Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
773
Views
10
Helpful
5
Replies

Trying to create a backup ASA 5505

Go to solution
Steve Krantzman
Level 1
Level 1

‎06-13-2013 04:10 PM - edited ‎03-11-2019 06:57 PM

I have a production ASA 5505 that is working perfectly. I wanted to take a spare ASA 5505 and copy the running config to it so that I would have a backup unit that could be swapped out if the production unit went down.

Both units have security plus and running 8.2(1). The only difference is that the production ASA has 512MB of RAM while the backup ASA has 256MB. Also the backup has anyconnect and the production unit does not.

I copied the running-config to my tftp server and then copied the running config from my tftp server to the backup ASA as startup-config. After reload the device booted with an identical configuration to my production ASA, but after swapping out the units to test it, I have no access to the WAN or DMZ from my LAN. Swapping back to the production unit and all works as it should.

I printed out the running config from both devices and compared them line by line. They are identical except for the anyconnect line on the backup ASAs config file.

I have never attempted this before, so I don't know if I have missed something.

Steve

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎06-13-2013 05:20 PM

Hello Steve,

Maybe an ARP problem, Did you clear the ARP table on the outside device (Modem,router,etc)

You can force the ASA to send a gratitous ARP by doing a shut, no shut on it's outside interface,

Let me know how it goes.

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎06-13-2013 05:20 PM

Hello Steve,

Maybe an ARP problem, Did you clear the ARP table on the outside device (Modem,router,etc)

You can force the ASA to send a gratitous ARP by doing a shut, no shut on it's outside interface,

Let me know how it goes.

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Steve Krantzman
Level 1
Level 1
In response to Julio Carvajal

‎06-13-2013 08:17 PM

jcarvaja,

Yup that was it. I tried the shut – no shut commands for the outside interface, but that did not help. Rebooting the modem/router is what did the trick.

This is very useful information as I want office staff to be able to swap out the ASAs if the production unit goes down while I am out of the office. Having them just reboot the modem in addition is no big deal, and anyone in my office could now probably make the switch if needed.

I know that having two units I should probably just configure the second one as a failover unit, but I don't have the time for that right now.

My next task is to upgrade the units. I assume that all I need to do is to upgrade the offline unit, and once that is complete and working, I can just upload the new asaXXX.bin and asdmXXX.bin files along with the new running-config file and I should be good to go. Is that correct? Also any recommendation on whether to go with 8.4(6) or 9.X(X)?

Thanks you very much.

Steve

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Steve Krantzman

‎06-13-2013 08:22 PM

Hello Steve,

Exactly, that looks good ( An upgrade while the unit is out of the network so u can test it afterwards)

Due to the major features provided on the 9.x versions I would go there, just make sure to read the release note before any upgrade so u can see open bugs ,etc so u can determine whether it affects u or not,

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
Steve Krantzman
Level 1
Level 1
In response to Julio Carvajal

‎06-13-2013 08:37 PM

jcarvaja,

I was leaning toward 9 but hadn't talked with anyone using it production. I always read the release notes on these but it helps to talk with some who has gone through the process already.  From what I have read it sound like either way, the huge change is in the difference between 8.2 and 8.3 and the whole NAT structure change.  Seeing I have to adjust either way, I guess I will go for the upgrade to 9 and get the most out of these units.

Thank you again for all your help and getting me around that sticking point.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Steve Krantzman

‎06-13-2013 08:43 PM

Hello Steve,

It's a pleasure to help,

Just for you to have it here is one link that I always recommend for the big change regarding Nat and ACLs,

Any other query you have, configuration assistance u can always contact me,

https://supportforums.cisco.com/docs/DOC-12690

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card