10-05-2020 05:59 AM
We have two Cisco ASA 5585-Xs in a failover setup.
The failover link between the Primary and Secondary unit uses external switches to connect the two ASAs.
We would like to change the failover link to a directly connected link between the two devices.
What would be the best way of doing this? What config do we need to change? Where do we have to make the changes, on the primary or the secondary unit?
To sum it up, we need a step-by-step plan in order to .
10-05-2020 12:13 PM - edited 10-05-2020 12:25 PM
First things first: make sure you have a change window.
Either you can power off the secondary unit and change the cables for the ASAs, or you can directly unplug the cable from one unit at a time, or you can take both cables off at one time from the external switch. Doing so will not trigger the Active firewall to go to standby mode; in this case Active will stay active and passive will stay passive. The reason for this is that the failover interfaces are used for the health of the active interfaces, and the units are monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.
Here are the steps.
1. Get a change window.
2. Power off the secondary firewall; make sure the secondary standby firewall is off. Or, as mentioned above, unplug the cables from the firewall.
3. On the active ASA give the command "show failover | i host"; it will show you the other unit is failed. Or "show failover".
4. Cable the firewalls back to back.
5. Power up the secondary firewall; it will take 7 to 10 minutes to power up the unit.
6. As soon as the standby firewall boots up and is seen by both firewalls, replication will occur. Replication takes around 10 minutes, also depending on the firewall configuration (how long the config is). You will see a message on the Active firewall "Beginning configuration replication: Sending to mate".
7. You get a message on the Active and standby firewall "End configuration replication from mate".
8. On the active firewall give the command "asa/pri/act(config)# failover exec mate show version"; it will show you both units see each other.
Change done. Do your normal network tests.
10-05-2020 06:29 AM
Safe approach; you do not want any config changes to be required.
1. Turn off the Secondary unit. (See that Primary is all working as expected.)
2. Change the link to direct connect, FW to FW.
3. Bring up the Secondary unit; since Primary is already active, Secondary will detect the mate and join as Active/Standby.
10-15-2020 01:07 AM
10-15-2020 01:47 AM
Just configure the interface po8 with "no nameif" first.
11-13-2020 06:29 AM
Preliminary remarks: This text is a summary by an ASA admin beginner who was confronted with the following problem:
HowTo: change the failover link on ASA from indirectly (using external switches) to directly connected, using ports located on the SSP and IPS SSP
This summary is based on many helpful hints posted in this community!
We have a pair of Cisco ASA 5585-X running 9.10(1)40. Both appliances are equipped with
1 Security Service Processor-60 (ASA-SSP-60) located in Slot 0
1 IPS Security Service Processor-60 (ASA-SSP-IPS60) located in Slot 1
Note: the IPS module is not in use!
Security context mode is multiple
Firewall mode is Router
Failover mode is Active/Active
Initial topology: failover link with two 1GigE copper ports (Port-channel 8)
On both appliances we use two 1GigE copper ports, Gig0/4 and Gig0/5, located on the SSP-60 as our failover + stateful link,
bundled as a Port-channel (Po 8). We use two intermediate switches (Switch 1 and Switch 2) connected between the ASA units
for the failover interfaces.
Primary Unit -------- Po 8 --------- Switch 1 --------- Switch 2 -------- Po 8 -------- Secondary Unit
ASA 5585-X ASA 5585-X
Target topology: failover link directly connected via two 10GigE fibre optic ports (Port-channel 10) located on the SSP-60 and the IPS SSP
We need six 10GigE fibre optic ports: two for inside, two for outside and two for the failover + stateful link. The SSP-60 has only four 10GigE fibre optic ports;
the IPS SSP the same. We don't use the IPS SSP, and the question was:
Can traffic ports located on the IPS SSP be used as additional firewall interfaces, and are they allowed to be used as failover interfaces?
Excerpt from Cisco documentation:
The IPS module runs a separate application from the ASA. The IPS module might include an external management interface so you can connect to the IPS module directly; if it does not have a management interface, you can connect to the IPS module through the ASA interface. Any other interfaces on the IPS module, if available for your model, are used for ASA traffic only.
The ASA SSP resides in slot 0 (bottom). A second SSP (or network module) can be installed in slot 1 (top). When you install a non-ASA SSP in slot 1, all non-management interfaces belong to the ASA in slot 0, while the management interfaces belong to the module. If you install dual ASA SSPs, then they are completely independent systems.
The answer is YES.
Before doing anything:
1) Check if the console connection to the Primary and Secondary unit works
2) Check if fallback login with a local account works on Primary and Secondary
In our case the first test was unsuccessful; we had to change our configuration, see below.
On Primary (admin context) check:
ASA/pri/act# changeto context admin
ASA/pri/act/admin# sh run aaa-serv
aaa-server uklantacacs protocol tacacs+
aaa-server TACACS+ protocol tacacs+
reactivation-mode timed
aaa-server TACACS+ (inside) host xx.xx.xx.xx
key *****
aaa-server TACACS+ (inside) host xx.xx.xx.xx
key *****
ASA/pri/act/admin# conf t
ASA/pri/act/admin(config)# aaa-server TACACS+ protocol tacacs+
ASA/pri/act/admin(config-aaa-server-group)# no reactivation-mode timed
ASA/pri/act/admin(config-aaa-server-group)# reactivation-mode depletion deadtime 10
ASA/pri/act/admin(config-aaa-server-group)# end
ASA/pri/act/admin# changeto context admin
ASA/pri/act/admin# sh run all aaa-serv
aaa-server uklantacacs protocol tacacs+
accounting-mode single
reactivation-mode depletion deadtime 10
max-failed-attempts 3
aaa-server TACACS+ protocol tacacs+
accounting-mode single
reactivation-mode depletion deadtime 10
max-failed-attempts 3
aaa-server TACACS+ (inside) host xx.xx.xx.xx
timeout 10
key *****
Note: In our case we use Port-channel 5 for inside on Secondary connected to Switch 2 and Port-channel 5 for inside on Primary connected to Switch 1.
We tested the functionality of the local fallback account on Secondary in order to avoid user impact; Secondary is Standby for both failover groups 1 and 2. We disabled Po 5 (inside) on Switch 2 in order to disconnect Secondary from our TACACS servers and tried to log in with the local account, successfully.
3) Save the initial configuration to disk0: (same as copy run start on Cisco routers or switches)
On Primary (system context): write mem all
Note: Using write mem all, the configuration of all existing contexts is saved on both appliances, Primary AND Secondary, on disk0:
4) Save the initial configuration on a USB stick (disk1:) (optional)
The first attempt was without success; the USB stick was inserted and not detected.
Note: The Cisco ASA 5585-X supports external USB as disk1:; when inserted during normal operation the USB stick is not detected; the USB stick is detected only if it is inserted after a reboot of the appliance.
5) Take a backup of the firewall. Save the initial configuration on, e.g., a TFTP server:
ASA/pri/act# copy disk0:contextname.cfg tftp://xx.xx.xx.xx/config/contextname.cfg
5) In order to avoid confusion, make sure on which ASA (Primary or Secondary), in which context, and on which unit (active or passive) you are working!
For beginners, the situation is a little bit confusing; you have admin, system and user contexts; each context may be active or passive on Primary exclusively or on Secondary; changes must be made in the active context; the system context is changed on Primary and synchronized to Secondary. If you connect via console you are automatically in the system context; if you connect via, e.g., SSH you are automatically connected to the admin context.
ASA# conf t
ASA(config)# prompt hostname ?
Configure mode commands / options:
  context   Display the context in the session prompt (multimode only)
  domain    Display the domain in the session prompt
  priority  Display the priority in the session prompt
  state     Display the traffic passing state in the session prompt
ASA(config)# prompt hostname priority state context
ASA/pri/act (config)# end
ASA/pri/act# changeto context A
ASA/pri/act/A#
6) Move all user contexts to Primary; Secondary becomes standby for both failover groups 1 and 2.
In our case the user contexts associated with failover group 2 were initially active on Secondary, and the user contexts associated with failover group 1 were active on Primary.
ASA/pri/act# sh failover | in Group|host
Group 1 last failover at: 06:04:11 CEST Nov 11 2020
Group 2 last failover at: 06:35:37 CEST Nov 11 2020
This host: Primary
Group 1 State: Active
Group 2 State: Standby Ready
Other host: Secondary
Group 1 State: Standby Ready
Group 2 State: Active
Force failover group 2 to be active on Primary by using the following command:
On Primary (system context): failover active group 2
The alternative is:
On Secondary (system context): no failover active group 2
Note: moving contexts between Primary and Secondary may result in a little packet loss (user impact)!
7) Patch the new failover link fibre optics on Secondary and Primary; test the new link and shut down the new Port-channel (in our case Po10) on Primary and Secondary.
Note: When you use a redundant or EtherChannel interface as a failover link, it must be pre-configured on both units in the failover pair; you cannot
configure it on the primary unit and expect it to replicate to the secondary unit, because the failover link itself is required for replication.
Use the console for making changes!
Step by step:
! Get a maintenance window.
Duration of steps 1 to 8: about 20 minutes; no user impact.
1. Disconnect Secondary from the network: either unplug the cables from the firewall or, in our case, disable all ports on Switch 2 connecting to Secondary.
Note: Disconnecting from the network results in Secondary changing from standby to active mode.
2. On Secondary (system context) - disable failover with the command no failover
3. On Secondary (system context) - disable the old Port-channel and its associated physical interfaces with shutdown
4. On Secondary (system context) - change the failover link in the configuration from the old Port-channel Po8 to the new Port-channel Po10
5. On Secondary (system context) - enable failover on Secondary with the command failover
6. On Secondary (system context) - enable the new Port-channel and its associated physical interfaces with no shutdown
7. On Secondary (system context) - save the new configuration with write mem
8. Power off the secondary firewall.
Do not disconnect Primary from the network! Continue with the change on Primary!
9. On Primary (system context) - disable failover with the command no failover
10. On Primary (system context) - disable the old Port-channel and its associated physical interfaces with shutdown
11. On Primary (system context) - change the failover link in the configuration from the old Port-channel Po8 to the new Port-channel Po10
12. On Primary (system context) - enable failover on Secondary with the command failover
13. On Primary (system context) - enable the new Port-channel and its associated physical interfaces with no shutdown
14. Power on the secondary firewall (it will take 7 to 10 minutes to power up the unit).
Note: as soon as the standby firewall boots up and the new failover link is seen by both Secondary and Primary, you get a message on the Secondary
console screen: "Detected an Active mate". The statement implies that Secondary detects Primary as Active mate (the new failover link works) and goes into Standby mode.
Now replication will start from Primary to Secondary. You will see a message on the Active firewall "Beginning configuration replication: Sending to mate". On the standby firewall you will see the message "Beginning configuration replication from mate".
When replication is finished you get a message on Active "End Configuration Replication to mate" and on the standby firewall "End configuration replication from mate".
15. On Primary (system context) - check the failover status with the command "ASA/pri/act# show failover | in Group|host"; it will show you that both units see each other and that both failover groups are Active on Primary and Standby on Secondary.
16. Continue with your normal network tests.
17. Save the configuration change on Primary.
Duration of steps 9 to 17: about 20 minutes; no user impact.
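The two answers above both rely on reading "show failover" before and after the cabling change: first to confirm which failover group is still active on the other unit (step 6 of the long post), then to confirm the mate shows as Failed once it is powered off, and finally to confirm both groups are Active on Primary and Standby Ready on Secondary after replication (step 15). The following script is an added example, not code from the original thread or from Cisco; it parses the filtered "show failover | in Group|host" output shown in the post and returns those three checks as values rather than leaving them to eyeballing. The host names Primary/Secondary and group ids 1/2 match the post; the three sample outputs are constructed for the example, modelled on the quoted output.

```python
"""Added example (not from the original thread): parse 'show failover | in Group|host'
output from an Active/Active, multiple-context ASA pair and check the states the
posts above look for before and after the failover-link change."""
import re
from typing import Dict, List

# Constructed sample, modelled on the output quoted in the post above:
# failover group 2 is still active on Secondary, so it must be moved first.
SHOW_FAILOVER_BEFORE = """\
Group 1 last failover at: 06:04:11 CEST Nov 11 2020
Group 2 last failover at: 06:35:37 CEST Nov 11 2020
This host: Primary
Group 1 State: Active
Group 2 State: Standby Ready
Other host: Secondary
Group 1 State: Standby Ready
Group 2 State: Active
"""

# Constructed sample: Secondary powered off or disconnected, mate reported as Failed.
SHOW_FAILOVER_MATE_DOWN = """\
This host: Primary
Group 1 State: Active
Group 2 State: Active
Other host: Secondary
Group 1 State: Failed
Group 2 State: Failed
"""

# Constructed sample: target end state after replication over the new link.
SHOW_FAILOVER_AFTER = """\
This host: Primary
Group 1 State: Active
Group 2 State: Active
Other host: Secondary
Group 1 State: Standby Ready
Group 2 State: Standby Ready
"""

HOST_RE = re.compile(r"^\s*(?:This|Other) host:\s*(\S+)", re.IGNORECASE)
GROUP_RE = re.compile(r"^\s*Group\s+(\d+)\s+State:\s*(.+?)\s*$", re.IGNORECASE)

GroupStates = Dict[str, Dict[int, str]]  # host -> {failover group id -> state}


def parse_failover_groups(output: str) -> GroupStates:
    """Map each host (Primary/Secondary) to the state of every failover group.
    'Group N last failover at: ...' lines carry no 'State:' and are skipped."""
    states: GroupStates = {}
    current = None
    for line in output.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            states.setdefault(current, {})
            continue
        group = GROUP_RE.match(line)
        if group and current is not None:
            states[current][int(group.group(1))] = group.group(2)
    return states


def groups_to_force_active(states: GroupStates, target: str = "Primary") -> List[int]:
    """Failover groups still active on a unit other than the target; each one needs
    'failover active group N' in the target's system context before maintenance."""
    return sorted(
        gid
        for host, groups in states.items() if host != target
        for gid, state in groups.items() if state.lower() == "active"
    )


def mate_failed(states: GroupStates, mate: str = "Secondary") -> bool:
    """True when every group on the mate is reported Failed (unit off or link cut)."""
    groups = states.get(mate, {})
    return bool(groups) and all(s.lower() == "failed" for s in groups.values())


def change_complete(states: GroupStates, primary: str = "Primary",
                    secondary: str = "Secondary") -> bool:
    """End state the post checks for: every group Active on Primary and
    Standby Ready on Secondary, with the same group ids seen on both units."""
    prim, sec = states.get(primary, {}), states.get(secondary, {})
    if not prim or set(prim) != set(sec):
        return False
    return all(prim[g].lower() == "active" and sec[g].lower() == "standby ready"
               for g in prim)


if __name__ == "__main__":
    for label, text in [("before", SHOW_FAILOVER_BEFORE),
                        ("mate down", SHOW_FAILOVER_MATE_DOWN),
                        ("after", SHOW_FAILOVER_AFTER)]:
        s = parse_failover_groups(text)
        print(f"{label:9} force active on Primary: {groups_to_force_active(s)}  "
              f"mate failed: {mate_failed(s)}  change complete: {change_complete(s)}")
```

In practice you would paste the console output into the script (or feed it from a terminal log) at each checkpoint: a non-empty list from groups_to_force_active means the "failover active group N" step is still outstanding, mate_failed confirms the secondary is really out of the pair before you recable, and change_complete is the go/no-go for the network tests in step 16.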
11-13-2020 04:25 AM - edited 11-13-2020 05:52 AM
Due to an error I deleted my answer.