Hey r/networking,
This weekend I will be replacing the primary ASA in my H/A pair of 5585Xs. What I mean by primary, is when I originally configured H/A, this unit was marked as the primary unit, and the other was the secondary. Is there anyone here who was done this that can give me a brief rundown of this process? I will post my strategy as of right now below, in a step by step. If I'm doing something wrong, or missing something, please let me know.
1- Receive the new RMA unit. Upgrade the image to match that of the current active unit. Install the same license as the current active unit. Install any flash images, such as Anyconnect, directly on the new RMA unit
2- Configure the same exact set of failover commands that is on the current (failing) primary to the new RMA unit.
3- In the datacenter, ensure that the Secondary unit is Active. Remove the failing unit. Remove all up-link and interface modules, and insert them in the new RMA unit. Also take the SSP hard drive out of the failing on and insert in the new one??
4- Rack the new RMA unit and connect all of the connections. Lastly, connect the failover cable and pray that the 'Secondary-Active' unit take its config and writes it to the newly added "Primary-Standby Ready' unit, and not the opposite, like I've seen happen to people.
How does that look? My two huge follow up questions are below:
1- Is it necessary to, once I remove the failing unit from the H/A cluster, make the current "Secondary-Active' unit the Primary, and then configure the new RMA unit as the secondary? I just want to avoid all possibilities of the new RMA unit with a blank config, overwriting my production firewall when they detect each other.
2- In step 3, is it necessary to also install the SSP of the failing unit in the new RMA unit? From what I've researched, the SSP is mostly used for IPS/IDS services, which we are not running in our datacenter.
Thank for very much in advance for the feedback.
No comments:
Post a Comment