https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130048#M1072594 <P>Hey Shawn,</P><P>&nbsp;</P><P>It still not clear to me, in case of the primary having a network failure for instance I understand it moves to fail state, and the secondary node moves from passive to active. But is the config changed and the secondary node becomes primary?</P> Tue, 04 Aug 2020 11:43:25 GMT ThomasCaapiCci 2020-08-04T11:43:25Z https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130014#M1072587 <P>Hi</P><P>&nbsp;</P><P>I have 2 questions:</P><P>&nbsp;</P><P>We have 2 ASA 5525 that are setup for failover.</P><P>&nbsp;</P><P>Site A ASA was always the primary</P><P>Site B ASA was always the secondary</P><P>&nbsp;</P><P>Today I logged to Site A ASA and noticed the config had changed to secondary.</P><P>My first question is: can this happen automatically or do you need to change the config manually for it to happen? In case ASA in Site A would fail, would Site B failover and become primary or would it remain secondary but active?</P><P>&nbsp;</P><P>Site A ASA config is as follows:</P><P>&nbsp;</P><P>failover<BR />failover lan unit secondary<BR />failover lan interface FAILOVER GigabitEthernet0/7<BR />failover key *****<BR />failover link FAILOVER GigabitEthernet0/7<BR />failover interface ip FAILOVER 192.168.255.1 255.255.255.252 standby 192.168.255.2</P><P>&nbsp;</P><P>Site B ASA config:</P><P>&nbsp;</P><P>failover<BR />failover lan unit primary<BR />failover lan interface FAILOVER GigabitEthernet0/7<BR />failover key *****<BR />failover link FAILOVER GigabitEthernet0/7<BR />failover interface ip FAILOVER 192.168.255.1 255.255.255.252 standby 192.168.255.2</P><P>&nbsp;</P><P>My second question is: I want Site A asa to be primary again, how can I do that from the ASDM?</P> Tue, 04 Aug 2020 10:31:42 GMT https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130014#M1072587 ThomasCaapiCci 2020-08-04T10:31:42Z https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130039#M1072590 <P>1) The failover can occur due to various reasons including but not limited to firewall reboot, interface fail, etc. If any of these reasons occur, then failover automatically occurs.</P><P>You can check sh failover history for the reason of failover</P><P>&nbsp;</P><P>Yes, it will be secondary active and primary - failed / standby etc</P><P>&nbsp;</P><P>2) If you want whatever site to be active, there are two ways</P><P>&nbsp;</P><P>i) on Active firewall, execute 'no failover active' command</P><P>ii) on Standby firewall, execute 'failover active', they both achieve the same purpose.</P><P>&nbsp;</P><P>PS: You can include failover replication http and&nbsp;failover link failover commands in your failvoer configurutation.</P> Tue, 04 Aug 2020 11:30:45 GMT https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130039#M1072590 Brad_Shawh 2020-08-04T11:30:45Z https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130048#M1072594 <P>Hey Shawn,</P><P>&nbsp;</P><P>It still not clear to me, in case of the primary having a network failure for instance I understand it moves to fail state, and the secondary node moves from passive to active. But is the config changed and the secondary node becomes primary?</P> Tue, 04 Aug 2020 11:43:25 GMT https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130048#M1072594 ThomasCaapiCci 2020-08-04T11:43:25Z https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130052#M1072595 <P>The 'Primary' and "Secondary' states will never change, they are hard coded with configuration 'failover lan unit primary' 'failover lan unit seconeary'</P><P>&nbsp;</P><P>Only the 'Active' or 'Standby' states change with change in network.</P> Tue, 04 Aug 2020 11:52:08 GMT https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130052#M1072595 Brad_Shawh 2020-08-04T11:52:08Z https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130056#M1072596 <P>Ah...well then that means someone changed the config, I cant find any other explanation</P><P>&nbsp;</P><P>I still want to move the primary to the original ASA, on the ASDM this is the only place I can find that manages primary/secondary settings:&nbsp;<IMG src="https://i.imgur.com/k2NZLS9.png" border="0" /></P><P>&nbsp;</P><P>Should I move the Preferred role to Primary on ASA A so it is set as before and that will take care of it? Should I also set ASA B as preferred secondary? Will the change take care of changing the config?</P> Tue, 04 Aug 2020 12:01:01 GMT https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130056#M1072596 ThomasCaapiCci 2020-08-04T12:01:01Z https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130079#M1072599 <P>I have not done this myself, but if you have console access to secondary, it's safer.</P><P>&nbsp;</P><P>Moving role on Primary for Site A is fine, you should do it if that is how you want it. It will take care on the primary firewall.</P><P>&nbsp;</P><P>Once you change Site A to primary and see no issues, from CLI on site A, you can execute the following command to change site B to secondary</P><P>&nbsp;</P><P>failover exec mate&nbsp;failover lan unit secondary</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 04 Aug 2020 12:40:00 GMT https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130079#M1072599 Brad_Shawh 2020-08-04T12:40:00Z https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130100#M1072602 <P>cheers for that</P><P>&nbsp;</P><P>So on ASA A I issue:&nbsp;<SPAN>failover lan unit primary</SPAN></P><P>&nbsp;</P><P>Wait a bit (at that point there are 2 primary?)</P><P>&nbsp;</P><P>After a while on ASA B</P><P><SPAN>failover exec mate&nbsp;failover lan unit secondary</SPAN></P> Tue, 04 Aug 2020 12:59:51 GMT https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130100#M1072602 ThomasCaapiCci 2020-08-04T12:59:51Z https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130148#M1072609 <P>Before you do any of this you should break the failover.&nbsp; By issuing the failover lan unit primary on site A you will now have two primary ASAs in the HA setup.&nbsp; When doing this it is best that you have quick access to the console port of both ASAs in case you lose connectivity to the ASAs.</P> <P>Here is what I would recommend you do.</P> <P>1. make sure Site A is the Active ASA</P> <P>2. Remove site B ASA from the network</P> <P>3. Change configuration on Site A ASA to be primary</P> <P>4. Change configuration on Site B ASA to be secondary</P> <P>5. Add Site B ASA back into the network</P> <P>6. Force a configuration replication from primary/active to secondary/standby (write standby)</P> Tue, 04 Aug 2020 14:05:02 GMT https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130148#M1072609 Marius Gunnerud 2020-08-04T14:05:02Z https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130228#M1072615 <P>Please follow what Marius said, you need to break the failover, take console of secondary and then make the changes.</P> Tue, 04 Aug 2020 15:48:18 GMT https://community.cisco.com/t5/network-security/asa-failover-config/m-p/4130228#M1072615 Brad_Shawh 2020-08-04T15:48:18Z