01-26-2012 07:24 AM - edited 03-11-2019 03:19 PM
Dear All,
I have 2 Cisco 5520 ASAs and they were configured for Failover.
Unfortunately our Primary ASA went down, the Secondary became Active, and the network admin made lots of changes on the Secondary Active ASA.
What is the best practice to rejoin the Primary as standby or active without losing the existing configuration on the Secondary Active?
Regards
Ahmed...
01-26-2012 08:01 AM
When your Primary comes back, it should do so in Standby mode and synchronize with the Secondary - Active device (and remain Primary - Standby).
The exception is if you have the preempt option set. If you do, the Primary unit will assume Active role once configuration is synced.
It wouldn't hurt to get a complete backup of the Secondary - Active unit prior to the re-introduction of the failed Primary just in case.
Please see this document for step-by-step details.
01-26-2012 10:21 AM
Thanks Marvin... I will update you
01-29-2012 08:25 AM
Hi Rhoads,
The document you provided is perfect...
Actually the important fact is we need to configure "no failover" before connecting the primary to the "standby active" mate.
When I tried without doing "no failover" on the primary, please check the console message from the primary ASA after connecting the failover cable to the standby active. All the standby active config was overwritten by the primary mate. Since my primary mate had the old config, it was overwritten on the standby mate.
Can you please let me know what mistake I have made other than "no failover" before connecting the failover cable?
Your suggestion is highly appreciated.
Regards
Ahmed...
01-29-2012 08:40 AM
You already noted what you did incorrectly. If you follow the steps of the Cisco procedure exactly, you should get the configuration from the "standby - active" mate to synchronize to the replaced unit.
Once you have verified proper synchronization you can then force a given unit to become active with "failover active" command and/or use of the preempt configuration parameter.
01-29-2012 03:47 PM
Hi Rhoads,
I have some queries about the points that are mentioned in the document that you suggested.
It is mentioned there that 1) when the failover link fails during operation there is no failover.
2) when the failover link fails at startup both firewalls become active.
As we know, both units track each other using hellos. So why do both units not become active in scenario one, as there is no hello between the units? Please correct me, as I am a little bit confused after reading these points.
Thanks in advance.
Regards,
Surya
01-29-2012 04:13 PM
Surya,
If I understand your question, you would like to know why "when failover link failed within operation there is no failover".
That should not be the case. When the failover link itself fails, both units should become active. This would be the same as you note in 2) above. Please see the explanation in the ASA CLI Configuration Guide here.
- Marvin