11-08-2022 05:44 AM - edited 11-08-2022 05:52 AM
Hi,
I have a pair of ASA FWs in an active/standby setup, each in a different building.
We're closing one of the buildings/racks and the plan is to bring the primary-active FW to the next building where the secondary-standby FW is installed.
Is there a "safe" way of changing the primary-active FW to secondary and the secondary-standby FW to primary and making it active?
Do I disable failover in each ASA FW using the no failover command and change the role with the failover lan unit <primary/secondary> command? Or do I just straight away change the role?
Or is there an order to follow, i.e. force a failover primary-active > secondary-standby, disable failover, change the secondary ASA to primary and lastly change the primary ASA to secondary?
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover key *****
failover replication http
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
11-08-2022 05:57 AM - edited 11-08-2022 05:57 AM
Sure, if the active/standby is configured as per the best practice:
"no failover active" on the Primary ASA - that will bring up the secondary unit; it will now be the primary/active unit.
Once you bring the Primary back into its respective place, you can fail over if you like.
No need to change the roles.
11-08-2022 06:10 AM
@johnlloyd_13 so you are physically moving the hardware of the "primary/active" ASA to another building?
If so, you could unplug the primary ASA; failover would automatically occur to the secondary ASA. At that point, change the configuration of the new active/primary ASA to primary. Move the ASA hardware and, before you re-plug it into the network, set it as secondary. Once connected they should reconnect as a failover pair.
11-08-2022 06:04 PM
Hi Rob,
Yes, I'm going to physically move the primary-active ASA FW to the next building where the secondary-standby ASA FW is installed.
I want to force a change of role by making the secondary-standby ASA FW the primary-active while the former primary-active is powered off and waiting to be installed/cabled.
Can you confirm if my thought process is correct:
force a failover primary-active > secondary-standby, disable failover, change the secondary ASA to primary and lastly change the primary ASA to secondary?
Or is there a step I missed or anything to add?
11-09-2022 12:09 AM
@johnlloyd_13 yes, just ensure you've made the configuration changes to the old primary before physically reconnecting it and attempting to establish communication with the new primary/active. And obviously ensure you have L2 connectivity.
11-09-2022 01:35 AM
Be careful when changing the failover configuration on the Secondary device. I would recommend the following steps for the move and do the configuration change in a service window:
11-09-2022 02:07 AM
Hi Marius,
I'm going to do this remotely before we disconnect the initial primary-active and relocate it to the next DC.
Can't I just straight away reverse the ASA roles, secondary > primary and vice versa, without clearing the config, and then disconnect the former primary-active ASA?
Or maybe issue a "no failover" so the two ASAs won't talk to each other while changing their roles?
11-09-2022 02:37 AM
The problem with the no failover command on a secondary device is that all configuration will be removed from the device.
I am uncertain of changing the role from Secondary to Primary and how this will affect the configuration as I have not tested this. This is why I have suggested the steps in my previous post.
If you will be remote and someone else will be physically moving the devices I would recommend that they have a PC ready and a console cable / mini USB cable so that you can connect to the devices if you should lose connectivity to them.
11-08-2022 06:59 AM
Changing the roles is not necessary and I would not recommend it, as it would mean breaking and rebuilding the HA setup. Safest is to manually issue the command "failover active" on the standby device or "no failover active" on the primary, and then remove the Primary-Standby device from the network, move it to its new location and plug it back into the network.
A failover back to the Primary-Standby would need to be done manually if you want it to be the active firewall, as the current active will not give up the active role automatically.
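As an added pre-/post-check (not from this thread or Cisco's own tooling): a small Python script that parses "show failover" output and confirms the pair is healthy (this unit Active, peer Standby Ready) before the "no failover active" step, and confirms afterwards that the Secondary actually holds the Active role before the Primary is unplugged. The sample output is constructed and abbreviated; the "This host:" / "Other host:" line format is the one the check assumes.

```python
import re

# Constructed, abbreviated "show failover" output captured on the Primary
# before the switch; the real command prints many more lines.
SAMPLE_BEFORE = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/7 (up)
This host: Primary - Active
        Active time: 86400 (sec)
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
"""

# Constructed output on the Primary after "no failover active".
SAMPLE_AFTER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/7 (up)
This host: Primary - Standby Ready
        Active time: 86400 (sec)
Other host: Secondary - Active
        Active time: 30 (sec)
"""

# Assumed line shape: "<This|Other> host: <Primary|Secondary> - <state>"
HOST_RE = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$", re.M)

def parse_failover(output):
    """Return failover_on flag plus (unit, state) for this host and the peer."""
    state = {"failover_on": output.lstrip().startswith("Failover On")}
    for which, unit, st in HOST_RE.findall(output):
        state["this" if which == "This" else "other"] = (unit, st)
    return state

def ready_to_switch(output):
    """Safe to force failover only if we are Active and the peer is Standby Ready.
    A peer in Failed / Cold Standby state would turn the switch into an outage."""
    s = parse_failover(output)
    return (s["failover_on"]
            and s.get("this", ("", ""))[1] == "Active"
            and s.get("other", ("", ""))[1] == "Standby Ready")

def switch_completed(output, expected_active="Secondary"):
    """After the switch, the expected unit must be Active and the other Standby Ready."""
    s = parse_failover(output)
    units = {s["this"][0]: s["this"][1], s["other"][0]: s["other"][1]} if "this" in s and "other" in s else {}
    other = "Primary" if expected_active == "Secondary" else "Secondary"
    return units.get(expected_active) == "Active" and units.get(other) == "Standby Ready"
```

Run ready_to_switch on a capture taken before issuing "no failover active", and switch_completed on a capture taken afterwards; only unplug the old Primary once the second check passes.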