Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
129
Views
0
Helpful
2
Replies

Convert single Firepower 1120 into an HA pair

Go to solution
graham robinson
Level 1
Level 1

‎09-19-2024 11:21 AM

Hi

I have a single Firepower 1120 running ASA software which is currently in production and working fine. It has been decided to add a second 1120 and convert them into an HA pair running as active/standby for redundancy. 

Can anyone advise if there is an established process for doing this when one of the firewalls is already live, and would it be possible to achieve without any downtime?  The traffic volume is low and it only has a handful of firewall and NAT rules, no VPN. 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-19-2024 11:40 AM

First i would Draw a diagram that includes cables and Layer2 to connection to switch.

I would go simple steps :

1. take the configuration backup from exiting firewall and write the configuration on the Live one.

2. New one upgrade the ASA code as same old one same, Make sure both same model and same code on both device.

3. Configure the Interface and HA Links and switch configuration.

Follow below guide lines :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/ha-failover.html

some example configuration you can follow :

https://www.packetswitch.co.uk/cisco-asa-active-passive-failover-example/

Note : before enable failover - check you have reachability between HA Link p2p IP ( so you are sure the connection reachable)

If all  good then when you enable failover on both unit you see below message as mentioned in the document :

Running Configuration Replication

Beginning configuration replication: Sending to mate,” and when it is complete, the ASA displays the message “End Configuration Replication to mate.” Depending on the size of the configuration, replication can take from a few seconds to several minutes.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful
2 Replies 2

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-19-2024 11:40 AM

First i would Draw a diagram that includes cables and Layer2 to connection to switch.

I would go simple steps :

1. take the configuration backup from exiting firewall and write the configuration on the Live one.

2. New one upgrade the ASA code as same old one same, Make sure both same model and same code on both device.

3. Configure the Interface and HA Links and switch configuration.

Follow below guide lines :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/ha-failover.html

some example configuration you can follow :

https://www.packetswitch.co.uk/cisco-asa-active-passive-failover-example/

Note : before enable failover - check you have reachability between HA Link p2p IP ( so you are sure the connection reachable)

If all  good then when you enable failover on both unit you see below message as mentioned in the document :

Running Configuration Replication

Beginning configuration replication: Sending to mate,” and when it is complete, the ASA displays the message “End Configuration Replication to mate.” Depending on the size of the configuration, replication can take from a few seconds to several minutes.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
graham robinson
Level 1
Level 1

‎09-26-2024 02:02 AM

Thanks, I followed the guidelines and was able to convert the single unit into an HA pair.

There was an outage of about 30secs after entering the "failover" command on the active unit whilst it negotiated with the new unit and then applied the active config again, but that's fine.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card