Cisco ASA Firewall Cluster Member Replacement

So one of the firewalls in your highly available cluster died. It happens. It’s not your fault. But you have to put Humpty Dumpty back together again. Do it the wrong way, and you can erase your configuration and bring the cluster down!

Prepare for Success

  1. Back up current configuration:
    a.      Use the more system:running-config command
    b.      Certificates (if required)
  2. No network connectivity:
    a.      Logically shut down switchports
  3. Matching:
    a.      Exact same hardware, software version, and license as the other cluster member
  4. Rack & stack new hardware.
  5. Connect all cables.
  6. Console connectivity.
  7. Commands:

    failover lan unit <primary|secondary>
    failover lan interface <interface name> <physical interface>
    failover link <interface name> <physical interface>
    failover interface ip <interface name> <IP> <SUBNET> standby <IP>
    interface <physical interface>
    no shut
    exit
    failover
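
One way to prepare the command block from item 7 ahead of time, as an added example that is not part of the original article: a Python helper that fills in the template above and rejects addressing mistakes before anything is pasted into the console. The function name, interface name, and addresses are constructed, and it assumes the stateful link shares the failover LAN interface, so a single `failover interface ip` line is enough.

```python
import ipaddress

def build_failover_block(unit, if_name, phys_if, active_ip, netmask, standby_ip):
    """Fill in the article's failover template; raise ValueError on bad input.

    Hypothetical helper. Assumes one interface carries both the failover LAN
    link and the stateful link, so a single 'failover interface ip' is enough.
    """
    if unit not in ("primary", "secondary"):
        raise ValueError("unit must be 'primary' or 'secondary'")
    if not if_name or any(c.isspace() for c in if_name):
        raise ValueError("interface name must be a single word")
    # strict=False lets us derive the subnet from a host address plus mask.
    net = ipaddress.ip_network(f"{active_ip}/{netmask}", strict=False)
    active = ipaddress.ip_address(active_ip)
    standby = ipaddress.ip_address(standby_ip)
    if active == standby:
        raise ValueError("active and standby IPs must differ")
    if standby not in net:
        raise ValueError(f"standby IP {standby} is outside {net}")
    if net.prefixlen < 31:
        for ip in (active, standby):
            if ip in (net.network_address, net.broadcast_address):
                raise ValueError(f"{ip} is not a usable host address in {net}")
    # Same order as the command list in the article.
    return "\n".join([
        f"failover lan unit {unit}",
        f"failover lan interface {if_name} {phys_if}",
        f"failover link {if_name} {phys_if}",
        f"failover interface ip {if_name} {active} {net.netmask} standby {standby}",
        f"interface {phys_if}",
        "no shut",
        "exit",
        "failover",
    ])

if __name__ == "__main__":
    # Constructed sample values (documentation address range), not from the article.
    print(build_failover_block("secondary", "FOLINK", "GigabitEthernet0/7",
                               "192.0.2.1", "255.255.255.252", "192.0.2.2"))
```

Use the same interface name, addresses, and mask that the surviving unit already has configured; only the unit role differs on the replacement.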

The Main Event

  1. Log in to the replacement firewall via console.
  2. Paste your prepared commands.
  3. Verify failover status.
  4. Unshut switchports.
  5. Verify connectivity, failover, connections, VPNs, xlate, etc.
  6. Congratulations, you just leveled up! 👾
