Re: Scheduled Cisco ASA firewall reboot via scripting

Prashobcv93 · ‎05-26-2023

I am having Cisco ASA 5525 running with 9.14(4)15 with an HA pair with the same version.

I would like to know whether we could arrange a script to reboot the firewall every month last Saturday.

Let us know and bring this to a discussion.

MHM Cisco World · ‎05-26-2023

event timer countdown time <seconds>

ASA Embedded Event Manager Configuration Example - Cisco

I think you use countdown time

NOTE:- first try this EEM using action showdown any unuse interface (for testing EEM ) before apply it for reboot

Prashobcv93 · ‎05-26-2023

Hi MHM Cisco World,
Looks like this is very difficult to apply for all last Saturday of every month.

MHM Cisco World · ‎05-26-2023

reload [ at hh : mm [ month day | day month ] ] [ cancel ] [ in [ hh :] mm ] [ max-hold-time [ hh :] mm ] [ noconfirm ] [ quick ] [ reason text ] [ save-config ]

check this command, I think you can reload ASA in specific day of specific month.
NOTE:- make double check the command before apply it.
Thansk
MHM

Prashobcv93 · ‎05-26-2023

How about in a setup like HA pair?

When we reboot the firewall without failover, there will be auto switch over or downtime.

Is there any suitable option for HA pair setup?

MHM Cisco World · ‎05-26-2023

I check the command in lab and it work for standalone
I will check command with HA
I will update you

Prashobcv93 · ‎05-26-2023

Thank you

MHM Cisco World · ‎05-27-2023

I access to both FW
config different time for reload one after 5 min and other after 6 min
then standby (after 5 min) reload and active (after 6 min, i.e. 1 after standby reload) reload
the status is change when active FW reload it become standby

so you can reload OLD active first (the OLD standby here will become NEW active) and then reload OLD standby (NEW active) this will make OLD active to become NEW active again.

Prashobcv93 · ‎05-29-2023

I used this method but we need to try an automated setup for the same.

SSH to current active

failover reload-standby //This will reload the standby unit//
**Wait for the standby ASA to come back**

no failover active //The other unit will take over the active role//

**You will lose the connectivity to your SSH-session**

SSH to New Active

failover reload-standby //This will reload the active unit//

no failover active //The other unit will take over the active role//

Sheraz.Salim · ‎05-27-2023

Are these Firewalls in production if so why there is need to reload/reboot every month?

please do not forget to rate.

Prashobcv93 · ‎05-29-2023

Hi Sheraz,
The firewall was automatically switching over to the secondary and until we receive a service contract, we are planning to reboot the firewall pair every last saturday of the month (with customer approval).

Sheraz.Salim · ‎05-29-2023

if switching over to secondary mean there must be one/or more then interface/s are going down/falping to either on the firewall or it could be the up-stream link or down-stream link.

in a high availability pair that command determines which interface(s) are monitored for purposes of determining the ability of a member to be eligible for the Active role. this could be causing the issue.

you can give these commands

no monitor-interface dmz
no monitor-interface inside

if you using the ASA IPS module give these command

no monitor-interface service-module

also can you share the "show failover", "show failover history","show failover state"

please do not forget to rate.