active perpetual
  VPN - A: enabled perpetual
  VPN-3DES-AES: activated perpetual
  Security contexts: 2 perpetual
  GTP/GPRS: Disabled perpetual
  AnyConnect Premium peers: 2 perpetual
  AnyConnect Essentials: Disabled perpetual
  Counterparts in other VPNS: 750 perpetual
  Total VPN counterparts: 750 perpetual
  Shared license: disabled perpetual
  AnyConnect for Mobile: disabled perpetual
  AnyConnect Cisco VPN phone: disabled perpetual
  Assessment of Advanced endpoint: disabled perpetual
  Proxy UC phone sessions: 2 perpetual
  Proxy total UC sessions: 2 perpetual
  Botnet traffic filter: disabled perpetual
  Intercompany Media Engine: Disabled perpetual

  This platform includes an ASA 5520 VPN Plus license.

  Your understanding that the Cisco VPN client does not work with ASA is wrong. Maybe it's the version of Cisco VPN client that you use currently does not work with ASA. But these (and so not very new indeed) versions of VPN client work with the ASA. I installed for several clients who use the traditional IPSec VPN client with ASA ASAs and they work well.

  You are right that the granting of licenses for the SAA is complicated. Your tunnels IPSec VPN site-to-site will work on the SAA and pose much challenge in terms of licenses. But there are problems and alternative solutions to consider for remote access VPN clients. At this point, there are two major variants: you can use the classic IPSec VPN client or you can use the new AnyConnect client. From a licensing perspective there is a Hugh difference between them. It is not special license that applies to the traditional IPSec client and they are just against your license for peers Total VPN (for which you have 750 in your license). For the AnyConect there is a condition of licence. There is a premium for AnyConnect license and there are licensed AnyConnect Essentials. The Essentials license price is much lower than the premium license, but Essentials does not all the features that made the premium.

  In the immediate future, that it would sound like an easy question to answer, use the traditional IPSec VPN client for which theere is not a special permit and it is what you are used to. However Cisco has announced the dates of end of sale and end of Support for the traditional VPN client. If at some point you will need to use the AnyConnect client. I would say that if you make the change of the ASA that it might be a good choice to also adopt the AnyConnect client.

  HTH

  Rick

• ASA 5520 - VPN users have no internet.

  Hello

  We just migrated a Pix 515 and an ASA 5520 VPN concentrator.  The firewall part works fine, but we have some problem with our remote VPN.

  Everything inside network is accessible when you use VPN remote but there is no access to our perimeter network or the internet.  I don't know there's only something simple you need that I'm missing, and hoping someone can shed some light on what is needed to allow the VPN tunnel back outdoors and in our DMZ.

  The ASA is running 8.2 (2) 9 and ASDM 6.2 (1).

  See you soon,.

  Rob

  From the 172.16.68.0/24 you can PING 10.10.10.1 correct?

  The 10.10.10.0/24 you can PING 172.16.68.1 correct?

  I'm having a hard time find now how this tunnel is up since you have PFS
  activated on the SAA, but not on the PIX.

  Federico.