Welcome to Cisco Firewalls Community


Beginner

Procedure for Swapping out live firewalls in a failover pair

Hi,

I have a task to swap out two ASA single-mode firewalls.

They are in a pair and neither has failed, this is merely a hardware upgrade.

I am tempted to failover i.e. enter "no failover active" and replace the Primary unit first.

However, if I left the HA pair in their current configuration and replaced the Secondary, without failing over, the Primary should be able to keep working.

The firewalls should then sync from Primary to Secondary.

 

Once I replace the Primary I can then failover by entering "no failover active" and then replace the Secondary.

 

Is anyone aware of an official procedure to replace a failover pair where both are working?

 

Thanks

 

1 ACCEPTED SOLUTION

Accepted Solutions
Rising star

Re: Procedure for Swapping out live firewalls in a failover pair

Hello,

 

As long as the hardware model is the same, you can do what you have described. Going by the description, it looks like you are doing a hardware upgrade, which means at one point in time the primary and secondary firewalls will be different models. That is not supported for a failover replacement.

 

The best way for a hardware upgrade would be to take a maintenance window and do it. Should not take more time. We can prepare a parallel setup and swap the firewalls out.

 

If the model is the same, then you can follow the steps:

 

https://community.cisco.com/t5/security-documents/introducing-failed-primary-unit-back-in-the-ha-fail-over-pair/ta-p/3146927

 

HTH

AJ

 

 

2 REPLIES 2

Beginner

Re: Procedure for Swapping out live firewalls in a failover pair

Thanks for your help,

 

Brian