03-16-2015 01:37 PM - edited 03-07-2019 11:07 PM
Hello! We have 2 ASA 5520s in active/standby mode. Our standby device is having some hardware issues and we decided to replace it. The device is accessible. I was wondering what the easiest, no-downtime way to replace it is.
Can I export the config in the current device and import it into the new one and just replace the hardware? (obviously hardware/soft is the same version, etc). Will that work?
Thanks!
03-16-2015 01:48 PM
Remove the failed ASA
Configure failover only on the new ASA (make sure it's set to secondary)
Connect new ASA to Active ASA
The config will be sync'd from the current Active ASA to your new Secondary ASA
03-16-2015 05:43 PM
Collin has it right. You put only a very minimal config on the replacement ASA, and no export of the config is needed. When you connect the new replacement ASA to the running ASA they will negotiate their failover relationship and the new ASA will learn its config dynamically from the running ASA.
The other comment that I would add is that you may need to copy some files into the disk of the replacement ASA. In addition to the ASA code, consider the ASDM, the AnyConnect files if you use AnyConnect, and any other files that are needed for the operation of the ASA. Unlike the config, which is automatically copied from one ASA to the other, the other files must be manually copied onto the replacement ASA.
Also consider whether there were licenses applied to the old ASA which need to be installed on the replacement ASA. Since ASA license files are uniquely identified by the serial number of the ASA to which they are applied, you cannot simply copy the license from one ASA to another.
HTH
Rick
03-17-2015 04:58 AM
Thank you both (I will check the files that need to be copied).
So the minimal config can be this?
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description LAN/STATE Failover Interface
 management-only
!
failover
failover lan unit secondary
failover lan interface Failover_link Management0/0
failover link Failover_link Management0/0
failover interface ip Failover_link 10.10.10.1 255.255.0.0 standby 10.10.10.2
03-17-2015 05:20 AM
I am not sure but I wonder about the specification of management-only. If it were me I would remove that. Some versions of code do not allow using the management interface for failover, but if it is running that way on the existing ASAs then obviously it will be ok on the new unit.
The original post states that you are replacing the standby unit but was not clear whether that one is primary or secondary. I would point out the difference between active and standby vs primary and secondary. It is quite possible that the ASA that is in standby state is configured as the primary unit. I suggest that you use the command show failover and verify which role is configured on the ASA that you are replacing.
HTH
Rick
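Added example, not part of any post in this thread: a Python pre-check that applies the two points raised above, comparing the configured role reported by `show failover` on the unit being replaced with the replacement's `failover lan unit` line, and flagging `management-only` on the failover interface. The `show failover` text is constructed and abbreviated, the line formats it relies on are assumptions about that output, and the function names are illustrative.

```python
import re

# Constructed, abbreviated `show failover` output from the unit to be replaced.
SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: Failover_link Management0/0 (up)
        This host: Secondary - Standby Ready
        Other host: Primary - Active
"""

# Failover-related lines of the minimal config proposed in the thread.
NEW_CONFIG = """\
interface Management0/0
 description LAN/STATE Failover Interface
 management-only
!
failover
failover lan unit secondary
failover lan interface Failover_link Management0/0
"""

def parse_show_failover(text):
    """Return (configured unit role, runtime state) of the queried unit."""
    unit = re.search(r"^Failover unit (\w+)", text, re.M)
    host = re.search(r"^\s*This host: \w+ - (.+?)\s*$", text, re.M)
    if not unit or not host:
        raise ValueError("unrecognised show failover output")
    return unit.group(1).lower(), host.group(1).lower()

def parse_new_config(text):
    """Return (unit role, failover interface, management-only interfaces)."""
    role = re.search(r"^failover lan unit (\w+)", text, re.M)
    link = re.search(r"^failover lan interface \S+ (\S+)", text, re.M)
    mgmt = re.findall(r"^interface (\S+)\n(?: .*\n)*? +management-only", text, re.M)
    return (role and role.group(1).lower(), link and link.group(1), set(mgmt))

def precheck(show_failover, new_config):
    """List mismatches between the unit being replaced and its replacement."""
    old_role, old_state = parse_show_failover(show_failover)
    new_role, link, mgmt_only = parse_new_config(new_config)
    findings = []
    if old_state.startswith("active"):
        findings.append("unit to be replaced is active, not standby")
    if new_role != old_role:
        findings.append(f"replacement is '{new_role}' but old unit is '{old_role}'")
    if link in mgmt_only:
        findings.append(f"{link} is the failover link and has management-only")
    return findings
```

An empty list means the replacement's role matches the old unit and nothing needs a second look; each finding is a prompt to compare against the running unit before connecting the failover link.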
03-17-2015 05:34 AM
Thanks for the quick response. The ASA that is failing is in standby and has the following line:
failover lan unit secondary
After much testing we were able to use the management interface for failover heartbeat.
Nicolas
03-17-2015 06:09 AM
Nicolas
The additional information is helpful. I pointed out the potential issue of active/standby vs primary/secondary because I thought that the original description was not really clear about it, and because I have had the experience where people took action on what they thought was the relationship without really checking to be sure which unit had which role.
I am glad that your current ASAs support using the management interface for failover. I would check the config of the current ASA to see whether the management-only is still in the config or was removed.
Otherwise it looks like you should be good to go.
HTH
Rick
03-17-2015 06:12 AM
Thanks! The change is for Easter weekend!
03-17-2015 06:19 AM
Nicolas
I am glad that our suggestions have been helpful. Thank you for using the rating system to mark our responses. This helps other readers in the forum to identify discussions that have helpful information.
I believe that you are in good shape for the replacement of your ASA. I hope that it goes well.
HTH
Rick