09-19-2024 11:21 AM
Hi
I have a single Firepower 1120 running ASA software which is currently in production and working fine. It has been decided to add a second 1120 and convert them into an HA pair running as active/standby for redundancy.
Can anyone advise if there is an established process for doing this when one of the firewalls is already live, and would it be possible to achieve without any downtime? The traffic volume is low and it only has a handful of firewall and NAT rules, no VPN.
09-19-2024 11:40 AM
First I would draw a diagram that includes the cables and the Layer 2 connection to the switch.
I would go in simple steps:
1. Take the configuration backup from the existing firewall and write the configuration on the live one.
2. On the new one, upgrade the ASA code to the same version as the old one; make sure both devices are the same model and run the same code.
3. Configure the interfaces, the HA links and the switch configuration.
Follow the guidelines below.
Some example configuration you can follow:
https://www.packetswitch.co.uk/cisco-asa-active-passive-failover-example/
Note: before enabling failover, check that you have reachability between the HA link p2p IPs (so you are sure the connection is reachable).
If all is good, then when you enable failover on both units you see the message below, as mentioned in the document:
"Beginning configuration replication: Sending to mate," and when it is complete, the ASA displays the message "End Configuration Replication to mate." Depending on the size of the configuration, replication can take from a few seconds to several minutes.
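A worked config pair for the procedure above, as an added example; it is not part of the original post or of the linked guide. Interface names (Ethernet1/8 as the failover link, Ethernet1/1 outside, Ethernet1/2 inside), the addresses and the shared secret are assumptions, so substitute your own.

```cisco
! ---- Primary (existing, live) unit ----
! Every data interface needs a standby address (assumed values here);
! without one the standby unit cannot take that interface over.
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
! Dedicated failover link, cabled back-to-back or on an isolated VLAN.
! Using the same interface as the state link (assumed Ethernet1/8) is
! fine for a small policy set like this one.
failover lan unit primary
failover lan interface FAILOVER Ethernet1/8
failover link FAILOVER Ethernet1/8
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Authenticates and encrypts failover messages and config replication;
! the replicated config carries every secret on the box, so do not
! leave this out. (Assumed placeholder secret.)
failover key <shared-secret>
failover

! ---- Secondary (new) unit ----
! Only the failover statements are needed. The data-interface, NAT and
! rule config is replicated from the active unit once failover is on.
failover lan unit secondary
failover lan interface FAILOVER Ethernet1/8
failover link FAILOVER Ethernet1/8
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret>
failover
```

Enable `failover` on the primary first and on the secondary second, wait for "End Configuration Replication to mate", then confirm with `show failover` that the mate shows as "Standby Ready" and that every monitored interface is "Normal". Releases that support `failover ipsec pre-shared-key` can use it in place of `failover key` for IPsec-protected failover traffic.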
09-26-2024 02:02 AM
Thanks, I followed the guidelines and was able to convert the single unit into an HA pair.
There was an outage of about 30 seconds after entering the "failover" command on the active unit, whilst it negotiated with the new unit and then applied the active config again, but that's fine.