Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2131
Views
25
Helpful
6
Replies

How to get secondary ASA configurations written to New primary ASA?

Go to solution
VRizk
Level 1
Level 1

‎05-07-2018 11:59 AM - edited ‎02-21-2020 07:44 AM

I need to replace the primary 5516 ASA but am confused when it comes to getting the configuration written over to it. I configured the failover interface but I am wondering how to get all configurations written from the secondary (which would be the active) to the primary (which would be standby since newly installed). Would I be doing the wri standby command ? Or will that write from the primary to secondary (then leaving me with two unconfigured ASAs) ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to VRizk

‎05-08-2018 10:45 AM

The problem they had in the link provided by Dennis is that they performed the tasks in an incorrect order.  What they did was power on the new primary first without connecting it to the network, then configured failover on the primary.  At this point the primary thinks it is the only ASA that is alive in the pair (and so does the standby.)  when the primary was connected to the network the standby sees that the primary has been active and assumes the standby role.

 

This is what should have been done.

1. install the ASA in the rack

2. connect all network cables

3. power on the ASA

4. configure failover on the primary ASA

5. issue no shut on the failover interface

 

Now when the primary comes online, it checks to see if there is already and active ASA, it sees that the secondary is the active ASA and then the primary assumes the standby role.  It is important to remember that the ASA that becomes the active is not always the ASA configured as primary.  Lets say you configure two ASAs for active/standby in a staging area, power them down, install them at the site and then power them on at the same time.  Now, the first ASA to come online will become the active.  So lets say that the secondary boots faster than the primary, then the secondary will become the active ASA.  So always power on the ASA that is to become the active first, and then the secondary.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

6 Replies 6

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni

‎05-07-2018 04:57 PM

Have you seen this post:

 

https://supportforums.cisco.com/t5/firewalling/replacement-of-primary-unit-failed-asa5510-active-standby/td-p/1765303

Please remember to rate useful posts, by clicking on the stars below.

Go to solution
VRizk
Level 1
Level 1
In response to Dennis Mink

‎05-08-2018 07:12 AM - edited ‎05-08-2018 07:13 AM

Hi Dennis, thank you for that link it is very helpful. My concern now with this link you gave is that the replication to mate is going to be done in the reverse (the primary ASA starts to replicate it's blank config to the secondary). Do you know If there is a way to prevent that? A couple of people posted on that link that is what happened to them.. My configurations are as followed:

 

Primary:

failover
failover lan unit primary
failover lan interface HA-INTERFACE GigabitEthernet1/8
failover link HA-INTERFACE GigabitEthernet1/8
failover interface ip HA-INTERFACE 192.168.255.253 255.255.255.252 standby 192.168.255.254

 

Secondary (which would be active at the time):

failover
failover lan unit secondary
failover lan interface HA-INTERFACE GigabitEthernet1/8
failover link HA-INTERFACE GigabitEthernet1/8
failover interface ip HA-INTERFACE 192.168.255.253 255.255.255.252 standby 192.168.255.254

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to VRizk

‎05-08-2018 10:45 AM

The problem they had in the link provided by Dennis is that they performed the tasks in an incorrect order.  What they did was power on the new primary first without connecting it to the network, then configured failover on the primary.  At this point the primary thinks it is the only ASA that is alive in the pair (and so does the standby.)  when the primary was connected to the network the standby sees that the primary has been active and assumes the standby role.

 

This is what should have been done.

1. install the ASA in the rack

2. connect all network cables

3. power on the ASA

4. configure failover on the primary ASA

5. issue no shut on the failover interface

 

Now when the primary comes online, it checks to see if there is already and active ASA, it sees that the secondary is the active ASA and then the primary assumes the standby role.  It is important to remember that the ASA that becomes the active is not always the ASA configured as primary.  Lets say you configure two ASAs for active/standby in a staging area, power them down, install them at the site and then power them on at the same time.  Now, the first ASA to come online will become the active.  So lets say that the secondary boots faster than the primary, then the secondary will become the active ASA.  So always power on the ASA that is to become the active first, and then the secondary.

--
Please remember to select a correct answer and rate helpful posts

Go to solution
Marius Gunnerud
VIP
VIP

‎05-08-2018 12:46 AM

config replication happens automatically when the  new ASA is powered on and comes online.

So the current ASA is actually the standby ASA. Then configure the new primary with the failover configuration and connect the ASA to the network.  Before powering on, make sure you have a full running config backup of the ASA configuration (more system:running-config) just in case some config goes missing.  Power on the primary ASA, when it comes online and if you are connected to the console of one of the ASAs you will see a message saying something like, start replication to mate.  Once replication is complete the secondary ASA is the active ASA and the primary is the standby.  you now need to issue the no failover active command on the active ASA.  once this is done you are finished.  Primary ASA is the active ASA and Secondary ASA is in standby.

--
Please remember to select a correct answer and rate helpful posts

Go to solution
Florin Barhala
Level 6
Level 6
In response to Marius Gunnerud

‎05-08-2018 04:48 AM

I think he also needs to provision the primary ASA with some failover config commands, right?
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Florin Barhala

‎05-08-2018 05:08 AM

Yes the Primary needs to be configured with failover config commands, but I took that as a given that it had been done by his statement in his post "I configured the failover interface".

--
Please remember to select a correct answer and rate helpful posts
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card