Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1278
Views
5
Helpful
2
Replies

Procedure for Swapping out live firewalls in a failover pair

Go to solution
bbriggs
Level 1
Level 1

‎08-28-2018 10:47 AM - edited ‎02-21-2020 08:09 AM

Hi,

I have a task to swap-out  two ASA single-mode firewalls.

They are in a pair and neither has failed, this is merely a hardware upgrade.

I am tempted to failover i.e. enter "no failover active" and replace the Primary unit first.

However if I left the HA pair in their current configuration and replaced the Secondary, without failing over, the Primary should be able to keep working.

The firewalls should then sync from Primary to Secondary.

 

Once I replace the Primary I can then failover by entering "no failover active" and then replace the Secondary.

 

Is anyone aware of an official procedure to replace a failover pair where both are working?

 

Thanks

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ajay Saini
Level 7
Level 7

‎08-28-2018 01:47 PM

Hello,

 

As long as the hardware model is same, you can do what you have described. Going by the description, looks like you are doing a hardware upgrade, which means at one point of time primary and secondary firewalls will be different models. That is not supported for a failover replacement.

 

The best way for hardware upgrade would be to take a maintenance window and do it. Should not take more time. We can prepare a parallel setup and swap the firewalls out.

 

If the model is same, then you can follow the steps:

 

https://community.cisco.com/t5/security-documents/introducing-failed-primary-unit-back-in-the-ha-fail-over-pair/ta-p/3146927

 

HTH

AJ

 

 

View solution in original post

2 Replies 2

Go to solution
Ajay Saini
Level 7
Level 7

‎08-28-2018 01:47 PM

Hello,

 

As long as the hardware model is same, you can do what you have described. Going by the description, looks like you are doing a hardware upgrade, which means at one point of time primary and secondary firewalls will be different models. That is not supported for a failover replacement.

 

The best way for hardware upgrade would be to take a maintenance window and do it. Should not take more time. We can prepare a parallel setup and swap the firewalls out.

 

If the model is same, then you can follow the steps:

 

https://community.cisco.com/t5/security-documents/introducing-failed-primary-unit-back-in-the-ha-fail-over-pair/ta-p/3146927

 

HTH

AJ

 

 

Go to solution
bbriggs
Level 1
Level 1
In response to Ajay Saini

‎03-21-2019 03:47 AM

Thanks for your help,

 

Brian

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card