04-03-2007 11:54 AM - edited 03-09-2019 05:44 PM
All,
Today our primary ASA had some flash issues. The result is that the flash is empty and you can't "wr m" or create directories anymore. I've reloaded the device and booted an image from tftp but still no joy.
Luckily we have a second ASA acting as a standby; this is now the active firewall. We also have a support call to replace either the flash or device.
I have 2 questions really.
1) I managed to take a copy of sh ver on the faulty firewall to retain the activation key. If they replace the flash module how do I re-enter the key? Can I re-enter the key? (I read that if you replace the flash you need a new key?)
2) As the faulty system was the primary what is the best way of recovering the configuration? Should I just copy tftp start and reload? I have a feeling that I will need to manually configure failover first as this writes information into a hidden partition on flash (.private). Then once the 2 firewalls "see" each other the running config on the Active Secondary will automatically copy to the primary?
Any thoughts?
All help much appreciated
Cheers
Andy
04-04-2007 07:57 PM
Hi Andy,
For #1, if you have to re-enter the activation key, you can get into config mode and issue the command:
activation-key <5-tuple>
(simple, I know). On the PIXes, the activation key was saved on the flash. I'm trying to remember on the ASAs (it's been a few years since this was designed/discussed) but I want to say that we no longer store the activation key on flash, but honestly, I can't remember.
For #2, when you get the replacement, you can tftp the config to the startup config, then power off, connect the cables and power on. That will do it. OR, you can just minimally configure failover. Which is basically adding the Failover LAN interface & IP, along with 'failover unit primary'. That will be enough for the ASA to sync the config from the peer. NOTE: This will not trigger a failover, and your Secondary unit will remain as active.
Hope it helps,
David.
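The minimal failover configuration described in the answer above, written out as an added example (not part of the original posts). The link name FOLINK, the interface Ethernet0/3 and the 192.0.2.x addresses are assumed placeholders; use the values already configured on the active unit.

```text
! Constructed example for the replacement (primary) unit; all names and addresses are placeholders.
! Bring up the physical port used for the failover link.
interface Ethernet0/3
 no shutdown
!
! Set the unit role and define the failover link exactly as on the active peer.
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Only if the active unit uses a failover key: enter the same shared key here.
! failover key <shared-key>
!
! Enable failover, then confirm this unit came up as standby and the config replicated.
failover
show failover
```

Once `show failover` reports the peer as active and this unit as standby, save the configuration from the active unit (`write memory`) so it is also written to the replacement unit's flash.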
04-04-2007 11:10 PM
Thanks David,
It looks like we will be getting a new unit. I was fortunate enough to have 2 ASA5510's that hadn't been deployed, so I've tested out the minimal failover config option and it works great.
Thanks for your help
Regards
Andy