Does anyone have experience with replacing the failed primary unit in an ASA 5520 cluster? My standby unit has kicked in and I received my replacement for the primary from Cisco. I want to know what the best practice is for getting it back into the network with the correct configuration.
Do I need to upload it with my most recent image and then place it in the network and let it replicate to the secondary unit?
Not sure how to go about doing this; any advice would be appreciated.
From your description I think that you are using Active/Standby failover. In this scenario, when the active (master) unit goes down the standby unit takes over as the active unit, and it will constantly poll to check if the master unit is available and is working fine. If the master unit is available it will then transfer control to the master unit, making it once again the active unit.
I have not done it with the ASA but I have done this kind of thing with the PIX and I believe that ASA works the same. Make sure that the replacement for the primary/active ASA is running the same version of code as the existing standby. Then power down and remove the old primary. Put the replacement in place of the removed primary and cable it up. Then power up the new primary. It should learn the config from the standby. After it is running and has completed its sync with the standby you might want to fail the standby to make sure that the new unit is functioning properly as the primary/active unit.
I was just preparing to replace the primary ASA in an HA pair and could not find a solid answer to this question. I found that, indeed, the primary ASA started replicating its blank config to the secondary as soon as I connected the LAN failover cable.
Here are the steps to keep this from happening:
configure the primary for failover -
failover lan unit primary
failover lan interface LANFail GigabitEthernet0/2
failover replication http
failover link stateful GigabitEthernet0/3
failover interface ip LANFail 172.16.100.1 255.255.255.0 standby 172.16.100.2
failover interface ip stateful 172.16.101.1 255.255.255.0 standby 172.16.101.2
Configure all interfaces with the primary IP (no standby needed at this point)
'no shut' on all active interfaces
no failover active <------- (critical! Forces the primary to standby)
connect lan failover cable (the only one needed at this point)
Secondary will start replicating to primary.
Once the replication is complete (show failover, ensure the primary is "Standby Ready"), you can connect the remaining cables and do a 'failover active' on the primary.
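The gating step in the procedure above is reading `show failover` on the replacement before cabling the rest and issuing `failover active`. As an added illustration (not part of any post in this thread), here is a small Python check that parses that output and refuses to give the go-ahead unless the replacement is the primary in "Standby Ready", the mate is Active, and both units report the same image version (the point made earlier in the thread). The sample outputs are constructed for the example; only the `Version:`, `This host:` and `Other host:` lines follow the real `show failover` layout, and the state names are assumed to be those the ASA prints.

```python
import re

# Constructed sample of `show failover` as seen on the replacement primary
# after it has synced from the active secondary (not captured from a device).
SYNCED = """\
Failover On
Failover unit Primary
Failover LAN Interface: LANFail GigabitEthernet0/2 (up)
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 10:12:03 UTC Jan 1 2014
        This host: Primary - Standby Ready
                Active time: 0 (sec)
        Other host: Secondary - Active
                Active time: 86400 (sec)
"""

# Variants derived from the sample: sync still running, image mismatch, and
# the failure mode the post warns about (replacement came up Active).
STILL_SYNCING = SYNCED.replace("Primary - Standby Ready", "Primary - Sync Config")
VERSION_MISMATCH = SYNCED.replace("Mate 9.1(2)", "Mate 8.4(7)")
ALREADY_ACTIVE = (SYNCED.replace("Primary - Standby Ready", "Primary - Active")
                        .replace("Secondary - Active", "Secondary - Standby Ready"))

HOST_RE = re.compile(
    r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(\S.*?)\s*$", re.M)
VERSION_RE = re.compile(r"^\s*Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)", re.M)


def parse_failover(output):
    """Pull (unit, state) for both hosts and the (ours, mate) image versions."""
    hosts = {}
    for which, unit, state in HOST_RE.findall(output):
        hosts[which.lower()] = (unit, state)
    m = VERSION_RE.search(output)
    versions = (m.group(1), m.group(2)) if m else (None, None)
    return {"this": hosts.get("this"), "other": hosts.get("other"),
            "versions": versions}


def safe_to_activate(output):
    """Return (ok, reason) for issuing `failover active` on the replacement.

    ok is True only when this unit is the primary in Standby Ready, the mate
    is Active, and both units run the same image version.
    """
    info = parse_failover(output)
    this, other = info["this"], info["other"]
    ours, mate = info["versions"]
    if this is None or other is None:
        return False, "could not find This host/Other host lines"
    if ours is None or ours != mate:
        return False, f"image version mismatch: ours={ours} mate={mate}"
    if this[0] != "Primary":
        return False, "this unit is not configured as the primary"
    if this[1] == "Active":
        # The replacement should never be Active before it has synced; if it
        # is, its (possibly blank) config may already have gone to the mate.
        return False, ("this unit is already Active: verify the mate's config "
                       "was not overwritten before doing anything else")
    if this[1] != "Standby Ready":
        return False, f"replication not finished, this unit is '{this[1]}'"
    if other[1] != "Active":
        return False, f"mate is '{other[1]}', expected Active"
    return True, ("primary is Standby Ready and in sync; ok to connect the "
                  "remaining cables and run 'failover active'")


if __name__ == "__main__":
    cases = [("synced", SYNCED), ("syncing", STILL_SYNCING),
             ("mismatch", VERSION_MISMATCH), ("already active", ALREADY_ACTIVE)]
    for name, text in cases:
        ok, why = safe_to_activate(text)
        print(f"{name:15} -> {'OK' if ok else 'NO'}  {why}")
```

In practice you would paste the real `show failover` text into `safe_to_activate` (or feed it from a terminal capture); the version check matters because a replacement shipped with a different image will not sync cleanly with the surviving unit.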