ASA reload and reconfigure

icecream-guy · December 01, 2017, 10:34:13 AM

it was useful in the routing and switching arena to "reload in 10" make a configuration change, not save, if one gets bogged out the device reloads in 10 minutes hopefully putting every back in order.

I was configuring AAA on a HA ASA pair yesterday. I was wondering if the same rule applies.

On my primary ASA, I did reload in 10, didn't save, applied my AAA config, thinking that if I locked myself out, reload in 10 would save me, but later thinking that since this is HA, it wouldn't work. no sure how the config sync works,

in theory, if my primary active firewall has an unsaved config, the secondary standby may have the same config from sync,
But if I lock myself out and the timer expires, the primary reloads, secondary standby becomes active. (still thinking I would be locked out at this point). When the primary reloads, it should negotiate and become primary active again, (without the aaa config) restoring my access.

problem is I don't know if during the primary/seondary negotiation, that the AAA config that is on the secondary active, gets propagated back to the primary device, when it becomes active, keeping me locked out.

deanwebb · December 01, 2017, 11:04:20 AM

AAA will not copy to the standby automatically. In some cases, not even the write mem or copy run start will do it: you'd have to write standby to get the secondary unit to update its config.

At least it was that way in 8.4... https://supportforums.cisco.com/t5/firewalling/asa-8-4-failover-not-replicating-configs/td-p/1669267

You could check the running-config on the secondary unit to see if the changes you made on the primary were sent over to it. If yes, then you need to cycle both firewalls at the same time to clear a change. Shut down the secondary, then reboot the primary, then bring back up the secondary. If no, then rebooting the primary will have the secondary come up with the old config and then you can force a failover back to the primary when it comes back up.

SimonV · December 01, 2017, 11:06:51 AM

I think the configuration will remain active, even if the primary is back online. Not 100% sure though.

Maybe you can enter the reload in command on the secondary unit as well? This lets you enter commands directly on the backup firewall:

failover exec standby <command>

icecream-guy · December 04, 2017, 10:14:43 AM

labbed this today,

loaded
'aaa authentication serial console LOCAL' on the primary active firewall.
the aaa config change was synched to the secondary standby
reloaded the primary active firewall without saving config
config not saved on the secondary firewall
the primary came up as primary standby
the aaa configuration was synched back to the primary standby
I was able to get into the firewall config mode without logging into the firewall before the config synch
when I logged out, I was required to login in again.

test 2.
'aaa authentication serial console LOCAL' on the primary active firewall.
the aaa config change was synched to the secondary standby
configs remain unsaved
'reload in 2' on the secondary standby
'reload in 1' on the primary active.
(this will cause an outage)
the aaa config change was gone as expected.

so there you go, if you can afford an outage, you'll need to reload both firewalls when making risky changes in an HA environment.

wintermute000 · December 05, 2017, 04:17:23 AM

doesn't ASA have a rollback 0 or commit confirm? <ducks>

friends don't let friends use ASAs in 2017

sorry for the tangent, I got triggered!

deanwebb · December 05, 2017, 08:27:19 AM

Quote from: wintermute000 on December 05, 2017, 04:17:23 AM
doesn't ASA have a rollback 0 or commit confirm? <ducks>

friends don't let friends use ASAs in 2017

sorry for the tangent, I got triggered!

I think you have to do a "write standby" to force the change to the secondary.

icecream-guy · December 05, 2017, 08:43:01 AM

Quote from: deanwebb on December 05, 2017, 08:27:19 AM
Quote from: wintermute000 on December 05, 2017, 04:17:23 AM
doesn't ASA have a rollback 0 or commit confirm? <ducks>

friends don't let friends use ASAs in 2017

sorry for the tangent, I got triggered!

I think you have to do a "write standby" to force the change to the secondary.

no the configs will synch to the secondary the minute the command is entered into the primary. just not saved.
oh, I see what you mean, yes write standby will save the configuration on the standby firewall.
beware though the write standby is wrought with bugs.

deanwebb · December 05, 2017, 09:21:04 AM

Which gets us back to wintermute's comment... friends don't let friends use ASA in 2017.

icecream-guy · December 05, 2017, 10:41:25 AM

That's pretty much what I do.

deanwebb · December 05, 2017, 06:32:56 PM

These are the ones with FirePower, right?

icecream-guy · December 06, 2017, 06:18:19 AM

Quote from: deanwebb on December 05, 2017, 06:32:56 PM
These are the ones with FirePower, right?

no, just simple ASA's, Firepower running on the 4100 series.