Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1342
Views
0
Helpful
2
Replies

Password Recovery ASA - HA Fail-over pair

D Prasanna Kumar Reddy
Level 1
Level 1

‎09-17-2019 03:54 AM - edited ‎09-17-2019 03:56 AM

Hi All,

 

We have a HA Failover pair of Firewalls at different Data centers - A link is there in between where they are forming HA.

 

Somehow we have lost management access to those firewalls now. 

 

Can someone please advice how we can break the passwork with no or minimum impact to business.

 

Thanks,

Prasanna Desireddy

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-17-2019 04:58 AM

Is it the local password only you were using for management access? No TACACS or RADIUS or LDAP (AD) authentication?

If so you will be facing some impact to restore access.

Steps I would recommend:

1. Take the standby unit offline (disconnect data and failover interfaces). The LED on front will indicate which is standby as well as inspection of traffic flow from upstream or downstream devices.

2. Then use console cable on it to recover password. Procedure here:

https://community.cisco.com/t5/security-documents/asa-password-recovery/ta-p/3126046

3. Now take the active unit offline (OUTAGE begins).

4. Reintroduce the previously standby unit. It should come up active since no active mate is detected. (OUTAGE ends).

5. Confirm traffic is flowing as expected.

6. Reintroduce the previously active unit. Connect only failover cable to start. It should detect an active mate and sync config from it.

7. Connect data cabling to standby unit. Verify it is in Standby Ready state.

8. Failover (if needed) to re-establish Primary-Active and Secondary-Standby Ready

0 Helpful

bhargavdesai
Spotlight
Spotlight

‎09-17-2019 05:12 AM

This is what i am thinking.

You will required physical access to the device to access the console of the ASA.
You mentioned you have ASA in HA pair. So lets assume

ASA-1 is Primary and ASA-2 is Secondary at this point.

Power-off your Secondary ASA-2, Disconnect from network. Perform regular ASA password recovery process as mentioned in the below links. And save configuration.

https://community.cisco.com/t5/security-documents/asa-password-recovery/ta-p/3126046
https://www.petenetlive.com/KB/Article/0000572

During this time your business will not affect as your primary ASA is up and running.


Power off your secondary ASA-2 on which you performed the password recovery.

Connect it back Secondary ASA-2 but do not power on.

Now you have to shutdown your Primary ASA-1 and keep it down. ( Which lead to downtime ).

Now you power on your secondary ASA-2 and wait until it stabilise and become the Active ASA.

Once it became Active ASA. You can bring back your (older) primary ASA-1.

So what happen here is that, When the ASA-1 rebooted it will become the secondary ASA and will have all the configuration downloaded from the ASA-2, so the password also get synchronised.

Once you have access to both the ASAs you can make ASA-1 active.


This is my point of view, there may be experts here who can share their view.



HTH
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card