Adding failover ASA back after config changes on "primary" ASA?

RussDraper
Level 1

I had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time.  Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer.  I disconnected the failover cable because it was complaining about version mismatches constantly.

Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?

6 Replies

Jouni Forss
VIP Alumni

Hi,

There should be no problem adding another ASA back to the network.

Here is what I just did (and what happened) on a rather big customer

  • A power fault broke Secondary ASA and it never booted up
  • A replacement device was acquired
  • The replacement device was 
    • Updated to matching hardware setup (mainly memory)
    • Updated to same software (OS and ASDM)
    • Configured with its physical interface up with "no shutdown"
    • Configured with ONLY "failover" configurations (exact configuration of course depends on your setup)
    • It was attached to the rack and powered up.
    • After boot every interface BUT "failover" was attached to the network (you don't necessarily have to do it in this order) and I checked that every single one was up.
  • After everything above was done I connected the failover interface and watched as the devices "noticed" each other and the Active firewall copied its configuration to the new Secondary unit.

This was done in a factory environment and all went fine.

There should be no problems doing this though I personally still prefer doing the replacement by attaching a "blank" ASA with only Failover configurations.

EDIT: Being that I am always paranoid when doing anything like this, I had of course saved the configurations to flash in a separate file for the worst case scenario and was ready to boot the original primary unit in case it took in something it wasn't supposed to.

EDIT 2: In the case where you think the Secondary unit doesn't have the exact configuration of the Primary unit, you can issue the command write standby on the Primary unit to save/copy the COMPLETE configuration of the Primary unit to the Secondary. I think the "write mem" on the Primary unit only updates to the Secondary unit some changes you have made.

- Jouni
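The "blank Secondary with only failover configuration" step Jouni describes, written out as an added example (this is not his configuration or Cisco's documentation). The failover interface Ethernet0/3, the link name FOLINK, the 192.168.254.0/24 addressing and the shared key are assumed placeholders; the Primary must carry the same failover link, addresses and key.

```cisco
! Added example: minimal configuration loaded on a wiped Secondary ASA 5510
! BEFORE its failover cable is connected. Everything else (interfaces, ACLs,
! NAT, VPN) is left empty on purpose; the Active unit replicates it.
!
! 1. Confirm the software matches the Primary first (version mismatches are
!    what produced the constant failover complaints in the question):
!      show version
!
! 2. Bring up only the physical interface that will carry failover traffic.
interface Ethernet0/3
 description Failover + stateful link to Primary (placeholder name)
 no shutdown
!
! 3. Failover-only configuration. This unit is declared "secondary", so when
!    it joins a pair that already has an Active unit it comes up as Standby
!    and receives the running configuration rather than pushing its own.
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.0 standby 192.168.254.2
!
! Authenticate and encrypt the failover/state traffic; the key must be
! identical on both units (placeholder value, replace before use).
failover key CHANGE-ME-SHARED-SECRET
!
! 4. Enable failover last, then connect the cable.
failover
!
! 5. Checks after the link comes up, on both units:
!      show failover          ! Secondary should report "Standby Ready",
!                             ! Primary should still report "Active"
!      show running-config    ! compare against the Primary's config
!    If anything looks out of sync, "write standby" on the Primary (from
!    Jouni's EDIT 2) pushes the complete configuration to the Secondary.
```

Keep the backup copy of the Primary's configuration that Jouni mentions in flash before connecting the failover link, so the known-good config can be restored if replication does not go as expected.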

Thank you, I have added a fresh ASA as the secondary before, but this is the same secondary unit with an existing configuration on it.  I want to make sure that it won't decide that the secondary is newer and replicate that over to the primary!

Hi,

I don't think the ASA has that kind of functionality.

To my understanding the Active ASA will never change its role unless you change it manually or there is some serious network problem when you are attaching the Secondary back to the network. To my understanding the Primary would have to Fail before you attach the Secondary to the network (Presuming it actually has any configurations)

As I said, I personally just erase the configurations from the Secondary and attach it back to the network with the Failover configuration only. It will get a copy of the configuration from the Primary unit anyway, so it seems simpler to me when the Secondary unit attached to the network just doesn't contain anything other than the configurations needed to bring the Failover up.

Naturally, I haven't had to do this many times, as I have only had one ASA firewall break during about 5 years, and the other cases have been where the actual Failover has been in some sort of error state where it just won't seem to recover.

- Jouni

Hi,

I am new to ASA and have configured Active/Standby failover. I would like to know how to configure the failover to be revertive, meaning that if the primary link is broken and it switches to the secondary, and then the primary unit is active again, the data should go through the primary unit.

Hi,

You should make a new Discussion on the forums when asking questions, especially since your question isn't specifically related to the original post in this discussion.

But in general, in an Active/Standby Failover pair the Active device ONLY changes when there is an event that triggers the failover. So if your Secondary device becomes Active and the Primary device recovers from the fault, THEN the Primary device will ONLY become Active the next time the Secondary device fails. In other words, the Active device has to fail or its connections have to fail before any changes in the Failover happen.

The Primary device won't automatically return to the Active state even if it has recovered. This has to be done manually.

On an Active/Active Failover pair you can configure the original Primary device to return to Active when it has recovered, but not in Active/Standby.

Please rate if you have found the information helpful

- Jouni

Hi,

Thank you for your reply; it is very helpful.
