ASA 5520 - Move failover interface from current to management interface

kasper123
Level 4

Hi,

We have two ASA 5520 working as a failover pair.

It is using the GigabitEthernet0/0 interface as a failover interface but now we need that interface for traffic and would like to use the management interface as a failover interface because we don't use the management interface for anything else. We configured the management interface with "no management only".

Here is the relevant config:

interface GigabitEthernet0/0
description LAN Failover Interface

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/0
failover key *****
failover interface ip failover 172.16.254.1 255.255.255.0 standby 172.16.254.2

What is the correct procedure to do this? Can it be done while both devices are powered on and connected?

Regards.

1 Accepted Solution

Accepted Solutions

Doing it on the fly has much potential for a disaster ... I would do it the following way:

  1. Remove the secondary ASA from the network and do a write erase or just remove all failover-config. Doing a write erase is probably less work.
  2. Remove the old failover config on the primary ASA and add the new failover config.
  3. Configure the secondary ASA for failover and write your config.
  4. Shutdown the secondary ASA and add the ASA back to the network.
  5. Switch the secondary ASA on, it will sync and take over the standby role.

And be aware of the following limitation:

If you use the failover link as the state link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the state link.

But at least on the 5520 I never had problems with that.


7 Replies


Hi Karsten,

We will be reconfiguring the ASA pair so I have a quick question regarding the primary/secondary and active firewall.

What if the secondary firewall is the one that is currently active? Should we first make the primary firewall the active one and then shut down the secondary and make the configuration changes?

Does it matter which one of the firewalls we shut down?

You can remove the primary or the secondary to start the migration. But as forcing a failover-event shouldn't cause any problems, I would first switch back to the primary unit and remove the secondary unit. Takes five seconds longer, but is the more "clean" procedure.

Hi Karsten,

Will forcing a failover cause the current connections through the firewall to be dropped?

With stateful failover the users will probably not notice the change. The connections (and VPNs) stay up.

Is the above config the whole failover config? Well, then stateful failover is not enabled (why not?). For stateful failover you would need the command

failover link failover GigabitEthernet0/0
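The following is an added example of what steps 2 and 3 of the accepted procedure plus the stateful "failover link" command look like on the CLI; it is not config from the original thread. It assumes the ASA 5520 management port name Management0/0, reuses the 172.16.254.0/24 failover subnet from the question, and uses a placeholder for the shared key.

```cisco
! Added example, not from the original thread. Assumes the management
! port is Management0/0 and that the failover subnet from the question
! (172.16.254.0/24) is reused.
!
! --- On the unit being reconfigured: drop the old failover config that
!     points at GigabitEthernet0/0 (done with the unit off the network) ---
no failover
clear configure failover
!
! --- GigabitEthernet0/0 is now free for data traffic; give it the
!     nameif / security-level / ip address your design needs ---
interface GigabitEthernet0/0
 no description
!
! --- Prepare the management port as a combined failover + state link ---
interface Management0/0
 description LAN/STATE Failover Interface
 no management-only
 no shutdown
!
! --- New failover config. This is the primary unit; on the other unit
!     use "failover lan unit secondary", everything else is identical ---
failover lan unit primary
failover lan interface failover Management0/0
! Stateful failover: the state link is what keeps connections and VPNs
! up across a switchover. Here it shares the failover link, so check the
! port speed against the Cisco note quoted in the accepted answer.
failover link failover Management0/0
! The key encrypts the failover messages (which carry the running config
! and connection state) on the wire; set the same secret on both units.
failover key REPLACE-WITH-SHARED-SECRET
failover interface ip failover 172.16.254.1 255.255.255.0 standby 172.16.254.2
! Enable failover last, after the interface and key are in place.
failover
!
! --- Verification after the secondary is powered on and has synced ---
! show failover       -> other host should report "Standby Ready"
! show failover state
```

Order matters on the primary: enable "failover" only after the key and the new interface are configured, so the unit never advertises itself over an unkeyed or half-configured link.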

Thank you very much Karsten. I followed your advice and everything went fine.

Chris Izatt
Level 1

Another idea to think about is you can create a port channel and use it as the failover int. So that way you could add and remove ports from the po without taking a downtime.

Something to think about.
