Replacing dead primary ASA - what did I do wrong

Hi all,

I faced a problem when replacing a primary ASA with an RMA unit and want to know where I went wrong.

This is what happened:

  • The secondary unit was active and had all the config.
  • Installed the new primary unit, configured failover, connected the failover interface to the existing secondary ASA.
  • Config synced from the RMA unit to the existing active secondary unit, which basically wiped out all the config.

This is more detailed info of what I did:

  1. On the active standby unit, issued the 'no failover' command, followed by the 'failover' command, and did a 'write memory'. I wanted to be sure that this is the first unit with the failover command entered, as I found in the documentation that it should then push its config.
  2. On the RMA unit: configured failover, configured it as primary.
  3. On the RMA unit: added description and 'no shut' command to the failover interface.
  4. On the RMA unit: issued the 'failover' command
  5. On the RMA unit: issued the 'write memory' command
  6. Connected the failover interfaces to each other
  7. Then the config synced in the wrong direction, from RMA to active standby unit

In the end I fixed it by erasing both units, configuring failover from scratch and putting back the backup taken before the replacement.

But I want to avoid it in the future!

Accepted Solutions
Hall of Fame Super Silver

The RMA unit did not need the step 2 "failover primary".

Then, after step 3, you would connect the failover interfaces to each other and the config should have synced in the proper direction (from Secondary - Active to Primary - Standby).

After that was confirmed to happen, you would then issue "write standby" from the Secondary-Active unit.

Finish up with a "failover" from Secondary-Active and you should have the end state of Primary-Active and Secondary-Standby.

Don't forget to also copy any remote access VPN profiles, ASDM images, certificates, etc. that are outside the configuration but on disk0: and required.
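
One way to script the "confirmed to happen" check from the accepted answer, as an added example that is not part of the original thread: it parses the role lines of `show failover` captured on the surviving unit and refuses to continue unless that unit is the active one. The sample outputs are constructed and abbreviated, and treating `Standby Ready` as the sign of a finished sync is an assumption.

```python
import re

# Role/state lines of `show failover`, e.g. "This host: Secondary - Active".
HOST_LINE = re.compile(
    r"^[ \t]*(This|Other) host:[ \t]*(Primary|Secondary)[ \t]*-[ \t]*(.+?)[ \t]*$",
    re.M)

# Constructed, abbreviated outputs as seen from the surviving Secondary unit.
SAMPLE_OK = """Failover On
Failover unit Secondary
        This host: Secondary - Active
        Other host: Primary - Standby Ready
"""
SAMPLE_REVERSED = """Failover On
Failover unit Secondary
        This host: Secondary - Standby Ready
        Other host: Primary - Active
"""
SAMPLE_NO_PEER = SAMPLE_OK.replace("Standby Ready", "Not Detected")


def parse_roles(show_failover):
    """Return {'This': (unit, state), 'Other': (unit, state)}."""
    roles = {m.group(1): (m.group(2), m.group(3))
             for m in HOST_LINE.finditer(show_failover)}
    if set(roles) != {"This", "Other"}:
        raise ValueError("no 'This host'/'Other host' lines (is failover on?)")
    return roles


def check_sync(show_failover, surviving_unit="Secondary"):
    """Verify the surviving unit is active, i.e. the source of replication."""
    roles = parse_roles(show_failover)
    active = [unit for unit, state in roles.values() if state.startswith("Active")]
    if len(active) != 1:
        return "STOP: expected exactly one active unit, found %d" % len(active)
    if active[0] != surviving_unit:
        return "STOP: %s is active, config replicates from it" % active[0]
    # Exactly one entry is active, so exactly one entry is the peer.
    peer = next(s for _, s in roles.values() if not s.startswith("Active"))
    if peer != "Standby Ready":  # assumption: this state marks a finished sync
        return "WAIT: peer is '%s', sync not confirmed" % peer
    return "OK: %s active, peer Standby Ready; 'write standby' can follow" % surviving_unit


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_REVERSED, SAMPLE_NO_PEER):
        print(check_sync(sample))
```
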

3 REPLIES
Hall of Fame Super Silver

You should have done "write standby" from the Secondary-Active unit. That would push the proper running config into startup-config on the Primary-Standby unit.

Here's a link to the proper section of the Configuration Guide.

Hi Marvin,

Thanks for the feedback.

When should I have done the 'write standby' command?

Right before connecting the failover link?

Because as soon as I connected the two, the config sync took place.
