topic Re: Add ASA 'failover key' command in Network Security

Add ASA 'failover key' command

johnlloyd_13 — Mon, 24 Jan 2022 13:07:05 GMT

hi,

i got a pair of ASA FW currently in production that doesn't have the 'failover key' configured.

i would need to add the said command but quite hesitant that it might "break" the FW pair.

is it "safe" to add this command in the primary/active FW and will this auto sync to the standby after a 'write mem'?

or do i totally remove failover config on both and re-add failover commands?

Re: Add ASA 'failover key' command

balaji.bandi — Mon, 24 Jan 2022 13:28:30 GMT

Personally i will do this in maintenace window, since this required to configure both the side.

if you using ASA 9.X or later, suggested ipsec (rather Plan replication)

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/ha-failover.html

Suggestions : always take the configuration backup out of the box.

Re: Add ASA 'failover key' command

Sheraz.Salim — Mon, 24 Jan 2022 14:39:50 GMT

First get the maintenace windows for this work.

apply this change on the Primary Active firewall and issue the write standby.

Solved: ASA failover key - Cisco Community above is a similar thread asking what you asked.

The following example configures the failover parameters for the primary unit:

failover lan unit primary
failover lan interface folink gigabitethernet0/3

failover interface ip folink x.x.x.x.x standby x.x.x.x.x
interface gigabitethernet 0/3
  no shutdown
failover link folink gigabitethernet0/3
failover key xxxxx
failover

The only configuration required on the secondary unit is for the failover link. The secondary unit requires these commands to communicate initially with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary.

FYI- I have tested this ASA model 5525-X with code 9.12(2) and it worked.

with below config

failover lan unit primary
failover lan interface folink gigabitethernet0/3

failover interface ip folink 172.27.48.0 255.255.255.254 standby 172.27.48.1
interface gigabitethernet 0/3
  no shutdown
failover link folink gigabitethernet0/3
failover key xxxxx
failover
!
write standby

show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync

show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync
show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync
show failover | i host
This host: Primary - Active
Other host: Secondary - Standby Ready

Re: Add ASA 'failover key' command

johnlloyd_13 — Tue, 25 Jan 2022 01:01:46 GMT

hi,

thanks for the info! it's just the 'failover key' that is missing and not the whole failover config.

surely will do this in a maintenance window.

i also rarely use 'write standby' and had a bad experience with it, i.e. secondary FW got corrupted/sync errors in a production.

Re: Add ASA 'failover key' command

Calton69 — Tue, 25 Jan 2022 05:23:55 GMT

@Sheraz.Salim wrote:
First get the maintenace windows for this work.

apply this change on the Primary Active firewall and issue the write standby.

Solved: ASA failover key - Cisco Community above is a similar thread asking what you asked.

The following example configures the failover parameters for the primary unit:
failover lan unit primary
failover lan interface folink gigabitethernet0/3

failover interface ip folink x.x.x.x.x standby x.x.x.x.x
interface gigabitethernet 0/3
  no shutdown
failover link folink gigabitethernet0/3
failover key xxxxx
failover
The only configuration required on the secondary unit is for the failover link. The secondary unit requires these commands to communicate initially with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or epayitonline

FYI- I have tested this ASA model 5525-X with code 9.12(2) and it worked.

with below config
!
failover lan unit primary
failover lan interface folink gigabitethernet0/3

failover interface ip folink 172.27.48.0 255.255.255.254 standby 172.27.48.1
interface gigabitethernet 0/3
  no shutdown
failover link folink gigabitethernet0/3
failover key xxxxx
failover
!
write standby
show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync

show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync
show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync
show failover | i host
This host: Primary - Active
Other host: Secondary - Standby Ready

Thank you for the Help buddy, You solved my Query. Appreciate it.

Re: Add ASA 'failover key' command

Sheraz.Salim — Tue, 25 Jan 2022 06:54:49 GMT

sorry I forget to mentioned in my test failover configuration was already configured I only added the failover key.

I have used write standby many time in production never had issue with this command. This command write standby force the configuration from primary active firewall to standby.

as long your failover vlan/switching is solid you should be fine.

Re: Add ASA 'failover key' command

Sheraz.Salim — Tue, 25 Jan 2022 06:55:21 GMT

You are welcome @Calton69