Solved: Re: ASA Failover query

ahmed.gadi · ‎01-26-2012

Dear All,

I have 2 cisco 5520 ASAs and was configured for Failover.

Unfortunately our Primary ASA went down and Secondary becomes Active and network admin made lots of changes on Secondary Active ASA.

What is the best practise to rejoin Primary as standby or active without loosing the existing configuration on Secondary Active ?

Regards

Ahmed...

Marvin Rhoads · ‎01-26-2012

When your Primary comes back, it should do so in Standby mode and synchronize with the Secondary - Active device (and remain Primary - Standby)

The exception is if you have the preempt option set. If you do, the Primary unit will assume Active role once configuration is synced.

It wouldn't hurt to get a complete backup of the Secondary - Active unit prior to the re-introduction of the failed Primary just in case.

Please see this document for step-by-step details.

View solution in original post

Marvin Rhoads · ‎01-26-2012

When your Primary comes back, it should do so in Standby mode and synchronize with the Secondary - Active device (and remain Primary - Standby)

The exception is if you have the preempt option set. If you do, the Primary unit will assume Active role once configuration is synced.

It wouldn't hurt to get a complete backup of the Secondary - Active unit prior to the re-introduction of the failed Primary just in case.

Please see this document for step-by-step details.

ahmed.gadi · ‎01-26-2012

Thanks Marvin... I will update you

ahmed.gadi · ‎01-29-2012

Hi Rhoads,

The document you provided is perfect...

Actually the important fact is we need to configure "no failover" before connecting primary to "standby active" mate.

As when i tried without doing "no failover" on primary, please check the console message from primary asa after connecting failover cable to standby active.All the standby active config was overwritten by primary mate.since my primary mate had old config, it was overwritten on standby mate.

Can you please let me know what mistake i have done other than "no failover" before connecting failover cable ?

Your suggestion is highly appreciated.

Regards

Ahmed...

Marvin Rhoads · ‎01-29-2012

You already noted what you did incorrectly. If you follow the steps of the Cisco procedure exactly, you should get the configuration from the "standby - active" mate to synchronize to the replaced unit.

Once you have verified proper synchronization you can then force a given unit to become active with "failover active" command and/or use of the preempt configuration parameter.

suryakant.chavan · ‎01-29-2012

Hi Rhoads,

I have some queries about the point thet mentioned in document that you suggested.

There is mentioned that 1) when failover link failed within operation there is no failover .

2) when failover link failed at startup both firewalls becomes active.

As we know both unit track each other using hellos. So why both unit does not get active in scenario one as ther is no hello between both the unit. Please correct me , as I am littile bit confused after reading these point.

Thanks in advance.

Regard's ,

Surya

Marvin Rhoads · ‎01-29-2012

Surya,

If I understand your question, you would like to know why "when failover link failed within operation there is no failover".

That should not be the case. When the failover link itself fails, both units should become active. This would be the same as you note in 2) above. Please see the explanation in the ASA CLI Configuration Guide here.

- Marvin