Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2462
Views
20
Helpful
6
Replies

Add ASA 'failover key' command

johnlloyd_13
Level 9
Level 9

‎01-24-2022 05:07 AM

hi,

i got a pair of ASA FW currently in production that doesn't have the 'failover key' configured.

i would need to add the said command but quite hesitant that it might "break" the FW pair.

is it "safe" to add this command in the primary/active FW and will this auto sync to the standby after a 'write mem'?

or do i totally remove failover config on both and re-add failover commands?

0 Helpful
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

‎01-24-2022 05:28 AM

Personally i will do this in maintenace window, since this required to configure both the side.

 

if you using ASA 9.X or later, suggested ipsec (rather Plan replication)

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/ha-failover.html

 

Suggestions : always take the configuration backup out of the box.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Sheraz.Salim
VIP
VIP

‎01-24-2022 06:21 AM - edited ‎01-24-2022 06:39 AM

First get the maintenace windows for this work. 

 

apply this change on the Primary Active firewall and issue the write standby.

 

 

Solved: ASA failover key - Cisco Community above is a similar thread asking what you asked. 

 

 

The following example configures the failover parameters for the primary unit:

failover lan unit primary
failover lan interface folink gigabitethernet0/3

failover interface ip folink x.x.x.x.x standby x.x.x.x.x
interface gigabitethernet 0/3
  no shutdown
failover link folink gigabitethernet0/3
failover key xxxxx
failover

The only configuration required on the secondary unit is for the failover link. The secondary unit requires these commands to communicate initially with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary.

 

 

 

FYI- I have tested this ASA model 5525-X with code 9.12(2) and it worked.

 

with below config

!

 

failover lan unit primary
failover lan interface folink gigabitethernet0/3

failover interface ip folink 172.27.48.0 255.255.255.254 standby 172.27.48.1
interface gigabitethernet 0/3
  no shutdown
failover link folink gigabitethernet0/3
failover key xxxxx
failover
!
write standby

 

 

 

 

 

show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync

show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync
 show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync
 show failover | i host
This host: Primary - Active
Other host: Secondary - Standby Ready

please do not forget to rate.

johnlloyd_13
Level 9
Level 9
In response to Sheraz.Salim

‎01-24-2022 05:01 PM

hi,

thanks for the info! it's just the 'failover key' that is missing and not the whole failover config.

surely will do this in a maintenance window.

i also rarely use 'write standby' and had a bad experience with it, i.e. secondary FW got corrupted/sync errors in a production.

0 Helpful

Sheraz.Salim
VIP
VIP
In response to johnlloyd_13

‎01-24-2022 10:50 PM - edited ‎01-24-2022 10:54 PM

Hi

 

sorry I forget to mentioned in my test failover configuration was already configured I only added the failover key.

 

I have used write standby many time in production never had issue with this command. This command write standby force the configuration from primary active firewall to standby.

 

as long your failover vlan/switching is solid you should be fine.

please do not forget to rate.
0 Helpful

Calton69
Level 1
Level 1
In response to Sheraz.Salim

‎01-24-2022 09:23 PM

@Sheraz.Salim wrote:

First get the maintenace windows for this work. 

 

apply this change on the Primary Active firewall and issue the write standby.

 

 

Solved: ASA failover key - Cisco Community above is a similar thread asking what you asked. 

 

 

The following example configures the failover parameters for the primary unit:

failover lan unit primary
failover lan interface folink gigabitethernet0/3

failover interface ip folink x.x.x.x.x standby x.x.x.x.x
interface gigabitethernet 0/3
  no shutdown
failover link folink gigabitethernet0/3
failover key xxxxx
failover

The only configuration required on the secondary unit is for the failover link. The secondary unit requires these commands to communicate initially with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or epayitonline

 

 

 

FYI- I have tested this ASA model 5525-X with code 9.12(2) and it worked.

 

with below config

!

 

failover lan unit primary
failover lan interface folink gigabitethernet0/3

failover interface ip folink 172.27.48.0 255.255.255.254 standby 172.27.48.1
interface gigabitethernet 0/3
  no shutdown
failover link folink gigabitethernet0/3
failover key xxxxx
failover
!
write standby

 

 

 

 

 

show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync

show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync
 show failover | i host
This host: Primary - Active
Other host: Secondary - Bulk Sync
 show failover | i host
This host: Primary - Active
Other host: Secondary - Standby Ready

Thank you for the Help buddy, You solved my Query. Appreciate it.

Sheraz.Salim
VIP
VIP
In response to Calton69

‎01-24-2022 10:55 PM

You are welcome @Calton69 

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card