Primary ASA Failed in HA Pair

BB34
Level 1

So our Primary firewall failed and our Secondary ASA is our active unit.  We just received our replacement ASA.  I just want to verify these are the steps to introduce the Primary ASA back into the HA setup.  

Currently, our Secondary unit (Active unit) has this config:

5516# sh run fail

failover
failover lan unit secondary
failover lan interface fail GigabitEthernet1/8
failover mac address GigabitEthernet1/1 0018.73d0018.195b.dc18
failover mac address GigabitEthernet1/2 0018.73d 0018.195b.0001
failover mac address GigabitEthernet1/3 0018.73d0018.195b.0002
failover link fail GigabitEthernet1/8
failover interface ip fail1 172.16.1.1 255.255.255.0 standby 172.16.1.2

5516# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: fail GigabitEthernet1/8 (Failed - No Switchover)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 160 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(3)16, Mate 9.8(3)16
Serial Number: Ours AAD95, Mate ZAD26
Last Failover at: 22:51:28 CDT Aug 5 2020
This host: Secondary - Active
Active time: 3063670 (sec)
slot 1: ASA5516 hw/sw rev (2.1/9.8(3)16) status (Up Sys)
slot 2: SFR5516 hw/sw rev (N/A/6.4.0.6-28) status (Up/Up)
ASA FirePOWER, 6.4.0.6-28, Up, (Not-Monitored)
slot 2: SFR5516 hw/sw rev (N/A/6.4.0.6-28) status (Up/Up)
ASA FirePOWER, 6.4.0.6-28, Up, (Not-Monitored)
Other host: Primary - Failed
Active time: 54116848 (sec)

5516# sh fail int
interface fail GigabitEthernet1/8
System IP Address: 172.16.1.1 255.255.255.0
My IP Address : 172.16.1.2
Other IP Address : 172.16.1.1

Now, to configure the new ASA I will do the following:

Hook up the failover cable to port 8 on both ASAs.

Run the commands:  

failover lan unit primary

failover lan interface fail eth 0/8

failover key ! 'Not seeing a key'  --> Omit this line

failover replication http              

failover link fail1 eth 0/8

failover interface ip fail 172.16.1.1 255.255.255.0 standby 172.16.1.2

After we verify communication between the failover interfaces using ping, then we can enable failover.

failover

After replication happens, then we can hook up the other ethernet cables to the other ethernet interfaces.  

I am confused for this line I would enter on the new ASA: failover interface ip fail 172.16.1.1 255.255.255.0 standby 172.16.1.2

When I issue the command failover lan unit primary, by designating this unit as primary, does that assign the 172.16.1.1 address to the port 8 interface on this new ASA?  And is this line correct, given that the standby unit is currently the active unit?  Or does it need to be: failover interface ip fail 172.16.1.2 255.255.255.0 standby 172.16.1.1

Any help is much appreciated!
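
As an added example that is not part of the thread (and not Cisco's code), the Python pre-flight script below compares the `failover` lines planned for the replacement unit against the surviving unit's lines and parses the surviving unit's `show failover` output. It encodes two facts of the ASA failover model: the failover-link lines (`failover lan interface`, `failover link`, `failover interface ip`) are identical on both units and only `failover lan unit` differs; and the `failover interface ip` line is entered unchanged on both units, because the unit configured as primary always takes the first address and the secondary always takes the standby address no matter which one is currently active, which is exactly what the secondary's `show failover interface` output above reports (System IP 172.16.1.1, My IP 172.16.1.2). The sample texts are constructed from the outputs quoted above, with the failover-link name assumed to be `fail` throughout the surviving unit's configuration.

```python
"""Pre-flight checks before re-introducing a replaced ASA into a failover pair.
Added example, not from the thread or from Cisco.  Sample texts below are
constructed from the outputs quoted in the thread."""
import re

# Token that holds the failover-link name in each command; all three must agree.
_NAME_POS = {"lan interface": 3, "link": 2, "interface ip": 3}

def _key(toks):
    """Which failover setting a line configures, e.g. 'lan unit', 'link'."""
    if toks[1] in ("link", "key", "replication"):
        return toks[1]
    return " ".join(toks[1:3])

def config_lines(text):
    """Return {setting: normalised line} for every `failover <args>` line."""
    out = {}
    for raw in text.splitlines():
        toks = raw.split()                      # also collapses stray whitespace
        if len(toks) < 3 or toks[0] != "failover":
            continue                            # bare 'failover' (the enable) or other config
        out[_key(toks)] = " ".join(toks)
    return out

def compare_failover_config(surviving, new):
    """Every way the new unit's lines differ; only `failover lan unit` may."""
    a, b = config_lines(surviving), config_lines(new)
    problems = []
    for label, cfg in (("surviving", a), ("new", b)):
        names = {cfg[k].split()[i] for k, i in _NAME_POS.items() if k in cfg}
        if len(names) > 1:
            problems.append(f"{label} unit mixes failover-link names {sorted(names)}")
    for key in sorted(set(a) | set(b)):
        if key == "lan unit" and key in a and key in b:   # the one line that must differ
            if a[key] == b[key]:
                problems.append("both units configured with the same role: " + a[key])
            continue
        if key not in b:
            problems.append("missing on new unit: " + a[key])
        elif key not in a:
            problems.append("extra on new unit: " + b[key])
        elif a[key] != b[key]:
            problems.append(f"mismatch: surviving has '{a[key]}', new has '{b[key]}'")
    return problems

def parse_show_failover(text):
    """Fields from `show failover` that decide whether the pair is healthy."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    return {
        "enabled": grab(r"^\s*Failover (On|Off)\b") == "On",
        "lan_state": grab(r"^\s*Failover LAN Interface: .*\((.*)\)"),
        "ours": grab(r"^\s*Version: Ours ([^,]+),"),
        "mate": grab(r"^\s*Version: Ours [^,]+, Mate (.+)$"),
        "other_host": grab(r"^\s*Other host: (.+)$"),
    }

def ha_problems(status):
    """Reasons the pair is not healthy; an empty list means it is."""
    problems = []
    if not status["enabled"]:
        problems.append("failover is Off on the surviving unit")
    if status["ours"] != status["mate"]:
        problems.append(f"software mismatch: ours {status['ours']}, mate {status['mate']}")
    if status["lan_state"] and not status["lan_state"].lower().startswith("up"):
        problems.append("failover LAN interface is " + status["lan_state"])
    if status["other_host"] and not status["other_host"].endswith("Standby Ready"):
        problems.append(f"peer is '{status['other_host']}', not Standby Ready")
    return problems

# `show run failover` on the surviving secondary (link name assumed 'fail' throughout).
SURVIVING_CONFIG = """\
failover
failover lan unit secondary
failover lan interface fail GigabitEthernet1/8
failover link fail GigabitEthernet1/8
failover interface ip fail 172.16.1.1 255.255.255.0 standby 172.16.1.2
"""
# The command list planned for the new unit, as typed in the thread.
PLANNED_NEW_CONFIG = """\
failover lan unit primary
failover lan interface fail eth 0/8
failover replication http
failover link fail1 eth 0/8
failover interface ip fail 172.16.1.1 255.255.255.0 standby 172.16.1.2
"""
# `show failover` on the surviving secondary while its peer is still failed.
SHOW_FAILOVER = """\
Failover On
Failover LAN Interface: fail GigabitEthernet1/8 (Failed - No Switchover)
Version: Ours 9.8(3)16, Mate 9.8(3)16
Other host: Primary - Failed
"""

if __name__ == "__main__":
    print(*compare_failover_config(SURVIVING_CONFIG, PLANNED_NEW_CONFIG), sep="\n")
    print(*ha_problems(parse_show_failover(SHOW_FAILOVER)), sep="\n")
```

Run as-is it prints the differences between the two command lists quoted above (interface naming, link naming, the extra replication line) and the reasons the surviving unit's status is not yet healthy. After the replacement unit has joined, paste a fresh `show failover` from the active unit and expect `ha_problems` to return an empty list before hooking up the data interfaces.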

5 Replies

balaji.bandi
Hall of Fame

Before introducing the Primary (failed unit) back into the network, you need to configure the basic config manually, then connect back the sync and other links.

Make sure you take a configuration backup of the box and keep it safe.

The guide below explains it clearly, step by step:

https://community.cisco.com/t5/security-documents/introducing-failed-primary-unit-back-in-the-ha-fail-over-pair/ta-p/3146927

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

1.  So make sure IOS is on the same version, and all licenses are the same. 

2.  Hook ethernet cable to port 8 on both ASAs

3.  Initiate failover commands on the new ASA:

failover lan unit primary

failover lan interface fail eth 0/8

failover key ! 'Not seeing a key'  --> Omit this line

failover replication http              

failover link fail1 eth 0/8

failover interface ip fail 172.16.1.1 255.255.255.0 standby 172.16.1.2

4.  Ping between the failover interfaces of the two ASAs, if successful, move to the next step.

5.  Enable failover on the new ASA:

failover

6.  After config has replicated from the Secondary (active) unit to the newly introduced ASA (Primary-Standby) unit, hook up the rest of the ethernet cables to the other interfaces on this new primary unit.

Sound right?  Can anyone else confirm?

Yes, it seems to be a reasonable approach; implement and advise. (Make sure you collect the logs and have console access so you can verify what the process is doing.)

Once the primary unit is in the failover domain, you can do a failover test and see that everything is working as expected.

BB


Ruben Cocheno
Spotlight

@BB34 

You need to set up the primary node with the following config:

failover lan unit primary
failover lan interface fail GigabitEthernet1/8
failover mac address GigabitEthernet1/1 0018.73d0018.195b.dc18
failover mac address GigabitEthernet1/2 0018.73d 0018.195b.0001
failover mac address GigabitEthernet1/3 0018.73d0018.195b.0002
failover link fail GigabitEthernet1/8
failover interface ip fail1 172.16.1.1 255.255.255.0 standby 172.16.1.2

Once you have all interfaces patched, including g1/8, you can run the following command: failover

At this point the secondary node will detect the primary one and replicate the config; you just need to wait a few seconds, then do show failover on the secondary firewall and confirm that the HA pair is healthy. If you want to test the failover by moving the service back to the primary node, run no failover active on the secondary node and it will trigger a failover to the other node.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

BB34
Level 1

Thanks Ruben. I assume there could be an ARP cache issue if the MAC changes, and that is why the failover MAC addresses are configured?
