We have a pair of ASAs and the standby has to be replaced. I have not found many documents about the replacement process, so I have some questions:
1- The failover configuration in the primary device is:
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover key *****
failover link FAILOVER Management0/0
failover interface ip FAILOVER X.X.X.1 255.255.255.252 standby X.X.X.2
I think that the configuration in the RMA ASA should be:
failover lan unit secondary
failover lan interface FAILOVER Management0/0
failover key *****
failover link FAILOVER Management0/0
failover interface ip FAILOVER X.X.X.1 255.255.255.252 standby X.X.X.2
The only problem is that we do not have the failover key and I only see it encrypted. Is there a way to see the failover key in plain text, or do I need to generate a new key?
2- The second issue is about the licenses. The broken ASA has a license activated on it with its corresponding activation-key. As I understand it, these activation-keys are related to the chassis S/N, and I think that the new ASA will not accept the activation-key of the broken one. What do I have to do to have the new ASA activated with the same license that the broken one has?
3 - Lastly, the ASA cluster has an ASA-SSM card installed on each ASA. When I replace the broken one with the new ASA, is it only necessary to remove the SSM card from the broken ASA and install it in the new one? Or do I have to do something else?
1. You can get the failover key by issuing the following:
more system:running-config | i failover
2. Once you receive the RMA ASA, you will need to send an email to firstname.lastname@example.org, provide the show version output from the failed ASA, and request an activation key for the RMA ASA (provide the serial# of the RMA ASA too).
3. Yes, once you receive the RMA ASA, please move the SSM card from the failed ASA to the RMA ASA.
Before changing the failed ASA, we tried to load an image in ROMMON via tftp. We were lucky and we were able to load it, but all the configuration and activation keys were lost.
We tried to do a dir all: but disk0:, where all the images were supposed to be, did not appear, so we think that the memory is corrupted and we are going to replace it with a new one.
ciscoasa# dir all
Directory of system:/
1 ---- 0 00:00:00 Jan 01 1970 running-config
No space information available
The thing is that I tried to configure and enable the failover in the "broken ASA" and I was not able to because of the licenses:
ciscoasa# Mate's license (Failover Enabled) is not compatible with my license (Failover Disabled). Failover will be disabled.
Mate's license (VPN-DES Enabled) is not compatible with my license (VPN-DES Disabled). Failover will be disabled.
Mate's license (VPN-3DES-AES Enabled) is not compatible with my license (VPN-3DES-AES Disabled). Failover will be disabled.
Mate's license (2 Contexts) is not compatible with my license (0 Contexts). Failover will be disabled.
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 7.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "tftp://188.8.131.52/asa722-k8.bin"
Config file at boot was "startup-config"
.......
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
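A pre-check for the license mismatch reported in the console messages above, as an added example that is not part of the thread or any Cisco tooling: it compares the "Licensed features" tables from two saved show version outputs and lists every row that differs. The function names and both sample outputs are constructed for illustration, and the parser assumes one feature per line, as the device prints it.

```python
import re

# One "Name : Value" row of the "Licensed features for this platform" table.
ROW = re.compile(r"^\s*([A-Za-z0-9/ -]+?)\s*:\s*(\S.*?)\s*$")

def licensed_features(show_version: str) -> dict:
    """Return {feature: value} from the licensed-features table of 'show version'."""
    features, in_table = {}, False
    for line in show_version.splitlines():
        if line.strip().startswith("Licensed features for this platform"):
            in_table = True
            continue
        if in_table:
            m = ROW.match(line)
            if not m:
                if features:   # first non-row line after the table ends it
                    break
                continue       # blank line between the header and the first row
            features[m.group(1)] = m.group(2)
    return features

def license_mismatches(mate: str, mine: str) -> list:
    """List (feature, mate_value, my_value) for every row that differs."""
    a, b = licensed_features(mate), licensed_features(mine)
    return [(k, a.get(k, "absent"), b.get(k, "absent"))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]

# Constructed samples in the layout of the 'show version' output quoted above.
MATE = """Licensed features for this platform:
Maximum VLANs               : 150
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
"""
MINE = """Licensed features for this platform:
Maximum VLANs               : 150
Failover                    : Disabled
VPN-DES                     : Disabled
VPN-3DES-AES                : Disabled
Security Contexts           : 0
"""

if __name__ == "__main__":
    for feature, mate_value, my_value in license_mismatches(MATE, MINE):
        print(f"{feature}: mate={mate_value} mine={my_value}")
```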