Cisco ASA Firewall Cluster Member Replacement

April 8, 2018 | Filed Under: Cisco ASAHow To

So one of your firewalls in your highly available cluster died. It happens. It’s not your fault. But, you have to put humpty dumpty back together again. Do it the wrong way, and you can erase your configuration and bring the cluster down!

Prepare for Success

  1. Backup current configuration:
  2.  Use the more system:running-config command
    b.      Certificates (if required)
    2.      No network connectivity:
    a.      Logically shutdown switchports
    3.      Matching:
    a.      Exact same hardware, software version, and license as the other cluster member
    4.      Rack & stack new hardware.
    5.      Connect all cables.
    6.      Console connectivity.
    7.      Commands:

    failover lan unit <primary|secondary>
    failover lan interface <interface name> <physical interface>
    failover link <interface name> <physical interface>
    failover interface ip <interface name> <IP> <SUBNET> standby <IP>
    interface <physical interface>
    no shut

The Main Event

  1. Login to the replacement firewall via console.
  2. Paste your prepared commands.
  3. Verify failover status.
  4. Unshut switchports
  5. Verify connectivity, failover, connections, VPNs, xlate, etc
  6. Congratulations, you just leveled up! 👾
Tags: ,