ASA FAILOVER PAIR HW REPLACEMENT

Unanswered Question
May 23rd, 2010

Hi all,


We have a pair of ASAs and the standby has to be replaced. I have not found many documents about the replacement process, so I have some questions:

1- The failover configuration in the primary device is:

     failover
     failover lan unit primary
     failover lan interface FAILOVER Management0/0
     failover key *****
     failover link FAILOVER Management0/0
     failover interface ip FAILOVER X.X.X.1 255.255.255.252 standby X.X.X.2

     I think that the configuration in the RMA ASA should be:

     failover lan unit secondary
     failover lan interface FAILOVER Management0/0
     failover key *****
     failover link FAILOVER Management0/0
     failover interface ip FAILOVER X.X.X.1 255.255.255.252 standby X.X.X.2

     failover

     The only problem is that we do not have the failover key and I only see it encrypted. Is there a way to see the failover key in plain text, or do I need to generate a new key?

2- The second issue is about the licenses. The broken ASA has a license activated on it with its corresponding activation key. As I understand it, these activation keys are tied to the chassis S/N, and I think that the new ASA will not accept the activation key of the broken one. What do I have to do to have the new ASA activated with the same license that the broken one has?

3 - Lastly, the ASA cluster has an ASA-SSM card installed on each ASA. When I replace the broken one with the new ASA, is just removing the SSM card from the broken ASA and installing it in the new one all that is necessary? Or do I have to do something else?

Thank you very much,

Jennifer Halim Sun, 05/23/2010 - 04:32

1. You can get the failover key by issuing the following:

more system:running-config | i failover

2. Once you receive the RMA ASA, you will need to send an email to [email protected], provide the show version output from the failed ASA, and request an activation key for the RMA ASA (provide the serial# of the RMA ASA too).

3. Yes, once you receive the RMA ASA, please move the SSM card from the failed ASA to the RMA ASA.

Hope that confirms everything.

lcuchisanmillan Tue, 05/25/2010 - 12:32

Hello halijen,

Thank you for your response.

Before changing the failed ASA, we tried to load an image in ROMMON via tftp. We were lucky and we were able to load it, but all the configuration and activation keys were lost.

We tried to do a dir all:, but disk0:, where all the images were supposed to be, did not appear, so we think that the memory is corrupted and we are going to replace it with a new one.

     ciscoasa# dir all

     Directory of system:/

     1      ----  0           00:00:00 Jan 01 1970  running-config

     No space information available

The thing is that I tried to configure and enable the failover in the "broken ASA" and I was not able to because of the licenses:

     ciscoasa# Mate's license (Failover Enabled) is not compatible with my license (Failover Disabled). Failover will be disabled.
     Mate's license (VPN-DES Enabled) is not compatible with my license (VPN-DES Disabled). Failover will be disabled.
     Mate's license (VPN-3DES-AES Enabled) is not compatible with my license (VPN-3DES-AES Disabled). Failover will be disabled.
     Mate's license (2 Contexts) is not compatible with my license (0 Contexts). Failover will be disabled.

     ciscoasa# sh ver

     Cisco Adaptive Security Appliance Software Version 7.2(2)

     Compiled on Wed 22-Nov-06 14:16 by builders
     System image file is "tftp://1.1.1.9/asa722-k8.bin"
     Config file at boot was "startup-config"
     .......

     Licensed features for this platform:
     Maximum Physical Interfaces : Unlimited
     Maximum VLANs               : 150
     Inside Hosts                : Unlimited
     Failover                    : Active/Active
     VPN-DES                     : Enabled
     VPN-3DES-AES                : Disabled
     Security Contexts           : 2
     GTP/GPRS                    : Disabled
     VPN Peers                   : 750
     WebVPN Peers                : 2

     This platform has an ASA 5520 VPN Plus license.

     Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
     Configuration register is 0x1

Are these logs only because the VPN Plus license is not activated with the activation key, or do I have to activate anything else?

I would like to know if I would have the same problems with the new ASA. Here is a sh ver of the primary ASA that is working fine:

     Licensed features for this platform:
     Maximum Physical Interfaces : Unlimited
     Maximum VLANs               : 150
     Inside Hosts                : Unlimited
     Failover                    : Active/Active
     VPN-DES                     : Enabled
     VPN-3DES-AES                : Enabled
     Security Contexts           : 2
     GTP/GPRS                    : Disabled
     VPN Peers                   : 750
     WebVPN Peers                : 2

     This platform has an ASA 5520 VPN Plus license.

Thank you,

Panos Kampanakis Tue, 05/25/2010 - 14:40

It seems the RMAed ASA does not have a 3DES license.

Please make sure you call in and ask that the old 3DES license of the old unit is rehosted to the RMAed ASA.

I hope it helps.

PK
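As an added illustration of the license compatibility check behind the "Mate's license (...) is not compatible with my license (...)" messages quoted above and Panos's 3DES diagnosis, here is a small Python script that is not from the thread or from Cisco: it parses the "Licensed features" table of two show version outputs and reports every feature whose value differs, so the comparison can be made on a new unit before failover is enabled. The two sample outputs are constructed from the values quoted in the thread.

```python
import re

# Constructed sample: the primary unit's "Licensed features" block as posted in the thread.
PRIMARY_SHOW_VER = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 150
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 750
WebVPN Peers                : 2

This platform has an ASA 5520 VPN Plus license.
"""
# Constructed sample: the RMA unit, which differs only in the VPN-3DES-AES feature.
RMA_SHOW_VER = re.sub(r"(VPN-3DES-AES\s*: )Enabled", r"\1Disabled", PRIMARY_SHOW_VER)

# One "Feature name : value" row of the licensed-features table.
FEATURE_RE = re.compile(r"^(?P<name>[A-Za-z0-9/ -]+?)\s*:\s*(?P<value>\S.*?)\s*$")


def parse_licensed_features(show_version):
    """Return {feature: value} for the table after 'Licensed features for this platform:'."""
    features, in_block = {}, False
    for line in show_version.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        m = FEATURE_RE.match(line.strip()) if in_block else None
        if m:
            features[m.group("name").strip()] = m.group("value")
        elif features:  # a blank line or the summary sentence ends the table
            break
    return features


def license_mismatches(mine, mate):
    """Features whose values differ, worded like the ASA's own failover messages."""
    my_feat, mate_feat = parse_licensed_features(mine), parse_licensed_features(mate)
    msgs = []
    for name in sorted(set(my_feat) | set(mate_feat)):
        a, b = mate_feat.get(name, "missing"), my_feat.get(name, "missing")
        if a != b:
            msgs.append(f"Mate's license ({name} {a}) is not compatible "
                        f"with my license ({name} {b})")
    return msgs
```

Calling license_mismatches(RMA_SHOW_VER, PRIMARY_SHOW_VER) from the RMA unit's point of view yields the single VPN-3DES-AES mismatch that Panos points out; an empty list means the two units' licensed features agree.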
