Tag: asa

Cisco ASA

Recovering / updating secondary cisco asa into an Active/standby config

I have two cisco asa 5510 with ALMOST matchin configurations,
basically I copied the configuration of one devices to the other device (using tftp://) but then we had a problem where they could not communicate because they both though they were masters.
runing the below on both devices showed the exact same thing

[codebox]show running-config failover[/codebox]

The secondary had failed.

so what I had to do was tell one of the devices that it was the secondary.

[codebox]failover lan unit secondary[/codebox]

The full recipe:

[codebox line_numbers=”true” remove_breaks=”false” lang=”text”]

ciscoasa> enable
Password:<Enter>
ciscoasa# conf t
ciscoasa(config)# interface Ethernet0/1
no shutdown
description LAN Failover Interface
ciscoasa(config)# failover
failover lan unit secondary
failover lan interface failover_link Ethernet0/1
failover interface ip failover_link 172.16.100.1 255.255.255.252 standby 172.16.100.2

Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

ciscoasa(config)#write
ciscoasa(config)#config-register 0x2102
ciscoasa(config)#reload

Proceed with reload? [confirm] <Enter>

[/codebox]

 

Immediately they connected .
Here is how ou duplicate this

[codebox]ciscoasa(config)#write clear
ciscoasa(config)#reload[/codebox]

!confirm and agree
!as the system is booting press ESC to stop the boot process

Use BREAK or ESC to interrupt boot.

make it so enable can be run  without password and then boot

[codebox]ROMMON #1>confreg 0x41
ROMMON #2>boot[/codebox]

The boot process continues and then you can enable it to enter the priviledged mode,  just press enter when the password prompt appears

[codebox]ciscoasa>enable
Password:
ciscoasa#conf t
ciscoasa(config)#[/codebox]

At this poing I am going to configure an interface with an IP Address so I can copy the configuration I need to use over TFTP

[codebox]ciscoasa(config)#interface Ethernet0/0
no shutdown
nameif inside
security-level 100
ip address 192.168.101.1 255.255.254.0 standby 192.168.101.2[/codebox]

Now I can connect to a tftp server I have setup and copy the running-config I need to use

[codebox]ciscoasa(config)# copy tftp://192.168.101.64/running-config-2014-01-22.txt running-config[/codebox]

since I just copied the running configuration from file,  the system just thinks it is the primary

[codebox]ciscoasa(config)#  show failover

Last Failover at: 10:43:23 MST Jan 22 2014
 This host: Primary – Active
   Active time: 208 (sec)
   slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
      Interface inside (192.168.101.1): Normal (Waiting)
      Interface outside (192.168.1.184): Normal (Waiting)
   slot 1: empty
 Other host: Secondary – Failed
   Active time: 0 (sec)
   slot 0: empty
     Interface inside (192.168.101.2): Unknown (Waiting)
     Interface outside (192.168.1.183): Unknown (Waiting)
  slot 1: empty[/codebox]

Notice that the Secondary is failed and when I connect to the other device I get the exact same thing,  basically what has to be done here,  is I need to tell one of them that they are secondary  I tried many different things to make it secondary

[codebox]ciscoasa(config)#  failover reset

ciscoasa(config)# no failover active
WARNING: NO Standby detected in the network, or standby is in FAILED state.
Switching this unit to Standby can bring down the Network without any Active
ciscoasa(config)#
Switching to Standby

Switching to Active[/codebox]

These did not work,  the system just couldn’t communicate with the other device until I just set it to the secondary device

[codebox]ciscoasa(config)#  failover lan unit secondary

                  State check detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

                  Switching to Standby[/codebox]

That was it!  now the devices are synced,  when I turn off device 1 device 2 takes over,  when I turn off device 2,  device 1 takes over. Now the status is

[codebox]ciscoasa(config)# show failover

Last Failover at: 10:55:22 MST Jan 22 2014
  This host: Secondary – Standby Ready
    Active time: 702 (sec)
    slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
      Interface inside (192.168.101.2): Normal
      Interface outside (192.168.1.183): Normal
    slot 1: empty
  Other host: Primary – Active
    Active time: 5717 (sec)
    slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
      Interface inside (192.168.101.1): Normal
      Interface outside (192.168.1.184): Normal
    slot 1: empty

[/codebox]

This exercise helps us to learn and recover failed systems.  however it is not the most efficient way to recover.   I removed the secondary from the failover pair ,  clear the config and reloaded.  Enter No and Ente when asking if you want to save

[codebox]ciscoasa(config)# clear configure failover
ciscoasa(config)# write erase
ciscoasa(config)# reload

System config has been modified. Save? [Y]es/[N]o:N
Proceed with reload? [confirm] <Enter>[/codebox]

This brings up an interface asking if you want to configure the firewall using prompts,  I answer no

[codebox]Ignoring startup configuration as instructed by configuration register.
INFO: Converting to disk0:/
Pre-configure Firewall now through interactive prompts [yes]? no[/codebox]

Now, starting from “scratch” lets  only configure the failover interface and start as the secondar in the quickest method to bring up a ‘fresh’ standby.

[codebox]ciscoasa> enable
Password:<Enter>
ciscoasa# conf t
ciscoasa(config)# interface Ethernet0/1
no shutdown
description LAN Failover Interface
ciscoasa(config)# failover
failover lan unit secondary
failover lan interface failover_link Ethernet0/1
failover interface ip failover_link 172.16.100.1 255.255.255.252 standby 172.16.100.2

Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

ciscoasa(config)#write
ciscoasa(config)#reload

Proceed with reload? [confirm] <Enter>[/codebox]

The key here I have underlined.  This was copied directly from my running configuration on the live device except that the word primary was changed to secondary as you see above

Dont forget to write and reload to test!!