Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1226
Views
0
Helpful
3
Replies

Bring new Primary, to sync with Active Secondary

Go to solution
AlexFer
Level 1
Level 1

‎03-16-2020 09:43 AM - edited ‎03-16-2020 11:22 AM

Hi Experts,

I'm migrating 5525-X HA to 5555-X HA.

Due to logistics, I've migrated Secondary first. I now need to bring Primary into HA.

I need to ensure that new Primary syncs from Secondary, and not the other way around.

Would the best way to ensure this - either:

(a) only connect the Failover LAN interface links of the new Primary (but not its monitored interfaces), thus ensuring it cannot become Active? Or;

(b) power down the Primary, connect all its interfaces, and power-up (as rebooted ASA cannot become Active if it sees a mate)? Or;

(c) other?

R's, Alex

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sheraz.Salim
VIP
VIP
In response to AlexFer

‎03-16-2020 12:33 PM

correction.

yes. it will work. I had done kind of a similar thing. make sure the sub-interface(if you have any) and monitor interfaces are monitor mode. the reason of this is other unit will sync and find out there is link failure and keep the unit secondary active.

please do not forget to rate.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Sheraz.Salim
VIP
VIP

‎03-16-2020 11:10 AM

Would the best way to ensure this:

(a) only connect the Failover LAN interface links of the new Primary (but not its monitored interfaces), thus ensuring it cannot become Active?

yes. it will work. I had done kind of a similar thing. make sure the sub-interface(if you have) and monitor interfaces are not monitor mode. the reason of this is other unit will sync and find out there is link failure and keep the unit secondary active.

 

(b) power down the Primary, connect all its interfaces, and power-up (as rebooted ASA cannot become Active if it sees a mate)?

if you have access to switch which is connected to firewall you can shutdown the port except the failover link between two units. instead of power off and power on the unit.

 

 

(c) other?

make sure you have a backup configuration just in case the change goes wrong. always better to have a backup plan/exit window.

please do not forget to rate.
0 Helpful

Go to solution
AlexFer
Level 1
Level 1
In response to Sheraz.Salim

‎03-16-2020 11:30 AM - edited ‎03-16-2020 11:30 AM

thanks...
> make sure the sub-interface(if you have) and monitor interfaces are not monitor mode.
I don't understand interface's "monitor mode" - can you explain?

0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP
In response to AlexFer

‎03-16-2020 12:33 PM

correction.

yes. it will work. I had done kind of a similar thing. make sure the sub-interface(if you have any) and monitor interfaces are monitor mode. the reason of this is other unit will sync and find out there is link failure and keep the unit secondary active.

please do not forget to rate.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card