Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1559
Views
5
Helpful
8
Replies

ASA Failover config

ThomasCaapiCci
Level 1
Level 1

‎08-04-2020 03:31 AM

Hi

 

I have 2 questions:

 

We have 2 ASA 5525 that are setup for failover.

 

Site A ASA was always the primary

Site B ASA was always the secondary

 

Today I logged to Site A ASA and noticed the config had changed to secondary.

My first question is: can this happen automatically or do you need to change the config manually for it to happen? In case ASA in Site A would fail, would Site B failover and become primary or would it remain secondary but active?

 

Site A ASA config is as follows:

 

failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/7
failover key *****
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 192.168.255.1 255.255.255.252 standby 192.168.255.2

 

Site B ASA config:

 

failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover key *****
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 192.168.255.1 255.255.255.252 standby 192.168.255.2

 

My second question is: I want Site A asa to be primary again, how can I do that from the ASDM?

0 Helpful
8 Replies 8

Brad_Shawh
Level 1
Level 1

‎08-04-2020 04:30 AM

1) The failover can occur due to various reasons including but not limited to firewall reboot, interface fail, etc. If any of these reasons occur, then failover automatically occurs.

You can check sh failover history for the reason of failover

 

Yes, it will be secondary active and primary - failed / standby etc

 

2) If you want whatever site to be active, there are two ways

 

i) on Active firewall, execute 'no failover active' command

ii) on Standby firewall, execute 'failover active', they both achieve the same purpose.

 

PS: You can include failover replication http and failover link failover commands in your failvoer configurutation.

0 Helpful

ThomasCaapiCci
Level 1
Level 1
In response to Brad_Shawh

‎08-04-2020 04:43 AM

Hey Shawn,

 

It still not clear to me, in case of the primary having a network failure for instance I understand it moves to fail state, and the secondary node moves from passive to active. But is the config changed and the secondary node becomes primary?

0 Helpful

Brad_Shawh
Level 1
Level 1
In response to ThomasCaapiCci

‎08-04-2020 04:52 AM

The 'Primary' and "Secondary' states will never change, they are hard coded with configuration 'failover lan unit primary' 'failover lan unit seconeary'

 

Only the 'Active' or 'Standby' states change with change in network.

0 Helpful

ThomasCaapiCci
Level 1
Level 1
In response to Brad_Shawh

‎08-04-2020 05:01 AM

Ah...well then that means someone changed the config, I cant find any other explanation

 

I still want to move the primary to the original ASA, on the ASDM this is the only place I can find that manages primary/secondary settings: 

 

Should I move the Preferred role to Primary on ASA A so it is set as before and that will take care of it? Should I also set ASA B as preferred secondary? Will the change take care of changing the config?

0 Helpful

Brad_Shawh
Level 1
Level 1
In response to ThomasCaapiCci

‎08-04-2020 05:40 AM

I have not done this myself, but if you have console access to secondary, it's safer.

 

Moving role on Primary for Site A is fine, you should do it if that is how you want it. It will take care on the primary firewall.

 

Once you change Site A to primary and see no issues, from CLI on site A, you can execute the following command to change site B to secondary

 

failover exec mate failover lan unit secondary

 

 

ThomasCaapiCci
Level 1
Level 1
In response to Brad_Shawh

‎08-04-2020 05:59 AM

cheers for that

 

So on ASA A I issue: failover lan unit primary

 

Wait a bit (at that point there are 2 primary?)

 

After a while on ASA B

failover exec mate failover lan unit secondary

0 Helpful

Marius Gunnerud
VIP
VIP
In response to ThomasCaapiCci

‎08-04-2020 07:05 AM

Before you do any of this you should break the failover.  By issuing the failover lan unit primary on site A you will now have two primary ASAs in the HA setup.  When doing this it is best that you have quick access to the console port of both ASAs in case you lose connectivity to the ASAs.

Here is what I would recommend you do.

1. make sure Site A is the Active ASA

2. Remove site B ASA from the network

3. Change configuration on Site A ASA to be primary

4. Change configuration on Site B ASA to be secondary

5. Add Site B ASA back into the network

6. Force a configuration replication from primary/active to secondary/standby (write standby)

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Brad_Shawh
Level 1
Level 1
In response to ThomasCaapiCci

‎08-04-2020 08:48 AM

Please follow what Marius said, you need to break the failover, take console of secondary and then make the changes.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card