topic Re: make secondary ASA the new Primary and active asa in Network Security

make secondary ASA the new Primary and active asa

ellbom101 — Tue, 12 Mar 2019 04:23:53 GMT

We have two cisco asa 5510's in a failover setup.

I'd like to take the secondary/failover and make it the primary/active and do this for good..not just for testing. And of course make the other the new secondary/failover.

What would be the best way of doing this? What config do I need to change?

To sum it up, Id like to swap the units from primary to secondary and vice versa.

Just issue the command "no

Marius Gunnerud — Sun, 29 Jun 2014 10:18:22 GMT

Just issue the command "no failover active" on the primary ASA. The secondary unit will now be the primary/active unit and will remain that way until another failover situation occurs.

Please remember to select a correct answer and rate helpful posts

hi,marius is correct.you

johnlloyd_13 — Mon, 30 Jun 2014 08:48:59 GMT

hi,

marius is correct.

you could alternatively do this via ASDM.

click on Make Standby button.

see screenshot attached.

Re: hi,marius is correct.you

Saurabh_Srivastava — Thu, 14 Sep 2017 14:21:17 GMT

Primary will be always primary and secondary will be always secondary.., only you can change the Active and standby mode. after putting "failover active" on standby unit, it will become Secondary/Active and other will be primary/Standby.

Regards,

Saurabh

Re: make secondary ASA the new Primary and active asa

Marvin Rhoads — Thu, 14 Sep 2017 15:14:22 GMT

Is you want to change the role and not just the state, you will need to make the failover unit Secondary-Active as others have described. Then take the Primary-Standby offline. Modify the Secondary-Active configuration to designate it as Primary and the (offline) Primary unit to make it Secondary. Then bring the former Primary (newly designated Secondary) back online.

The bigger question is why go the the trouble? The designation is purely cosmetic in 99% of the use cases.

Re: make secondary ASA the new Primary and active asa

plongba278 — Fri, 23 Feb 2018 06:59:40 GMT

Can you elaborate all the steps that you have describe?

Re: make secondary ASA the new Primary and active asa

Marvin Rhoads — Fri, 23 Feb 2018 08:54:22 GMT

I suggest you start a new thread and describe what you're trying to accomplish.

Re: make secondary ASA the new Primary and active asa

dsanchez81 — Mon, 02 Jul 2018 14:08:34 GMT

Sorry, old post, but just wanted to thank Marvin and post another follow-up question to his response.

I believe you're correct, and that Marius was missing those last steps(as his would only change from active/standby, and not the primary/secondary). However, you mentioned it was mostly cosmetic. So, are you saying I can make changes to the config on my secondary, and it will push those changes out to the primary as well? All changes don't have to go through the primary to propagate to the secondary?

Re: make secondary ASA the new Primary and active asa

Marvin Rhoads — Mon, 02 Jul 2018 15:39:40 GMT

Propagation of configuration changes is always from Active to Standby.

Whether a unit is Primary or Secondary has nothing to do with that bit - it's strictly a convention to distinguish one appliance from the other.

Re: make secondary ASA the new Primary and active asa

NeverOutofTune — Mon, 30 Jul 2018 13:54:52 GMT

I have a similar scenario. The Secondary is Active. The Primary is offline and out of sync with the Secondary. I want to make change my Secondary to Primary, wipe my old Primary and make it Secondary. The process appears easy.

My question is when I change my current Secondary/Active to Primary/Active via:

failover lan unit primary

will this cause any downtime?

Re: hi,marius is correct.you

jca_connecticut@hotmail.com — Wed, 17 Jul 2019 19:45:26 GMT

Thank you Marius. It was a pretty easy fix.

Re: make secondary ASA the new Primary and active asa

johnlloyd_13 — Fri, 18 Nov 2022 13:06:18 GMT

hi marvin,

i have the same scenario wherein i needed to reverse the primary and secondary role.

when you say take the primary-standby offline, do you mean disable failover/sync using the 'no failover' command?

does it need to be applied on both ASA or just the primary-standby?

can i just straight away reverse role without disabling failover/sync? it's just less than of a second to apply in CLI.

will there be an issue if both secondary-active and primary-standby FW temporarily have the "failover lan unit primary"?

Re: make secondary ASA the new Primary and active asa

Marvin Rhoads — Fri, 18 Nov 2022 14:18:40 GMT

@johnlloyd_13 I'm not sure if your suggested method would work. It shouldn't hurt to try but I'd hesitate to do so in production.

My suggestion for taking primary-standby offline was to take it truly offline - disconnect or shutdown its data interfaces. Then modify the secondary-active with the "failover lan unit primary". Similarly modify the offline unit with "failover lan unit secondary". Then bring it back online.

Re: make secondary ASA the new Primary and active asa

johnlloyd_13 — Sat, 19 Nov 2022 00:28:12 GMT

hi marvin,

thanks! just to be in the safe side, i will do this in a change window and disable failover between the two before changing/reverse the primary and secondary role.