Hello! We have 2 ASAs 5520 in active/standby mode. Our standby device is having some hardware issues and decided to replace it. The device is accesible. I was wondering the easiest/no downtime way to replace it.
Can I export the config in the current device and import it into the new one and just replace the hardware? (obviously hardware/soft is the same version, etc). Will that work? Thanks!
The additional information is helpful. I pointed out the potential issue of active/standby vs primary/secondary because I thought that the original description was not really clear about it, and because I have had the experience where people took action on what they thought was the relationship without really checking to be sure which unit had which role.
I am glad that your current ASAs support using the management interface for failover. I would check the config of the current ASA to see whether the management-only is still in the config or was removed.
Collin has it right. You put only a very minimal config on the replacement ASA, and no export of the config is needed. When you connect the new replacement ASA to the running ASA they will negotiate their failover relationship and the new ASA will learn its config dynamically from the running ASA.
The other comment that I would add is that you may need to copy some files into the disk of the replacement ASA. In addition to the ASA code consider the ASDM, if you use AnyConnect the AnyConnect files, and any other files that are needed for the operation of the ASA. Unlike the config which is automatically copied from one ASA to the other the other files must be manually copied onto the replacement ASA.
Also consider whether there were licenses applied to the old ASA which need to be installed on the replacement ASA. Since ASA license files are uniquely identified by the serial number of the ASA to which they are applied you can not simply copy the license from one ASA to another.
Thank you both (I will check the files that need to be copied).
So the minimal config can be this?
interface GigabitEthernet0/0 no nameif no security-level no ip address ! interface GigabitEthernet0/1 no nameif no security-level no ip address ! interface GigabitEthernet0/2 no nameif no security-level no ip address ! interface GigabitEthernet0/3 no nameif no security-level no ip address ! interface Management0/0 description LAN/STATE Failover Interface management-only !
failover failover lan unit secondary failover lan interface Failover_link Management0/0 failover link Failover_link Management0/0 failover interface ip Failover_link 10.10.10.1 255.255.0.0 standby 10.10.10.2
I am not sure but I wonder about the specification of management-only. If it were me I would remove that. Some versions of code do not allow using the management interface for failover, but if it is running that way on the existing ASAs then obviously it will be ok on the new unit.
The original post states that you are replacing the standby unit but was not clear whether that one is primary or secondary. I would point out the difference between active and standby vs primary and secondary. It is quite possible that the ASA that is in standby state is configured as the primary unit. I suggest that you use the command show failover and verify which role is configured on the ASA that you are replacing.
The additional information is helpful. I pointed out the potential issue of active/standby vs primary/secondary because I thought that the original description was not really clear about it, and because I have had the experience where people took action on what they thought was the relationship without really checking to be sure which unit had which role.
I am glad that your current ASAs support using the management interface for failover. I would check the config of the current ASA to see whether the management-only is still in the config or was removed.
I am glad that our suggestions have been helpful. Thank you for using the rating system to mark our responses. This helps other readers in the forum to identify discussions that have helpful information.
I believe that you are in good shape for the replacement of your ASA. I hope that it goes well.
HTH
Rick
HTH
Rick
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
