Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
299
Views
0
Helpful
1
Replies

adding standby firewall to priduction

cstpierre4
Level 1
Level 1

‎05-01-2013 06:38 AM - edited ‎03-11-2019 06:37 PM

Hello,

I was just wondering if there is any huccup in introducing a secong firewall to a prod. one to make a HA pair.

Current firewall will have to have the:

- standby IPs updated on the interface. this is needed correct or will the second firewall just take the next IP?

- configure the failover commands on the primary

- connect the HA cable

with these steps.. there should not be any interuption to production correct?

any help would be great..

Thanks

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎05-01-2013 06:47 AM

Hi,

You have stated most of the required steps to add a Standby device to form a Active/Standby ASA Failover pair.

Before doing any configurations you should make sure that the Standby device you are going to add to be the Failover Pair of the original ASA is identical to the other ASA with regards to the hardware.

You should also check what the software version on the ASA is. IF the software level is anything BELOW 8.3(1) software level then you need identical Licenses on the ASA firewalls also. IF your software level is EQUAL OR AFTER 8.3(1) then the ASA will allow a Failover pair device that doesnt have the same Licenses than the original ASA.

With regards to actual configurations, as you say you should first configure the Failover configurations on the Primary ASA and also make sure that every interface has the Standby IP address configured. You will have to configure this manually.

After this you could prepare the Standby ASA and clear its configurations. Configure the physical ports with "no shutdown". Configure the ASA with only the Failover configurations.

After everythings confirmed and configured you could attach the Standby device to the network and finally attach the Failover interface and let the Standby device receive the configurations from the Active unit.

Even though you shouldnt expirience any outage in the network connections, I would still strongly recommend to always reserve a small time window where network users should expect possible minor outages. In other words have a maintanance window and do the change then.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card