Cisco Support Community

ASA 5520 replacement

Does anyone have experience with replacing the failed primary unit in an ASA 5520 cluster? My standby unit has kicked in and I received my replacement for the primary from Cisco. I want to know what the best practice is for getting it back into the network with the correct configuration.

Do I need to upload it with my most recent image and then place it in the network and let it replicate to the secondary unit?

Not sure how to go about doing this; any advice would be appreciated.


Re: ASA 5520 replacement

From your description I think that you are using Active/Standby failover. In this scenario, when the active (master) unit goes down, the standby unit takes over as the active unit and it will constantly poll to check if the master unit is available and is working fine. If the master unit is available, it will then transfer the control to the master unit, making it once again the active unit.


Re: ASA 5520 replacement


I have not done it with the ASA but I have done this kind of thing with the PIX and I believe that ASA works the same. Make sure that the replacement for the primary/active ASA is running the same version of code as the existing standby. Then power down and remove the old primary. Put the replacement in place of the removed primary and cable it up. Then power up the new primary. It should learn the config from the standby. After it is running and has completed its sync with the standby you might want to fail the standby to make sure that the new unit is functioning properly as the primary/active unit.




Re: ASA 5520 replacement

Make sure you load the same OS and ASDM images that you have on the existing ASA.

I've never had to do it, but here's how I would do it:

Configure the good one still in production to be the primary:

failover lan unit primary

Then bootstrap the new one and configure it as secondary:

rburts' solution won't work. The ASAs don't use cable-based failover. You have to bootstrap the new one.


Re: ASA 5520 replacement

I was just preparing to replace the primary ASA in an HA pair and could not find a solid answer to this question. I found that, indeed, the primary ASA started replicating its blank config to the secondary as soon as I connected the LAN Failover cable.

Here are the steps to keep this from happening:

configure the primary for failover -

failover lan unit primary

failover lan interface LANFail GigabitEthernet0/2

failover replication http

failover link stateful GigabitEthernet0/3

failover interface ip LANFail standby

failover interface ip stateful standby    

Configure all interfaces with the primary IP (no standby needed at this point)

'no shut' on all active interfaces

no failover active         <------- (critical! Forces the primary to standby)

connect lan failover cable (the only one needed at this point)

Secondary will start replicating to primary.

Once the replication is complete (show failover, ensure primary is "standby ready"), you can connect the remaining cables and do a 'failover active' on the primary.

Hope this helps others...
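
A check for the last step of the procedure above, as an added example that is not part of the original post or any Cisco tool: it parses saved `show failover` output from the replacement primary and reports whether it is in Standby Ready with the secondary Active, so that `failover active` is not issued while the unit still holds a blank config. The sample output is constructed, and the "This host:" / "Other host:" line layout is an assumption based on typical ASA output.

```python
import re

# Constructed sample of `show failover` on the replacement primary after sync.
# Interface name follows the post; timestamps and timers are made up.
SAMPLE_SYNCED = """\
Failover On
Failover unit Primary
Failover LAN Interface: LANFail GigabitEthernet0/2 (up)
Last Failover at: 10:12:01 UTC Jan 1 2024
        This host: Primary - Standby Ready
                Active time: 0 (sec)
        Other host: Secondary - Active
                Active time: 86400 (sec)
"""

# Constructed sample: the blank replacement holds the active role,
# which is the situation the post warns about.
SAMPLE_WRONG_ROLE = SAMPLE_SYNCED.replace(
    "Primary - Standby Ready", "Primary - Active"
).replace("Secondary - Active", "Secondary - Standby Ready")

HOST_RE = re.compile(
    r"^[ \t]*(This|Other) host:[ \t]*(Primary|Secondary)[ \t]*-[ \t]*(.+?)[ \t]*$",
    re.M,
)

def parse_failover(text):
    """Return {'This': (unit, state), 'Other': (unit, state)}."""
    return {m.group(1): (m.group(2), m.group(3)) for m in HOST_RE.finditer(text)}

def safe_to_promote(text):
    """Return (ok, reason); ok only when the primary has finished syncing."""
    if not re.search(r"^Failover On[ \t]*$", text, re.M):
        return False, "failover is not enabled"
    hosts = parse_failover(text)
    if "This" not in hosts or "Other" not in hosts:
        return False, "could not find both host lines"
    this_unit, this_state = hosts["This"]
    _peer_unit, peer_state = hosts["Other"]
    if this_unit != "Primary":
        return False, f"output is from the {this_unit.lower()}, not the primary"
    if this_state != "Standby Ready":
        return False, f"primary is '{this_state}', wait for 'Standby Ready'"
    if peer_state != "Active":
        return False, f"peer is '{peer_state}', expected the secondary to be Active"
    return True, "primary is Standby Ready; 'failover active' can be issued"

if __name__ == "__main__":
    for name, sample in [("synced", SAMPLE_SYNCED), ("wrong role", SAMPLE_WRONG_ROLE)]:
        print(name, "->", safe_to_promote(sample))
```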