Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1573
Views
15
Helpful
6
Replies

ASA 5545X HA question

Go to solution
Craddockc
Level 3
Level 3

‎02-12-2019 11:09 AM - edited ‎02-21-2020 08:48 AM

Dear community,

We have a pair of ASA 5545X firewalls in an Active/Failover HA pair. The configuration of our external "outside" interface is in a port channel with the rest of our internal interfaces. I have to do some work this weekend to change that. I will be deleting the port channel sub interface that acts as the "outside" interface and configuring an unused physical interface to be the new outside interface. My question is this: Should I keep the HA connection connected while first working the Standby unit? 

 

The reason I ask is because if I break HA, then both units will go Active, I do not want that. I want the Primary (Active) unit to continue servicing traffic while I work on the Standby unit. Once I am done with the standby unit and have verified that all the rules and NATs etc pertaining to the outside interface are back in place, I want to power down the Primary/Active unit and make the Secondary/Standby unit the Active unit. Once I am satisfied that everything is working, I want to power up the Primary unit again and force the config changes to be propagated to the Primary unit. Does this sound like a reasonable approach?

 

How would you approach this situation? Any help would be appreciated. Thanks. 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎02-12-2019 11:42 AM

I my opinion, this is not a good way of doing this. Reason being that I just do not like doing any work on the standby unit while the pair are still in a Active/Standby failover pair.  Here are some suggestions how to do it the way you suggest and a way that I have done.

 

Method 1.

  1. shutdown interface on the switch going to the secondary ASA.
  2. shutdown failover interface on secondary ASA
  3. change the configuration on standby ASA
  4. shutdown port on the switch going to primary ASA
  5. no shutdown on interface on the switch going to the secondary ASA
  6. Test changes
  7. If all is OK, take full backup of running configuration, pull the power on the primary ASA and no shutdown interface on switch going to primary ASA as well as failover interface on standby.
  8. add power back to primary ASA and verify configuration is successfully copied to the primary (standby) ASA.
  9. failover back to primary ASA

Method 2 (I have done this):

  1. configure the new public interface using a different name (I used outside2 but you can use the ISP name or anything else for that matter)
  2. duplicate all NAT rules referencing outside2 interface instead (I copied all config into notepad and did a search and replace)
  3. add an access-group configuration for outside2 interface using the existing ACL for the current outside interface.
  4. Now when you are going to make the swap you only need to move the interface IP and the default route.
--
Please remember to select a correct answer and rate helpful posts

View solution in original post

6 Replies 6

Go to solution
Marius Gunnerud
VIP
VIP

‎02-12-2019 11:42 AM

I my opinion, this is not a good way of doing this. Reason being that I just do not like doing any work on the standby unit while the pair are still in a Active/Standby failover pair.  Here are some suggestions how to do it the way you suggest and a way that I have done.

 

Method 1.

  1. shutdown interface on the switch going to the secondary ASA.
  2. shutdown failover interface on secondary ASA
  3. change the configuration on standby ASA
  4. shutdown port on the switch going to primary ASA
  5. no shutdown on interface on the switch going to the secondary ASA
  6. Test changes
  7. If all is OK, take full backup of running configuration, pull the power on the primary ASA and no shutdown interface on switch going to primary ASA as well as failover interface on standby.
  8. add power back to primary ASA and verify configuration is successfully copied to the primary (standby) ASA.
  9. failover back to primary ASA

Method 2 (I have done this):

  1. configure the new public interface using a different name (I used outside2 but you can use the ISP name or anything else for that matter)
  2. duplicate all NAT rules referencing outside2 interface instead (I copied all config into notepad and did a search and replace)
  3. add an access-group configuration for outside2 interface using the existing ACL for the current outside interface.
  4. Now when you are going to make the swap you only need to move the interface IP and the default route.
--
Please remember to select a correct answer and rate helpful posts

Go to solution
Craddockc
Level 3
Level 3
In response to Marius Gunnerud

‎02-13-2019 08:04 AM - edited ‎02-13-2019 10:52 AM

Marius,

Thanks so much for the reply. I appreciate the thoughtful response. For Method 2, is this done on the Primary/Active Firewall? This seems like a much cleaner approach that would only cause a minor traffic interruption when the IP address is moved to the new outside2 interface. Also, will the access list associated with the old outside interface (outside_in) be deleted from the running config when the old outside interface is deleted from the config? Or will it persist? Labbing it up on my spare ASA here it doesn't look like the ACL is removed after deleting the interface, but I just wanted to check what your experience was. I know the NAT rules and VPN configs will be deleted. 

