Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2751
Views
0
Helpful
4
Replies

Replacing dead primary ASA - what did I do wrong

Go to solution
Bram Van den Bosch
Level 1
Level 1

‎04-17-2014 04:36 AM - edited ‎03-11-2019 09:05 PM

Hi all,

I faced a problem when replacing a primary ASA with an RMA unit and want to know where I did go wrong.

This is what happened:

  • The secondary unit was active and had all the config.
  • Installed the new primary unit, configured fail over, connected the fail over interface to the existing secondary ASA.
  • Config synced from the RMA unit to the existing active secondary unit, basically wiped out all the config.

 

This is more detailed info of what I did:

  1. On the active standby unit, issue the 'no failover' command, followed by the 'failover' command and did a 'write memory'. I wanted to be sure that this is the first unit with the failover command entered, as i found in the documentation that he should then push its config.
  2. On the RMA unit: configured failover, configured it as primary.
  3. On the RMA unit: added description and 'no shut' command to the failover interface.
  4. On the RMA unit: issued the 'failover' command
  5. On the RMA unit: issued the 'write memory' command
  6. Connected the failover interfaces to each other
  7. Then the config synced in the wrong direction, from RMA to active standby unit

In the end I did fix it with erasing both units, configure failover from scratch and putting back the backup taken before the replacement.

But I want to avoid it in the future!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Bram Van den Bosch

‎04-17-2014 11:21 AM

The RMA unit did not need the step 2 "failover primary".

Then, after step 3, you would connect the failover interfaces to each other and the config should have synced in the proper direction (from Secondary - Active to Primary - Standby).

After that was confirmed to happen, you would then issue "write standby" from the Secondary-Active unit.

Finish up with a "failover" from Secondary-Active and you should have the end sate of Primary -Active and Secondary-Standby.

Don't forget to also copy any remote access VPN profiles, ASDM images., certificates, etc. that are outside the configuration but on disk0: and required.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-17-2014 08:59 AM

You should have done "write standby" from the Secondary-Active unit. That would push the proper running config into startup-config on the Primary-Standby unit.

Here's a link to the proper section of the Configuration Guide.

0 Helpful

Go to solution
Bram Van den Bosch
Level 1
Level 1
In response to Marvin Rhoads

‎04-17-2014 11:08 AM

Hi Marvin,

Thanks for the feedback.

When should I have done the 'write standby' command?

Right before connecting the failover link?

Because as soon as I connected the 2 the config sync did take place.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Bram Van den Bosch

‎04-17-2014 11:21 AM

The RMA unit did not need the step 2 "failover primary".

Then, after step 3, you would connect the failover interfaces to each other and the config should have synced in the proper direction (from Secondary - Active to Primary - Standby).

After that was confirmed to happen, you would then issue "write standby" from the Secondary-Active unit.

Finish up with a "failover" from Secondary-Active and you should have the end sate of Primary -Active and Secondary-Standby.

Don't forget to also copy any remote access VPN profiles, ASDM images., certificates, etc. that are outside the configuration but on disk0: and required.

0 Helpful

Go to solution
ChrisNewnham_
Level 1
Level 1
In response to Marvin Rhoads

‎05-02-2023 01:18 AM

Just sharing my experience here, but I believe "failover lan unit primary" IS required before configuring failover. I tested this myself, and if you don't configure the device as either primary or secondary, it won't join the failover group.

I believe the one step you missed off, was to disable the production interfaces either by disconnecting the cables or disabling the switch interfaces. I believe this is a CRUCIAL step!

Of course, Cisco could make this far far easier by jus having a failover priority value, like lots of other things do. But that would make everyone's life too easy  

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card