msompong1
Beginner

Replace the failed primary unit ASA in HA.

Hi All,

 

I've got the RMA unit ASA5506 (both the same ASA Version 9.6(1)). I've replaced the failed primary in the HA pair with this unit using the following steps.

1. Set up the failover interface

interface GigabitEthernet1/8
description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet1/8
failover link folink GigabitEthernet1/8
failover interface ip folink 1.1.1.1 255.255.255.0 standby 1.1.1.2

 

2. Connect the failover cable to the active/secondary firewall.

3. The blank configuration from the new unit overwrote the active/secondary.

4. I've disconnected the failover cable and rebooted the active/secondary as a temporary solution.

 

My question is: what is wrong in the replacement steps, and what is the best practice for this situation?

Thank you.

1 REPLY 1
Rob Ingram
VIP Mentor

Hi,

You should have configured the working ASA as primary and added the replacement ASA as secondary; this way the correct configuration would have been replicated to the replacement ASA.

 

The Cisco guide below covers the options you could have taken to re-introduce an ASA into an HA failover pair.

https://community.cisco.com/t5/security-documents/introducing-failed-primary-unit-back-in-the-ha-fail-over-pair/ta-p/3146927

 

HTH
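
The order of operations the reply describes, sketched as ASA CLI (an added example, not part of the original posts or the linked Cisco guide). It reuses the interface, link name and addresses from the question; the backup filename is a placeholder, and taking a backup first and leaving `failover` disabled on the replacement until the cable is connected are assumptions added here.

```text
! --- Surviving unit (currently active, holds the production configuration) ---
! Keep a copy of the running configuration before changing failover roles.
! The filename below is a placeholder.
copy running-config disk0:/pre-rma-backup.cfg
configure terminal
 failover lan unit primary
 end
write memory
!
! --- Replacement (RMA) unit, failover cable still disconnected ---
configure terminal
 interface GigabitEthernet1/8
  description LAN/STATE Failover Interface
  no shutdown
 failover lan unit secondary
 failover lan interface folink GigabitEthernet1/8
 failover link folink GigabitEthernet1/8
 failover interface ip folink 1.1.1.1 255.255.255.0 standby 1.1.1.2
 end
!
! --- Connect the failover cable, then enable failover on the replacement ---
configure terminal
 failover
 end
!
! --- Verify from either unit ---
show failover
! The surviving unit should be reported as Active and the replacement as
! Standby Ready once configuration replication has completed.
```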

 
