ASA config modifications in Active/Active mode

mukundh86
Level 1

Hello,

I have two ASA 5510s running in Active/Active mode. I need to make config changes on them. How do I go about it? Do I power off the secondary ASA and make the config changes on the primary and then power on the secondary ASA? Or is there another way to do this?

Thanks

Mukundh

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Since you are running Active/Active you probably have at least 2 Security Contexts configured on the ASAs, of which Context1 (for example) is Active on ASA1 and the other, Context2, is Active on ASA2. This is presuming a very default setup.

If you make changes to the System Context (where you create Contexts and attach interfaces to them) you just need to do the configurations on the Primary ASA unit for the "admin" context (to my understanding). There is no need or point to turn off the other ASA unit.

How you have configured the Failover groups defines which device you log into when you want to make changes to either Context 1 or Context 2.

If you make configurations on the wrong device (the one which isn't Active) or attempt it (use the command "conf term" for example) you should see the warning message from the ASA stating that you are configuring the Standby Unit and the configurations won't be replicated to the other unit.

You can use the "show failover" command on the device you are logged into to confirm which failover state it is in.

- Jouni

Hi Jouni

I think I might be mistaken about the Active/Active part. I do not have access to the firewall and just have its config. The "sh ver" showed Failover as Active/Active and I assumed it is active/active. But the failover configs do not show any failover contexts. Here are the failover configs from the primary ASA. Does it mean it is in active/standby?

failover
failover lan unit primary
failover lan interface failover Management0/0
failover polltime unit 1 holdtime 3
failover polltime interface 2 holdtime 10
failover key *****
failover link failover Management0/0
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2

Thanks

Mukundh

Hi,

You said you don't have access to the firewall, only the configuration? How are you going to configure the firewall or is someone else going to do it?

If the ASAs were Active/Active, they would be in multiple context mode with at least 2 Security Contexts and 2 failover groups configured with the commands "failover group 1" and "failover group 2".

In this case it does seem the ASAs are Active/Standby.

If you make any configuration changes to the firewall, you do them on the Primary unit (by taking a management connection to the Primary IP address configured on the ASA interface you are using for management connections). When you save the configuration changes with "wr mem", all the changes you have made will also be saved on the other ASA unit that is at that time the Standby unit.

- Jouni
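
The check described in the reply above, applied offline to a saved configuration file, as an added example that is not part of the original thread. The function name, the "undetermined" label and the second sample configuration are assumptions constructed for illustration; the first sample is the failover section quoted in the thread.

```python
import re

# Failover section quoted in the thread (identifying lines only).
THREAD_CONFIG = """\
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
"""

# Constructed sample of a multiple-context system configuration.
CONSTRUCTED_AA_CONFIG = """\
failover
failover lan unit secondary
failover group 1
 primary
failover group 2
 secondary
context admin
 join-failover-group 1
context ctx2
 join-failover-group 2
"""

def classify_failover(config_text):
    """Return failover mode, unit role, failover groups and contexts."""
    # Only top-level commands count; indented lines belong to a sub-mode.
    top = [ln.rstrip() for ln in config_text.splitlines()
           if ln.strip() and not ln[0].isspace()]
    unit = next((m.group(1) for ln in top if
                 (m := re.fullmatch(r"failover lan unit (primary|secondary)", ln))), None)
    groups = sorted({int(m.group(1)) for ln in top
                     if (m := re.fullmatch(r"failover group (\d+)", ln))})
    contexts = [m.group(1) for ln in top
                if (m := re.fullmatch(r"context (\S+)", ln))]
    if "failover" not in top:
        mode = "failover not enabled"
    elif len(groups) >= 2 and len(contexts) >= 2:
        mode = "active/active"
    elif groups:
        mode = "undetermined"  # failover groups without two contexts: review by hand
    else:
        mode = "active/standby"
    return {"mode": mode, "unit": unit, "groups": groups, "contexts": contexts}

if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONFIG), ("constructed", CONSTRUCTED_AA_CONFIG)):
        print(name, classify_failover(text))
```
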
