ASA 5520 replacement

Unanswered Question
Mar 5th, 2008

does anyone have experience with replacing the failed primary unit in an asa 5520 clusster? My standby unit has kicked in and i received my replacement for the primary from cisco. I want to know what the best practice is for getting it back into the network with the correct configuration?

do i need to upload it with my most recent image and then place in the network and let replicate to the secondary unit?

Not sure how to go about doing this, any advice would be appreciated

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ebreniz Tue, 03/11/2008 - 10:33

From your description I think that you are using Active/Standby failover. In this scenario when the active (master) unit goes down the standby unit takes over as the active unit and it will constantly poll to check if the master unit is available and is working fine. if the master unit is availalbe it will then transfer the control to the master unit making it once again the active unit.

Richard Burts Tue, 03/11/2008 - 10:47

Greg

I have not done it with the ASA but I have done this kind of thing with the PIX and I believe that ASA works the same. Make sure that the replacement for the primary/active ASA is running the same version of code as the existing standby. Then power down and remove the old primary. Put the replacement in place of the removed primary and cable it up. Then power up the new primary. It should learn the config from the standby. After it is running and has completed its sync with the standby you might want to fail the standby to make sure that the new unit is functioning properly as the primary/active unit.

HTH

Rick

srue Tue, 03/11/2008 - 10:52

Make sure you load the same OS and ASDM images that you have on the existing asa.

I've never had to do it, but here's how i would do it:

configure the good one still in production to be the primary:

failover lan unit primary

then bootstrap the new one and configure it as secondary:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#sec

rburts solution won't work. the asa's don't use cable based failover. you have to bootstrap the new one.

JEFF SPRADLING Fri, 07/20/2012 - 11:01

I was just preparing to replace  the primary ASA in an HA pair and could not find a solid answer to this  question.  I found that, indeed, the primary ASA started replicating  it's blank config to the secondary as soon as I connected the LAN  Failover cable.

Here's the steps to keep this from happening:

configure the primary for failover -

failover lan unit primary

failover lan interface LANFail GigabitEthernet0/2

failover replication http

failover link stateful GigabitEthernet0/3

failover interface ip LANFail 172.16.100.1 255.255.255.0 standby 172.16.100.2

failover interface ip stateful 172.16.101.1 255.255.255.0 standby 172.16.101.2    

Configure all interfaces with the primary IP (no standby needed at this point)

'no shut' on all active interfaces

no failover active         <------- (critical! Forces the primary to standby)

connect lan failover cable (the only one needed at this point)

Secondary will start replicating to primary.

Once  the replication is complete (show failover, ensure primary is "standby  ready", you can connect the remaining cables and do a 'failover active'  on the primary.

Hope this helps others...

Actions

This Discussion