topic Re: Change ASA Active-Standby Primary and Secondary role in Network Security

Change ASA Active-Standby Primary and Secondary role

johnlloyd_13 — Tue, 08 Nov 2022 13:52:25 GMT

hi,

i got a pair of ASA FW in active-standby setup each in a different building.

we're closing one of the building/rack and plan is to bring the primary-active FW to the next building where secondary-standby FW is installed.

is there a "safe" way of changing the primary-active FW to secondary and secondary-standby FW to primary and make it active?

do i disable failover in each ASA FW using a no failover command and change role with failover lan unit <primary/secondary> command? or do i just straight away change the role?

or is there an order to follow, i.e. force a failover primary-active > secondary-standby, disable failover, change secondary ASA to primary and lastly change primary ASA to secondary?

failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover key *****
failover replication http
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2

Re: Change ASA Active-Standby Primary and Secondary role

balaji.bandi — Tue, 08 Nov 2022 13:57:23 GMT

Sure if the Active standby configured as per the best practice :

"no failover active" on Primary ASA - that will bring secondary unit will now be the primary/active unit.

Once you bring back Primary in to the respected place, if you like you can failover.

no need to change the roles.

Re: Change ASA Active-Standby Primary and Secondary role

Rob Ingram — Tue, 08 Nov 2022 14:10:24 GMT

@johnlloyd_13 so you are physically moving the hardware of the "primary/active" ASA to another building?

If so you could unplug the primary ASA, failover would automatically occur to the secondary ASA. At which point change the configuration to primary (of the new active/primary ASA). Move the ASA hardware, before you re-plug into the network, set it as secondary. Once connected they should reconnect as a failover pair.

Re: Change ASA Active-Standby Primary and Secondary role

Marius Gunnerud — Tue, 08 Nov 2022 14:59:19 GMT

Changing the roles is not necessary and I would not recommend it as it would mean breaking and rebuilding the HA setup. Safest is to manually issue the command "failover active" on the standby device or "no failover active" on the primary and then remove the Primary-Standby device from the network and move it to the it's new location and plug it back into the network.

A failover back to the Primary-Standby would need to be done manually if you want it to be the active firewall as the current active will not give up the active role automatically.

Re: Change ASA Active-Standby Primary and Secondary role

johnlloyd_13 — Wed, 09 Nov 2022 02:04:06 GMT

hi rob,

yes, i'm going to physical move the primary-active ASA FW to the next building where the secondary-standby ASA FW is installed.

i want to force changing of role by making the secondary-standby ASA FW as the primary-active while the former primary-active is power off and waiting to be installed/cabled.

can you confirm if my thought process is correct:

force a failover primary-active > secondary-standby, disable failover, change secondary ASA to primary and lastly change primary ASA to secondary?

or is there a step i missed or anything to add?

Re: Change ASA Active-Standby Primary and Secondary role

Rob Ingram — Wed, 09 Nov 2022 08:09:51 GMT

@johnlloyd_13 yes, just ensure you've made the configuration changes to the old primary before physically reconnecting and attempt to establish communication with the new primary/active. And obviously ensure you've L2 connectivity.

Re: Change ASA Active-Standby Primary and Secondary role

Marius Gunnerud — Wed, 09 Nov 2022 09:35:30 GMT

Be careful when changing the failover configuration on the Secondary device. I would recommend the following steps for the move and do the configuration change in a service window:

Take a complete backup of the ASA configuration
Failover from Primary to Secondary (so that secondary is the active ASA)
Remove Primary (standby) device from the network
Move the Primary (standby) device to new location (do not connect to the network yet)
Clear the configuration on Primary (standby) and configure failover and set device to be Secondary
Change the Secondary (active) failover configuration to be Primary (I recommend doing this via console access)
Connect the new Secondary (standby) device to the network as well as failover and state link to the new Primary (active) device
Verify that configuration is synchronised to the new Secondary (standby device)
Perform a failover so that the new Secondary device becomes active and verify that traffic flows successfully through it without issues (Test failover)
Failover back to the Primary device
Be sure that configuration is saved

Re: Change ASA Active-Standby Primary and Secondary role

johnlloyd_13 — Wed, 09 Nov 2022 10:07:44 GMT

hi marius,

i'm going to do this remotely before we disconnect the initial primary-active and relocate to the next DC.

can't i just straight away reverse the ASA role secondary > primary and vice versa without clear config and disconnect the former primary-active ASA?

or maybe issue a "no failover" so the two ASA won't talk to each other while changing their roles?

Re: Change ASA Active-Standby Primary and Secondary role

Marius Gunnerud — Wed, 09 Nov 2022 10:37:39 GMT

The problem with the no failover command on a secondary device is that all configuration will be removed from the device.

I am uncertain of changing the role from Secondary to Primary and how this will affect the configuration as I have not tested this. This is why I have suggested the steps in my previous post.

If you will be remote and someone else will be physically moving the devices I would recommend that they have a PC ready and a console cable / mini USB cable so that you can connect to the devices if you should lose connectivity to them.