Cisco ASA Standby device “copy TFTP” syntax

That’s a mouthful. I’ve been having a hard time figuring out how to successfully transfer images to the Standby ASA’s flash from the Active’s CLI. Finally figured it out. Here’s the syntax:

failover exec standby copy /noconfirm tftp://{ip address}/{file name} disk0:/{file name}

Without the /noconfirm it’ll fail. You also need a standby ip address on the interface facing the tftp server and I haven’t confirmed this but I think it might also need to be on the same subnet. I’m still having some trouble with a situation where the standby ASA would have to reach another subnet.

5 comments

  1. hi,

    we use the management interface to for a link between active/standby asa. it uses a separate network. the tftp is on another subnet. i can’t even ping the tftp server. i can only ping the active interface from the standby ? did you find a solution?

  2. Hi Guys –

    Using that syntax above you should be able to hit a TFTP/FTP server on a different subnet if your firewalls use static routes as opposed to a dynamic routing protocol like OSPF. (dynamic routing protocol info is not synched to the standby unit until code v8.4)

    And if you’re using multi-context mode, then you’ll run the commands from the ‘system’, but the ASA will actually use whichever context you’ve designated as ‘admin’ to establish the connection.

    cheers
    mark

  3. Hi,

    Nice post. Just curious if you have had any luck in the situation where your standby unit is directly connected to the active unit via the mnmt port.

    The issue being that while the standby unit is not active – it has no IP addresses on any interfaces and is not reachable except via the active unit.

    Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *