04-17-2014 04:36 AM - edited 03-11-2019 09:05 PM
Hi all,
I faced a problem when replacing a primary ASA with an RMA unit and want to know where I went wrong.
This is what happened:
This is more detailed info of what I did:
In the end I fixed it by erasing both units, configuring failover from scratch and putting back the backup taken before the replacement.
But I want to avoid it in the future!
04-17-2014 08:59 AM
You should have done "write standby" from the Secondary-Active unit. That would push the proper running config into startup-config on the Primary-Standby unit.
Here's a link to the proper section of the Configuration Guide.
04-17-2014 11:08 AM
Hi Marvin,
Thanks for the feedback.
When should I have done the 'write standby' command?
Right before connecting the failover link?
Because as soon as I connected the 2 the config sync did take place.
04-17-2014 11:21 AM
The RMA unit did not need the step 2 "failover primary".
Then, after step 3, you would connect the failover interfaces to each other and the config should have synced in the proper direction (from Secondary - Active to Primary - Standby).
After that was confirmed to happen, you would then issue "write standby" from the Secondary-Active unit.
Finish up with a "failover" from Secondary-Active and you should have the end state of Primary-Active and Secondary-Standby.
Don't forget to also copy any remote access VPN profiles, ASDM images, certificates, etc. that are outside the configuration but on disk0: and required.
05-02-2023 01:18 AM
Just sharing my experience here, but I believe "failover lan unit primary" IS required before configuring failover. I tested this myself, and if you don't configure the device as either primary or secondary, it won't join the failover group.
I believe the one step you missed off was to disable the production interfaces, either by disconnecting the cables or disabling the switch interfaces. I believe this is a CRUCIAL step!
Of course, Cisco could make this far, far easier by just having a failover priority value, like lots of other things do. But that would make everyone's life too easy.