Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Firewalls Community


Password Recovery ASA - HA Fail-over pair

Hi All,


We have a HA Failover pair of Firewalls at different Data centers - A link is there in between where they are forming HA.


Somehow we have lost management access to those firewalls now. 


Can someone please advice how we can break the passwork with no or minimum impact to business.



Prasanna Desireddy

Hall of Fame Master

Re: Password Recovery ASA - HA Fail-over pair

Is it the local password only you were using for management access? No TACACS or RADIUS or LDAP (AD) authentication?

If so you will be facing some impact to restore access.

Steps I would recommend:

1. Take the standby unit offline (disconnect data and failover interfaces). The LED on front will indicate which is standby as well as inspection of traffic flow from upstream or downstream devices.

2. Then use console cable on it to recover password. Procedure here:

3. Now take the active unit offline (OUTAGE begins).

4. Reintroduce the previously standby unit. It should come up active since no active mate is detected. (OUTAGE ends).

5. Confirm traffic is flowing as expected.

6. Reintroduce the previously active unit. Connect only failover cable to start. It should detect an active mate and sync config from it.

7. Connect data cabling to standby unit. Verify it is in Standby Ready state.

8. Failover (if needed) to re-establish Primary-Active and Secondary-Standby Ready


Re: Password Recovery ASA - HA Fail-over pair

This is what i am thinking.

You will required physical access to the device to access the console of the ASA.
You mentioned you have ASA in HA pair. So lets assume

ASA-1 is Primary and ASA-2 is Secondary at this point.

Power-off your Secondary ASA-2, Disconnect from network. Perform regular ASA password recovery process as mentioned in the below links. And save configuration.

During this time your business will not affect as your primary ASA is up and running.

Power off your secondary ASA-2 on which you performed the password recovery.

Connect it back Secondary ASA-2 but do not power on.

Now you have to shutdown your Primary ASA-1 and keep it down. ( Which lead to downtime ).

Now you power on your secondary ASA-2 and wait until it stabilise and become the Active ASA.

Once it became Active ASA. You can bring back your (older) primary ASA-1.

So what happen here is that, When the ASA-1 rebooted it will become the secondary ASA and will have all the configuration downloaded from the ASA-2, so the password also get synchronised.

Once you have access to both the ASAs you can make ASA-1 active.

This is my point of view, there may be experts here who can share their view.