Replacing a failed ASA5505 question

tdennehy · ‎04-20-2010

We have a remote site with a 5505 that builds a VPN tunnel back to our 5550. The unit failed, and I am on vacation... The network engineer that responded showed up with a brand new ASA5505. He didn't have the config, so he swapped the flash from the failed unit (the unit really failed, it wasn't just the power brick) and put it in the new ASA and it booted, but didn't build a tunnel back to our 5550.

Does anyone know if there's something that needs to happen, like regenerating certificate or something? Is there a reason why swapping flash wouldn't bring this unit up?

Thanks,

Tim

Federico Coto Fajardo · ‎04-20-2010

Hi,

The new unit is working fine?

Meaning... it has Internet access?

If the configuration is exactly the same as the previous ASA 5505, the tunnel should establish.

Perhaps it is not connected physically in the same way, or is not getting IP from the DHCP, or something is missing in the configuration.

Federico.

tdennehy · ‎04-20-2010

I was told the engineer that stepped in to help brought a brand new ASA5505 with him, opened it up, swapped the flash and brought the new one up but it did not come up and build a tunnel. Supposedly he hooked it up correctly, but I am wondering if he cabled it up the same. I was mostly concerned that something else needed to happen, like "crypto key generate" or something else that would prohibit the unit from operating. I guess it will have to wait until I return. Thanks!

Federico Coto Fajardo · ‎04-20-2010

There's no need to regenerate the RSA keys to bring an IPsec tunnel up.

You need RSA keys for other purposes like if using Digital Certificates for authentication for the VPN connection or using management SSH connections to the ASA.

Federico.