Cisco ASA sync issues with multiple admins issuing commands

synergy2025 (Level 1)

I have run into an issue in our lab which I'm curious how others have dealt with. With more than one user logged into the active firewall and issuing commands, the active firewall has the expected config and differentiates the users' commands. The commands are sent to the standby firewall in the order in which they were entered, which leads to unexpected results on the standby unit.

Perhaps there's a config to prevent or mitigate this? I know of 'wr standby' and disabling failover and re-enabling it to re-sync configs, but I'm thinking there may be something to prevent it. I appreciate any information; I couldn't find anything on this.

(Attached diagram: ASA-Sync-issue.drawio.png)

Accepted Solution

balaji.bandi (Hall of Fame)

You need to set up a standard process here, like change control, so you can track who makes changes and do not end up with an inconsistent config on the ASA.

In a Cisco ASA high-availability (HA) pair, synchronization issues with multiple administrators issuing commands typically occur when the Active/Standby devices get out of sync. Because configuration changes are meant to be applied only to the active unit and then automatically synchronized to the standby, multiple admins performing certain actions simultaneously can cause inconsistencies.

  • Commands executed on the standby unit: Configuration changes must only be made on the active ASA. Any changes made directly on the standby unit will be overwritten during the next synchronization from the active unit. However, if the standby unit was promoted to active without the configurations being properly synced, you can end up with mismatched configurations.

There is a good discussion on this that may help you:

https://community.cisco.com/t5/network-security/asa5585-cluster-out-of-sync-config/td-p/2810400#:~:text=Hello!,NGFW%20Firewalls


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

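One way to catch the mismatched configurations the answer describes before a failover exposes them, as an added example that is not from this thread or from Cisco: capture `show running-config` from both units, group each into top-level commands with their indented sub-commands, and report anything present on only one side or whose sub-commands differ. The two snapshots below are constructed sample data, and the set of unit-specific or volatile lines that are ignored (`failover lan unit`, the `: Saved` / `: Written by` timestamps, `Cryptochecksum`) is an assumption to adjust for your platform and version.

```python
"""Config-drift check for an ASA Active/Standby pair.

Added example, not code from this thread or from Cisco. It assumes you have
already captured `show running-config` from both units (console, SSH, or your
automation); the two snapshots at the bottom are constructed sample data.
"""
from collections import OrderedDict
from typing import Dict, List

# Lines that legitimately differ between the two units or change on every
# capture. Assumption: extend this for your own platform/version.
IGNORE_PREFIXES = (": Saved", ": Written by", "Cryptochecksum", "failover lan unit")


def parse_blocks(config: str) -> "OrderedDict[str, List[str]]":
    """Group a running-config into top-level lines plus their indented sub-commands.

    Insertion order is kept and children are compared as ordered lists, because
    order is significant for access-list entries and policy-map/class-map bodies.
    """
    blocks: "OrderedDict[str, List[str]]" = OrderedDict()
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                          # blank line or '!' separator
        if raw.startswith(IGNORE_PREFIXES):
            continue                          # unit-specific or volatile line
        if not raw[0].isspace():              # top-level command
            current = raw.rstrip()
            blocks.setdefault(current, [])
        elif current is not None:             # indented sub-command of `current`
            blocks[current].append(raw.strip())
    return blocks


def compare(active: Dict[str, List[str]], standby: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return drift in three buckets:
    missing_on_standby - commands only the active unit has (replication lost)
    extra_on_standby   - commands only the standby has (e.g. typed there directly)
    child_mismatch     - blocks whose sub-commands differ in content or order
    """
    report: Dict[str, List[str]] = {"missing_on_standby": [], "extra_on_standby": [], "child_mismatch": []}
    for line, children in active.items():
        if line not in standby:
            report["missing_on_standby"].append(line)
        elif children != standby[line]:
            report["child_mismatch"].append(line)
    report["extra_on_standby"] = [line for line in standby if line not in active]
    return report


def drift_report(active_config: str, standby_config: str) -> Dict[str, List[str]]:
    """Parse both snapshots and compare them."""
    return compare(parse_blocks(active_config), parse_blocks(standby_config))


def in_sync(report: Dict[str, List[str]]) -> bool:
    """True when no bucket of the report contains anything."""
    return not any(report.values())


# Constructed sample snapshots. The standby is missing one ACL entry, has a
# different host in one object, and carries a command typed on it directly.
ACTIVE_CONFIG = """\
: Saved
: Written by admin at 10:01:02.123 UTC Mon Jan 1 2024
!
ASA Version 9.x
!
hostname lab-asa
failover
failover lan unit primary
failover lan interface HA GigabitEthernet0/7
!
object network WEB-SRV
 host 10.0.1.10
object network DB-SRV
 host 10.0.2.20
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV eq 443
access-list OUTSIDE_IN extended deny ip any any
!
Cryptochecksum:1a2b3c4d
"""

STANDBY_CONFIG = """\
: Saved
: Written by admin at 10:01:05.456 UTC Mon Jan 1 2024
!
ASA Version 9.x
!
hostname lab-asa
failover
failover lan unit secondary
failover lan interface HA GigabitEthernet0/7
!
object network WEB-SRV
 host 10.0.1.10
object network DB-SRV
 host 10.0.2.21
access-list OUTSIDE_IN extended deny ip any any
logging host inside 10.0.9.9
!
Cryptochecksum:9f8e7d6c
"""

if __name__ == "__main__":
    result = drift_report(ACTIVE_CONFIG, STANDBY_CONFIG)
    print("in sync" if in_sync(result) else "DRIFT DETECTED")
    for bucket, lines in result.items():
        for line in lines:
            print(f"  {bucket}: {line}")
```

Run it after each change window, or on a schedule, and treat any non-empty bucket as a ticket: the remedies the question already names (`wr standby`, or disabling and re-enabling failover) restore the standby, but only a comparison like this tells you that it needs restoring before the standby is promoted.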

2 Replies


I appreciate the accurate response.

For posterity: I filed a TAC case, and the reply was that this is by design. The commands replicated across the HA failover link are a single stream. This makes automation more difficult. Other popular firewall vendors have, in my opinion, a better approach to config synchronization. In my environment we have network automation which constantly logs into our firewall and makes changes.

I hope this information benefits others as well.