Solved: Will Primary Firewall Keep Config Put In Failover with Seconday?

haggittmark@tm-america.com · ‎04-30-2020

We have two ASA 5508x that are paired together in a fail over fashion. We what to separate them and use them as two separate firewalls to test if we see a speed increase with a new dedicated Internet line and IP address. How do I that?

Richard Burts · ‎04-30-2020

Perhaps there are aspects of the original post that we do not understand, but it seems a fairly straightforward question. If there is a pair of ASA configured for active/standby failover and you want to use one of the ASA for testing I would suggest these steps:

- identify which ASA is currently the standby unit.

- make a copy of the config of the standby unit.

- disconnect that ASA that is the standby. The unit that is active will continue to be active, will maintain the same configuration, but would not be able to failover.

- modify the config of the standby unit to remove references to failover. (might be best to erase the existing config and start a new config)

- configure the testing ASA for the test environment.

- conduct the testing.

- when testing is completed remove the testing config from the ASA.

- either restore the failover config that was backed up, or do enough basic config to allow the ASA to rejoin the ASA failover environment.

HTH

Rick

View solution in original post

Richard Burts · ‎04-30-2020

You are welcome. I am glad that my explanation was helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. Your marking and points awarded are correct. No need to change anything.

HTH

Rick

View solution in original post

Mark Elsen · ‎04-30-2020

- The question is kind of irrelevant because if you want to use one for testing another Internet connection, then it will need another configuration anyway (so either you the pair in failover-mode., or you configure 2 boxes with 2 different purposes).

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Richard Burts · ‎04-30-2020

Perhaps there are aspects of the original post that we do not understand, but it seems a fairly straightforward question. If there is a pair of ASA configured for active/standby failover and you want to use one of the ASA for testing I would suggest these steps:

- identify which ASA is currently the standby unit.

- make a copy of the config of the standby unit.

- disconnect that ASA that is the standby. The unit that is active will continue to be active, will maintain the same configuration, but would not be able to failover.

- modify the config of the standby unit to remove references to failover. (might be best to erase the existing config and start a new config)

- configure the testing ASA for the test environment.

- conduct the testing.

- when testing is completed remove the testing config from the ASA.

- either restore the failover config that was backed up, or do enough basic config to allow the ASA to rejoin the ASA failover environment.

HTH

Rick

haggittmark@tm-america.com · ‎04-30-2020

thanks!. I'm not sure if I awarded points correctly. please let me know if i nee to change something

Richard Burts · ‎04-30-2020

You are welcome. I am glad that my explanation was helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. Your marking and points awarded are correct. No need to change anything.

HTH

Rick

haggittmark@tm-america.com · ‎04-30-2020

temporary test