06-09-2010 11:31 AM - edited 03-11-2019 10:57 AM
Hello Experts,
Just had a quick question regarding ASA failover: Is it possible to have an ASA pair, with the primary ASA being a 5540 and the standby device an ASA 5520 (or vice versa)?
I need to replace a set of ASA 5540s with ASA 5520s on our production network and would like to do it with little to no downtime. My plan was to shut down the standby ASA 5540 and put in the new ASA 5520, let the new 5520 come up into Standby mode, force the primary ASA 5540 into Standby and let the new 5520 take over as the primary. Once that is completed, shut down the ASA 5540 (which should now be in Standby mode) and replace it with another ASA 5520. Let the second ASA 5520 come up and voilà, we should be good.
Is this possible?
Thanks,
Justin
06-09-2010 11:46 AM
Justin
Unfortunately no. From the ASA config guide -
The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any).
If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.
Although it is not required, it is recommended that both units have the same amount of RAM memory installed.
Jon
06-09-2010 11:54 AM
Jon,
Thanks for the information!! I guess I have no choice but to take an outage. Thanks again.
Justin
06-09-2010 12:01 PM
Hey Justin
You are right. You have to take a small downtime. In such migrations, we basically have 2 solutions, and it really depends on the complexity of the customer networks as to which solution to choose:
1) Copy + paste the exact configuration of the existing firewall to the new firewall (with same IPs), mount the device near the existing device, just switch the cables, and troubleshoot any issues if they arise.
2) The second method is to add these firewalls parallel to the existing firewalls (more often used in proofs of concept & phased migrations). The existing subnet should allow this (esp. inside & outside), and to flip traffic, we used to just change statics on inside switches. Again, this is only for very small networks which use static routing and have no complicated DMZ/VPN setups.
I'm sure 99% of us would take the first approach, but sometimes the 2nd one can be useful.
Hope it helps. All the best.
Raj
06-09-2010 12:06 PM
Raj,
Thanks for the information. Yeah it looks like option 1 is going to be my best bet.
Justin