I have the privilege of having Justin Jocewicz as a guest poster on the Network Fun!!! blog today. He brings some very nice experience to us all today, and I want to thank him for posting. Very nice job Justin! ~~Shane Killen
Cisco ASA Firewall Cluster Member Replacement
So one of your firewalls in your highly available cluster died. It happens. It's not your fault. But you have to put Humpty Dumpty back together again. Do it the wrong way, and you can erase your configuration and bring the cluster down!
Prepare for Success
1. Back up the current configuration:
   a. Use the more system:running-config command
   b. Certificates (if required)
2. No network connectivity:
   a. Logically shutdown switchports
3. Matching:
   a. Exact same hardware, software version, and license as the other cluster member
4. Rack & stack new hardware.
5. Connect all cables.
6. Console connectivity.
7. Commands:
   a. failover lan unit <primary|secondary>
      failover lan interface <interface name> <physical interface>
      failover link <interface name> <physical interface>
      failover interface ip <interface name> <IP> <SUBNET> standby <IP>
      interface <physical interface>
       no shut
       exit
      failover
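An added example (not from the original post or from Cisco): a Python script that builds the step 7 command list from the surviving unit's backed-up configuration, giving the replacement the opposite unit role and stopping if a failover interface has no standby address. The backup excerpt, interface names, addresses and the function name build_bootstrap are constructed for illustration; it assumes the backup contains the survivor's own failover lines in the form shown in step 7.

```python
import re

# Constructed excerpt of the surviving unit's backup; names and addresses are sample values.
SURVIVOR_BACKUP = """\
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link STATE GigabitEthernet0/4
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover interface ip STATE 192.0.2.5 255.255.255.252 standby 192.0.2.6
"""

def build_bootstrap(backup):
    """Return the console commands for the replacement unit, in the order of step 7."""
    lines = [ln.strip() for ln in backup.splitlines()]

    def grab(pattern):
        # All lines that match the pattern exactly, as match objects.
        return [m for ln in lines if (m := re.fullmatch(pattern, ln))]

    role = grab(r"failover lan unit (primary|secondary)")
    lan = grab(r"failover lan interface (\S+) (\S+)")
    link = grab(r"failover link (\S+) (\S+)")
    ips = {m.group(1): m.group(0)
           for m in grab(r"failover interface ip (\S+) \S+ \S+ standby \S+")}
    if len(role) != 1 or len(lan) != 1:
        raise ValueError("backup must hold exactly one unit role and one failover LAN interface")

    # The replacement takes the role the surviving unit does NOT hold.
    new_role = "secondary" if role[0].group(1) == "primary" else "primary"
    cmds = [f"failover lan unit {new_role}", lan[0].group(0)]
    cmds += [m.group(0) for m in link]
    ports = []
    for m in lan + link:
        name, port = m.group(1), m.group(2)
        if name not in ips:
            raise ValueError(f"no 'failover interface ip' with a standby address for {name}")
        if ips[name] not in cmds:      # LAN and state link may share one interface
            cmds.append(ips[name])
        if port not in ports:
            ports.append(port)
    for port in ports:
        cmds += [f"interface {port}", "no shut", "exit"]
    return cmds + ["failover"]

if __name__ == "__main__":
    print("\n".join(build_bootstrap(SURVIVOR_BACKUP)))
```

Compare the generated lines with the backup by eye before pasting them at the console.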
The Main Event
1. Log in to the replacement firewall via console.
2. Paste your prepared commands.
3. Verify failover status.
4. Unshut switchports.
5. Verify connectivity, failover, connections, VPNs, xlate.
6. Celebrate flawless replacement with coffee.