 

Thanks. 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Craddockc

‎02-13-2019 12:00 PM

As a rule, all configuration should done on an ASA in active/standby should be done on the active ASA.  If you configure the standby ASA you will get error messages that the ASAs are out of synch since only the Active ASA synchronizes it's configuration to the standby.  Using method 2, you should be able to do the switchover in less 1 minute if you have prepared configuration scripts ahead of time for the interface IPs and routing. remember to also have roll back scripts, just in case.

 

The ACL itself will not be removed when you remove the nameif command from the old interface.  What will be removed is any command referencing that interface name. Here is a list of commands that might be deleted, (for the purpose of this example lets say the interface name is outside), I also realize that many of these commands are not best practice but I am just trying to demonstrate what will be removed if configured:

  • nat (inside,outside) source dynamic any interface
  • ssh 0.0.0.0 0.0.0 outside
  • http 0.0.0.0 0.0.0.0 outside
  • access-group outside_access_in in outside
  • route outside 0.0.0.0 0.0.0.0 1.2.3.4
  • service-policy TEST-POLICY interface outside
  • management-access outside
--
Please remember to select a correct answer and rate helpful posts

Go to solution
Craddockc
Level 3
Level 3
In response to Marius Gunnerud

‎02-14-2019 10:05 AM

Marius,

 

Thank you so much for your comments and help. I have decided to go with Method 1 in an attempt to keep the configs as consistent as possible. I have all the relevant CLI configs in a script ready to go as you suggested. here is a synopsis of my work plan:

 

1) shutdown interface on the switch going to the secondary ASA:

 

       QTS-AGG-1B# int po5
                                  shut

 

2) shutdown failover interface on secondary ASA:

 

       qts-fwprod-1a# interface GigabitEthernet0/7
                                               shut

 

3) change the configuration on standby ASA

3a) Remove the Po2 subinterface 2.1101: 

 

      qts-fwprod-1a# no interface Port-channel2.1101


3b) Remove the Po2 port channel interface: (This PC is not being used for anything, one of its member ports Gi0/4 will be used as the new outside interface)

       qts-fwprod-1a# no interface Port-channel2

 

3c) Remove the Po1 subinterface 1.1001 (current outside interface)

       qts-fwprod-1a# no interface Port-channel1.1001

 

3d) Configure Gigibitethernet0/4 as the new outside interface

       interface GigabitEthernet0/4
         nameif outside
         security-level 0
          ip address 64.x.x.6 255.255.255.128 standby 64.x.x.7

 

3e) Reconfigure NAT Rules that were deleted when old outside interface was deleted (separate file)

 

3f) Reconfigure Site to Site IPSec VPN that was deleted when old outside interface was deleted (separate file)

 

3g) Apply access list "outside_in" to new outside interface

        qts-fwprod-1a# access-group outside_in in interface outside

3h) Reconfigure static default route that was deleted when old outside interface was deleted

         qts-fwprod-1a# route outside 0.0.0.0 0.0.0.0 64.x.x.1

 

3i) Physically connect Gi0/4 of firewall to port G1/0/46 on Edge Switch B

 

4) shutdown port on the switch going to primary ASA

 

QTS-AGG-1A# int po4
                          shut


5) no shutdown on interface on the switch going to the secondary ASA

        QTS-AGG-1B# int po5
                                  no shut

Test changes


If all is OK, take full backup of running configuration, pull the power on the primary ASA and no shutdown interface on switch going to primary ASA (Po4) as well as failover interface on standby (G0/7).

Add power back to primary ASA and verify configuration is successfully copied to the primary (standby) ASA.
failover back to primary ASA

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Craddockc

‎02-14-2019 11:49 AM

3b) Remove the Po2 port channel interface: (This PC is not being used for anything, one of its member ports Gi0/4 will be used as the new outside interface)

       qts-fwprod-1a# no interface Port-channel2

Is this a typo?  This will remove the whole port-channel that, to me, seems to have several subinterfaces associated with it.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Craddockc
Level 3
Level 3
In response to Marius Gunnerud

‎02-15-2019 08:40 AM

Marius,

This particular PC has 2 physical interfaces associated with it, G0/4 and G0/5. It was being used in the past but is no longer being used. The other 6 physical interfaces are already being used for other purposes. By removing the PC2, this will free up 2 physical interfaces, one of which (G0/4) will be used as the new outside interface.

 

Thanks for the feedback! 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card