Migrate from ASA 5525-x to 5555-x Failover

jroy777
Level 1

Hello, we are migrating from 5525-x to 5555-x appliances. We have two of each, and the currently deployed 5525-x pair is in Active/Standby. The Secondary is Active at the moment. I have set up the 5555-x pair in the lab and Active/Standby is working. I now want to deploy the NEW 5555-x Primary as the Active unit and fail over from the existing 5525-x Secondary. Code versions are 9.14(4) (5525) and 9.14(23) (5555) respectively.

1) Do the code versions need to match exactly, or can I get by with this slight upgrade?

2) Failover is using MACs, and of course they are different on all devices. Can I set up the failover commands using the new Primary's MACs (see "Transition" below), fail over, and expect it to come up?

Existing 5525-x Secondary and Primary (currently Secondary is active)

failover mac address GigabitEthernet0/0 006b.f1f9.e850 d48c.b5c2.6150
failover mac address GigabitEthernet0/1 006b.f1f9.e84c d48c.b5c2.6156
failover mac address GigabitEthernet0/6 006b.f1f9.e853 d48c.b5c2.6157

Transition MACs (Secondary/Active 5525-x -> Primary/Active 5555-x)

failover mac address GigabitEthernet0/0 006b.f1f9.e850 f4cf.e24c.b682
failover mac address GigabitEthernet0/1 006b.f1f9.e84c f4cf.e24c.b67e
failover mac address GigabitEthernet0/6 006b.f1f9.e853 f4cf.e24c.b685

NEW 5555-x Primary and Secondary MACs when all installed

failover mac address GigabitEthernet0/0 e865.49d6.bf39 f4cf.e24c.b682
failover mac address GigabitEthernet0/1 e865.49d6.bf35 f4cf.e24c.b67e
failover mac address GigabitEthernet0/6 e865.49d6.bf3c f4cf.e24c.b685

8 Replies

The two units in a Failover configuration must:

  • Be the same model.

  • Have the same number and types of interfaces.

so a 5525 and a 5555 cannot be configured as an HA pair.

Marvin Rhoads
Hall of Fame

What @MHM Cisco World said about models matching is key. That is mandatory for any HA pair.

Also, why manually specify MAC addresses? I have worked on hundreds (might be a thousand by now) over the years and never once have seen anybody use the "failover mac address" command.

I remember we discussed this point before; I mentioned that Cisco recommends setting the virtual MAC, so I did a second search and found this slide from Cisco Live that explains why we need to set the virtual MAC.
Take a look.
Thanks,
MHM

[attachment: Screenshot (792).png]

Yes - I have seen that recommendation before. I'm just saying that none of the hundreds of customers I've worked with have ever used it.

I inherited this setup at a new employer that does SaaS and must be up 24/7. Can I just remove them and it would still function?

So based on this, this should work? And of course I would copy it to all ASAs.

failover mac address GigabitEthernet0/0 aaaa.aaaa.aaaa aaaa.aaaa.aaab
failover mac address GigabitEthernet0/1 aaaa.aaaa.aaac aaaa.aaaa.aaad
failover mac address GigabitEthernet0/6 aaaa.aaaa.aaae aaaa.aaaa.aaaf
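The three stages of `failover mac address` configuration above, and the plan to paste one identical block onto every unit, are the kind of thing worth checking mechanically before a maintenance window. The following is an added example, not code from this thread or from Cisco: a small parser for `failover mac address <interface> <active_mac> <standby_mac>` lines that flags duplicate or multicast virtual MACs, confirms that the MAC the active unit presents on each interface stays the same across a transition (so the upstream switches do not have to relearn it), and compares the parsed blocks of two units. The sample configs are the ones posted in this thread; the multicast example at the bottom is constructed.

```python
import re
from typing import Dict, List, Tuple

# Cisco dotted MAC notation: xxxx.xxxx.xxxx
_MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
# failover mac address <phy_if> <active_mac> <standby_mac>
_LINE_RE = re.compile(rf"^\s*failover mac address\s+(\S+)\s+({_MAC})\s+({_MAC})\s*$")

# Configuration blocks as posted in the thread (existing 5525-x pair,
# the proposed transition step, and the final 5555-x pair).
EXISTING_5525 = """
failover mac address GigabitEthernet0/0 006b.f1f9.e850 d48c.b5c2.6150
failover mac address GigabitEthernet0/1 006b.f1f9.e84c d48c.b5c2.6156
failover mac address GigabitEthernet0/6 006b.f1f9.e853 d48c.b5c2.6157
"""
TRANSITION = """
failover mac address GigabitEthernet0/0 006b.f1f9.e850 f4cf.e24c.b682
failover mac address GigabitEthernet0/1 006b.f1f9.e84c f4cf.e24c.b67e
failover mac address GigabitEthernet0/6 006b.f1f9.e853 f4cf.e24c.b685
"""
NEW_5555 = """
failover mac address GigabitEthernet0/0 e865.49d6.bf39 f4cf.e24c.b682
failover mac address GigabitEthernet0/1 e865.49d6.bf35 f4cf.e24c.b67e
failover mac address GigabitEthernet0/6 e865.49d6.bf3c f4cf.e24c.b685
"""

MacTable = Dict[str, Tuple[str, str]]  # interface -> (active_mac, standby_mac)


def parse_failover_macs(config: str) -> MacTable:
    """Extract failover mac address lines; other config lines are ignored."""
    table: MacTable = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            if line.startswith("failover mac address"):
                raise ValueError(f"malformed failover mac address line: {line}")
            continue
        intf, active, standby = m.groups()
        if intf in table:
            raise ValueError(f"{intf} has more than one failover mac address line")
        table[intf] = (active.lower(), standby.lower())
    return table


def _is_group_address(mac: str) -> bool:
    """True if the IEEE group (multicast) bit of the first octet is set."""
    return bool(int(mac[:2], 16) & 0x01)


def check_failover_macs(table: MacTable) -> List[str]:
    """Return findings for one unit's block; an empty list means it is clean."""
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for intf, (active, standby) in table.items():
        if active == standby:
            findings.append(f"{intf}: active and standby MAC are identical")
        for role, mac in (("active", active), ("standby", standby)):
            if _is_group_address(mac):
                findings.append(f"{intf}: {role} MAC {mac} has the multicast bit set")
            if mac in seen:
                findings.append(f"{intf}: {role} MAC {mac} already used by {seen[mac]}")
            else:
                seen[mac] = f"{intf} {role}"
    return findings


def check_transition(before: MacTable, after: MacTable) -> List[str]:
    """Flag interfaces whose active-side MAC would change between two blocks."""
    findings: List[str] = []
    for intf, (active_before, _) in before.items():
        if intf not in after:
            findings.append(f"{intf}: not present in the new block")
        elif after[intf][0] != active_before:
            findings.append(f"{intf}: active MAC changes {active_before} -> {after[intf][0]}")
    return findings


def units_match(unit_a: MacTable, unit_b: MacTable) -> List[str]:
    """Interfaces where two units' blocks differ (they should be identical)."""
    return sorted(i for i in set(unit_a) | set(unit_b) if unit_a.get(i) != unit_b.get(i))


if __name__ == "__main__":
    existing = parse_failover_macs(EXISTING_5525)
    print("existing block:", check_failover_macs(existing) or "clean")
    print("existing -> transition:", check_transition(existing, parse_failover_macs(TRANSITION)) or "active MACs unchanged")
    print("existing -> new pair:", check_transition(existing, parse_failover_macs(NEW_5555)))
    # Constructed bad line: same MAC on both sides and the multicast bit set.
    print(check_failover_macs(parse_failover_macs(
        "failover mac address GigabitEthernet0/0 0100.5e00.0001 0100.5e00.0001")))
```

Run against the blocks above, the existing configuration is clean, the transition step keeps every active MAC unchanged, and the final 5555-x block changes all three active MACs, which is exactly the point at which the switches must relearn them. Whether a cutover between models is possible at all is a separate matter, answered earlier in the thread.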

jroy777
Level 1

What would be the best method for moving off an existing HA pair (5525-x) to a new HA pair (5555-x), since I don't have the option to fail over to the higher-powered model? We bought these because we are moving to AWS over the next year, just to tide the company over until AWS is all set up and tested.

I assume there is no way to do this without an outage and a maintenance window now. I was able to back up the config from the 5525 and restore it to the 5555, and it seems to have worked successfully. Failover worked after the backup/restore process on the new pair, and I compared all the configs, 5525Pri->5555Pri, 5525Sec->5555Sec, and they match. Any gotchas I should expect?

Same as @Marvin Rhoads, I've never had to configure the failover MAC addresses manually for any customer, including financial companies. I would say there is no right or wrong on this one; it would be part of the risk assessment. If the business wants to try to minimize the downtime in one of the scenarios shown on the slide above, then probably using the virtual MACs would be the better option. However, the only scenario I could see here is if you need to RMA the active device: in that case, when you replace it with new hardware and the MAC needs to be learned by the switch, we are talking about a downtime window of seconds, so again, IMO it depends on the risk assessment discussion with the business.
