Replacing primary ASA in H/A pair

shawnseter (Level 1)

Hey folks!

 

This weekend I will be replacing the primary ASA in my H/A pair of 5585Xs. What I mean by primary is that when I originally configured H/A, this unit was marked as the primary unit and the other as the secondary. Is there anyone here who has done this and can give me a brief rundown of the process? I will post my strategy as of right now below, step by step. If I'm doing something wrong, or missing something, please let me know.

1- Receive the new RMA unit. Upgrade the image to match that of the current active unit. Install the same license as the current active unit. Install any flash images, such as AnyConnect, directly on the new RMA unit.

2- Configure the same exact set of failover commands that is on the current (failing) primary to the new RMA unit.

3- In the datacenter, ensure that the Secondary unit is Active. Remove the failing unit. Remove all up-link and interface modules and insert them in the new RMA unit. Also take the SSP hard drive out of the failing one and insert it in the new one??

4- Rack the new RMA unit and connect all of the connections. Lastly, connect the failover cable and pray that the 'Secondary-Active' unit takes its config and writes it to the newly added 'Primary-Standby Ready' unit, and not the opposite, like I've seen happen to people.

How does that look? My two huge follow up questions are below:

1- Is it necessary to, once I remove the failing unit from the H/A cluster, make the current 'Secondary-Active' unit the Primary, and then configure the new RMA unit as the secondary? I just want to avoid all possibilities of the new RMA unit, with a blank config, overwriting my production firewall when they detect each other.

2- In step 3, is it necessary to also install the SSP of the failing unit in the new RMA unit? From what I've researched, the SSP is mostly used for IPS/IDS services, which we are not running in our datacenter.

Thank you very much in advance for the feedback.

Accepted Solution

Rahul Govindan (VIP Alumni)

1- Is it necessary to, once I remove the failing unit from the H/A cluster, make the current 'Secondary-Active' unit the Primary, and then configure the new RMA unit as the secondary? I just want to avoid all possibilities of the new RMA unit, with a blank config, overwriting my production firewall when they detect each other.

 

No need to change config. The secondary unit can remain secondary. There is no preempt concept with Active/Standby Failover. So when you add the RMA unit, it should find an Active (Secondary) unit and sync its config with the Secondary unit. The only thing you need to be careful about is having the right cabling done when adding the secondary device.

 

2- In step 3, is it necessary to also install the SSP of the failing unit in the new RMA unit? From what I've researched, the SSP is mostly used for IPS/IDS services, which we are not running in our datacenter.

 

I would say yes. Failover requires hardware parity between the 2 devices. Even though you are not using the SSP, you might want to keep both exactly the same. 

 

 


8 Replies


Thanks for the reply! So just to make sure, I don't have to change anything with the failover configuration, and when I add the new RMA unit, it will take the current "Secondary-Active" configuration, and apply it to itself? The Secondary-Active unit will also remain active?

The RMA unit will have the same failover configuration as the unit you will replace - Primary. The RMA unit will detect an Active mate and take over as Standby. At this point, the Secondary unit will be Active and RMA unit will be Primary - Standby Ready.

 

Once they sync up, you can switch roles so that the RMA unit becomes Primary - Active. 

Thanks again. I've read horror stories about some engineers doing this incorrectly, resulting in the RMA unit overwriting the current active unit with a blank configuration.

 

That would be a nightmare.

I have heard the same :) The main thing to be careful about is the cabling when you put the RMA unit back in. If that gets messed up in any way, then both units can become Active. When you finally fix the cabling, then the Primary (with a blank config) can take over as Active and sync its blank config back to the Secondary. 

 

My suggestion would be to keep CLI sessions to both devices on during this point. The CLI on the RMA unit should say "Detected an Active Mate" and then "Beginning configuration sync from Mate". 

So let's say SOMETHING goes wrong, and the blank config overwrites my production config. In theory, all I SHOULD have to do would be to break the H/A pair, and reboot the Secondary (With the production config), and it should come back up with the original config. Right?

 

You've been most helpful, thank you very much.

Yes, that should work. I guess you'll know pretty soon when all hell breaks loose in the datacenter. So, you should be able to break HA and add the secondary unit back with original startup config. 

 

Another option is to keep the primary config handy in case such a situation arises. All you have to do is paste the config on to your active unit and it should sync back up. 

My Primary firewall had issues and was replaced. I configured the new ASA with the exact same failover commands as the current Standby-Active ASA, except I added this command: "failover lan unit primary". I then powered it up and connected only the failover cable, and my ASA copied a blank config to the Standby (Active). I disconnected the failover cable and reloaded the Secondary-Active ASA, which brought my config back online. I then went on the Standby-Active ASA and configured it to be the Primary ASA by typing "failover lan unit primary".

I then added the reloaded replacement firewall, except this time I copied the failover commands but removed the line "failover lan unit primary". This time it synced fine and became the Secondary-Standby unit.
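As a worked example of what step 2 of the question and the accepted answer describe, here is the failover stanza as it would be staged on the RMA unit over console, followed by the parity checks, the state you expect to see once the failover link is cabled, and the recovery route the thread discusses. This is an added illustration, not configuration posted by anyone in this thread; the interface names FOVER and STATE, the GigabitEthernet0/3 and 0/4 ports, the 10.255.255.x addresses, the placeholder key and the backup file name are assumptions chosen for the example. The one ordering choice made here, enabling "failover" only after the link is cabled so the unit finds an Active mate at the moment it comes up, follows the accepted answer's point that two units which cannot see each other both go Active.

```text
! Staged on the RMA unit over console, with the failover link NOT yet cabled.
! Assumed: FOVER = GigabitEthernet0/3 (LAN failover link), STATE = GigabitEthernet0/4
! (stateful link), 10.255.255.0/30 and 10.255.255.4/30 for the two links, and the
! same failover key the surviving unit uses.
failover lan unit primary
! ^ the role the failed chassis held, as the accepted answer suggests keeping it.
!   The last reply in this thread reports that a unit staged as primary and powered
!   up before the failover cable was attached replicated its blank config to the
!   Active secondary, and that staging the RMA box as 'failover lan unit secondary'
!   worked on the second attempt. Keep console sessions open on both units either way.
failover lan interface FOVER GigabitEthernet0/3
failover link STATE GigabitEthernet0/4
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover interface ip STATE 10.255.255.5 255.255.255.252 standby 10.255.255.6
failover key <same-key-as-surviving-unit>
! 'failover' itself is deliberately NOT entered yet (see below).
write memory

! On the surviving (Secondary, Active) unit, before anything is cabled:
! confirm it is Active and keep a copy of the production config to restore from.
show failover state
copy running-config startup-config
copy running-config flash:/pre-rma-backup.cfg

! Parity check on both units: image and license (step 1 of the question) and
! installed modules such as the SSP (the accepted answer's hardware-parity point).
show version
show module

! Rack the RMA unit, cable everything including the failover link, THEN enable
! failover on the RMA unit so it detects the Active mate as it comes up.
failover
show failover
! Expected on the RMA unit once replication finishes:
!   This host: Primary - Standby Ready
!   Other host: Secondary - Active
show failover history

! Optional, once both sides show in sync: hand the Active role back to the Primary,
! as the accepted answer mentions. Run on the unit that should become Active.
failover active

! Recovery if the blank config replicated the wrong way (the route taken in the
! thread): unplug the failover link, then on the surviving unit reload so it boots
! from its untouched startup-config.
no failover
reload
! Alternative to reloading: merge the saved copy back and re-enable failover.
copy flash:/pre-rma-backup.cfg running-config
failover
```

Before cabling, compare "show version" and "show module" output from both chassis line by line rather than eyeballing them; failover will not form a healthy pair across mismatched images, licenses or module sets, and a half-formed pair is exactly the both-Active condition the accepted answer warns about.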

 

 
