ASA - change the secondary configuration to be primary

mdodge
Level 1

I'm replacing my 5516 ASAs due to the forced RMA. Anyways, I'm in an active/standby configuration. I replaced the secondary and failed over to test, all is good and I'm running on it. So the state I'm in is Primary/standby and Secondary/Active.

 

Now I want to replace the primary asa, but I would like to first promote the secondary to primary. That way I can just add the secondary configs on the new firewall and have what's active now send the config to it.

 

I'm thinking I would shut down the primary device, then enter "failover lan unit primary" on the secondary, but can I do that on the fly? Are there any issues I'm going to run into? After that I'd connect the new firewall with a secondary config entered and let it update like any secondary would.

 

Is there a better way to do this? Thanks in advance.

Accepted Solution

Marvin Rhoads
Hall of Fame

The way you mentioned is a good plan.

 

It'll be no problem to make the Secondary unit Primary while running Active and as the only live member.

6 Replies


Thank you for the reply Marvin!

 

I wouldn't think I would, but would I need to run a "no failover lan unit secondary" before adding "failover lan unit primary"?

 

Knowing that "secondary" is the default mode it seems like a wash, but I'm curious if "failover lan unit primary" will overwrite "failover lan unit secondary" on the fly.

To follow up, shutting down the primary/standby ASA and running these commands on the secondary/active ASA did the trick:

 

conf t
failover lan unit primary
exit

 

It took the commands directly, on the fly. After that I showed the old secondary/active was now primary/active, and the secondary was in a failed state (remember it was powered down).

 

I preconfigured the appropriate "failover lan unit secondary" on the replacement ASA, cabled it up, powered it up and it pulled the configuration in as expected. It wasn't long and I was in primary/active, secondary/standby state.

 

I will note, since replacing both firewalls I had to rehost (have Cisco give me a new license per box). Also, I preloaded the same OS, ASDM, and Anyconnect files on both boxes to end up exactly where I was when I started.

 

I did not get a chance to try Octavian's suggestion. I would assume that is the way it is supposed to work, but I felt more comfortable doing it the way I did it.

 

Thanks guys!

 

Octavian Szolga
Level 4

Hi,

 

There's no need to switch roles just because your primary ASA failed.

Even though your secondary box is the only one left, it's active.

You can physically connect the primary (RMA box) to the secondary/active ASA, power it on, and the config will be replicated from secondary/active to primary/standby.

 

The only thing you should pay attention to is not to forget that the primary/RMA box should not be turned on before the cabling is in place. You have to minimally configure the RMA box with failover and no shut, and power it on after the cables are in place. Because the secondary is already active, it will not take over (single context failover is not preemptive).

 

If you turn on your primary ASA and connect the cables afterwards, the primary will become active (no connection between them; it doesn't know that the secondary is already active) and the standby ASA will be synced by the primary ASA (with no config, just failover and IPs... just messing the whole thing up) :)

 

Thanks,

Octavian

Cisco says that if you replace a primary ASA with new hardware and the primary ASA boots up, the MAC address on the secondary ASA will be replaced by the primary's. There will be an interruption for network traffic.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.pdf

 

"If the secondary unit boots without detecting the primary unit, the secondary unit becomes the active unit and uses its own MAC addresses, because it does not know the primary unit MAC addresses. However, when the primary unit becomes available, the secondary (active) unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network traffic. Similarly, if you swap out the primary unit with new hardware, a new MAC address is used."

Hi,

Sorry, you're right. I totally forgot about the MAC of the primary box.

Still, I think that the disruption would be insignificant. ASA should send gratuitous ARP for the new MAC (even though it is the same IP).

The only thing I would worry about is any NAT config for which it wouldn't send gratuitous ARP.

 

Thanks,

Octavian
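As an added illustration (not from the thread or Cisco's documentation), this is the full command sequence the thread describes, written out as an ASA CLI config: the promotion on the surviving unit, the minimal failover bootstrap for the replacement unit, and the virtual-MAC setting that addresses the MAC-change interruption quoted from the Cisco guide. Interface names, the failover subnet, the MAC values and the key are constructed placeholders.

```text
! Step 1 - on the surviving secondary/active unit, with the old primary powered off:
conf t
 failover lan unit primary
end
write memory
!
! Step 2 - minimal bootstrap on the replacement unit, entered BEFORE it is cabled up
! and powered on next to the active unit (it must see the active peer on boot).
! Constructed values: GigabitEthernet1/8 as the failover link, 10.255.255.0/30, key.
conf t
 interface GigabitEthernet1/8
  description failover and stateful link
  no shutdown
 failover lan unit secondary
 failover lan interface folink GigabitEthernet1/8
 failover link folink GigabitEthernet1/8
 failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
 failover key <failover-key-placeholder>
 failover
end
!
! Optional - pin virtual MAC addresses on the data interfaces so the active MAC
! stays the same regardless of which physical box is primary (entered on the active
! unit; replicated to the standby). Constructed MAC values for GigabitEthernet1/1.
conf t
 failover mac address GigabitEthernet1/1 0200.0000.0001 0200.0000.0002
end
!
! Verify roles and replication from either unit once the peer has synced:
show failover state
show failover
```

Expect "show failover state" to report the old secondary as Primary/Active and the replacement as Secondary/Standby Ready once the config has replicated.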
