Re: Adding expansion card on ASA failover pair

arkar bo bo · ‎04-10-2018

Hi All,

We have two ASA 5520 which is doing active/ standby pair. I would like to add expansion slot on both 5520. And we do not want any down time while doing this.

My Plan

======

1. Backup all the config

2. Power down the secondary ASA . Install the card. Power up.

3. Failover all the traffic to secondary ASA.

4. Power down the primary ASA . Install the card. Power up.

5. Failback all the traffic to primary.

6. Check all the connectivity after that.

My only worry is that is there any issue while we do failover to secondary ASA with different hardware ( as we install new expansion card)? I hope it will be fine because the only hardware check should be main chassis for failover pair. Since 5520 is EOL /EOS i only depend on community here. If you guys have better idea with no down time, please advice to me. Thanks.

Rahul Govindan · ‎04-10-2018

I believe this will fail at step 2. Failover requires the exact same hardware, including expansion cards. This is documented here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/ha_overview.html#wp1077521

The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed

I can't think of a way without complete downtime. Here is what i suggest:

1. Backup all the config

2. Power down the secondary ASA . Install the card. Unplug all data and failover cables. Power up.

4. Power down the primary ASA and immediately re-cable the secondary firewall. The downtime will be between power down and re-cabling secondary. Install the card. Power up.

5. Failback all the traffic to primary.

6. Check all the connectivity after that.

Hope this helps.