topic Hi Marvin,Thanks for the in Network Security

Replacing dead primary ASA - what did I do wrong

Bram Van den Bosch — Tue, 12 Mar 2019 04:05:39 GMT

Hi all,

I faced a problem when replacing a primary ASA with an RMA unit and want to know where I did go wrong.

This is what happened:

The secondary unit was active and had all the config.
Installed the new primary unit, configured fail over, connected the fail over interface to the existing secondary ASA.
Config synced from the RMA unit to the existing active secondary unit, basically wiped out all the config.

This is more detailed info of what I did:

On the active standby unit, issue the 'no failover' command, followed by the 'failover' command and did a 'write memory'. I wanted to be sure that this is the first unit with the failover command entered, as i found in the documentation that he should then push its config.
On the RMA unit: configured failover, configured it as primary.
On the RMA unit: added description and 'no shut' command to the failover interface.
On the RMA unit: issued the 'failover' command
On the RMA unit: issued the 'write memory' command
Connected the failover interfaces to each other
Then the config synced in the wrong direction, from RMA to active standby unit

In the end I did fix it with erasing both units, configure failover from scratch and putting back the backup taken before the replacement.

But I want to avoid it in the future!

You should have done "write

Marvin Rhoads — Thu, 17 Apr 2014 15:59:06 GMT

You should have done "write standby" from the Secondary-Active unit. That would push the proper running config into startup-config on the Primary-Standby unit.

Here's a link to the proper section of the Configuration Guide.

Hi Marvin,Thanks for the

Bram Van den Bosch — Thu, 17 Apr 2014 18:08:33 GMT

Hi Marvin,

Thanks for the feedback.

When should I have done the 'write standby' command?

Right before connecting the failover link?

Because as soon as I connected the 2 the config sync did take place.

The RMA unit did not need the

Marvin Rhoads — Thu, 17 Apr 2014 18:21:44 GMT

The RMA unit did not need the step 2 "failover primary".

Then, after step 3, you would connect the failover interfaces to each other and the config should have synced in the proper direction (from Secondary - Active to Primary - Standby).

After that was confirmed to happen, you would then issue "write standby" from the Secondary-Active unit.

Finish up with a "failover" from Secondary-Active and you should have the end sate of Primary -Active and Secondary-Standby.

Don't forget to also copy any remote access VPN profiles, ASDM images., certificates, etc. that are outside the configuration but on disk0: and required.

Re: The RMA unit did not need the

ChrisNewnham_ — Tue, 02 May 2023 08:18:21 GMT

Just sharing my experience here, but I believe "failover lan unit primary" IS required before configuring failover. I tested this myself, and if you don't configure the device as either primary or secondary, it won't join the failover group.

I believe the one step you missed off, was to disable the production interfaces either by disconnecting the cables or disabling the switch interfaces. I believe this is a CRUCIAL step!

Of course, Cisco could make this far far easier by jus having a failover priority value, like lots of other things do. But that would make everyone's life too easy 😉