How to Replace Failed ASA in Active/Standby HA Setup

Looking for the quick and clean way of replacing a failed Cisco ASA in an active/standby HA pair without breaking production traffic?

You’re in the right place.

On the surface this seems like a daunting task but it’s actually quite simple and quick.

Prerequisites

Before we get started, we need to lay out some requirements:

  1. You have your shiny new replacement firewall.
  2. It’s the same make and model as the active unit running in production.
  3. It has the same licensing as the active unit.
  4. It’s on the same version of code as the active unit.
  5. You have a rollover cable and an application such as PuTTY for console access to the new firewall.
  6. You have a TFTP server application or a FAT32-formatted USB drive available to transfer software and configs.

All good? Great! Let’s proceed.

How to Add a New ASA to a Failed Active/Standby HA Pair

  1. On the live active failover unit, make a backup of the running config by either transferring it via TFTP or copying it to a USB drive inserted into the unit. This is just a failsafe.
  2. On the live active failover unit, enter enable mode in the CLI and run the command “show run failover” and save the output to a text file.
    NPGFW1# show run failover
    failover
    failover lan unit secondary
    failover lan interface folink GigabitEthernet1/8
    failover link statelink GigabitEthernet1/7
    failover interface ip folink 172.30.1.1 255.255.255.252 standby 172.30.1.2
    failover interface ip statelink 172.30.1.5 255.255.255.252 standby 172.30.1.6
    failover ipsec pre-shared-key *****
    no failover wait-disable
  3. On the live active failover unit, run the command “show version” and save the output to a text file.
    NPGFW1# show version
  4. Rack the new ASA but leave all networking cables unplugged and power it on.
  5. When asked if you want to enter the initial configuration wizard, say no.
    Pre-configure Firewall now through interactive prompts [yes]? no
  6. Enter enable mode and set an enable password when prompted.
  7. Verify the new ASA is running the same software version and licensing features as the active failover unit by running the command “show version” and comparing the output to what you saved earlier.
    ciscoasa# show version
  8. If either differs, correct that before proceeding. I won’t cover that as I assume you know how to upgrade/downgrade ASA software. If everything matches up, proceed.
  9. Enter configuration mode and set the “failover lan unit” role by looking at the “show run failover” output you saved from the live unit in step 2 and choosing the opposite designation. For example, if the live unit has “failover lan unit secondary” in its config, enter “failover lan unit primary” on the new unit:
    ciscoasa# conf t
    ciscoasa(config)# failover lan unit primary
  10. Copy the rest of the failover config from the live unit to the new unit. Note that “show run” masks the failover pre-shared key as *****, so you must type the real key here; if the keys differ, the two units will never pair. In my case this is:
    ciscoasa(config)# failover lan interface folink GigabitEthernet1/8
    ciscoasa(config)# failover link statelink GigabitEthernet1/7
    ciscoasa(config)# failover interface ip folink 172.30.1.1 255.255.255.252 standby 172.30.1.2
    ciscoasa(config)# failover interface ip statelink 172.30.1.5 255.255.255.252 standby 172.30.1.6
    ciscoasa(config)# failover ipsec pre-shared-key *****
  11. Connect the failover link and the state link from the live firewall to the new replacement unit. Depending on your setup these may be a single interface and cable, since it is optional to run the failover link and state link on separate interfaces.
  12. Enable the interfaces you connected on the new unit by running the “no shut” command for each interface.
  13. On the new replacement unit, enter the command “failover” and watch as the active unit detects the new unit and replicates the config to it. The prompt takes on the live unit’s hostname once the config has been received.
    ciscoasa(config)# failover
    ciscoasa(config)# exit
    ciscoasa#
    Beginning configuration replication: Sending to mate.
    End Configuration Replication to mate
    NPGFW1#
  14. Verify everything is correct on the new unit by running the commands “show failover state” and “show run”. The new unit should report Standby Ready and its running config should match the live unit.
    NPGFW1# show failover state
  15. If everything looks right, connect the remaining interfaces on your firewall. Do this only after the new unit has synced, so that the unit going live on the data network already carries the full config.

At this point you should have a healthy active/standby HA pair. You can either leave it at this point or change which firewall is the active member depending on your preferences.
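As an added example (not code from the original article), here is a small Python helper that automates the two paper-and-pen checks in the procedure: comparing the saved “show version” output from the live unit with the replacement’s output (step 7), and deriving the failover bootstrap commands for the new unit from the live unit’s “show run failover” output with the lan unit role flipped and the masked pre-shared key flagged (steps 9 and 10). The sample outputs are constructed to mirror the NPGFW1 device in the article; the version strings and the trimmed licence table are assumptions.

```python
"""
Helpers for the two manual checks in the ASA replacement procedure:
1. does the replacement match the live unit's software version and
   licensed features (`show version`)?
2. what failover bootstrap does the replacement need, given the live
   unit's `show run failover` output?

Added example, not code from the original article. All sample outputs
below are constructed to mirror the article's NPGFW1 device.
"""
import re

# Constructed sample: `show run failover` captured from the live active unit.
LIVE_FAILOVER = """\
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet1/8
failover link statelink GigabitEthernet1/7
failover interface ip folink 172.30.1.1 255.255.255.252 standby 172.30.1.2
failover interface ip statelink 172.30.1.5 255.255.255.252 standby 172.30.1.6
failover ipsec pre-shared-key *****
no failover wait-disable
"""

# Constructed sample: `show version` from the live unit, trimmed to the
# version line and a few licence rows. Version and rows are assumptions.
LIVE_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual

Configuration register is 0x1
"""
# Hypothetical replacement: older code and no 3DES/AES licence.
NEW_VERSION = re.sub(r"(Encryption-3DES-AES\s*:\s*)Enabled", r"\1Disabled",
                     LIVE_VERSION.replace("9.12(4)", "9.8(4)"))


def parse_show_version(output):
    """Pull the software version and the licensed-feature table out of
    `show version` output. A feature's value is the first token after the
    colon (Enabled / Disabled / Unlimited / 100 / ...)."""
    info = {"version": None, "features": {}}
    in_table = False
    for line in output.splitlines():
        m = re.match(r"Cisco Adaptive Security Appliance Software Version (\S+)", line)
        if m:
            info["version"] = m.group(1)
        elif line.startswith("Licensed features for this platform"):
            in_table = True
        elif in_table:
            m = re.match(r"(\S.*?)\s*:\s*(\S+)", line)
            if m:
                info["features"][m.group(1)] = m.group(2)
            elif info["features"]:
                in_table = False  # first non-matching line ends the table
    return info


def version_mismatches(live_output, new_output):
    """Return (item, live_value, new_value) for every difference in software
    version or licensed features. An empty list means step 7 passes."""
    live, new = parse_show_version(live_output), parse_show_version(new_output)
    diffs = []
    if live["version"] != new["version"]:
        diffs.append(("Software Version", live["version"], new["version"]))
    for feature, value in live["features"].items():
        if new["features"].get(feature) != value:
            diffs.append((feature, value, new["features"].get(feature)))
    return diffs


ROLE_RE = re.compile(r"failover lan unit (primary|secondary)")
KEY_RE = re.compile(r"(failover (?:ipsec pre-shared-key|key)) \*+")


def replacement_failover_config(live_output, psk=None):
    """Derive the bootstrap commands for the replacement unit.

    - the bare `failover` line is left out: it is entered by hand, last,
      once the failover/state links are cabled and enabled;
    - `failover lan unit` is flipped to the opposite role;
    - `show run` masks the failover key as *****; it is substituted with
      `psk` when given, otherwise copied through and a warning returned,
      because a wrong or missing key means the units will never pair.
    Returns (commands, warnings).
    """
    commands, warnings = [], []
    for raw in live_output.splitlines():
        line = raw.strip()
        if not line or line == "failover":
            continue
        m = ROLE_RE.fullmatch(line)
        if m:
            role = "primary" if m.group(1) == "secondary" else "secondary"
            commands.append(f"failover lan unit {role}")
            continue
        m = KEY_RE.fullmatch(line)
        if m:
            if psk:
                commands.append(f"{m.group(1)} {psk}")
            else:
                warnings.append(f"'{line}' is masked in show run output; "
                                "enter the real key on the new unit")
                commands.append(line)
            continue
        commands.append(line)
    return commands, warnings


if __name__ == "__main__":
    for item, live, new in version_mismatches(LIVE_VERSION, NEW_VERSION):
        print(f"MISMATCH {item}: live={live} new={new}")
    cmds, warns = replacement_failover_config(LIVE_FAILOVER)
    print("\n".join(["conf t"] + cmds))
    for w in warns:
        print("WARNING:", w)
```

Run it against the two saved text files instead of the constructed strings, and paste the printed commands into the new unit's config mode. The key warning is deliberate: the script never tries to recover the masked value, so you are forced to enter the real pre-shared key by hand.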
