Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1053
Views
0
Helpful
7
Replies

ASA Failover in Active/Active

Go to solution
Hari Vishnu
Level 1
Level 1

‎11-06-2012 12:10 AM - edited ‎03-11-2019 05:19 PM

Hi,

We have 2 ASA's configured in ACTIVE/ACTIVE mode. Have 2 failover groups configured and currently both the groups (1 and 2) are active in secondary unit. How I can bring the groups to its default position. i.e. group 1 active in Primary and group 2 active in secondary unit?

Apologies if the question is a basic one ••L

.

Thanks,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to Hari Vishnu

‎11-06-2012 03:14 AM

You are right, this general answer was to broad and only valid in A/S. For A/A you can only send commands to your peer or "mate" context. At least that is a documented limitation, but I didn't test is myself.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Karsten Iwen
VIP
VIP

‎11-06-2012 12:36 AM

You can control that with the following command:

failover active group group_id

This is explained in the cinfig-guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_active.html#wp1095257

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Hari Vishnu
Level 1
Level 1
In response to Karsten Iwen

‎11-06-2012 01:02 AM

Many Thanks for the update. 2 more questions Please help

1. What happens when we do "failover exec active" on Primary unit.

2.On intitial configuration, how we can control which  group is active in which unit ?

Thanks,

Hari

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Hari Vishnu

‎11-06-2012 01:44 AM 

1. What happens when we do "failover exec active" on Primary unit.

with the "failover exec" you can send commands to the active, standby or mate unit. And be aware of that the primary doesn't need to be the active one. You can use the "prompt" command to extend the prompt to include information like unit and state.

That's explained in the same chapter:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_active.html#wp1298990

2.On intitial configuration, how we can control which  group is active in which unit ?

when configuring the contexts you specify which failover-group to join:

join-failover-group 1

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Hari Vishnu
Level 1
Level 1
In response to Karsten Iwen

‎11-06-2012 01:54 AM

Apologies, for bothering you again.

But here is my confusion. in Active/Active failover. How does the concept of Active unit and standby unit comes in ACTIVE/ACTIVE fail over ? There is only Primary and secondary unit right. In which Group 1 can be be active in Primary ASA unit and group 2 can be be active in Secondary active unit.  Please feel free to correct, If i am horribly wrong.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Hari Vishnu

‎11-06-2012 02:03 AM

that's right. And by joining CTX1 to group 1 it will become active on the primary ASA. And joining CTX2 to group 2 will make that context active on the secondary unit. You can also configure preemption so that the contexts rebalance after a failure is corrected:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_active.html#wp1298206

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Hari Vishnu
Level 1
Level 1
In response to Karsten Iwen

‎11-06-2012 02:41 AM

okay thanks. Now on to your reply before:

""with the "failover exec" you can send commands to the active, standby or mate unit. And be aware of that the primary doesn't need to be the active one. You can use the "prompt" command to extend the prompt to include information like unit and state""

I am confused about the terms here to be honest. As there is no concept of Active and stand by ASA units in ACTIVE/ACTIVE   failover (There is only primary and secondary units, each of them having one failover group active). So can you please elaborate what active, standby refers to in your reply.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Hari Vishnu

‎11-06-2012 03:14 AM

You are right, this general answer was to broad and only valid in A/S. For A/A you can only send commands to your peer or "mate" context. At least that is a documented limitation, but I didn't test is myself.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card