We have two Cisco ASA 5585-X's in a failover setup.
The failover link between the Primary and Secondary unit uses external switches for connecting the two ASAs.
We would like to change the failover link to a directly connected link between the two devices.
What would be the best way of doing this? What config do we need to change? Where do we have to make the changes, on the primary or the secondary unit?
To sum it up, we need a step by step plan in order to .
Safe approach: you do not need to make any config changes.
1. Turn off the Secondary unit (check that the Primary is working as expected).
2. Change the link to a direct connection, FW to FW.
3. Bring up the Secondary unit. Since the Primary is already active, the Secondary will detect its mate and join as Active/Standby.
First things first: make sure you have a change window.
Either you can power off the secondary unit and change the cables for the ASAs, or you can directly unplug the cable from one unit at a time, or you can take both cables off at one time from the external switch. Doing so will not trigger the Active firewall to go to standby mode; in this case the Active will stay active and the passive will stay passive. The reason for this is that the failover interfaces are used for health checking: the health of the active interfaces and units is monitored to determine whether specific failover conditions are met. If those conditions are met, failover occurs.
Here are the steps.
1. Get a change window.
2. Power off the secondary firewall. Make sure it is the secondary (standby) firewall that is off. Or, as mentioned above, unplug the cables from the firewall.
3. On the active ASA give the command "show failover | i host"; it will show you that the other unit is failed. Or use "show failover".
4. Cable the firewalls back to back.
5. Power up the secondary firewall; it will take 7 to 10 minutes to power up the unit.
6. As soon as the standby firewall boots up and is seen by both firewalls, replication will occur. Replication takes around 10 minutes, also depending on the firewall configuration (how long the config is). You will see a message on the Active firewall: "Beginning configuration replication: Sending to mate".
7. You get a message on the Active and standby firewall: "End configuration replication from mate".
8. On the active firewall give the command "asa/pri/act(config)# failover exec mate show version"; it will show you that both units see each other.
Change done. Do your normal network tests.
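A small pre/post check for the procedure in the two answers above, written here as an added example and not code from the original thread. It parses `show failover` output for the "This host" / "Other host" lines, the "Failover LAN Interface" line and the "Version: Ours ..., Mate ..." line, then answers the three questions the procedure hinges on: is it safe to pull the secondary (this unit Active, mate Standby Ready), does the surviving unit now see the mate as Failed (step 3), and is the pair healthy again after re-cabling (link up, mate Standby Ready, same software version). The two sample outputs are constructed, and the exact wording of the mate-down lines ("Failed - No Switchover", "Mate Unknown") is an assumption from memory, so compare against what your own units print.

```python
import re

# Constructed sample outputs (not captured from a real device); the line
# layout follows the ASA "show failover" format, the mate-down wording is assumed.
HEALTHY_PAIR = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 10:18:28 UTC Dec 3 2015
        This host: Primary - Active
                Active time: 86400 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

MATE_DOWN = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/2 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Version: Ours 9.1(2), Mate Unknown
Last Failover at: 10:18:28 UTC Dec 3 2015
        This host: Primary - Active
                Active time: 86500 (sec)
        Other host: Secondary - Failed
                Active time: 0 (sec)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$", re.M)
VER_RE = re.compile(r"^Version:\s*Ours\s+(\S+),\s*Mate\s+(\S+)", re.M)
LINK_RE = re.compile(r"^Failover LAN Interface:\s*(\S+)\s+(\S+)\s+\((.+?)\)\s*$", re.M)


def parse_failover(output):
    """Return the parts of `show failover` that the change procedure depends on."""
    info = {"this": None, "other": None, "versions": (None, None), "link": None}
    for which, unit, state in HOST_RE.findall(output):
        info[which.lower()] = {"unit": unit, "state": state}
    if (m := VER_RE.search(output)):
        info["versions"] = (m.group(1), m.group(2))
    if (m := LINK_RE.search(output)):
        info["link"] = (m.group(1), m.group(2), m.group(3))
    return info


def ok_to_power_off_secondary(output):
    """Pre-check, run on the unit that stays up: it must already be Active and
    the mate Standby Ready, so pulling the mate (or the failover cables) cannot
    cause a switchover or leave both units claiming Active."""
    f = parse_failover(output)
    return (f["this"] is not None and f["this"]["state"] == "Active"
            and f["other"] is not None and f["other"]["state"] == "Standby Ready")


def mate_is_failed(output):
    """Step 3 of the procedure: the surviving unit reports the mate as Failed."""
    f = parse_failover(output)
    return f["other"] is not None and f["other"]["state"] == "Failed"


def pair_healthy(output):
    """Post-check after re-cabling and replication: failover link up, mate back
    as Standby Ready, and both units running the same software version."""
    f = parse_failover(output)
    return (ok_to_power_off_secondary(output)
            and f["link"] is not None and f["link"][2] == "up"
            and f["versions"][0] is not None
            and f["versions"][0] == f["versions"][1])


if __name__ == "__main__":
    for label, text in (("before change", HEALTHY_PAIR), ("mate powered off", MATE_DOWN)):
        f = parse_failover(text)
        print(f"{label}: this={f['this']} other={f['other']} "
              f"link={f['link']} versions={f['versions']}")
    print("safe to power off secondary:", ok_to_power_off_secondary(HEALTHY_PAIR))
    print("mate failed as expected:", mate_is_failed(MATE_DOWN))
    print("pair healthy after change:", pair_healthy(HEALTHY_PAIR))
```

Feed it the text of `show failover` taken from the active unit before step 2, again after step 3, and once more after the replication messages in steps 6 and 7; `pair_healthy` returning False at the end (mate not Standby Ready, link not up, or a version mismatch) is the signal to stop and investigate before declaring the change done.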