Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1294
Views
0
Helpful
3
Replies

Export/import Firepower config from Active to Standby ASA in HA setup?

Go to solution
Thomas Winther
Level 1
Level 1

‎01-06-2017 06:05 AM - edited ‎03-12-2019 06:14 AM

I have some 5508X HA setups in PoCs, and I recently realized that I can't manage the standby device via ASDM, through an active IPSEC tunnel.
That's an ASA classic issue, but it is a challenge for my ability to manual(huh) synchronize the Firepower configs between active/standby devices.

Is there a way to import/export configs in CLI on Firepower @ ASA5508X ?

I know that the Firepower sync. wouldn't be a problem, if I bought the FMC.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-06-2017 07:32 AM

No you cannot do that - from cli or ASDM.

The ability to do so is one of the several reasons I always recommend customers with even two ASAs purchase the FMC.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-06-2017 07:32 AM

No you cannot do that - from cli or ASDM.

The ability to do so is one of the several reasons I always recommend customers with even two ASAs purchase the FMC.

0 Helpful

Go to solution
Thomas Winther
Level 1
Level 1

‎01-15-2017 09:13 AM

OK, for the configuration synchronization i need FMC.

But.., my setup is still ASA HA remote units, and I'm unable to manage the standby device via the IPSEC tunnel from HQ. So would FMC be I think?

Do you know how the standby unit can be managed behind an IPSEC on the active box?

BR

Thomas

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Thomas Winther

‎01-15-2017 10:04 PM

Both the Primary and Standby units in an ASA HA pair with FirePOWER service modules are managed by FirePOWER Management Center via bidirectional communications over tcp/8305 to the modules' unique IP addresses that are bound the the ASA physical management interfaces.

As long as the gateway defined in your modules has connectivity back to the remote FMC, the IPSec security association (SA) includes the modules' management subnet and tcp/8305 is allowed via the tunnel then remote management should work fine. If there is NATting going on, then a few other considerations need to be done during the module registration process.

Note that you do need to register and license each FirePOWER service module separately. The FMC has no knowledge that the parent ASAs are in an HA pair. Generally I define a group (in FMC device management) and put both modules in it.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card