ASA 5585-X Howto change failover-link

We have two Cisco ASA 5585-Xs in a failover setup.

The failover link between the primary and secondary unit uses external switches for connecting the two ASAs.

We would like to change the failover link to a directly connected link between the two devices.

What would be the best way of doing this? What config do we need to change? Where do we have to do the changes, on the primary or secondary unit?

To sum it up, we need a step by step plan in order to .

VIP Mentor

A safe approach, if you do not want any config changes:


1. Turn off the secondary unit (see that the primary is all working as expected).

2. Change the link to a direct connection, FW to FW.

3. Bring up the secondary unit; since the primary is already active, the secondary will detect its mate and join as Active/Standby.


*** Rate All Helpful Responses ***
VIP Advocate

First things first: make sure you have a change window.

Either you can power off the secondary unit and change the cables for the ASA, or you can directly unplug the cable from one unit at a time, or you can take both cables off at one time from the external switch. Doing so will not trigger the active firewall to go into standby mode. In this case active will stay active and passive will stay passive. The reason for this is that the failover interfaces are used for the health of the active interfaces, and units are monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.


Here are the steps.


1. Get a change window.

2. Power off the secondary firewall. However, make sure the secondary standby firewall is off. Or, as mentioned above, unplug the cables from the firewall.

3. On the active ASA, give the command "show failover | i host"; it will show you that the other unit is failed. Or use show failover.

4. Cable the firewalls back to back.

5. Power up the secondary firewall; it will take 7 to 10 minutes to power up the unit.

6. As soon as the standby firewall boots up and is seen by both firewalls, replication will occur. Replication takes around 10 minutes and also depends on the firewall configuration (how long the configs are). You will see a message on the active firewall: "Beginning configuration replication: Sending to mate"

7. You get a message on the active and standby firewalls: "End configuration replication from mate"

8. On the active firewall, give the command "asa/pri/act(config)# failover exec mate show version"; it will show you that both units see each other.


Change done. Do your normal network tests.

Please do not forget to rate.
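
One way to script the state checks from step 3 and from the end of replication (steps 6 to 8) is shown below. This is an added example, not part of the original post; the sample output is constructed, and its line format and state strings are an assumption about what `show failover | i host` prints.

```python
import re

# Matches the "This host:" / "Other host:" lines of `show failover | i host`.
HOST_LINE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(.+?)\s*$")

# Constructed sample output (assumed format), not captured from a real ASA.
STEP3_SAMPLE = """\
        This host: Primary - Active
        Other host: Secondary - Failed
"""
STEP8_SAMPLE = """\
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""

def parse_failover_hosts(output):
    """Return {'this': (unit, state), 'other': (unit, state)}."""
    hosts = {}
    for line in output.splitlines():
        m = HOST_LINE.match(line)
        if m:
            hosts[m.group(1).lower()] = (m.group(2), m.group(3))
    return hosts

def check_stage(output, stage):
    """Return a list of problems; an empty list means the stage looks as expected."""
    if stage not in ("isolated", "rejoined"):
        raise ValueError("stage must be 'isolated' or 'rejoined'")
    hosts = parse_failover_hosts(output)
    if set(hosts) != {"this", "other"}:
        return ["could not find both 'This host' and 'Other host' lines"]
    problems = []
    if hosts["this"][1] != "Active":
        problems.append("this unit is %r, expected Active" % hosts["this"][1])
    mate_ready = hosts["other"][1] == "Standby Ready"
    if stage == "isolated" and mate_ready:
        # Step 3: the mate must no longer look healthy before recabling.
        problems.append("mate still Standby Ready; secondary is not isolated yet")
    if stage == "rejoined" and not mate_ready:
        # After replication the mate should be back as standby.
        problems.append("mate is %r, expected Standby Ready" % hosts["other"][1])
    return problems

if __name__ == "__main__":
    print(check_stage(STEP3_SAMPLE, "isolated"), check_stage(STEP8_SAMPLE, "rejoined"))
```

Paste the CLI output captured during the change window into `check_stage` with stage `"isolated"` before recabling and `"rejoined"` after replication ends; any returned problem is a reason to stop and investigate before continuing.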


Thanks very much for your hints. I have a problem with your hint, because we have to change the failover link configuration. At the moment the failover link is realized by port-channel 8, which consists of 2 10GigE copper ports. In order to change to the new 10 GigE links Ten1/0 and Ten0/9 (SFP+) fibre optic, we have to change the configuration on the secondary and primary unit. We tried to do this: after first disabling failover on the secondary, which was disconnected from our network, with the command no failover, we got an error message when changing the interface configuration for failover:

ERROR: Cannot remove the last member of port-channel interface
Port-channel8 which has nameif configure.

So the question arises: how can we change the configuration for the failover link on the secondary and primary unit?

Greetings, Manfred

Just configure the interface po8 with "no nameif" first.
