Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1974
Views
0
Helpful
2
Replies

ASA 5540 SSM-4GE Active/Standby Failover

Dmitry Samko
Level 1
Level 1

‎08-05-2011 01:34 AM - edited ‎02-21-2020 04:25 AM

Greatings!

Gyes, we had such kind of issue: while installing 2 SSM-4GE modules to 2 ASA 5540 (Active/Standby) the firewall is splitted. That's my step:

1) Turn off standby ASA and plug SSM-4GE module

2) Power it On

After it was booted up failover relationships were broked and previously stabdby became Active appliance.

3) Turn off active ASA and plug SSM-4GE module

4) Power it On

After the it was booted up failover comes up and previously Active (on step 2) appliance became Standby. Everything is up and running now, but the issue was on step 2, I suppose becouse of distinct in hardware (when one ASA was on SSM reachest than another one). Still have no ideas why so happens and is there any way to plug SSM modules int ASA active/standby cluster without downtime.

Any ideas?

0 Helpful
2 Replies 2

grischast
Level 1
Level 1

‎08-17-2011 12:08 AM

I guess that hardware modification without downtime is simply not possible with an ASA failover pair. Refer to the configuration guide http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077521:

Hardware Requirements 
 The two units in a failover configuration must be the same model, have  the same number and types of interfaces, and the same SSMs installed (if  any).

Regards,

Grischa

0 Helpful

varrao
Level 10
Level 10
In response to grischast

‎08-18-2011 06:53 AM

Hi,

Yes, hardware upgrades are possible without downtime only for memory on ASA 8.2 onwards, but for SSM cards, you would need downtime for it, the best option for it would be:

  2. Ensure that the primary device is active, shut down the secondary/standby ASA, and add the new interface card.

  3. Remove all cables and boot the secondary/standby ASA to test that the new hardware is operational.

  4. Shut down the secondary/standby ASA again, and reconnect the cables.

  5. Shut down the primary/active ASA, and boot the secondary ASA.

    Note: Do not allow both ASAs to become active at the same time.

  6. Confirm that the secondary ASA is up and passing traffic, and then make the secondary device active with the failover active command.

  7. Install the new interface on the primary ASA, and remove the cables.

  8. Boot the primary ASA, and test the new hardware.

  9. Shut down the primary ASA, and reconnect the cables.

  10. Boot the primary ASA, and make the primary device active with the failover active command

Here's the doc if you need more info:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card