Correct procedure to replace failed secondary ASA unit

Hello
I just received an RMA for a failed ASA 5520 that was acting as the secondary unit in a multicontext configuration. What would be the correct procedure to install it back in production? Do I need to restore the backed-up config of the fallen unit, or is it just enough to enable multimode and connect to the existing (primary) unit? Any good link to documentation that deals with these issues would also be appreciated.
Thanks in advance

Configure the ASA for failover communication and as a secondary unit. This is done from the system context, so yes, you need to switch it into the multiple context routed mode. Power the ASA on and connect only the failover communication interface. This will make sure that it is seen by the primary as failed. Once the failover communication is up, and the configuration synchronisation and connection replication are over, connect the traffic interfaces.
This is pretty much it. Hope it helps.

Similar Messages

  • Correct way to replace config on asa

    Hi all
    If I want to replace the current config on my ASA, what is the best way of doing it?

    You can copy and paste the new configuration in after you have erased the old configuration. I suggest copy pasting approx. 10 lines at a time.  This makes it easier to troubleshoot if you see any errors.
    There are two ways of erasing your config. The first way is to use the command configure factory-default [ip_address [mask]]. This will set the ASA config to the way it was when you first received it, so there will be some configuration left on it such as boot system, DHCP, ASDM, etc.  The IP address is the management IP you will use to connect to the ASA if you are not connecting via a serial cable.
    The other way is to use the command write erase. This deletes all configuration from the ASA.  Here you will need to configure everything from scratch.
    Now to copy your config into the ASA again you could either copy paste your config from notepad, I suggest copying around 10 lines at a time, as this makes it easier to troubleshoot if you see any errors.
    Another way is to copy the running config straight from a TFTP server to the running-config
    copy tftp running-config
    just remember to save the running-config to the startup-config
    Please remember to rate and select a correct answer

  • Surprises on Replacing failed primary unit

    Dear friends,
    I have done failover for firewalls umpteen number of times but yesterday it failed for some reason.
    I had replaced the failed primary unit with a fresh one and I had expected that it will detect the secondary unit as active and try to begin config replication from it, but rather it wiped off the secondary unit's config. I don't think that I faulted in the sequence, but let me share with you what I did:
    1. Put the four or five lines of failover configuration (except the failover command) and did a no shut on the failover interface (management0/0).
    2. Ran the failover command.
    Instead of getting the config from the active unit, it started forcing the configs to the other unit. To restore, I had to reload the active unit to restore its config. After that I reloaded the fresh unit and now the failover happened as expected.
    I think that I should have forced a reload of the new unit before trying to establish failover.
    Has anyone tried this in a fail-proof way during production hours? If yes, can you please share with me the steps?
    I did not ask for downtime because I was confident, but I resulted in bringing down the ASA for 5 minutes because of the unexpected failover action.
    Thanks a lot
    Gautam

    Dear kureli,
    Thanks a lot for the efforts you took. I really appreciate it.
    Here's the exact sequence of steps that happened:
    1.  When primary unit failed, secondary got active and I don't remember if sh fail showed "secondary- not detected" or "secondary - failed"
    2.  I replaced the faulty primary unit with another primary unit and said no shut on the m0/0 failover interface and also put all the failover commands except "failover" command.
    3. I made sure that the new primary unit runs the same code (I checked only the main code version, I did not check the asdm version similarity). The asdm versions were different on both boxes though.
    4. After powering up the box and connecting cables, I said failover. It then prompted me saying that SSL license is not the same on both units and disabling failover.
    5. I applied for an activation key from [email protected] and then got the SSL license from them.
    6. Next day I went back to the customer and installed the license key. After installing the license key, I said failover. It gave me the message "No response from mate"
    7. I then said no failover to disable failover on the new primary unit.
    8. I then went to secondary active unit and said failover as failover was disabled
    9. I then went back to primary unit and said failover
    10. This is where blank config replication started !!
    11. Reloaded secondary unit to undo the blank running config
    12. Went to Primary unit and disconnected the failover cable. Rebooted the primary unit and connected the failover cable.
    13. Secondary came up as active, primary then came up, and this time primary honored the secondary as active and did config replication
    14. All was well then!!
    Not sure still why this happened and it was a bit shameful for me to see this happening after 3.5 years of firewalling experience.
    Anyways, I am willing to learn and improve from now on.
    Probably next time, I would try to make sure that I apply the failover configs, reload, and while reload connect the failover cable.
    I think the learning lesson is that if the unit reloads, the reloaded unit always honors the currently active unit and does not try to override its role.
    This is what worked for me.
    Thanks a lot
    Gautam

  • Primary ASA unit fails due to IPS

    Hello there,
    We have Active/Standby ASA units with SSM-20 IPS modules. Every time the Primary ASA unit gets failed and a switchover is triggered. As a result, Secondary becomes active and Primary becomes standby failed.
    I upgraded IPS firmware to the latest one, I then changed both Primary ASA unit along with IPS module. But the issue still persists.
    I have provided proper earth and power.
    Thanks in advance.

    Hi,
    To start with, can you paste the following from the two ASA's:
    - show failover history
    - show failover
    - show module 1 detail
    - show run failover
    - Syslogs from the instant when failover occurred if available.
    I will review these and let you know if more outputs are needed to figure out the root cause.
    Sourav

  • ASA failover: secondary ASA disabled failover on its own

    Hi all
    I have a failover pair of ASA 5520 (Software Version 8.2(4)4)
    located in two different data centers.
    Because of a network issue the layer 2 connection between both locations has been interrupted for a couple of seconds and the ASAs went into split-brain as one would expect them to do.
    The thing is that after approx. 1 minute the secondary ASA switched off its failover configuration (i.e. "show run" gives "no failover") without anybody telling it to do so. Here is the "show failover history" of the device:
    07:57:34 MESZ Aug 15 2011
    Standby Ready              Just Active                HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Just Active                Active Drain               HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Drain               Active Applying Config     HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Applying Config     Active Config Applied      HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Config Applied      Active                     HELLO not heard from mate
    07:58:03 MESZ Aug 15 2011
    Active                     Cold Standby               Failover state check
    07:58:18 MESZ Aug 15 2011
    Cold Standby               Disabled                   HA state progression failed
    At this point failover was switched off completely and the split-brain remained even after the layer-2-connection has been reestablished.
    This is no good.:( I have searched for "HA state progression failed" without any useful result/explanation.
    Why did the device switch off failover on its own and how can we assure that it won't do this again?
    Best regards,
    Grischa

    Yes, only thing I needed to do was issuing "failover" on the secondary. It detected its active mate and went properly into standby:
    09:16:18 MESZ Aug 15 2011
    Disabled                   Negotiation                Set by the config command
    09:16:19 MESZ Aug 15 2011
    Negotiation                Cold Standby               Detected an Active mate
    09:16:21 MESZ Aug 15 2011
    Cold Standby               Sync Config                Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Sync Config                Sync File System           Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Sync File System           Bulk Sync                  Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Bulk Sync                  Standby Ready              Detected an Active mate
    I guess we will go the TAC way if we encounter this situation a second time. This time we will be warned and know where to look at.
    Is there really no documentation available of the "HA state progression failed" message? What does it mean and how is it triggered usually?
    Regards,
    Grischa
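
Added example (not part of the original thread): a Python check that parses `show failover history` output in the format pasted in the posts above and flags the two events this thread turns on, a unit going Active because it stopped hearing its mate and a unit ending up Disabled without an operator command. Treating the reason "Set by the config command" as the operator-initiated case is an assumption based on the recovery log above; the function and alert names are illustrative.

```python
import re
from datetime import datetime
from typing import NamedTuple

# "show failover history" lines copied from the first post of this thread.
OUTAGE = """\
07:57:34 MESZ Aug 15 2011
Standby Ready              Just Active                HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Just Active                Active Drain               HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Active Drain               Active Applying Config     HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Active Applying Config     Active Config Applied      HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Active Config Applied      Active                     HELLO not heard from mate
07:58:03 MESZ Aug 15 2011
Active                     Cold Standby               Failover state check
07:58:18 MESZ Aug 15 2011
Cold Standby               Disabled                   HA state progression failed
"""

class Transition(NamedTuple):
    when: datetime      # naive local time; the zone abbreviation is dropped
    from_state: str
    to_state: str
    reason: str

# Timestamp line as printed in the posts: "07:57:34 MESZ Aug 15 2011".
TS_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3}\s+\d{1,2}\s+\d{4})$")
# Assumption: this reason marks a change an operator typed in.
OPERATOR_REASON = "Set by the config command"

def parse_history(text):
    """Pair each timestamp line with the state line that follows it."""
    transitions, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            pending = datetime.strptime(f"{m.group(2)} {m.group(1)}",
                                        "%b %d %Y %H:%M:%S")
            continue
        # The three columns are separated by runs of two or more spaces.
        cols = re.split(r"\s{2,}", line, maxsplit=2)
        if pending is not None and len(cols) == 3:
            transitions.append(Transition(pending, *cols))
        pending = None  # header and separator lines never follow a timestamp
    return transitions

def find_alerts(transitions):
    """Return (kind, transition) pairs worth paging an operator for."""
    alerts = []
    for t in transitions:
        if t.to_state == "Disabled" and t.reason != OPERATOR_REASON:
            alerts.append(("failover-self-disabled", t))
        elif t.to_state == "Active" and t.reason == "HELLO not heard from mate":
            alerts.append(("active-without-mate", t))
    return alerts

if __name__ == "__main__":
    for kind, t in find_alerts(parse_history(OUTAGE)):
        print(f"{t.when:%H:%M:%S} {kind}: {t.from_state} -> {t.to_state} ({t.reason})")
```

Run against collected output from both units, a `failover-self-disabled` alert with no later transition out of Disabled means the pair stays split until someone issues `failover` on that unit, as described in the reply above.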

  • HT4044 Part of my iPad(1st gen) screen display does not show,hence I can only see it partially.It was not dropped and neither is it broken. Any help as I was told it cant be fixed and i hv 2 replace with a new unit i.e. pay in full as warranty is over? HE

    Part of my iPad screen display does not show. It was not dropped and neither is the screen broken. I was advised to see the local service provider for a diagnosis.
    I had finally managed to find time to find a local service provider last week (not easy) and was disappointed to be advised of Apple's policy of one for one exchange i.e. they won't repair and said that I would have to replace with a whole unit. As my unit is no longer under warranty, it meant that I had to pay for the full price of a new unit!
    I might as well have paid for the latest new unit but since my unit is only 2 years old at most, it would be a great waste of money.
    How can this be? Does this mean Apple's product is inferior and does not last since warranty is only for one year?
    I sincerely hope there is a favourable solution otherwise my money is flushed down the drain.
    HELP!!!

    I was using my iPad last night, shut the power off and when I turned it on this morning 2/3 of the screen is not working.  It looks like the pandalela picture. What is the answer to fix this; is this a screen issue or an electronics issue?  Has anybody else experienced this?

  • TS3276 Mail Services - Mavericks this is new OS to me.I am having trouble with attachments to my e-mails.  The attachments were not large (single sheet typed).  Getting message file to large.  Never had this before.  Please advise correct procedure to att

    Some of the attachments were only a couple of typed pages.  I saved them as pdf format so receiver could read.  The pdf file would not attach.  Program gave message file too large for attachment to e-mail.  Perhaps I am not doing correct procedure to attaching a file to an e-mail.  I tried typing the document and saving it in pdf format to the desktop.  Opened the e-mail on Safari - typed a quick message and then tried to drop/drag attachment from desktop to e-mail. Up pops the stupid message.  Would someone give me the step by step procedure for adding attachments to an e-mail being sent via Safari.  Also is there a way to send large files as an attachment.  I was able to do this when I was using mountain lion.  Help please.

        I can see that this issue has been quite extensive, and frustrating, and I am so sorry for all that has happened societygirl! I would like to help you work this issue out. Please follow & send me a Direct Message, so I can get your account specifics and help finally bring this to a resolution.
    Thank you,
    MichelleH_VZW
    Follow us on Twitter @VZWSupport

  • What is the correct procedure for upgrading to aperture 3.4

    I am working in South Sudan and am shortly going to be in a place where I can download all the updates. The last time I did an update was around 2 weeks ago.
    I presume that there will be updates for Mountain Lion, iPhoto and Aperture, plus a whole pile of iOS updates. From the support questions I see that there is a number of people having problems.
    I presume that the first thing to do will be to rebuild the library of aperture.
    What is the correct procedure after that?

    If I do an upgrade through AppStore, and find it does not work, do I uninstall first by removing to trash? What do you mean by revert to an earlier version, and which previous version of Aperture should I use.
    Neville,
    So you did buy Aperture from the AppStore?
    Then move the Aperture application to the Trash, but do not empty it, just in case
    Sign into the AppStore and reinstall. In this case you do not need to revert to an earlier version. If the AppStore installer does not find an Aperture in your Applications folder, it will have to make a full install, and no incompatible frameworks should remain, as is the problem with the partial upgrades right now.
    Yes, I have a bootable clone,
    And have you checked, if you really can boot from your clone? Just being very cautious.
    Do you use Facebook? Some posters are having problems, even after reinstalling, if they want to publish to Facebook. Post back, if you encounter that problem.
    Good Luck
    Léonie

  • What is the correct procedure to connect and collect events from IPS through SDEE

    What is the correct procedure to connect and collect events from IPS through SDEE?
    We are a 3rd party application, that needs to collect and analyze the IPS events for a client.
    Currently the approach we are following is
    1) get a SubscriptionId using the URL below
    https://IP_Of_IPS/cgi-bin/sdee-server?action=open&events=evIdsAlert&force=yes
    This gets us a subscriptionId which is used in step 2
    2) Collect events from the url below
    https://IP_Of_IPS/cgi-bin/sdee-server?confirm=yes&action=get&subscriptionId=sub-sample&startTime=1362699903575432000
    a few more notes here are
    - starttime is current time in nanoseconds
    the peculiar problem here is that, even though we specify today's date, SDEE returns us the events from mid Feb (today is March 7)
    we did try a few combinations, but are out of ideas.
    any help or direction would be appreciated

    This is more an application issue than an IPS issue.
    Have you compared your app against other apps [IME]?

  • My iPhone 5 display has broken and I want to know whether there is any procedure to replace the iPhone; it is out of warranty

    The display has broken and I have to replace my iPhone 5. Is there any procedure to do this? If yes, then please help.

    One option is to have it repaired: https://www.apple.com/support/iphone/repair/screen-damage/
    Not sure what you mean by "procedure to replace." How you would buy a new one depends on where you are located, whether you are under contract with a carrier for the old phone, etc. If you mean a procedure to move your data to a new phone, the following may help: Transfer content from an iPhone, iPad, or iPod touch to a new device - Apple Support

  • Correct procedure to update IOS IPS signatures on 2911 router

    What is the correct procedure to update the IOS IPS signatures on an 2911 router?
    I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
    Thank you in advance!

    The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling a lot more other signatures, especially not every single signature as documented.
    The reason why is because the package might include retired/old signatures only for references, and not every single signature is required to protect your environment because you might not have the traffic for some signatures, you might not have some end hosts that are written with specific signatures, therefore, it becomes irrelevant if you enable it.
    Typically here is how customer would enable/disable signatures:
    - Use the default signature that is enabled by Cisco (the default should fit majority of the customers).
    - Monitor it for a couple of months
    - Disable those that you don't need, and enable others if you think you require it for specific.

  • Correct procedure to unplug E90 from USB?

    Are these the correct procedures?
    *** Data Transfer Mode for Win XP
    Using Windows, click on the little green thingy in the systray, click the appropriate device.
    Once Windows says I can unplug the device, I do.
    * Why I think I am doing something wrong
    The E90 complains about possibly interrupting transmissions and I am having non-stop problems with corruption of my microSD - I have used Windows Disk check and surface scan so I don't think there is a problem with my MicroSD card, although it is 4G, not 2G.
    *** PC Suite Mode
    I am not sure how to initiate a correct unplug here.
    *** As an aside.
    The E90 gives an option to ask which connection mechanism to use when plugging in - problem is, it goes ahead and connects with the current setting, regardless of what you say - then changes if you alter the setting - causing unexpected disconnects from the PC perspective.
    I have learned to set my preferred connection type in the settings panel PRIOR to plugging it in.

    If you connect using the PC Suite mode, you can unplug or pull the plug directly out. If you use the data transfer mode, go through the normal process.
    I just pull the USB cable out always in either of the modes and haven't had any problems thus far.
    Wishing u a great time with your device,
    eseriesaddict
    Chennai
    India.

  • The correct procedure to install PeopleTools 8.49

    Dear Friends,
    Hello. I am still not sure the correct procedure to install PeopleTools 8.49. I have done the following:
    Step 1: Install Windows Server 2003
    Step 2: Install MS SQL Server 2005
    Step 3: Install BEA WebLogic 8.1
    Step 4: Download 7 disks of PeopleTools 8.49 from Oracle e-delivery site
    Step 5: Install PeopleTools 8.49 using setup.exe located in Disk 1.
    Step 6: Setup PeopleSoft Database using C:\PeopleTools8.49\setup\PsMpDbInstall\setup.exe
    Step 7: Install Tuxedo using C:\PeopleTools8.49\appserv\pstuxinstall.exe
    Step 8: Install application server using C:\PeopleTools8.49\appserv\psadmin.exe
    Step 9: Install PIA using C:\PeopleTools8.49\setup\PsMpPIAInstall\setup.exe
    From Step 1 to Step 6, my system works correctly. But from Step 7 to Step 9, my system is not working correctly. Is the above procedure correct to install PeopleTools 8.49 in Windows Server 2003 ? Thanks.
    Lucy

    Nicolas,
    Thanks a lot for replying to me. I have 3 questions as follows:
    First, How many PeopleTools can be installed using 7 disks ?
    As I indicated in previous discussed, I have done:
    Step 4: Download 7 disks of PeopleTools 8.49 from Oracle e-delivery site and extract them.
    Step 5: Install PeopleTools 8.49 using setup.exe located in Disk 1.
    Step 6: Setup PeopleSoft Database using C:\PeopleTools8.49\setup\PsMpDbInstall\setup.exe
    In step 5, setup.exe in Disk 1 load all of files in 7 Disks into C:\PeopleTools8.49\ and PsMpDbInstall install PeopleSoft Database successfully. I can log into Application Designer and develop my first application successfully in 2-tier mode.
    Second, As you said in previous discussion, "Tuxedo is apart from PeopleSoft..." , do you mean I don't need to do Step 7: Install Tuxedo using C:\PeopleTools8.49\appserv\pstuxinstall.exe
    Third, I don't understand how to install the rest of PeopleTools using the files in 7 Disks. Are they application Server and PIA ? Thus, we do:
    Step 8: Install application server using C:\PeopleTools8.49\appserv\psadmin.exe
    Step 9: Install PIA using C:\PeopleTools8.49\setup\PsMpPIAInstall\setup.exe
    Lucy

  • Update my app. What is the correct procedure for updating an app/folio?

    I designed a folio in InDesign CS6 and created an app of the folio in Adobe DPS and successfully uploaded it to the app store. Now I want to update my app. What is the correct procedure for updating an app/folio?

    No, just update your content and recreate the Single Edition App. Your certificate should still be valid so there is no need to recreate these.
    ... your App ID absolutely needs to be the exact same one you used for the first version if you want to make sure this is an update.

  • Can I replace the G5 CP units in my pre intel power mac? I get the 3 flash light and am heating them with a hair dryer. It works but needs fixing and I can't afford a new mac

    Can I replace the G5 CP units in my pre intel power mac? I get the 3 flash light and am heating them with a hair dryer. It works but needs fixing and I can't afford a new mac

    OK, it looks like all but the first G5 1.6 Ghz, & the last 3 G5 Dual Cores will take PC3200 RAM...
    Power Macintosh G5 1.8 (PCI-X) PowerMac7,2   1
    Power Macintosh G5 2.0 DP (PCI-X) PowerMac7,2   1
    Power Macintosh G5 1.8 DP (PCI-X) PowerMac7,2   1
    Power Macintosh G5 1.8 DP (PCI) PowerMac7,3   1
    Power Macintosh G5 2.0 DP (PCI-X 2) PowerMac7,3   1
    Power Macintosh G5 2.5 DP (PCI-X) PowerMac7,3   1
    Power Macintosh G5 1.8 (PCI) PowerMac9,1   1
    Power Macintosh G5 2.0 DP (PCI) PowerMac7,3   1
    Power Macintosh G5 2.3 DP (PCI-X) PowerMac7,3   1
    Power Macintosh G5 2.7 DP (PCI-X) PowerMac7,3
