Correct procedure to replace failed Primary ASA unit with Multi context

Abhishek7310
Level 1

Hello,

I have received an RMA for a failed ASA 5508, which was the primary unit in a multicontext configuration with SFR modules installed. Could you please provide the correct procedure for reinstalling this device in production?

Additionally, if there is any relevant documentation available, I would appreciate it if you could share the links.

Here is the proposed procedure I intend to follow:
1. Remove the HA configuration from the secondary device currently running in production.
2. Configure the multicontext and HA configuration on the RMA device as the secondary unit.
3. Reconfigure the existing device to act as the primary unit.
4. Connect both firewalls and synchronize the HA.

Could you confirm if these steps are correct or provide any necessary adjustments?

Thank you.

Best regards,

Abhishek

2 Replies

Marvin Rhoads
Hall of Fame

@Abhishek7310 that will work for the base ASA.

Note the Firepower service modules have no HA relationship between one another. If you have a Firepower service module then you need to reimage to match the version you had before, do the bootstrap configuration and configure any policy you had on it. If you are using FMC then it is as easy as re-registering and deploying the policies stored on FMC. If you were using ASDM management for the Firepower service module then you need to configure everything from the start manually.

Changing the unit role from secondary to primary may lead to a MAC address change, which in turn can lead to traffic interruption.

The standard procedure is to configure the new unit received as RMA in multiple mode ("mode multiple"), enable the failover interface (and the state link if this is a separate interface), and configure the failover parameters on it (the new RMAed unit is the "primary" unit in your case), but failover should stay disabled ("no failover"). Then verify connectivity over the failover (and state) links by pinging the failover (and state) IP addresses of the peer. It is not necessary to create contexts in the system execution space. If the ping is successful, enable failover on the new RMAed unit ("failover"). The units will see each other and the primary unit should proceed to the config sync phase. The secondary should stay active. When the config is received and the primary becomes standby, run "write mem" on the active.
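The bootstrap sequence the reply above describes, written out as an added example of the system-execution-space configuration on the replacement unit (this is not configuration from the original thread or from Cisco documentation). The interface names, failover/state addresses and the failover key are assumptions for illustration; in practice every value must match what the surviving active unit already has (compare against "show running-config failover" on it), because failover will not form otherwise:

```cisco
! === Replacement (RMA) unit, system execution space ===
! 1. Switch to multiple-context mode. The ASA reloads after this command;
!    continue in the system execution space once it is back.
mode multiple
!
! 2. Failover bootstrap. Role "primary" because the surviving unit is
!    already configured as secondary. GigabitEthernet1/7 and 1/8 and the
!    10.255.0.0/30 and /30 addresses are assumptions for this example.
failover lan unit primary
failover lan interface folink GigabitEthernet1/7
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link statelink GigabitEthernet1/8
failover interface ip statelink 10.255.0.5 255.255.255.252 standby 10.255.0.6
! Failover and state traffic (full config, all contexts, connection tables)
! crosses these links in clear text unless a failover key is set. If the
! surviving unit has one, set the identical key here; the literal is a
! placeholder.
failover key FailoverSharedSecretPlaceholder
! Keep failover disabled until the links are verified.
no failover
! Bring the physical failover/state interfaces up.
interface GigabitEthernet1/7
 no shutdown
interface GigabitEthernet1/8
 no shutdown
!
! 3. Verify reachability of the peer's failover and state addresses
!    before enabling failover (the reply's ping check).
ping 10.255.0.2
ping 10.255.0.6
!
! 4. Enable failover. The peer stays active; this unit receives the
!    config (contexts included) and should end as "Primary - Standby Ready".
failover
show failover
!
! 5. Only after this unit reports Standby Ready, save from the ACTIVE unit
!    (the surviving secondary), not from here. From its system space,
!    "write memory all" saves the system config and every context.
```

Two points a practitioner would check before step 4. First, the MAC-change caveat from the reply: the active unit uses the primary unit's burned-in MACs, so when the surviving secondary (running alone on its own MACs) meets the new primary, its active MACs change. Pinning virtual MACs with "failover mac address <interface> <active-mac> <standby-mac>" (or "mac-address auto" in the system space) removes the dependency on chassis role, but those commands must be in the active unit's configuration, since replication overwrites the joining unit, and adding them to a unit that is already active changes its MACs at that moment; plan that during a window. Second, the failover key: an absent or mismatched key keeps the units from pairing, and an absent key on both sides means every context configuration, including credentials, crosses the failover link unencrypted.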
