Solved: Convert single 5555-X firewall deployment to HA pair

s88fan · ‎03-18-2021

Hello all,

I have a single 5555-X firewall and want to know if it is feasible to convert this appliance into an active/passive deployment while not taking the current device out of action. I am able to get my hands on a second device that matches in all respects to the first device. Is it possible to configure failover links on the the initial device (while it is still performing as the operational firewall), plug in and attach the secondary unit and have the initial device push the active configuration to the standby and finally have HA on the network? My conundrum is not having the ability/permission to take the initial device out of service. Thanks!

Chris

Sheraz.Salim · ‎03-18-2021

yes that correct. as long as you match the software and hardware spec you should be good.

make sure configure the command on RUNNING production ASA as primary and do all the failover cabling and other standby ip address and cabling plus when it will come to ASA secondary give a command failover secondary. I think by default the ASA is in secondary mode. I shall double check and update you.

also remember very important. when the failover configuration are applied on both unit. do not give command "failover" on standby. make sure issue the "failover" command first on ASA primary than do it on secondary. doing this your secondary ASA will get the configuarion from primary ASA and become and HA pair.

Spoiler

Existing ASA
!
STANGE1
!
Interface gig0/6
no shut
!
interface gig0/7
no shut
!
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
!
------
NEW-ASA as standby
!
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
!
------

Stage2
!
Step 1.now to make them HA pair go to Primary ASA and give command "Failover"
Step 2.on secondary ASA give command "Failover"

Existing ASA!STANGE1!Interface gig0/6no shut!interface gig0/7no shut!failover lan unit primaryfailover lan interface FAILOVER GigabitEthernet0/6failover link STATEFULL GigabitEthernet0/7failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2!------NEW-ASA as standby!failover lan unit secondaryfailover lan interface FAILOVER GigabitEthernet0/6failover link STATEFULL GigabitEthernet0/7failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2!------ Stage2!Step 1.now to make them HA pair go to Primary ASA and give command "Failover"Step 2.on secondary ASA give command "Failover"

please do not forget to rate.

View solution in original post

Sheraz.Salim · ‎03-18-2021

yes that correct. as long as you match the software and hardware spec you should be good.

make sure configure the command on RUNNING production ASA as primary and do all the failover cabling and other standby ip address and cabling plus when it will come to ASA secondary give a command failover secondary. I think by default the ASA is in secondary mode. I shall double check and update you.

also remember very important. when the failover configuration are applied on both unit. do not give command "failover" on standby. make sure issue the "failover" command first on ASA primary than do it on secondary. doing this your secondary ASA will get the configuarion from primary ASA and become and HA pair.

Spoiler

Existing ASA
!
STANGE1
!
Interface gig0/6
no shut
!
interface gig0/7
no shut
!
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
!
------
NEW-ASA as standby
!
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
!
------

Stage2
!
Step 1.now to make them HA pair go to Primary ASA and give command "Failover"
Step 2.on secondary ASA give command "Failover"

Existing ASA!STANGE1!Interface gig0/6no shut!interface gig0/7no shut!failover lan unit primaryfailover lan interface FAILOVER GigabitEthernet0/6failover link STATEFULL GigabitEthernet0/7failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2!------NEW-ASA as standby!failover lan unit secondaryfailover lan interface FAILOVER GigabitEthernet0/6failover link STATEFULL GigabitEthernet0/7failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2!------ Stage2!Step 1.now to make them HA pair go to Primary ASA and give command "Failover"Step 2.on secondary ASA give command "Failover"

please do not forget to rate.

s88fan · ‎03-18-2021

Sheraz,

Thank you for the quick reply. I was fairly confident we could configure a standby and place it inline with the active FW to create the HA environment, I just couldn't find the guide stating exactly that. Cheers!

Chris