Replacing a failed ASA5505 question

Apr 20th, 2010

We have a remote site with a 5505 that builds a VPN tunnel back to our 5550.  The unit failed, and I am on vacation...  The network engineer that responded showed up with a brand new ASA5505.  He didn't have the config, so he swapped the flash from the failed unit (the unit really failed, it wasn't just the power brick) and put it in the new ASA and it booted, but didn't build a tunnel back to our 5550.

Does anyone know if there's something that needs to happen, like regenerating a certificate or something?  Is there a reason why swapping flash wouldn't bring this unit up?



Federico Coto F... Tue, 04/20/2010 - 13:16


The new unit is working fine?

Meaning... it has Internet access?

If the configuration is exactly the same as the previous ASA 5505, the tunnel should establish.

Perhaps it is not connected physically in the same way, or is not getting IP from the DHCP, or something is missing in the configuration.


tdennehy Tue, 04/20/2010 - 18:57

I was told the engineer that stepped in to help brought a brand new ASA5505 with him, opened it up, swapped the flash and brought the new one up but it did not come up and build a tunnel. Supposedly he hooked it up correctly, but I am wondering if he cabled it up the same. I was mostly concerned that something else needed to happen, like "crypto key generate" or something else that would prohibit the unit from operating. I guess it will have to wait until I return. Thanks!

Federico Coto F... Tue, 04/20/2010 - 19:08

There's no need to regenerate the RSA keys to bring an IPsec tunnel up.

You need RSA keys for other purposes like if using Digital Certificates for authentication for the VPN connection or using management SSH connections to the ASA.


