How to Replace a Failed ASA in an Active/Standby HA Setup

Looking for a quick and clean way to replace a failed ASA in an active/standby HA pair without breaking production traffic?

You’re in the right place.

On the surface this seems like a daunting task, but it’s actually quite simple and quick.

Before we get started, we need to lay out some requirements:

  1. You have your shiny new replacement firewall.
  2. It’s the same make and model as the active unit running in production.
  3. It has the same licensing as the active unit.
  4. You have a rollover cable and an application such as PuTTY for console access to the new firewall.
  5. You have a TFTP server application (I use the Free TFTP Server from Solarwinds) or a FAT32-formatted USB drive available to transfer software and configs.

All good? Great! Let’s proceed.

How to Add a New ASA to a Failed Active/Standby HA Pair

  1. On the live active failover unit, make a backup of the running config by either transferring it via TFTP or copying it to a USB drive inserted into the unit. This is just a failsafe. Situations like this are why I highly recommend running a product like Solarwinds NCM that routinely backs up your networking equipment for you without intervention.
  2. On the live active failover unit, enter enable mode and run the command “show run failover” and save the output to a text file.
    NPGFW1# show run failover
    failover lan unit secondary
    failover lan interface folink GigabitEthernet1/8
    failover link statelink GigabitEthernet1/7
    failover interface ip folink standby
    failover interface ip statelink standby
    failover ipsec pre-shared-key *****
    no failover wait-disable
  3. On the live active failover unit, run the command “show version” and save the output to a text file.
    NPGFW1# show version
  4. Rack the new ASA but leave all networking cables unplugged and power it on.
  5. When asked if you want to enter the initial configuration wizard, say no.
    Pre-configure Firewall now through interactive prompts [yes]? no
  6. Enter enable mode and enter a password for enable mode when prompted.
  7. Verify the new ASA is running the same software version and licensing features as the active failover unit by running the command “show version” and comparing the output to what you saved earlier.
    ciscoasa# show version
  8. If either differs, correct that before proceeding. I won’t cover that as I assume you know how to upgrade/downgrade ASA software. If everything matches up, proceed.
  9. Enter configuration mode and set the failover lan unit designation by looking at the “show run failover” output you saved from the live unit in step 2 and choosing the opposite designation. For example, if the live unit has “failover lan unit secondary” in its config, enter “failover lan unit primary” on the new unit.
    ciscoasa# conf t
    ciscoasa(config)# failover lan unit primary
  10. Copy the rest of the failover config from the live unit to the new unit. Note that “show run” masks the failover key as *****, so type the real key (from wherever you keep secrets) in its place; if the keys don’t match, the two units will never pair. In my case this is:
    ciscoasa(config)# failover lan interface folink GigabitEthernet1/8
    ciscoasa(config)# failover link statelink GigabitEthernet1/7
    ciscoasa(config)# failover interface ip folink standby
    ciscoasa(config)# failover interface ip statelink standby
    ciscoasa(config)# failover ipsec pre-shared-key *****
  11. Connect the failover link and state link from the live firewall to the new replacement unit. Depending on your setup, these may be a single interface and cable, since running the failover link and the state link on separate interfaces is optional. Keep this link direct or on an isolated VLAN: the full configuration, credentials included, is replicated over it, and the “failover ipsec pre-shared-key” is what keeps that traffic encrypted.
  12. Enable the interfaces you connected on the new unit by running the “no shut” command for each interface.
  13. On the new replacement unit, enter the command “failover” and watch as the active unit detects the new unit and replicates the config to it.
    ciscoasa(config)# failover
    ciscoasa(config)# exit
    ciscoasa# Beginning configuration replication: Sending to mate.
    End Configuration Replication to mate
  14. Verify everything is correct on the new unit by running the commands “show failover state” and “show run”. You want one unit reported as Active, the other as Standby Ready, and the configuration state as Sync Done.
    NPGFW1# show failover state
  15. If everything looks right, connect the remaining interfaces on your firewall.
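As an added example (this is not code from the original post), here is a small Python helper that automates the checks in the procedure: it compares the two “show version” outputs from step 7, turns the saved “show run failover” output from step 2 into the commands for steps 9 and 10 with the unit designation flipped and the masked key replaced by the real one, and reads “show failover state” to confirm the pair is healthy. The CLI outputs embedded in it are constructed samples modeled on the ASA output layout; the 192.0.2.x link addresses are hypothetical, since the post redacts them.

```python
"""Helpers for the replacement walkthrough above (added example, not from the
original post): build the bootstrap failover config for the replacement unit
from the survivor's `show run failover`, compare `show version` fingerprints,
and check the pair's state once the new unit has joined. All CLI output below
is constructed; the link addresses are hypothetical."""
import re
from typing import List, Optional

# Constructed: the survivor's `show run failover` (step 2). The ASA masks the
# pre-shared key; the 192.0.2.x addresses are hypothetical.
SURVIVOR_FAILOVER = """\
failover lan unit secondary
failover lan interface folink GigabitEthernet1/8
failover link statelink GigabitEthernet1/7
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover interface ip statelink 192.0.2.5 255.255.255.252 standby 192.0.2.6
failover ipsec pre-shared-key *****
no failover wait-disable
"""

# Constructed `show version` excerpts: matching hardware, mismatched software.
SURVIVOR_VERSION = "Cisco Adaptive Security Appliance Software Version 9.12(4)\nHardware:   ASA5516, 8192 MB RAM\n"
NEW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.8(4)\nHardware:   ASA5516, 8192 MB RAM\n"

# Constructed `show failover state` after the replacement joined as standby,
# modeled on the ASA output layout.
JOINED_STATE = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Standby Ready  None
Other host -   Secondary
               Active         None

====Configuration State===
\tSync Done
====Communication State===
\tMac set
"""

MASKED = "*****"
KEY_CMDS = ("failover ipsec pre-shared-key", "failover key")
COPY_VERBATIM = ("failover lan interface ", "failover link ", "failover interface ip ")


def same_platform(survivor_show_version: str, new_show_version: str) -> bool:
    """Step 7: software version and hardware model must match before pairing."""
    def fingerprint(text: str):
        sw = re.search(r"Software Version (\S+)", text)
        hw = re.search(r"^Hardware:\s+([^,\s]+)", text, re.M)
        return (sw and sw.group(1), hw and hw.group(1))
    a, b = fingerprint(survivor_show_version), fingerprint(new_show_version)
    return a == b and None not in a


def peer_bootstrap(show_run_failover: str, real_key: Optional[str]) -> List[str]:
    """Steps 9-10: config-mode lines to type on the replacement unit.

    Flips the unit designation, copies the link and IP lines verbatim, and
    substitutes the real key where the ASA printed *****; a mismatched key
    means the units never pair, so a missing key is an error. The final
    `failover` enable is left to the operator until the links are cabled.
    """
    out: List[str] = []
    for raw in show_run_failover.splitlines():
        line = raw.strip()
        if line.startswith("failover lan unit "):
            unit = line.rsplit(" ", 1)[1]
            out.append("failover lan unit " + ("primary" if unit == "secondary" else "secondary"))
        elif line.startswith(KEY_CMDS):
            cmd, value = line.rsplit(" ", 1)
            if value == MASKED:
                if real_key is None:
                    raise ValueError(f"'{cmd}' is masked in show run; supply the real key from your vault")
                value = real_key
            out.append(f"{cmd} {value}")
        elif line.startswith(COPY_VERBATIM):
            out.append(line)
        # Defaults such as `no failover wait-disable` need not be copied.
    return out


def failover_healthy(show_failover_state: str) -> bool:
    """Verification step: one Active, one Standby Ready, and config sync done."""
    lines = show_failover_state.splitlines()
    states = []
    for i, line in enumerate(lines[:-1]):
        if line.startswith(("This host", "Other host")):
            # The state sits on the following line, padded with spaces.
            states.append(lines[i + 1].strip().split("  ")[0])
    return sorted(states) == ["Active", "Standby Ready"] and "Sync Done" in show_failover_state


if __name__ == "__main__":
    print("platform match:", same_platform(SURVIVOR_VERSION, NEW_VERSION))
    for cmd in peer_bootstrap(SURVIVOR_FAILOVER, real_key="<key-from-vault>"):
        print(cmd)
    print("pair healthy:", failover_healthy(JOINED_STATE))
```

Paste the real “show run failover” text into SURVIVOR_FAILOVER and the real key into the real_key argument; the script refuses to emit a config with a masked key, which is the mistake that leaves the new unit unable to join.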

At this point you should have a healthy active/standby HA pair. Because ASA failover does not preempt, the surviving unit stays active and the replacement sits as standby even though it is designated primary. You can leave it that way or run “failover active” on the replacement to make it the active member, depending on your preferences.

Recommended for You: Solarwinds Network Configuration Manager (NCM)

What would you do if one of your pieces of networking equipment failed? Could you rebuild it quickly? Do you know exactly what configuration it had? What ports were on what vlan? What about port channels?

You get the point.

Automate backing up configurations and updating of all your switching, routing, and firewall equipment without needing to know a single line of code with Solarwinds Network Configuration Manager.

This is one of those tools that pays for itself in man hours the first time you need to rely on it. Plus, you’ll sleep easier knowing you really have backed up all the things.

Chase Smith, CCNP

Chase Smith, CCNP is a Network Engineer III who has spent the last decade elbow deep in enterprise system administration and networking. He can usually be found trying to warm up behind the storage in the datacenter.
