In my day-to-day I do a lot with Cisco technology and I tend to forget some of the commands I use, so I thought I would start to put a few more bits on the blog. Hence this post. I will admit that there is a lot on the web about this subject, but I found a couple of gotchas that I thought were worth documenting.
First point to note: if you have any advanced licensing that is not covered by a SmartNet contract, you will be in trouble, because the replacement unit ships with no licenses and you cannot reassign licenses in the Cisco portal if the unit is not paired to a SmartNet. I like to think of the license as an OEM license that lives and dies with the machine.
Make sure that the new unit has the same amount of RAM, as the two units will not pair up if the RAM does not match. The same goes for the ASA OS version. In our case Cisco actually shipped one with a matching OS.
Not knowing how your ASA died, I will detail two processes for bringing the ASA back online. I am only talking about bringing an Active/Standby pair back online.
First the simple one. Your ASA died and was shipped out, so you have a new device with no config.
Check that your current live ASA has failover enabled and whether it is the primary or the secondary.
Run show run failover:
ASA01# show run failover
failover   {denotes that failover is enabled}
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover link failover GigabitEthernet0/2
failover interface ip failover 172.16.100.100 255.255.0.0 standby 172.16.100.101
If it is not the primary, make it the primary with the command failover lan unit primary.
Take your new ASA and perform the following steps. Please note I am not going to detail all the commands for these steps.
1. Install your licenses.
2. Configure your host name.
3. Select your interfaces for Outside, Inside and Failover. I would match your other ASA if I were you. Label the ports with a description and enable them.
4. Configure your failover interface (and the failover link, if the live unit has one) to match the live unit: failover lan interface if_name phys_interface, e.g. failover lan interface failover GigabitEthernet0/2 as in the output above.
5. Configure the active and standby IPs for the failover interface, again matching the live unit: failover interface ip failover 172.16.100.100 255.255.0.0 standby 172.16.100.101
6. Configure the device to be the secondary: failover lan unit secondary
7. Enable failover with the command failover.
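As an added example (not from the original post), a small Python pre-check that parses the live unit's show run failover output as quoted above, confirms it is an enabled primary with distinct active/standby addresses, and emits the matching failover lines for the replacement unit. The sample output is constructed from the post, and the command syntax is the one shown on this page.

```python
import re
# Constructed sample input: the "show run failover" output quoted in the post
# (the author's brace annotation removed so it reads as the ASA prints it).
PRIMARY_SHOW_RUN_FAILOVER = """\
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover link failover GigabitEthernet0/2
failover interface ip failover 172.16.100.100 255.255.0.0 standby 172.16.100.101
"""

def parse_failover(text):
    """Pull the failover settings out of 'show run failover' output."""
    cfg = {"enabled": False, "unit": None, "lan_if": None, "link_if": None, "ip": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "failover":  # a bare 'failover' line means it is enabled
            cfg["enabled"] = True
        elif m := re.match(r"failover lan unit (primary|secondary)$", line, re.I):
            cfg["unit"] = m.group(1).lower()
        elif m := re.match(r"failover lan interface (\S+) (\S+)$", line, re.I):
            cfg["lan_if"] = (m.group(1), m.group(2))
        elif m := re.match(r"failover link (\S+) (\S+)$", line, re.I):
            cfg["link_if"] = (m.group(1), m.group(2))
        elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line, re.I):
            cfg["ip"] = m.groups()
    return cfg

def secondary_config(primary):
    """Check the survivor is a usable primary; return (commands for the replacement, problems)."""
    problems = []
    if not primary["enabled"]:
        problems.append("surviving unit does not have failover enabled")
    if primary["unit"] != "primary":
        problems.append("surviving unit is not primary: run 'failover lan unit primary' on it first")
    if not (primary["lan_if"] and primary["ip"]):
        problems.append("failover interface or its active/standby IPs are missing")
    elif primary["ip"][1] == primary["ip"][3]:
        problems.append("active and standby failover IPs must differ")
    if problems:
        return None, problems
    name, phys = primary["lan_if"]
    link_name, link_phys = primary["link_if"] or primary["lan_if"]
    ifname, active, mask, standby = primary["ip"]
    # Same interface, link and IP lines as the primary; only the unit role differs.
    return [f"failover lan interface {name} {phys}",
            f"failover link {link_name} {link_phys}",
            f"failover interface ip {ifname} {active} {mask} standby {standby}",
            "failover lan unit secondary",
            "failover"], problems
```

Paste the returned lines into the replacement unit's config only after the licence, RAM and OS checks from the top of the post have passed.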
Now we had a scenario where it was just the power supply that had died; we swapped that out and powered the device back on. All our config was still there, but before making it live we took some additional steps to ensure that no complications occurred.
1. In our case it was the primary that failed, so using a terminal connection we hopped on and took a look at what was going on.
2. Firstly we turned failover off using the command no failover.
3. Then we set the unit to be the secondary with failover lan unit secondary.
4. We then set our current active unit to be the primary with failover lan unit primary.
5. We then plugged in the failover interface and enabled failover on the now secondary unit; within a few seconds they saw each other and paired up. This was the output that we observed:
ASA01(config)# failover
ASA01(config)# Failover LAN became OK
Switchover enabled
Configuration has changed, replicate from mate.
Detected an Active mate
Beginning configuration replication from mate.
INFO: Specified entry already exists in access-list “XXXXXXX”
INFO: Specified entry already exists in access-list “XXXXXXX”
End configuration replication from mate.
6. We then brought each interface up, first the inside and then the outside.
7. A show failover state confirmed that we were back in business.