Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
315
Views
0
Helpful
2
Replies

asa5520 in Active\Standby - Primary has dead flash

Go to solution
serotonin888
Level 1
Level 1

‎04-03-2007 11:54 AM - edited ‎03-09-2019 05:44 PM

All,

Today our primary ASA had some flash issues. The result is it that the flash is empty and you cant "wr m" or create directories anymore. Ive reloaded the device and booted an image from tftp but still no joy.

Luckily we have a second ASA acting as a standby, this is now active firewall. We also have a support call to replace either the flash or device.

I have 2 questions really.

1) I managed to take a copy of sh ver on the faulty firewall to retain the acitivation key. If they replace the flash module how do I re-enter the key? Can i re-enter the key? (i read that if you replace the flash you need a new key?)

2)As the faulty system was the primary what is the best way of recovering the configuration? Should i just copy tftp start and reload? I have a feeling that i will need manually configure failover first as this writes information into a hidden partition on flash (.private). Then once the 2 firewalls "see" each other the running config on the Active Secondary will automatically copy to the primary?

Any thoughts?

All help much appreciated

Cheers

Andy

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
David White
Cisco Employee
Cisco Employee

‎04-04-2007 07:57 PM

Hi Andy,

For #1, if you have to re-enter the activation key, you can get into config mode and issue the command:

activation-key <5-tuple>

(simple, I know). On the PIXes, the activation key was saved on the flash. I'm trying to remember on the ASAs (it's been a few years since this was designed/discussed) but I want to say that we no longer store the activation key on flash, but honestly, I can't remember.

For #2, when you get the replacement, you can tftp the config to the startup config, then power off, connect the cables and power on. That will do it. OR, you can just minimally configure failover. Which is basically adding the Failover LAN interface & IP, along with 'failover unit primary'. That will be enough for the ASA to sync the config from the peer. NOTE: This will not trigger a failover, and your Secondary unit will remain as active.

Hope it helps,

David.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
David White
Cisco Employee
Cisco Employee

‎04-04-2007 07:57 PM

Hi Andy,

For #1, if you have to re-enter the activation key, you can get into config mode and issue the command:

activation-key <5-tuple>

(simple, I know). On the PIXes, the activation key was saved on the flash. I'm trying to remember on the ASAs (it's been a few years since this was designed/discussed) but I want to say that we no longer store the activation key on flash, but honestly, I can't remember.

For #2, when you get the replacement, you can tftp the config to the startup config, then power off, connect the cables and power on. That will do it. OR, you can just minimally configure failover. Which is basically adding the Failover LAN interface & IP, along with 'failover unit primary'. That will be enough for the ASA to sync the config from the peer. NOTE: This will not trigger a failover, and your Secondary unit will remain as active.

Hope it helps,

David.

0 Helpful

Go to solution
serotonin888
Level 1
Level 1
In response to David White

‎04-04-2007 11:10 PM

Thanks David,

It looks like we will be getting a new unit. I was fortuante enough to have 2 ASA5510's that hadnt been deployed, so ive tested out the minimal failover config option and it works great.

Thanks for your help

Regards

Andy

0 Helpful
Customers Also Viewed These Support Documents