Alfred Berberich
Beginner

Replace primary ASA in an active/active cluster configuration

Hello

We had an active/active cluster, and the primary unit crashed and must be replaced.

The secondary is up and running.

The config on the active unit looks like this (failover is already deactivated):

ffm-sep-dc/sec/actNoFailover# sh run | grep fail
no failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/0
failover key *****
failover link failover GigabitEthernet0/0
failover interface ip failover 10.148.255.6 255.255.255.0 standby 10.148.255.7
failover group 1
failover group 2
join-failover-group 1

What I want to do is:

1. Set "no failover" on the now active firewall (former secondary)

2. Configure the brand new firewall like this:

failover lan unit primary
failover lan interface failover GigabitEthernet0/0
failover key test1234
failover link failover GigabitEthernet0/0
failover interface ip failover 10.148.255.6 255.255.255.0 standby 10.148.255.7
no shut
exit
failover

Questions:

  • I fear that an empty config will be synced from the brand new firewall to the active secondary. Can that happen?
  • Must I also execute the "failover" command on the "active secondary firewall"?

Best regards

Alfred

Philip D'Ath
Advisor

Do not, under any circumstances, type in "no failover".  You will be in a world of pain.

Second thing, make a backup of the config.

Plug in all the cables on the replacement unit, make sure all the interfaces are up, and put in the failover config as you have noted, and the new unit will get its config from the current unit.

interface gig0/0
no shut
failover lan unit primary
failover lan interface failover GigabitEthernet0/0
failover key test1234
failover link failover GigabitEthernet0/0
failover interface ip failover 10.148.255.6 255.255.255.0 standby 10.148.255.7

-Do not, under any circumstances, type in "no failover".-

Can you explain in depth which firewall needs a "no failover" or "failover" now, please?

At the moment the active secondary has a "no failover".

Do exactly what I said above, plug in all the cables, and put in the config I quoted in the new firewall.
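
An added example, not part of any post in this thread: a small Python check that compares the failover lines of the two units before the replacement is connected. The sample text is the `sh run | grep fail` output and the planned replacement config from the first post; the function names `parse` and `compare` are hypothetical.

```python
# Added example: compare the failover stanzas of two ASA units before pairing.
# Sample text is copied from the first post; parse/compare are hypothetical names.
SURVIVING = """\
no failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/0
failover key *****
failover link failover GigabitEthernet0/0
failover interface ip failover 10.148.255.6 255.255.255.0 standby 10.148.255.7
"""
REPLACEMENT = """\
failover lan unit primary
failover lan interface failover GigabitEthernet0/0
failover key test1234
failover link failover GigabitEthernet0/0
failover interface ip failover 10.148.255.6 255.255.255.0 standby 10.148.255.7
failover
"""
KEYS = ("lan unit", "lan interface", "interface ip", "link", "key")
MUST_MATCH = ("lan interface", "link", "interface ip")  # identical on both units

def parse(text):
    """Return {setting: value} for the failover lines of a running config."""
    cfg = {"enabled": False}
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("failover", "no failover"):
            cfg["enabled"] = line == "failover"
        for key in KEYS:
            if line.startswith(f"failover {key} "):
                cfg[key] = line[len(f"failover {key} "):].strip()
    return cfg

def compare(a_text, b_text):
    """List the points to resolve before the two units can form a pair."""
    a, b = parse(a_text), parse(b_text)
    findings = []
    if {a.get("lan unit"), b.get("lan unit")} != {"primary", "secondary"}:
        findings.append("unit roles are not one primary and one secondary")
    for key in MUST_MATCH:
        if a.get(key) != b.get(key):
            findings.append(f"'failover {key}' differs")
    if "*****" in (a.get("key"), b.get("key")):
        findings.append("failover key is masked in show run; confirm it out of band")
    elif a.get("key") != b.get("key"):
        findings.append("failover key differs")
    for name, cfg in (("first", a), ("second", b)):
        if not cfg["enabled"]:
            findings.append(f"failover is not enabled on the {name} unit")
    return findings
```

For the two configs above, `compare(SURVIVING, REPLACEMENT)` reports that the key on the surviving unit cannot be read back from `sh run` and that failover is currently disabled on that unit.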
