ASA 5520 active/standby does not sync AnyConnect profiles
I'm working on two ASA 5520s in an active/standby configuration. I have almost everything identical between the two units for AnyConnect to work, except for the following:
AnyConnect Client profiles
AnyConnect Client software
If I download the software manually to the standby unit I get a warning that they are not synchronized, and on the active unit if I do a 'write standby' it does not copy the profile or the software. Does anyone have any ideas on this?
Thank you
Dan
Hello
Bug CSCsr31403
When you configure the ASA in a failover pair, you must manually copy the AnyConnect and CSD images to both the primary and the secondary ASA. You must also do the same for the AnyConnect profile file if you use one.
Either force the standby ASA to become active and copy the files to the newly active ASA using ASDM, or copy the files directly from the standby ASA's console using tftp or ftp.
Kind regards
Please rate helpful posts
Julio
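The procedure in the answer above, as an added example that is not part of the original thread: the files on flash never replicate, only the configuration lines that reference them do, so the images and the profile have to be staged on both units before the `webvpn` configuration is written. The TFTP server address, file names and group policy name are assumptions for the example; `failover exec mate` runs a command on the peer unit from the active unit's console (on releases before 8.4 the `anyconnect image`/`anyconnect profiles` keywords are `svc image`/`svc profiles`).

```cisco
! Run on the ACTIVE unit. TFTP host, file names and policy names are assumed.
copy /noconfirm tftp://10.0.0.50/anyconnect-win-3.1.05152-k9.pkg disk0:/anyconnect-win-3.1.05152-k9.pkg
copy /noconfirm tftp://10.0.0.50/corp-profile.xml disk0:/corp-profile.xml
! Push the same files to the standby unit: 'failover exec mate' runs the copy there.
failover exec mate copy /noconfirm tftp://10.0.0.50/anyconnect-win-3.1.05152-k9.pkg disk0:/anyconnect-win-3.1.05152-k9.pkg
failover exec mate copy /noconfirm tftp://10.0.0.50/corp-profile.xml disk0:/corp-profile.xml
! Check that both flashes now hold the same file names and sizes.
dir disk0:/
failover exec mate dir disk0:/
! Only the configuration that REFERENCES the files replicates to the standby.
configure terminal
 webvpn
  anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
  anyconnect profiles corp disk0:/corp-profile.xml
  anyconnect enable
 group-policy GP-CORP attributes
  webvpn
   anyconnect profiles value corp type user
 write memory
! Prove the standby can serve clients: swap roles and connect with AnyConnect,
! then swap back. 'show failover' confirms the state on both sides.
no failover active
show failover
failover active
```

Copying the files before committing the `webvpn` lines matters: if the configuration references an image the standby does not have, the standby logs the missing file and a failover at that moment leaves clients without a package to download.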
Tags: Cisco Security
Similar Questions
-
ASA 5520 to 5510 VPN is not creating the IPsec Security Association
I have an L2L IPsec tunnel built between a 5520 and a 5510. I'm sure I configured everything I need, but when I do a 'show crypto ipsec sa' there is nothing. I don't know whether the firewalls in between are open to allow the connections as well. Also, whenever I set up part of the crypto map with a command such as: crypto map outside_map 10 set peer 6.7.0.13, it comes back with this error
[IKEv1]: Ignoring msg to mark SA with dpd dead
Any ideas?
Hello
Could you please paste the output of the command "show run crypto" from both ASAs. Also, what do you see when you run "show crypto isakmp sa"?
Also, if your crypto ACL for the tunnel has something like "access-list ACL extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp",
change the ACL to ip, that is "access-list ACL extended permit ip host 192.168.11.11 host 10.1.100.105". Let me know if that helps.
Thank you
Delvallée
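An L2L configuration of the kind the answer above is asking to see, as an added example that is not from the thread, using the 8.0-era syntax of the ASAs being discussed. Networks, interface names, policy numbers and the pre-shared key placeholder are assumptions; the peer address 6.7.0.13 is the one from the question. The crypto ACL is a pure `permit ip` proxy identity, and the remote side must carry its exact mirror image or phase 2 will never complete.

```cisco
! Assumed: local LAN 192.168.11.0/24 behind 'inside', remote LAN 10.1.100.0/24,
! remote peer 6.7.0.13, tunnel terminated on 'outside'. Syntax for ASA 8.0-8.2.
! Crypto ACL = proxy identity. Use 'permit ip'; a port or protocol here will not
! match the other side's identity and the phase 2 SA will not be built.
access-list L2L-TO-5510 extended permit ip 192.168.11.0 255.255.255.0 10.1.100.0 255.255.255.0
! Keep tunneled traffic out of NAT (8.3+ expresses this as a twice NAT rule instead).
access-list NONAT extended permit ip 192.168.11.0 255.255.255.0 10.1.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Phase 1 (IKEv1). Avoid DES/MD5; the peer must offer a matching policy.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
tunnel-group 6.7.0.13 type ipsec-l2l
tunnel-group 6.7.0.13 ipsec-attributes
 pre-shared-key <strong-psk>
! Phase 2: transform set, peer and ACL bound in one crypto map entry.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2L-TO-5510
crypto map outside_map 10 set peer 6.7.0.13
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
! The three checks: config, phase 1 state (look for MM_ACTIVE / QM_IDLE),
! then phase 2 SAs with encaps/decaps counters. No IKE SA means the issue is
! reachability or phase 1 mismatch, not the crypto map.
show run crypto
show crypto isakmp sa
show crypto ipsec sa peer 6.7.0.13
```

If `show crypto isakmp sa` stays empty while the tunnel is being triggered by interesting traffic, confirm UDP/500 and ESP (or UDP/4500 with NAT-T) are open on any firewall between the peers before touching the phase 2 configuration.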
-
ASA 5520 active/standby and SSL VPN load balancing
I have a pair of ASA 5520s running active/standby failover. Can I use these two machines in an SSL VPN load-balancing cluster?
No. When an active/standby pair is part of a VPN cluster, the standby unit still stays idle; it will not actively terminate user sessions. Only the active cluster members (and non-failover units) will.
-
Cisco ASA CX active/standby
Hello friends
One of my clients has a pair of ASA 5545s working quite well in active/standby failover. But the configuration that is not copied to the secondary unit is the CX. Do you know how to get that done? Please don't hesitate to request further information; any comment or document will be appreciated.
Kind regards!
The CX configurations are not part of the ASA active/standby replication.
The way to synchronize the CX configurations is to use PRSM (Prime Security Manager, a separately licensed product, not the one bundled with the CX) running on a virtual machine in multiple-device mode.
Once you pair the CX modules with an "off-box" PRSM, all configuration changes are deployed to both members of the pair.
-
Cisco ASA 8.4 active/standby failover with AnyConnect local CA
Hi friends
I hope you are doing well! I've got a question and hope you can help me. I've got an ASA 5550 running version 8.4(6) that terminates AnyConnect remote access VPN users who authenticate with certificates generated locally on the ASA. We've got another 5550 with the same hardware and the same version, and we are working on the failover configuration. I've heard from other network engineers that failover may not be configurable when the ASA is running a local CA. I then read the full failover section of the 8.4(6) configuration guide and didn't find any restriction on failover and the local CA working together. I'll be testing over the next weekend, but I would like to know from your experience whether I'll run into problems with VPN connections or the failover configuration.
Please, do not hesitate to ask as much as necessary information. All comment and documentation will be appreciated.
Best regards!
It's in the documentation:
Does not support Active/Active or Active/Standby failover
And on top of that, ASDM shows that "Local CA cannot be configured when failover is activated".
-
ASA (active/standby) site-to-site VPN question
Hello
I had the question as below
Site A - 1 Netscreen VPN firewall unit
Site B - 2 ASA VPN firewall units
I'm trying to set up a site-to-site VPN, but have a problem with the active/standby configuration.
Initially, I tried Site A with 1 Netscreen unit and Site B with 1 ASA unit for the site-to-site VPN. There was no problem.
But after adding another ASA at site B and configuring it as active/standby, I ran into a few questions that I need help with here.
Things that confuse me:
(1) Do I need to use 2 public IP addresses on the ASA? (One public IP for the active and another public IP for the standby. It seems like a waste of public IP addresses.)
(2) Can the failover link and the stateful failover link be configured on the same interface?
Please help with this case, configuring a site-to-site VPN with an active/standby configuration.
Just to add to this,
just be careful when you dedicate an interface for stateful failover: make sure that it has the highest capacity, or at least the same capacity, as the interface passing traffic.
So if you use a gigabit interface for passing traffic, use a gigabit port for stateful failover. Several times we have seen people using the management interface for stateful failover when they have gigabit ports, and they run into issues where the stateful function does not work as expected.
You can read more here
https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1051759
-
Procedure to upgrade an (active/standby) ASA
Hi all
I just want to check that our scheduled ASA upgrade will cause no problems during the procedure.
Hardware: ASA5525-X
Existing IOS: 9.1.2
Upgrade to: 9.4.2(11)
Setup: active/standby
We intend to upgrade the standby first; after that, once the standby is back up, we force a failover to it so that we can then upgrade the main firewall.
Thank you very much!
Yes, that's the process. I've done it several times and it works perfectly when you follow the documented procedure.
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
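The sequence described in the question, written out as an added example that is not from the thread or from the linked Cisco document. Image and ASDM file names and the TFTP server are assumptions; the version numbers are the ones in the question. Flash contents do not replicate between units, so the images are staged on both, while the `boot system` line is configuration and replicates on `write memory`.

```cisco
! Assumed file names for 9.4(2)11 and a matching ASDM; TFTP server 10.0.0.50.
! Step 1 (on the active unit): stage the image and ASDM on BOTH flashes and verify them.
copy /noconfirm tftp://10.0.0.50/asa942-11-smp-k8.bin disk0:/asa942-11-smp-k8.bin
copy /noconfirm tftp://10.0.0.50/asdm-742.bin disk0:/asdm-742.bin
failover exec mate copy /noconfirm tftp://10.0.0.50/asa942-11-smp-k8.bin disk0:/asa942-11-smp-k8.bin
failover exec mate copy /noconfirm tftp://10.0.0.50/asdm-742.bin disk0:/asdm-742.bin
verify disk0:/asa942-11-smp-k8.bin
failover exec mate verify disk0:/asa942-11-smp-k8.bin
! Step 2: point the boot variable at the new image. This replicates to the standby.
configure terminal
 no boot system disk0:/asa912-smp-k8.bin
 boot system disk0:/asa942-11-smp-k8.bin
 asdm image disk0:/asdm-742.bin
 write memory
! Step 3: reload the standby and wait until it reports 'Standby Ready' on the new version.
failover reload-standby
show failover
! Step 4: hand the active role to the upgraded standby (stateful failover keeps sessions).
no failover active
! Step 5: this unit is now standby; reload it so it boots the new image.
reload
! Step 6 (after it returns as 'Standby Ready'): give the primary its active role back.
failover active
show failover
show version | include Software Version
```

Between steps 4 and 5 the pair runs two different releases and `show failover` reports a version mismatch; that is expected during a hitless upgrade, but only between releases Cisco lists as compatible for it, so check the upgrade path in the release notes before starting.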
-
ASA active/standby after failover
ASA 5520 failover works very well. My problem is that I want the primary ASA to become active again after coming back online. I can't find any command that returns the primary unit to active after a failure. I know I can do it manually, but I'd like it to be truly dynamic. Thanks for your help.
Jake,
You must configure a failover group with preemption to accomplish this kind of behavior.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1002608
HTH
Rgds
Jorge
Please rate helpful posts
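What the failover-group preemption in the answer above looks like, as an added example that is not from the thread. Failover groups, and therefore `preempt`, exist only in Active/Active failover, which requires multiple context mode; in single-context Active/Standby the returned primary stays standby until an administrator moves the role by hand, which is the manual step the question mentions. Context names and the delay value are assumptions.

```cisco
! Active/Active (multiple context mode). Each failover group has a preferred unit and
! an optional preempt delay; the preferred unit re-takes the group that long after it returns.
failover group 1
 primary
 preempt delay 60
failover group 2
 secondary
 preempt delay 60
! Contexts are assigned to a group; the group's owner is the unit active for that context.
context CTX-A
 join-failover-group 1
context CTX-B
 join-failover-group 2
! Single context Active/Standby has no preempt. To return the primary to active, either run
! this on the primary (now standby) ...
failover active
! ... or this on the secondary (currently active). Both trigger a normal, stateful switchover.
no failover active
! Check which unit holds which role (and, in Active/Active, which group).
show failover | include This host|Other host
```

A note on the failure mode: with a short `preempt delay` and a flapping primary (bad power supply, faulty link), the pair switches back and forth on every flap; choose a delay long enough to cover the primary's own recovery time.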
-
ASA 5520 8.0(4) port-based ACL VPN does not work
Hi all
I have a problem with an ASA (5520 8.0(4)) that isn't working with a port-based ACL for remote clients. I have a simple single-line ACL to split traffic; if I permit IP the tunnel works fine, but if I lock it down to TCP 3389, RDP will not work. I don't see anything in the logs and debug output, and I didn't have a problem with a similar configuration (5510 8.0(4)), so I'm at a loss to explain it.
Has anyone seen this problem before? I have NAT exemptions etc. and, as I said, the tunnel only works if the ACL permits all IP traffic between client and server.
THX in advance
A split-tunnel list can only be IP-based; if you want to restrict which ports are sent through the VPN tunnel for your VPN clients, you need to use VPN filters under the group policy:
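The two pieces the answer above distinguishes, as an added example that is not from the thread: the split-tunnel list is a standard ACL that only decides which destinations the client routes into the tunnel, and the `vpn-filter` is an extended ACL that decides what is allowed once traffic is inside it. The pool, server address, policy and tunnel-group names are assumptions, as is the address ordering, which follows the vpn-filter convention of writing the remote client as the source and the inside resource as the destination (the ASA matches the return direction itself); confirm it with the hit counts before relying on it.

```cisco
! Assumed: VPN pool 10.10.10.0/24, RDP server 10.1.100.105, group policy GP-RA, tunnel group RA-TG.
! Split tunnel list: STANDARD ACL, networks only. Ports are not meaningful here.
access-list SPLIT-TUNNEL standard permit 10.1.100.0 255.255.255.0
! VPN filter: EXTENDED ACL. Source = VPN client address, destination = inside host and port
! (assumed ordering per the vpn-filter convention). Explicit deny so drops show up in hit counts.
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 10.1.100.105 eq 3389
access-list RA-VPN-FILTER extended deny ip any any
ip local pool RA-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy GP-RA internal
group-policy GP-RA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value RA-VPN-FILTER
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy GP-RA
! Checks: hit counts tell you whether RDP matched the permit or fell into the deny,
! and the session detail shows which filter the connected user actually received.
show access-list RA-VPN-FILTER
show vpn-sessiondb detail remote
```

Two practical caveats: a `vpn-filter` also governs traffic the inside network initiates toward the client (the ASA evaluates the ACL with the addresses swapped), and, because the filter ends in an implicit deny like any ACL, anything not listed, including DNS to an inside resolver, is silently dropped unless you permit it.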
-
Cisco ASA active/standby MAC addresses
Hi all
Please advise on the below.
Say I have active/standby. I have two interfaces on each firewall configured as below.
For the primary (active):
interface GigabitEthernet1/0    --> say the burned-in MAC address is 6c41.6bb0.1111
 nameif test1
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface GigabitEthernet2/0    --> say the burned-in MAC address is 6c41.6aa0.1111
 nameif test2
 security-level 0
 ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2
For the secondary (currently standby):
interface GigabitEthernet1/0    --> say the burned-in MAC address is 6c41.6bb0.2222
 nameif test1
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface GigabitEthernet2/0    --> say the burned-in MAC address is 6c41.6aa0.2222
 nameif test2
 security-level 0
 ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2
According to my understanding of the doc:
For forwarding traffic, other devices will use the primary unit's MAC addresses and IP addresses.
Please consider the scenario below:
My primary unit has failed and the secondary took over as the active unit.
Primary (standby)
Secondary (active)
Q1) So now the secondary will use the IP addresses and MAC addresses as below? Please confirm
10.1.1.1 & 6c41.6bb0.1111
10.2.1.1 & 6c41.6aa0.1111
Q2) I believe that the standby IP addresses on the primary (now standby) will be
10.1.1.2
10.2.1.2
Which MAC addresses will it use? Will it be the BIA of the secondary unit? Please advise.
Thanks in advance.
Q1) Yes, the IP addresses and the MACs move to the new active unit, so nobody on the network except the switch will notice the failover event.
Q2) Yes, the primary (now standby) will use the standby IP addresses and the MAC addresses of the secondary:
6c41.6bb0.2222
6c41.6aa0.2222
Kind regards.
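A complete single-context failover bootstrap, as an added example that is not from the thread, serving both this MAC question and the earlier site-to-site question about standby addresses and sharing one interface for the failover and stateful links. The failover interface, its addresses and the key placeholder are assumptions; the data interfaces and MACs reuse the values from the post above. The `failover mac address` lines cover the case the Q&A above does not: if the secondary ever boots while the primary is off, it becomes active on its own burned-in MACs, and when the primary returns the active MAC changes again, so neighbours have to re-ARP twice. Pinning virtual MACs makes the pair present the same addresses whichever unit is active and whatever order they booted in.

```cisco
! Primary unit, single context Active/Standby. One link (Gi0/3, assumed, same speed as the
! data interfaces) carries both the failover control link and the stateful link.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key <shared-failover-key>
! Each data interface carries an active and a standby address. A VPN peer only ever
! talks to the active address; the standby address is used for health checks and
! management of the idle unit, so it does not need to be reachable from the peer.
interface GigabitEthernet1/0
 nameif test1
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface GigabitEthernet2/0
 nameif test2
 security-level 0
 ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2
! Virtual MACs: <interface> <active MAC> <standby MAC>. Using the post's BIAs so that the
! active side always answers on ...1111 and the standby on ...2222, regardless of boot order.
failover mac address GigabitEthernet1/0 6c41.6bb0.1111 6c41.6bb0.2222
failover mac address GigabitEthernet2/0 6c41.6aa0.1111 6c41.6aa0.2222
failover
! Secondary unit: only the bootstrap below is typed by hand; everything else replicates
! from the active unit once the pair forms.
!   failover lan unit secondary
!   failover lan interface FOLINK GigabitEthernet0/3
!   failover link FOLINK GigabitEthernet0/3
!   failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
!   failover key <shared-failover-key>
!   failover
! Checks: role of each unit, and the MAC the active unit presents on each data interface.
show failover
show interface GigabitEthernet1/0 | include MAC
```

The `failover key` is not optional in practice: without it the failover and state replication traffic, which includes the running configuration and connection table, crosses the link in clear, so the link should be a dedicated cable or VLAN and the key configured on both units before `failover` is enabled.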
-
SSL VPN using ASA 5520 cluster mode - several problems
I configured 2 ASA 5520s in load-balancing cluster mode. I connect using AnyConnect and download the client the first time, and everything works well except Outlook. I don't know why Outlook does not work.
The second problem is that after the AnyConnect client is installed on a machine, it remembers the ASA (say ASA2) it first connected to, and the GUI shows the IP address of ASA2 instead of the virtual IP address of the cluster. I want users to always connect using the virtual IP address.
The third problem I have is that there is a default SSL VPN group and I want all users to use this group. On the initial web page there is a drop-down menu which shows this group, and I want to disable this drop-down menu.
Any suggestions?
To disable the drop-down menu, you can turn it off with the command
webvpn
 no tunnel-group-list enable
This will take care of your last issue.
***************************
You can create an AnyConnect client profile with the name of the server you want them to connect to and have the ASA push it; that will solve your virtual IP problem.
**************************
Regarding Outlook, do you use specific ports that the ASA inspects? Take a look at the inspection list on the ASA and perhaps try disabling inspection to see if it works.
*****************************
-
VPN failover for data/VoIP through ASA 5520 or 7204 VXR
I would like to set up VPN failover for my remote sites using 3 down/1 up broadband. They are mainly 2800 routers. My options for the hub end are a pair of Cisco ASAs in active/standby or a 7204 VXR. Voice and data will travel over the failover VPN, and I intend to have QoS/traffic shaping in place to meet the needs of VoIP as well as possible. I need to do this for about 150 sites. My questions are:
1. Which is better, the ASA or the 7204?
2. Will VoIP packets pass through both in the same way?
3. As far as redistributing routes, can I use GRE on an ASA or should I keep everything static? The next hop on the ASA is an L3 switch.
4. Can an ASA with 100 Mb of bandwidth over Metro E support 150 tunnels carrying VoIP and data? 1 to 3 calls per site max.
Thank you
J R
To answer your questions:
1. Which is better for this, the ASA or the 7204 - the ASA, it is what it is designed to do.
2. Will VoIP packets pass through both the same way - Yes
3. As far as redistributing routes, can I use GRE on an ASA or should I keep everything static? The next hop on the ASA is an L3 switch. - The ASA does not support GRE tunnels.
4. Can an ASA with 100 Mb of bandwidth over Metro E support 150 tunnels carrying VoIP and data? 1 to 3 calls per site max. - It depends on the ASA model; see the matrix below for throughput: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH
-
ASA 5520 - SSL VPN (AnyConnect) licenses
Hello
Can someone clarify the SSL VPN/AnyConnect licensing for the ASA 5520 for me? Specifically, the differences between AnyConnect Essentials and AnyConnect Premium. Our current license looks like this:
Licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 150
Inside Hosts: Unlimited
Failover: Active/Active
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Security Contexts: 2
GTP/GPRS: Disabled
SSL VPN Peers: 2
Total VPN Peers: 750
Shared License: Disabled
AnyConnect for Mobile: Disabled
AnyConnect for Cisco VPN Phone: Disabled
AnyConnect Essentials: Disabled
Advanced Endpoint Assessment: Disabled
UC Phone Proxy Sessions: 2
Total UC Proxy Sessions: 2
Botnet Traffic Filter: Disabled
This platform has an ASA 5520 VPN Plus license.
I guess that means we just have the 2 'free trial' SSL VPN licenses and nothing else.
I would like to add 25 or maybe 50 SSL VPN licenses and be able to use a combination of full-client, thin-client and clientless AnyConnect groups. Would the 'ASA5500-SSL-25' (or 50) be the correct license I need to buy?
Thank you
Rob
Hello
The Essentials license is per device and does not allow full-tunnel.
If you need other features like Secure Desktop, clientless SSL and other optional features such as shared licensing, you must go to the Premium license.
Federico.
-
Community support,
I want to run this question by you guys to get past our CISCO partner's sales pitch and the like, and get to the best solution that gives us what we want.
We currently have a CISCO VPN 3020 concentrator to terminate LAN-to-LAN tunnels and to let our mobile workers connect through the CISCO VPN client (300 users: employees and contractors).
Given that this device is reaching end of life this year, we bought a CISCO 5520 (here are the current licenses on this box)
Licensing seems quite complicated, so here's my question:
- What VPN do you recommend for our users and contractors? I understand that the CISCO VPN client does not work with ASA 5500 Series devices.
Is there a license needed to deploy a VPN solution for our remote users (employees/contractors)?
Thank you
John
Licensed features for this platform:
Maximum Physical Interfaces: Unlimited perpetual
Maximum VLANs: 150 perpetual
Inside Hosts: Unlimited perpetual
Failover: Active/Active perpetual
VPN-DES: Enabled perpetual
VPN-3DES-AES: Enabled perpetual
Security Contexts: 2 perpetual
GTP/GPRS: Disabled perpetual
AnyConnect Premium Peers: 2 perpetual
AnyConnect Essentials: Disabled perpetual
Other VPN Peers: 750 perpetual
Total VPN Peers: 750 perpetual
Shared License: Disabled perpetual
AnyConnect for Mobile: Disabled perpetual
AnyConnect for Cisco VPN Phone: Disabled perpetual
Advanced Endpoint Assessment: Disabled perpetual
UC Phone Proxy Sessions: 2 perpetual
Total UC Proxy Sessions: 2 perpetual
Botnet Traffic Filter: Disabled perpetual
Intercompany Media Engine: Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Your understanding that the Cisco VPN client does not work with the ASA is wrong. Maybe the version of the Cisco VPN client that you currently use does not work with the ASA, but recent (and indeed not very new) versions of the VPN client do work with the ASA. I have installed ASAs for several customers who use the traditional IPsec VPN client with the ASA, and they work well.
You are right that licensing for the ASA is complicated. Your site-to-site IPsec VPN tunnels will work on the ASA and pose little challenge in terms of licenses. But there are issues and alternatives to consider for remote access VPN clients. At this point there are two major variants: you can use the classic IPsec VPN client or you can use the newer AnyConnect client. From a licensing perspective there is a huge difference between them. There is no special license that applies to the traditional IPsec client; those users just count against your Total VPN Peers license (for which you have 750 in your license). For AnyConnect there is a license requirement. There is an AnyConnect Premium license and there is an AnyConnect Essentials license. The Essentials license price is much lower than the Premium license, but Essentials does not have all the features that Premium has.
In the immediate term it sounds like an easy question to answer: use the traditional IPsec VPN client, for which there is no special license and which is what you are used to. However, Cisco has announced end-of-sale and end-of-support dates for the traditional VPN client, so at some point you will need to use the AnyConnect client. I would say that if you are making the change to the ASA, it might be a good choice to also adopt the AnyConnect client.
HTH
Rick
-
ASA 5520 - VPN users have no internet
Hello
We just migrated from a PIX 515 and a VPN concentrator to an ASA 5520. The firewall part works fine, but we have a problem with our remote VPN.
Everything on the inside network is accessible when using the remote VPN, but there is no access to our perimeter network or the internet. I'm sure there's just something simple I'm missing, and hoping someone can shed some light on what is needed to allow the VPN tunnel back out to the outside and into our DMZ.
The ASA is running 8.2(2)9 and ASDM 6.2(1).
Cheers,
Rob
From 172.16.68.0/24 you can ping 10.10.10.1, correct?
From 10.10.10.0/24 you can ping 172.16.68.1, correct?
I'm having a hard time figuring out how this tunnel is up, since you have PFS
enabled on the ASA but not on the PIX.
Federico.