Cisco ASA - Invert primary/secondary

Christian Jorge
Level 1

Hello

This is my first post in this forum.

I haven't found an answer to my issue, so I decided to open a new discussion.

We take care of 2 Cisco ASA 5580 (primary/secondary) working as usual (active/standby). Image version 8.2.5.

Today I found that the firewall that was supposed to act as primary has actually been the secondary, and vice versa.

How can I configure (and what's the impact, as they are active in a customer/business environment) to invert the situation: the primary becomes the secondary and the secondary becomes the primary?

I'm not talking about performing a failover, but a configuration change to fix that confusion with the roles.

Regards

Christian

3 Replies

Jouni Forss
VIP Alumni

Hi,

Welcome to the CSC

Since we are talking about an Active/Standby ASA Failover environment, configuring "primary" and "secondary" in the "failover" configuration of the ASAs doesn't, to my understanding, have much meaning for the firewall operation other than deciding which becomes Active WHEN they BOTH boot at the same time.

If we for example have the below situation

  • We have ASA1 and ASA2 in Active/Standby Failover
  • ASA1 is configured as "primary" and ASA2 is configured as "secondary"
  • ASA1 is originally the Active unit and ASA2 the Standby unit

Now let's assume that ASA1 either reboots or becomes Standby because one of its interfaces fails. THEN, to my understanding, there is NO mechanism in Active/Standby Failover that would return the Active role to ASA1 when it becomes operational again.

However, in the case of Active/Active Failover it's possible to configure a "preempt" parameter that defines that the unit you have decided should be the Active unit will return to the Active role after a network outage, after a configured period of time. This is NOT possible on Active/Standby.

So in normal network operation, to my understanding, the only way to really keep the preferred physical ASA as Active is to monitor the Failover and manually set the original physical ASA Active if there has been a failover.

There doesn't seem to be any automatic mechanism for the Active role to return to the original Active physical ASA.

IF you are just talking about changing the commands "failover lan unit primary" and "failover lan unit secondary" to the correct physical ASAs, THEN sadly I can't say for sure (without testing) what effect changing those commands around would have. I'd presume that changing them won't have any effect on the operation of the firewall, as in production they DON'T actually decide which unit STAYS Active.

According to the Command Reference for the 8.2 software, the default setting is Secondary.

I imagine you could possibly do the following (but I can't say with 100% certainty without testing it myself):

  • remove the possible "failover lan unit secondary" configuration from the other unit
  • remove "failover lan unit primary" from the other unit
  • configure "failover lan unit primary" on the correct unit
  • and finally, if you want, configure the other unit with the "secondary" option (even though the default setting should be secondary according to the command reference)

Maybe I'll try to check if I have an identical Failover pair of ASAs (physical) to test this out for you.

Here's a link to the Command Reference for the 8.2 software and the command "failover lan unit":

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1930580

Hope the information was helpful.

- Jouni
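The reply above says the only way to keep the preferred physical ASA Active on an Active/Standby pair is to monitor the failover state and switch it back by hand. The script below is an added example (not from the original thread, and not Cisco's code) of that check: it parses the "This host"/"Other host" lines of `show failover` output, reports which configured role is currently Active, and returns the command you would type on the unit you are logged in to (`failover active` to pull the Active role to that unit, `no failover active` to push it to the peer) only when the receiving unit reports "Standby Ready". The `show failover` text is a constructed sample in the 8.2 format, not output from the poster's 5580s; the IP addresses, interface names and timers in it are assumptions.

```python
import re

# Constructed sample of `show failover` output on an ASA 8.2 Active/Standby pair,
# seen from the unit that is Active although configured as "secondary" (the
# situation described in the thread). Not captured from real devices; addresses,
# interface names and timers are made up.
SHOW_FAILOVER_FROM_SECONDARY = """\
Failover On
Failover unit Secondary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 09:12:03 UTC Jan 3 2013
        This host: Secondary - Active
                Active time: 86400 (sec)
                  Interface outside (192.0.2.1): Normal
                  Interface inside (10.0.0.1): Normal
        Other host: Primary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (192.0.2.2): Normal
                  Interface inside (10.0.0.2): Normal
"""

# The same pair as seen from the other unit's CLI (also constructed).
SHOW_FAILOVER_FROM_PRIMARY = (
    SHOW_FAILOVER_FROM_SECONDARY
    .replace("Failover unit Secondary", "Failover unit Primary")
    .replace("This host: Secondary - Active", "This host: Primary - Standby Ready")
    .replace("Other host: Primary - Standby Ready", "Other host: Secondary - Active")
)

# "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
HOST_LINE = re.compile(
    r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$", re.MULTILINE
)


def parse_failover(output):
    """Map 'This'/'Other' to (configured role, failover state) from show failover."""
    hosts = {which: (unit, state) for which, unit, state in HOST_LINE.findall(output)}
    if set(hosts) != {"This", "Other"}:
        raise ValueError("show failover output lacks the 'This host'/'Other host' lines")
    return hosts


def active_unit(output):
    """Configured role ('Primary' or 'Secondary') of whichever unit is Active, or None."""
    for unit, state in parse_failover(output).values():
        if state == "Active":
            return unit
    return None


def can_switch_safely(output, preferred="Primary"):
    """True if the preferred unit is already Active, or if the unit that would
    receive the Active role reports 'Standby Ready'. Any other state (Failed,
    Cold Standby, Bulk Sync, ...) means a forced switchover would drop traffic."""
    if active_unit(output) == preferred:
        return True
    states = {unit: state for unit, state in parse_failover(output).values()}
    return states.get(preferred) == "Standby Ready"


def realign_commands(output, preferred="Primary"):
    """Commands to type on the unit whose CLI produced `output` so that the
    preferred unit ends up Active. Empty list if nothing needs doing."""
    if active_unit(output) == preferred:
        return []
    if not can_switch_safely(output, preferred):
        raise RuntimeError("receiving unit is not 'Standby Ready'; refusing to force a switchover")
    this_unit, _ = parse_failover(output)["This"]
    # 'failover active' pulls the Active role onto the unit you are logged in to;
    # 'no failover active' pushes it to the peer. Both cause a real switchover.
    return ["failover active"] if this_unit == preferred else ["no failover active"]


if __name__ == "__main__":
    for name, out in (("secondary", SHOW_FAILOVER_FROM_SECONDARY),
                      ("primary", SHOW_FAILOVER_FROM_PRIMARY)):
        print(f"logged in to the {name} unit: Active is {active_unit(out)}, "
              f"run {realign_commands(out) or 'nothing'}")
```

Either command triggers a normal switchover, so it belongs in the same maintenance window you would use for any failover. The `failover lan unit primary`/`secondary` relabelling that the poster actually asks about is a separate configuration change that this thread leaves untested; the script only covers bringing the Active role back to the unit you consider primary.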

Hello Jouni

I was exactly talking about changing the commands "failover lan unit primary" and "failover lan unit secondary" to the correct physical ASAs.

I can force the traffic to the correct ASA using failover, but my major concern is to be in accordance with the topology/planning and to ease troubleshooting.

But first of all I need to verify how worthwhile it is to perform that change, according to:

- Will this activity produce any kind of impact on connectivity?

- Do I have to perform this locally/physically, or maybe remotely (for example, using SSH)?

Hi,

Seems I don't have any suitable ASAs at my disposal to test this thing.

So unfortunately I can't test this for you at the moment.

Personally, if I have any doubt about the effect of a configuration change on the normal operation of a customer network, I usually set up a date and time to do the change. Most of the time it's not needed, but it's still been a good practice.

I will let you know if I get my hands on some ASAs to test this out.

- Jouni
