Migrate to multiple context mode on ASA cluster

d_p_grant · ‎06-05-2012

I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Can somebody tell me if either of these scenarios will work (or fail). I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.

Migration option #1

Log into active/primary ASA

Configure Multiple Context mode

Reboot both devices

Login to active/primary ASA

Load context licenses (forget whether another reboot is necessary)

Configure contexts as desired

Migration option #2

Login to standby/secondary ASA

Remove from failover group (will I lose my connection?)

Configure multiple context mode; reboot

Login to active/primary ASA

Configure multiple context mode; reboot

Login to primary ASA; changeto system

Configure failover (as active and primary)

Login to secondary ASA; changeto system

Configure failover (as standby and secondary)

Load context licenses on active/primary (forget whether reboot is necessary)

Configure contexts as desired

varrao · ‎06-05-2012

Don't do that without a console connection. Because teh moment you change the mode from single to multiple, the firewall would wipe your single mode configuration and you would lose the access. You would definitely need to disable failover on teh two firewalls before doing it. I would suggest you go through the active/active configuration guides before performing any thing.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao