Frequent Contributor

Adding failed Primary ASA to HA

We have ASA in:

Primary - Active

Sec - Standby

 

After Failover the Sec is Active now and Primary has died due to hardware failure.

 

Now I need to add a new ASA as Primary standby.

The new ASA has no config yet, just the default.

I need to confirm a few things.

 

Config on new ASA

1> Write erase and reload

2> Int gi1/1 ---------------- This is the failover int

no shutdown

2> I can add the below config on the new ASA

failover lan unit primary
failover lan interface Statefull GigabitEthernet1/1
failover link Statefull GigabitEthernet1/1
failover interface ip Statefull x.x.x.x 255.255.255.224 standby x.x.x.x
failover

3> Wr mem

copy running config to startup

4> Rack mount the new Primary ASA

5> Power it on

6> Connect the console cable and failover cable only for now

7> Wait for the below messages

Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

8> After this I can add all the data interfaces and everything should be fine, right?

Did I miss something?

 

For now I will leave Primary as standby.

Also, we are not using any virtual MAC address for failover. Will this cause any layer 2 issues?

Do I need to reboot the Sec ASA which is Active now during this process or if any issue occurs?

 

Regards

Mahesh

 

 

 

 

Accepted Solutions
VIP Advisor

Re: Adding failed Primary ASA to HA

That sounds fine to me. I would also take a backup of the config off the current active unit too, "just in case". Also you need to make sure the new unit is running the same software version as the current unit.

 

I typically copy the whole config off the standby to the primary and then just update the line "failover lan unit primary" and then plug them in.
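
A pre-flight comparison of the two units' saved configs, covering the checks raised in this thread (same software version, identical failover interface lines, differing unit roles, failover enabled). This is an added example, not part of the original posts or any Cisco tooling; the sample configs, version strings and 192.0.2.x addresses are constructed, and it assumes each input is saved `show running-config` text containing the usual `ASA Version` line.

```python
import re

# Constructed sample configs (not from the thread); IPs are documentation addresses.
ACTIVE_BACKUP = """ASA Version 9.8(2)
failover
failover lan unit secondary
failover lan interface Statefull GigabitEthernet1/1
failover link Statefull GigabitEthernet1/1
failover interface ip Statefull 192.0.2.1 255.255.255.224 standby 192.0.2.2
"""
STAGED_NEW_UNIT = """ASA Version 9.6(4)
failover lan unit primary
failover lan interface Statefull GigabitEthernet1/2
failover link Statefull GigabitEthernet1/1
failover interface ip Statefull 192.0.2.1 255.255.255.224 standby 192.0.2.2
"""
# Commands that must be identical on both units of the pair.
SHARED = ("failover lan interface ", "failover link ", "failover interface ip ")

def parse(cfg):
    """Pull the version banner and failover lines out of saved running-config text."""
    lines = [" ".join(l.split()) for l in cfg.splitlines()]  # normalise whitespace
    ver = re.search(r"^ASA Version (\S+)", cfg, re.M)
    unit = [l.split()[-1] for l in lines if l.startswith("failover lan unit ")]
    return {
        "version": ver.group(1) if ver else None,
        "unit": unit[0] if unit else None,
        "enabled": "failover" in lines,  # the bare command on its own line
        "shared": {l for l in lines if l.startswith(SHARED)},
    }

def preflight(active_cfg, new_cfg):
    """Return a list of problems to fix before cabling the replacement unit."""
    a, n = parse(active_cfg), parse(new_cfg)
    problems = []
    if a["version"] is None or a["version"] != n["version"]:
        problems.append(f"version mismatch: active={a['version']} new={n['version']}")
    if {a["unit"], n["unit"]} != {"primary", "secondary"}:
        problems.append(f"unit roles must differ: active={a['unit']} new={n['unit']}")
    for line in sorted(a["shared"] ^ n["shared"]):
        problems.append(f"not identical on both units: {line}")
    if not n["enabled"]:
        problems.append("new unit lacks the bare 'failover' command")
    return problems

if __name__ == "__main__":
    for p in preflight(ACTIVE_BACKUP, STAGED_NEW_UNIT):
        print("FIX:", p)
```
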

Frequent Contributor

Re: Adding failed Primary ASA to HA

I heard that when you add the primary ASA as standby, the current Sec active ASA uses the new primary ASA for layer 2 communication.

How can I fix this?