topic Re: Procedure for Swapping out live firewalls in a failover pair in Network Security

Procedure for Swapping out live firewalls in a failover pair

bbriggs — Fri, 21 Feb 2020 16:09:34 GMT

Hi,

I have a task to swap-out two ASA single-mode firewalls.

They are in a pair and neither has failed, this is merely a hardware upgrade.

I am tempted to failover i.e. enter "no failover active" and replace the Primary unit first.

However if I left the HA pair in their current configuration and replaced the Secondary, without failing over, the Primary should be able to keep working.

The firewalls should then sync from Primary to Secondary.

Once I replace the Primary I can then failover by entering "no failover active" and then replace the Secondary.

Is anyone aware of an official procedure to replace a failover pair where both are working?

Thanks

Re: Procedure for Swapping out live firewalls in a failover pair

Ajay Saini — Tue, 28 Aug 2018 20:47:51 GMT

Hello,

As long as the hardware model is same, you can do what you have described. Going by the description, looks like you are doing a hardware upgrade, which means at one point of time primary and secondary firewalls will be different models. That is not supported for a failover replacement.

The best way for hardware upgrade would be to take a maintenance window and do it. Should not take more time. We can prepare a parallel setup and swap the firewalls out.

If the model is same, then you can follow the steps:

https://community.cisco.com/t5/security-documents/introducing-failed-primary-unit-back-in-the-ha-fail-over-pair/ta-p/3146927

HTH

Re: Procedure for Swapping out live firewalls in a failover pair

bbriggs — Thu, 21 Mar 2019 10:47:36 GMT

Thanks for your help,

Brian