11-28-2016 02:24 PM - edited 03-12-2019 01:35 AM
Hello everybody,
I'm going to deploy an ASA Active/Standby failover pair of ASA-5525X. Currently I've got one Cisco [ASA5525] ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC (see details below).
I'm planning to order the following hardware:
01. New ASA purchase
01.a. 01 x Cisco [ASA5525-FPWR-K9] ASA 5525-X with FirePOWER Services, 8GE, AC, 3DES/AES, SSD
02. Old ASA Upgrade
02.a. 01 x Cisco [ASA5525-FP-UPG] Upgrade Kit: ASA5525-X FW, IPS, CX to ASA5525-X FirePower
02.b. 01 x Cisco [ASA5500X-SSD120=] ASA 5512-X through 5555-X 120 GB MLC SED SSD (Spare)
02.c. 01 x Cisco [ASA5525-CTRL-LIC=] ASA5525 Control License
I'm going to do the following:
01. install SSD into the old ASA
02. upgrade the ASAs' software to v.9.6.2 so both units will have the same version
03. install FirePOWER software v.6.1.0 on both units
In order for two ASAs to form an Active/Standby failover pair, the standard requirements should be met (http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/ha-failover.html#ID-2107-0000000a).
But there are no requirements related to software modules specified in this doc. I've dug for any related info and found virtually nothing except one discussion (https://supportforums.cisco.com/discussion/12526776/failover-problem-cisco-asa-5525x-after-upgrade-version-941), where during the upgrade of a failover pair of ASA-5525X the failover broke due to different software modules.
I would appreciate any help with several points, in particular:
- if the existing ASA5525-K9 and new ASA5525-FPWR-K9 will form an Active/Standby failover pair, or should I order one more ASA5525-K9 instead of ASA5525-FPWR-K9?
- should I install and maintain FirePOWER software on both ASAs even if I will not use FP services in the near future?
Existing ASA5525 info:
--------------------------------------------------
asa-5525x-01# show inventory
Name: "Chassis", DESCR: "ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC"
PID: ASA5525 , VID: V01 , SN: XXXXXXXXXXX
asa-5525x-01#
asa-5525x-01#
asa-5525x-01#
asa-5525x-01# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525            XXXXXXXXXXX
ips Unknown                                      N/A                XXXXXXXXXXX

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 bc16.6520.391b to bc16.6520.3924  1.0          2.1(9)8      8.6(1)2
ips bc16.6520.3919 to bc16.6520.3919  N/A          N/A

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
ips Unknown                        No Image Present Not Applicable

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
ips Unresponsive       Not Applicable

Mod License Name   License Status  Time Remaining
--- -------------- --------------- ---------------
ips IPS Module     Disabled        perpetual
asa-5525x-01#
--------------------------------------------------
Thanks in advance.
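A pre-check a practitioner could run before pairing the two boxes, written as an added example (not code from the thread or from Cisco): it parses the `show module` tables into a dictionary and reports the chassis and service-module differences that matter for an Active/Standby pair. Unit A mirrors the output quoted above; unit B, its MAC addresses, serial number, the `sfr` module name and the version strings are constructed assumptions.

```python
import re
# Constructed samples, not from the thread: A mirrors the post's ASA5525-K9 (idle IPS
# module, 8.6(1)2); B is a hypothetical ASA5525-FPWR-K9 at 9.6(2) with FirePOWER (sfr).
UNIT_A = """\
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525            XXXXXXXXXXX
ips Unknown                                      N/A                XXXXXXXXXXX

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 bc16.6520.391b to bc16.6520.3924  1.0          2.1(9)8      8.6(1)2
ips bc16.6520.3919 to bc16.6520.3919  N/A          N/A
"""
UNIT_B = """\
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525            YYYYYYYYYYY
sfr FirePOWER Services Software Module           N/A                YYYYYYYYYYY

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 0011.2233.4401 to 0011.2233.440a  1.0          2.1(9)8      9.6(2)
sfr 0011.2233.4400 to 0011.2233.4400  N/A          N/A          6.1.0
"""
def parse_show_module(text):
    """Parse 'show module' tables into {mod: {column: value}}; columns are cut at the '---' ruler edges."""
    mods, lines, i = {}, text.splitlines(), 0
    while i < len(lines) - 1:
        if lines[i].startswith("Mod ") and lines[i + 1].startswith("---"):
            spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[i + 1])]
            names = [lines[i][s:e].strip() for s, e in spans]
            i += 2
            while i < len(lines) and lines[i].strip():  # rows end at a blank line
                row = lines[i]  # slicing past the end of a short row yields ''
                vals = [row[s:e].strip() for s, e in spans[:-1]] + [row[spans[-1][0]:].strip()]
                mods.setdefault(vals[0], {}).update(zip(names[1:], vals[1:]))
                i += 1
        i += 1
    return mods

def failover_mismatches(a, b):
    """Differences that matter for an Active/Standby pair: chassis model/software, module set, module software."""
    issues = [f"chassis {k}: {a['0'].get(k)} vs {b['0'].get(k)}"
              for k in ("Model", "Sw Version") if a["0"].get(k) != b["0"].get(k)]
    mods_a, mods_b = set(a) - {"0"}, set(b) - {"0"}
    issues += [f"module {m} present on only one unit" for m in sorted(mods_a ^ mods_b)]
    issues += [f"module {m} Sw Version: {a[m].get('Sw Version')} vs {b[m].get('Sw Version')}"
               for m in sorted(mods_a & mods_b) if a[m].get("Sw Version") != b[m].get("Sw Version")]
    return issues
```

Run against the two samples it flags the software-version gap and the unmatched `ips`/`sfr` modules, i.e. exactly the items the planned upgrade steps are meant to close; an empty list means nothing in these tables distinguishes the units.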
11-28-2016 02:39 PM
I am slightly confused. In part of your post you indicate that you plan on making the following changes:
I'm going to do the following:
01. install SSD into the old ASA
02. upgrade the ASAs' software to v.9.6.2 so both units will have the same version
03. install FirePOWER software v.6.1.0 on both units
But then the questions that you ask are based on the assumption that one ASA does not have FirePower while the other does. But your changes will have put FirePower on the original ASA. Even if you do not plan to use FirePower in the nearest future I believe that you will want to have the software for it on both of the ASAs and to maintain that software so that somewhere further into the future you may decide that you do want to use this feature.
And I do believe that if you make the changes that you outline, the ASAs will be successful in establishing an active/standby failover pair.
HTH
Rick
11-29-2016 03:18 AM
Dear Richard, thank you for the reply.
Main and the most critical question is if existing ASA5525-K9 and new ASA5525-FPWR-K9 will form a failover pair.
Regarding the FirePOWER software, sorry for some confusion I've introduced. I've specified the steps I'm going to perform to be more specific and minimize some trivial questions regarding the versions I'm going to upgrade to and such. By the question regarding FP software I meant whether I really should proceed with this, or maybe it will be easier just to uninstall the SFR module software on the newly purchased unit so both ASAs will be equal in terms of modules installed, and I can go this way now. And when I later need SFR module functionality I will just install the latest FP software (I prefer a clean install instead of an upgrade) onto both ASAs and use FirePOWER services.
Have you or your colleagues faced this case in reality?
Thank you.
11-29-2016 06:28 AM
I have not faced this case in reality. I can only address your questions from my understanding of how Cisco ASA does things and my understanding of the requirements for deploying ASA. Perhaps someone else in the forum has faced the case in reality and can speak from their experience. In the meantime I continue to believe that if you upgrade the existing ASA as you have described then both ASAs will have similar capabilities, will have the same versions of software, and will successfully form a High Availability failover pair. I believe that this is a better approach than trying to remove the FirePower from the new ASA.
HTH
Rick
11-30-2016 05:00 AM
Hello, I had an experience of upgrading ASA5515 Active/Standby failover pair to FirePOWER Services. The upgrade was made with zero downtime.
I installed SSD disks in both ASAs, updated the software on both ASAs to version 9.4(2) consecutively and then began to deploy FirePOWER images.
After the first ASA got its FirePOWER module started, there was no problem with failover. So I was able to continue to deploy FirePOWER to the second one.
So, answering your question, from my experience (ASA5515, software 9.4(2)) the ASAs can work in Act/Stby failover even if the first ASA is equipped with the FirePOWER sw-module while the second one is not.
11-30-2016 08:08 AM
Thanks for sharing your experience with us about the ability to establish a failover pair when one unit has FirePower.
HTH
Rick
11-30-2016 01:05 PM
Boris, thank you for the info.
I know that there are no issues when both units are the same (the same PNs), so in this case the only point is the software modules installed on the ASAs.
The main and only concern I've got is that the new ASA5525-FPWR-K9 platform hardware differs from the ASA5525-K9 platform hardware, and this difference can prevent both units from forming an HA pair.
Maybe somebody has experience with exactly this case (forming a failover pair of ASA5525-FPWR-K9 and ASA5525-K9).
Thank you.
11-30-2016 10:29 PM
Hi, Artem.
As far as I know the only difference between the ASA5525-FPWR-K9 platform and the ASA5525-K9 platform is that ASA5525-FPWR-K9 is equipped with an SSD disk, while ASA5525-K9 does not have an SSD. So, when you install an SSD disk in ASA5525-K9 it will become absolutely the same platform as ASA5525-FPWR-K9.
Moreover, if one ASA has an SSD while the second one does not, they can still work in failover.
In my case the ASA5515s were in different locations while they worked in failover. So I had to install the SSD into the first ASA and then move to the location where the second ASA is installed. And during my journey from one location to the other there was no problem with failover.