ASA 5540/5520 Failover

justin putman
Level 1

Hello Experts,

Just had a quick question regarding ASA failover:  Is it possible to have an ASA pair, with the primary ASA being a 5540 and the standby device an ASA 5520 (or vice versa)?

I need to replace a set of ASA 5540s with ASA 5520s on our production network and would like to do it with little to no downtime.  My plan was to shut down the standby ASA 5540 and put in the new ASA 5520, let the new 5520 come up into Standby mode, force the primary ASA 5540 into Standby and let the new 5520 take over as the primary.  Once that is completed, shut down the ASA 5540 (which should now be in Standby mode) and replace it with another ASA 5520.  Let the second ASA 5520 come up and voilà, we should be good.

Is this possible?

Thanks,

Justin

Accepted Solution

Jon Marshall
Hall of Fame

Justin

Unfortunately no. From the ASA config guide -

Hardware Requirements

The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any).

If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.

Although it is not required, it is recommended that both units have the same amount of RAM memory installed.

Jon

4 Replies

Jon,

Thanks for the information!! I guess I have no choice but to take an outage.  Thanks again.

Justin

Hey Justin

You are right. You have to take a small downtime. In such migrations, we basically have 2 solutions, and it really depends on the complexity of the customer networks as to which solution to choose:

1) Copy and paste the exact configuration of the existing firewall to the new firewall (with the same IPs), mount the device near the existing device, just switch the cables, and troubleshoot any issues if they arise.

2) The second method is to add these firewalls in parallel to the existing firewalls (more often used in proofs of concept and phased migrations). The existing subnet should allow this (especially inside and outside), and to flip traffic, we used to just change statics on the inside switches. Again, this is only for very small networks which use static routing and have no complicated DMZ/VPN setups.

I'm sure 99% of us would take the first approach, but sometimes the 2nd one can be useful.

Hope it helps. All the best.


Raj

Raj,

Thanks for the information.  Yeah it looks like option 1 is going to be my best bet.

Justin
