Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1392
Views
2
Helpful
4
Replies

ASA replacing standby unit

Go to solution
hitaesh.aggarwal1
Frequent Visitor
Frequent Visitor

‎01-15-2024 01:05 PM

Hi, 

I am replacing an standby ASA in a HA pair, and the guidelines I have recieved are to remove HA configuration on current active, and then configure HA again on the Primary unit. Refering to Cisco documentation on setting up HA, I am a bit confused with the examples. 

I refered to https://www.cisco.com/c/en/us/td/docs/security/asa/asa918/configuration/general/asa-918-general-config/ha-failover.html#ID-2107-00000429:~:text=write%20memory-,Examples,ciscoasa(config)%23%20write%20memory,-Configure%20Active/Active

The link highlights the example in the HA setup guide.

In the example following configuration is suggested:

Primary Unit:

failover interface ip folink 172.27.48.0 255.255.255.254 standby 172.27.48.1

Secondary Unit:

ciscoasa(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

 I am not sure if this is a typo, but shouldn't the configuration be:

Primary Unit:

failover interface ip folink 172.27.48.1 255.255.255.254 standby 172.27.48.2

And the secondary Unit:

failover interface ip folink 172.27.48.2 255.255.255.254 standby 172.27.48.1

Or I may have not understood how this works.

Please help me understand this.

- Tired searcher

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎01-15-2024 02:47 PM

 you need use same config IP in both ASA HA

ciscoasa(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

I know it confuse, my first time do this mistake and man learn from his mistake 
so cisco doc. is correct 
MHM

 

View solution in original post

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-16-2024 01:54 AM

Yes cisco documentation very huge, sometime you see some typo's around the documents.

Steps we follow all the time and with out any issue :

1. take the configuration back from primary all the time out of the box

2. configure the failed unit as mentioned below steps document.

This instruction help youy failover unit replacement :

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/220525-replace-an-asa-firewall-into-an-active-s.html

3. To be safe only connect sync link make sure it synched before you connect other interfaces (rather failing the FW to distrupt the traffic)

4. connect the console to FW and check the logs below one important.

Beginning configuration replication: Sending to mate.

 5. once fully sych done check the Firewall status 

# show failover

6. then connect other interface - if you like you can failover and test it if you have maintenance window.

BB

=====️ Preenayamo Vasudevam ️=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

4 Replies 4

Go to solution
MHM Cisco World
VIP
VIP

‎01-15-2024 02:47 PM

 you need use same config IP in both ASA HA

ciscoasa(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

I know it confuse, my first time do this mistake and man learn from his mistake 
so cisco doc. is correct 
MHM

 

Go to solution
hitaesh.aggarwal1
Frequent Visitor
Frequent Visitor

‎01-15-2024 10:09 PM

Thanks! this should get me going.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-16-2024 01:54 AM

Yes cisco documentation very huge, sometime you see some typo's around the documents.

Steps we follow all the time and with out any issue :

1. take the configuration back from primary all the time out of the box

2. configure the failed unit as mentioned below steps document.

This instruction help youy failover unit replacement :

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/220525-replace-an-asa-firewall-into-an-active-s.html

3. To be safe only connect sync link make sure it synched before you connect other interfaces (rather failing the FW to distrupt the traffic)

4. connect the console to FW and check the logs below one important.

Beginning configuration replication: Sending to mate.

 5. once fully sych done check the Firewall status 

# show failover

6. then connect other interface - if you like you can failover and test it if you have maintenance window.

BB

=====️ Preenayamo Vasudevam ️=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
hitaesh.aggarwal1
Frequent Visitor
Frequent Visitor

‎01-16-2024 05:08 AM

Thanks for this tip, it made me feel much more secure. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card