https://community.cisco.com/t5/network-security/active-standby-asa-failover-config-changes/m-p/1692995#M562219 <P>Hello,</P><P></P><P>I have 2 ASA 5540s ver 8.3 in Active/Standby state.</P><P></P><P>I am considering a future hypothetical situation where I might need to rename interfaces or reallocate redundant interface groups.&nbsp; Doing so obviously has a major impact on the current primary configuration.&nbsp; My goal would be to minimize or eliminate network downtime during the interface changes.</P><P></P><P>I am wondering if it is possible to force the secondary ASA from the standby to active state.</P><P>Then temporarily disable failover on the primary unit.</P><P>Make the interface changes on the primary unit</P><P>Then reactivate failover on the primary unit</P><P>Force the primary unit back to active and secondary unit to standby</P><P></P><P>My new interface configuration would then sync from the primary to the secondary.</P><P></P><P>I believe this would work but must ensure that the secondary ASA can function as the active unit while the failover is disabled on the primary unit.&nbsp; Is there a set length of time the secondary unit can remain active without a failover peer? </P><P></P><P>Does anyone see issues with operating the secondary unit in this manner while making changes to the primary unit?</P><P></P><P>Thank you </P> Mon, 11 Mar 2019 20:34:11 GMT Cody Ridge 2019-03-11T20:34:11Z https://community.cisco.com/t5/network-security/active-standby-asa-failover-config-changes/m-p/1692995#M562219 <P>Hello,</P><P></P><P>I have 2 ASA 5540s ver 8.3 in Active/Standby state.</P><P></P><P>I am considering a future hypothetical situation where I might need to rename interfaces or reallocate redundant interface groups.&nbsp; Doing so obviously has a major impact on the current primary configuration.&nbsp; My goal would be to minimize or eliminate network downtime during the interface changes.</P><P></P><P>I am wondering if it is possible to force the secondary ASA from the standby to active state.</P><P>Then temporarily disable failover on the primary unit.</P><P>Make the interface changes on the primary unit</P><P>Then reactivate failover on the primary unit</P><P>Force the primary unit back to active and secondary unit to standby</P><P></P><P>My new interface configuration would then sync from the primary to the secondary.</P><P></P><P>I believe this would work but must ensure that the secondary ASA can function as the active unit while the failover is disabled on the primary unit.&nbsp; Is there a set length of time the secondary unit can remain active without a failover peer? </P><P></P><P>Does anyone see issues with operating the secondary unit in this manner while making changes to the primary unit?</P><P></P><P>Thank you </P> Mon, 11 Mar 2019 20:34:11 GMT https://community.cisco.com/t5/network-security/active-standby-asa-failover-config-changes/m-p/1692995#M562219 Cody Ridge 2019-03-11T20:34:11Z https://community.cisco.com/t5/network-security/active-standby-asa-failover-config-changes/m-p/1692996#M562220 <HTML><HEAD></HEAD><BODY><P>Hi Cody,</P><P></P><P>That is the right way to do, the trAffic would pass normally through the secondary firewall so don't worry about it, thats the whole purpose of failover on ASA. The secondary would keep passing the traffic normally until it is active, there is no time limit to it. As far as your question regarding minimizing the downtime is concerned, I suggest you have a look at the virtual mac-address configuration and stateful configuration in failover. Here is the doc for it:</P><P></P><P><SPAN>Stateful failover -----&gt;</SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml</A></P><P><SPAN>Virtual mac-address-------&gt;</SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/m.html#wp2111374">http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/m.html#wp2111374</A></P><P></P><P>Hope this helps.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Mon, 16 May 2011 16:39:18 GMT https://community.cisco.com/t5/network-security/active-standby-asa-failover-config-changes/m-p/1692996#M562220 varrao 2011-05-16T16:39:18Z