Hi ,

thanks for your valuable update.

do you have any Cisco document which says this !!

Thansk in advance.

Hi,

If you are attempting to do a speed change for your Failover environment and you dont want to cause outage to the network connections then I would suggest doing the following

• Configure the Standby ASA physical interface and the connected devices interface to the new speed
• Confirm that the link is up after the change and there is no problem in connectivity from the Standby to the routers
• Switch the Standby device to Active
• Log to the new Standby device (former Active) and do the same changes to it and its connected devices port
• Confirm that its connectivity is fine after the change
• Change the Standby back to Active if you want

Do notice that since you are configuring the Standby device all the time it means that the ASA will give a warning message about the configurations not being in sync if you configure the Standby device. This doesnt matter as we are only changing some basic interface configurations and after the change is done the configurations will again match eachother.

I have only had to do this once and even then it was in a hospital environment.

I didnt expirience any outage in network connections following the above steps

Hope this helps

- Jouni

Hi,

Thanks for the details,

Should i remove the Primary firewall  failover link from standby ?

since u mentioned confirm that the link is up after the change and there is no problem in connectivity from the Standby to the routers

Please let me know what we need to do in active firewall during this changes in standby firewall !

Hi,

The idea is to do NO CHANGES on the Active unit.

Since we are doing the changes on the ASA that is Standby it basically means that we are causing NO ISSUES to the traffic. The Active firewall is handling all the connnections through it while we are configuring the Standby device that IS NOT passing traffic.

After we have changes the "speed" setting on the Standby ASA unit and confirmed that it can reach its gateway routers then we can safely change this Standby firewall to Active as it has had its changes done.

Now that we changed the Standy device to Active after the changes to the interface "speed" setting this means that the old Active ASA is now Standby and we can do the same changes on that ASA also wihtout causing any distruption to the traffic through the Failover pair.

- Jouni

Hi,

Do u mean to say we need to login standby and do the changes and make this as active then we have to make the changes in standby (old active) .

Is it possible to Physical Interfaces speed and duplex set in active firewall the will be

will be replicated to seconday

All the configuration replicated to secondary FW ? So these interfaces changes will replicate or not from primary !

Please confirm!!

Hi,

Naturally you could do the changes on the Active device right away and have them be replicated to the Standby device too.

But in that case there is a higher chance that you will cause outage to the network connections.

I for example did these changes with a console connection to the firewalls because we were changing the interface settings of the interface that was used for the management connections. If we had made the changes remotely we would probably have lost our management connection and have to issue commands through the Failover link from the other ASA.

For that purpose there is a command

failover exec mate

With that you should be able to send commands to other device through the Failover link (if no other connection can be made to the other device other than through the Failover link)

I guess either way of doing the change is fine. Its up to you to decide which one to use. Just make sure you dont end up in a situation where you are doing this remotely and loose remote connection to the actual devices completely if the links dont come up.

Please do remember to mark the reply as the correct answer if it answered your question.

- Jouni