03-05-2008 08:37 AM - edited 03-11-2019 05:12 AM
Does anyone have experience with replacing the failed primary unit in an ASA 5520 cluster? My standby unit has kicked in and I received my replacement for the primary from Cisco. I want to know what the best practice is for getting it back into the network with the correct configuration.
Do I need to upload it with my most recent image and then place it in the network and let it replicate to the secondary unit?
Not sure how to go about doing this, any advice would be appreciated.
03-11-2008 10:33 AM
From your description I think that you are using Active/Standby failover. In this scenario when the active (master) unit goes down the standby unit takes over as the active unit and it will constantly poll to check if the master unit is available and is working fine. If the master unit is available it will then transfer the control to the master unit making it once again the active unit.
03-11-2008 10:47 AM
Greg
I have not done it with the ASA but I have done this kind of thing with the PIX and I believe that ASA works the same. Make sure that the replacement for the primary/active ASA is running the same version of code as the existing standby. Then power down and remove the old primary. Put the replacement in place of the removed primary and cable it up. Then power up the new primary. It should learn the config from the standby. After it is running and has completed its sync with the standby you might want to fail the standby to make sure that the new unit is functioning properly as the primary/active unit.
HTH
Rick
03-11-2008 10:52 AM
Make sure you load the same OS and ASDM images that you have on the existing ASA.
I've never had to do it, but here's how I would do it:
Configure the good one still in production to be the primary:
failover lan unit primary
Then bootstrap the new one and configure it as secondary:
rburts's solution won't work. The ASAs don't use cable-based failover. You have to bootstrap the new one.
07-20-2012 11:01 AM
I was just preparing to replace the primary ASA in an HA pair and could not find a solid answer to this question. I found that, indeed, the primary ASA started replicating its blank config to the secondary as soon as I connected the LAN Failover cable.
Here are the steps to keep this from happening:
Configure the primary for failover -
failover lan unit primary
failover lan interface LANFail GigabitEthernet0/2
failover replication http
failover link stateful GigabitEthernet0/3
failover interface ip LANFail 172.16.100.1 255.255.255.0 standby 172.16.100.2
failover interface ip stateful 172.16.101.1 255.255.255.0 standby 172.16.101.2
Configure all interfaces with the primary IP (no standby needed at this point)
'no shut' on all active interfaces
no failover active <------- (critical! Forces the primary to standby)
connect lan failover cable (the only one needed at this point)
Secondary will start replicating to primary.
Once the replication is complete (show failover, ensure primary is "standby ready"), you can connect the remaining cables and do a 'failover active' on the primary.
Hope this helps others...
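A pre-check for the last step of the procedure above, as an added example that is not part of the original post: it reads `show failover` text saved from the replacement unit and reports it safe to run `failover active` only when this unit is Primary in Standby Ready and the peer is Secondary and Active. The sample outputs are constructed and trimmed, and the function names are hypothetical.

```python
import re

# Constructed sample of `show failover` text captured on the replacement
# (primary) unit after the config sync; trimmed to the lines the check reads.
SAMPLE_SYNCED = """\
Failover On
Failover unit Primary
Failover LAN Interface: LANFail GigabitEthernet0/2 (up)
This host: Primary - Standby Ready
Other host: Secondary - Active
"""

# Constructed sample of the failure mode described in the post: the blank
# replacement has taken the active role and the production unit is standby.
SAMPLE_BLANK_ACTIVE = """\
Failover On
Failover unit Primary
Failover LAN Interface: LANFail GigabitEthernet0/2 (up)
This host: Primary - Active
Other host: Secondary - Standby Ready
"""

HOST_LINE = re.compile(
    r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(.+?)\s*$", re.M)

def parse_failover(text):
    """Map 'This'/'Other' to (unit role, failover state)."""
    return {m.group(1): (m.group(2), m.group(3)) for m in HOST_LINE.finditer(text)}

def safe_to_promote(text):
    """Return (ok, reason) for running 'failover active' on this unit."""
    if not re.search(r"^Failover On\s*$", text, re.M):
        return False, "failover is not enabled on this unit"
    hosts = parse_failover(text)
    if "This" not in hosts or "Other" not in hosts:
        return False, "could not find both host state lines"
    if hosts["This"] != ("Primary", "Standby Ready"):
        return False, "this unit is %s - %s, expected Primary - Standby Ready" % hosts["This"]
    if hosts["Other"] != ("Secondary", "Active"):
        return False, "peer is %s - %s, expected Secondary - Active" % hosts["Other"]
    return True, "this unit is standby ready and the peer still holds the active role"

if __name__ == "__main__":
    for name, text in (("synced", SAMPLE_SYNCED), ("blank-active", SAMPLE_BLANK_ACTIVE)):
        print(name, safe_to_promote(text))
```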