03-15-2018 06:35 AM - edited 02-21-2020 07:31 AM
I'm replacing my 5516 ASAs due to the forced RMA. Anyways, I'm in an active/standby configuration. I replaced the secondary and failed over to test, all is good and I'm running on it. So the state I'm in is Primary/standby and Secondary/Active.
Now I want to replace the primary asa, but I would like to first promote the secondary to primary. That way I can just add the secondary configs on the new firewall and have what's active now send the config to it.
I'm thinking I would shutdown the primary device then enter the "failover lan unit primary" on the secondary, but can I do that on the fly? Are there any issues I'm going to run into? After that I'd connect the new firewall with a secondary config entered and let it update like any secondary would.
Is there a better way to do this? Thanks in advance.
03-15-2018 09:10 AM
The way you mentioned is a good plan.
It'll be no problem to make the Secondary unit Primary while running Active and as the only live member.
03-15-2018 09:43 AM
Thank you for the reply Marvin!
I wouldn't think I would but, would I need to run a "no failover lan unit secondary" before adding "failover lan unit primary"?
Knowing that "secondary" is the default mode it seems like a wash, but I'm curious if "failover lan unit primary" will overwrite "failover lan unit secondary" on the fly.
03-16-2018 05:38 AM - edited 03-16-2018 05:40 AM
To follow up, shutting down the primary/standby ASA and running these commands on the secondary/active ASA did the trick:
conf t
failover lan unit primary
exit
It took the commands directly, on the fly. After that I showed the old secondary/active was now primary/active, and the secondary was in a failed state (remember it was powered down).
I preconfigured the appropriate "failover lan unit secondary" on the replacement ASA, cabled it up, powered it up and it pulled the configuration in as expected. It wasn't long and I was in primary/active, secondary/standby state.
I will note, since replacing both firewalls I had to rehost (have Cisco give me) a new license per box. Also, I preloaded the same OS, ASDM, and Anyconnect files on both boxes to end up exactly where I was when I started.
I did not get a chance to try Octavian's suggestion. I would assume that it's the way it is supposed to work but felt more comfortable doing it the way I did it.
Thanks guys!
03-15-2018 12:19 PM - edited 03-15-2018 12:22 PM
Hi,
There's no need to switch roles just because your primary ASA failed.
Even though your secondary box is the only one left, it's active.
You can physically connect the primary (RMA box) to the secondary/active ASA, power it on, and the config will be replicated from secondary/active to primary/standby.
The only thing you should pay attention to is not to forget that the primary/RMA box should not be turned on before the cabling is in place. You have to minimally configure the RMA box with failover and no shut, and power it on after the cables are in place. Because the secondary is already active, it will not take over (single context failover is not preemptive).
If you turn on your primary ASA and connect the cables afterwards, primary will become active (no connection between them; it doesn't know that secondary is already active) and the standby ASA will be synced by the primary ASA. (with no config, just failover and IPs... just messing the whole thing up) :)
Thanks,
Octavian
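As an added illustration of the bootstrap both procedures above rely on (not a config from the thread or from Cisco): the minimal failover config pre-staged on the replacement unit before it is cabled and powered on, so the already-active unit pushes the full configuration to it. Interface names, the failover-link name and the addresses are placeholders and must match the existing unit's failover settings.

```text
! Pre-staged on the replacement (RMA) box only. Placeholder values throughout.
! Role: "secondary" when the surviving unit has already been promoted with
! "failover lan unit primary"; "primary" if you keep the original roles.
failover lan unit secondary
! Dedicated failover link, used here for state as well (placeholder interface).
failover lan interface FOLINK GigabitEthernet1/8
failover link FOLINK GigabitEthernet1/8
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
interface GigabitEthernet1/8
 no shutdown
! Enable failover last. Only power the box on once every cable is in place,
! otherwise it cannot see the active peer, goes active itself, and syncs this
! near-empty config onto the live unit.
failover
! After boot, confirm from the live unit that the new box joined as standby:
! show failover
```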
03-19-2018 07:48 AM
Cisco says if you replace a Primary ASA with new hardware and the Primary ASA boots up, the MAC address on the Secondary ASA will be replaced with the Primary's. There will be an interruption to network traffic.
If the secondary unit boots without detecting the primary unit, the secondary unit becomes the active unit and uses its own MAC addresses, because it does not know the primary unit MAC addresses. However, when the primary unit becomes available, the secondary (active) unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network traffic. Similarly, if you swap out the primary unit with new hardware, a new MAC address is used.
03-19-2018 02:48 PM
Hi,
Sorry, you're right. I totally forgot about the MAC of the primary box.
Still, I think that the disruption would be insignificant. ASA should send gratuitous ARP for the new MAC (even though it is the same IP).
The only thing I would worry about is any NAT config for which it wouldn't send gratuitous ARP.
Thanks,
Octavian