Config changes in ASA Failover Pair?

brettp
Level 1

I have some ideas, but I was curious to learn how more seasoned admins would approach this. I have two ASAs in an active/standby failover pair. I want to essentially separate the two by breaking the failover pair, keep one of them in active production, make config changes to the one not in production (without going into details, I need to do prep work for some big changes), bring failover back, and have those new config changes be pushed from the "not in production" unit to the "in production" unit.

 

My idea was to:

 

1. failover to the secondary unit

2. log into the primary and issue "no failover" (does that command replicate to the secondary?)

3. make config changes to the primary unit

4. reconfigure failover on the primary unit with the “failover” command.

 

I believe that since the "not in production" unit has the "lan failover-unit primary" command, the config will be pushed from that unit and overwrite the "in production" unit when I re-enable failover. Is that correct?

 

Any insight is greatly appreciated. Many thanks!!!

Accepted Solution

jumora1
Level 1

1. You failover to the Secondary and that unit becomes ACTIVE on the failover pair.

2. You disable failover from the Secondary/Active and the Primary unit goes into Pseudo/Standby and the Secondary will maintain active connection role using the primary MAC addresses and IPs on the Secondary unit.

 

If you put it back into the network after reloading or power cycling, it will try to find an active mate, will again stay in standby, and the configuration will be overwritten with the old configuration that you have on the Secondary/Active.

 

So if you want to consider configuration changes, what you need to do is run a backup through ASDM and, if necessary, a restore, and open a window to do these changes.

 

I could mention some other options, but I would need details.

 

Details regarding pseudo standby

 

When failover is disabled from the active peer after having been enabled, the standby peer shows Failover Off (pseudo-Standby), indicating that the standby peer continues to use its standby IP addresses even though it is no longer connected to an active peer. The standby peer continues to listen for a connection on its failover LAN. If failover is re-enabled on the active peer with a failover LAN configuration, then the standby peer resumes ordinary standby status after re-synchronizing the rest of its configuration. Otherwise, a pseudo-standby peer retains its status until it reloads or receives a command to become active or to re-enable failover.

 

Security Engineer
juanmh8419@gmail.com
Skype: juanmh8419@hotmail.com


Thank you for the reply. Essentially, here's what I need to do. Excluding some details, we have one internet connection coming into both Primary/Secondary ASAs in an HA failover pair. We are getting a new internet connection which is going to require numerous changes to the ASA config, including IPs, NATs, VPN config, etc. I want to separate the two ASAs because I want to configure everything in advance so it can be tested prior to going live while keeping our existing connection up. I simply want to break the failover, configure everything, and then write the new config to the other ASA during a maintenance window.

You don't need to do this if you have another interface available on the unit: you can configure the second ISP on that interface and test it out. You can also configure the new interface to not be monitored over failover with the "no monitor" command.

If you want help with the configuration, let me know.

Thank you again for the reply! I guess this would have been an additional important detail that I failed to mention: there are no free interfaces because I have two DMZ interfaces connected to the ASAs. Furthermore, that would actually be quite a bit more work because I would have to create new objects, ACLs, etc. if I were to run test / production on the same unit. I'm okay with failover not working (I guess this will be my famous last words… but…)

I have a slightly different approach that you might consider:

- do a failover from the Primary/Active ASA to the Secondary/Standby ASA and verify that the failover was successful and that the Secondary/Active ASA is operating correctly.

- power down the Primary/Standby ASA (it should work with either ASA, but the Primary ASA may be easiest).

- disconnect the interfaces of the powered down ASA.

- this will leave one ASA running the original config and functioning as the Active member of the failover pair.

- power up the Primary ASA. It should be running the original config and looking for its peer for failover. Since it will not find a peer, it will run as active but with no interfaces connected.

- make your config changes and verify them. If you need to test, it gets tricky, since you do not want both ASAs to see each other.

- when you are satisfied with your config changes, power down the Secondary/Active ASA that has been running the network.

- reconnect the interfaces of the Primary ASA which is running with the changed config.

- power up the Secondary ASA. It will see the other ASA which is running as Active and the newly powered up Secondary should sync with the Active ASA and get a copy of the new config.

 

HTH

 

Rick

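A preflight check for the failover state before and after breaking the pair, added here as an example that is not from this thread or from Cisco: it parses the text of "show failover" (the sample outputs are constructed, modelled on the command's layout) and reports whether the peer is Standby Ready before the first step of the procedure above, and whether a unit is in the pseudo-standby state described in the accepted answer.

```python
import re

# Constructed sample in the layout of the ASA "show failover" command
# (assumption: modelled on the command's real layout, not taken from this thread).
SHOW_FAILOVER_HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
This host: Primary - Active
Other host: Secondary - Standby Ready
"""

# Constructed: what the former standby reports after "no failover" on the
# active peer, per the pseudo-standby description quoted in this thread.
SHOW_FAILOVER_PSEUDO = """\
Failover Off (pseudo-Standby)
Failover unit Primary
This host: Primary - Standby Ready
Other host: Secondary - Active
"""

HOST_RE = re.compile(r"^(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")


def parse_failover(text):
    """Extract failover mode and the role/state of both units from show failover."""
    info = {"failover_on": None, "pseudo_standby": False,
            "this_unit": None, "this_state": None,
            "other_unit": None, "other_state": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On") or line.startswith("Failover Off"):
            info["failover_on"] = line.startswith("Failover On")
            info["pseudo_standby"] = "pseudo-Standby" in line
            continue
        m = HOST_RE.match(line)
        if m:
            key = "this" if m.group(1) == "This" else "other"
            info[key + "_unit"], info[key + "_state"] = m.group(2), m.group(3)
    return info


def ready_to_break_pair(info):
    """Preflight for step 1: failover on, this unit Active, peer Standby Ready."""
    return (info["failover_on"] is True and info["this_state"] == "Active"
            and info["other_state"] == "Standby Ready")


def is_pseudo_standby(info):
    """True when the unit reports the pseudo-standby state described in the thread."""
    return info["failover_on"] is False and info["pseudo_standby"]
```

Paste the real "show failover" output of each unit in place of the constructed samples; a False from ready_to_break_pair means the peer is not healthy enough to take over and the maintenance should not start.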

Interesting approach! It seems like it should work, but I'm going to have to give it some deep thought to ensure it works in our environment. Thanks for the input.

I am glad that you believe that this is a good suggestion. Yes, you certainly do need to give this some deep thought. Any time that you face significant change like this, you need to think very carefully about whether the suggested approach really fits your own local situation and your requirements.

 

HTH

 

Rick


Nerka
Level 1
It is a failover function. "show failover"
If failover is disabled, it also requires additionally disabling the system configuration:
conf ter
failover
failover standby config-lock
no failover
end
