ASA 5540/5520 Failover

Answered Question
Jun 9th, 2010

Hello Experts,


Just had a quick question regarding ASA failover:  Is it possible to have an ASA pair, with the primary ASA being a 5540 and the standby device an ASA 5520 (or vice versa)?


I need to replace a set of ASA 5540s with ASA 5520s on our production network and would like to do it with little to no downtime.  My plan was to shut down the standby ASA 5540 and put in the new ASA 5520, let the new 5520 come up into Standby mode, force the primary ASA 5540 into Standby and let the new 5520 take over as the primary.  Once that is completed, shut down the ASA 5540 (which should now be in Standby mode) and replace it with another ASA 5520.  Let the second ASA 5520 come up and voilà, we should be good.


Is this possible?


Thanks,

Justin

Correct Answer
Jon Marshall Wed, 06/09/2010 - 11:46
Justin


Unfortunately no. From the ASA config guide -


Hardware Requirements

The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any).

If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.

Although it is not required, it is recommended that both units have the same amount of RAM memory installed.


Jon
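
The hardware requirements quoted in the answer above can be checked before two units are paired. The following is an added example, not part of the original thread or of any Cisco tooling; the sample text is constructed and assumed to follow the layout of ASA `show version` output, and SSM comparison is left out because it needs other command output.

```python
import re

# Constructed sample text, modeled on ASA "show version" output (assumed format).
UNIT_5540 = """\
Hardware:   ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
 0: Ext: GigabitEthernet0/0  : address is 0000.0000.0001, irq 9
 1: Ext: GigabitEthernet0/1  : address is 0000.0000.0002, irq 9
"""
UNIT_5520 = """\
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
 0: Ext: GigabitEthernet0/0  : address is 0000.0000.0003, irq 9
 1: Ext: GigabitEthernet0/1  : address is 0000.0000.0004, irq 9
"""

def parse_unit(text):
    """Extract model, RAM, flash size and interface names from one unit's output."""
    hw = re.search(r"^Hardware:\s+(\S+?),\s+(\d+) MB RAM", text, re.M)
    flash = re.search(r"Compact Flash,\s*(\d+)\s*MB", text)
    if not hw or not flash:
        raise ValueError("unrecognized output: Hardware or Flash line missing")
    ifaces = re.findall(r"^\s*\d+:\s+(?:Ext|Int):\s+(\S+)", text, re.M)
    return {"model": hw.group(1), "ram_mb": int(hw.group(2)),
            "flash_mb": int(flash.group(1)), "ifaces": sorted(ifaces)}

def check_pair(a_text, b_text):
    """Return (blockers, warnings) per the hardware requirements quoted above."""
    a, b = parse_unit(a_text), parse_unit(b_text)
    blockers, warnings = [], []
    if a["model"] != b["model"]:          # must be the same model
        blockers.append(f"model mismatch: {a['model']} vs {b['model']}")
    if a["ifaces"] != b["ifaces"]:        # same number and types of interfaces
        blockers.append("interface number/types differ")
    if a["flash_mb"] != b["flash_mb"]:    # allowed, but config sync can fail
        smaller = min(a["flash_mb"], b["flash_mb"])
        warnings.append(f"flash differs: confirm the {smaller} MB unit "
                        "can hold the image and configuration files")
    if a["ram_mb"] != b["ram_mb"]:        # recommended, not required
        warnings.append(f"RAM differs: {a['ram_mb']} MB vs {b['ram_mb']} MB")
    return blockers, warnings

if __name__ == "__main__":
    for kind, items in zip(("BLOCKER", "WARNING"), check_pair(UNIT_5540, UNIT_5520)):
        for item in items:
            print(f"{kind}: {item}")
```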

justin putman Wed, 06/09/2010 - 11:54

Jon,


Thanks for the information!! I guess I have no choice but to take an outage.  Thanks again.


Justin

sachinraja Wed, 06/09/2010 - 12:01

Hey Justin


You are right. You have to take a small downtime.. In such migrations, we basically have 2 solutions and it really depends on the complexity of the customer networks as to which solution to choose from:


1) Copy + paste the exact configuration of the existing firewall to the new firewall (with same IPs), mount the device near the existing device, and just switch the cables, and troubleshoot any issues, if they arise


2) Second method is to add these firewalls parallel to the existing firewalls (more often used in proof of concepts & phased migrations).. the existing subnet should allow this (esp inside & outside), and to flip traffic, we used to just change statics on inside switches.. again, this is only for very small networks which use static routing and have no complicated DMZ/VPN setups.


I'm sure 99% of us would take the first approach, but sometimes the 2nd one can be useful..


Hope it helps.. all the best..


Raj

justin putman Wed, 06/09/2010 - 12:06

Raj,


Thanks for the information.  Yeah it looks like option 1 is going to be my best bet.


Justin
