cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
18881
Views
10
Helpful
7
Replies

Disabling ASA Failover

snowmizer
Level 1
Level 1

Currently we have two 5510s in a failover pair (running v8.4(7)). Things are working great. Now we are working on a project to move from one ISP to another. Due to the configuration change between us and the ISP (mainly switching from a connection where there is only one VLAN to a configuration where there are 2 VLANS that go from us to the ISP and then get routed differently from the ISP...one to the Internet and one to our rack at our disaster recovery site) I need to split these apart temporarily. I want to take the current standby firewall and configure it as an active firewall that will route traffic to the new ISP. Mainly I think I need to do this because I've got to split the outside interface into virtual interfaces so I can use VLAN tagging. Once I get the new config working I'll put the firewalls back in a failover pair.

My initial thought is that I can just log into the firewall that is currently "active" and turn off failover by unchecking the "Enable failover" checkbox. Is this correct or are there other gotchas that I need to consider?

Thanks.

7 Replies 7

Julio Carvajal
VIP Alumni
VIP Alumni

Hello,

To avoid any unnecesary down time:

1- Take off the network the secondary firewall and when you have it out of inline mode remove the standby configuration and configure it as necesary.

2- Remove Failover configuration on the active one (Still do not place the secondary in the network).

3- After all of this has been done then you can place the other firewall in the network routing as properly

Hey Buddy remember to Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The fact is that if you make the Secondary the Active unit and then disable failover from the Primary/Standby it stays in pseudo standby since Primary was defined standby, this means it will not act as an Active unit it will still route traffic with the standby IPs.

Now regarding the New ISP, if it is routed through the same cable that connects to the ASA all the ISP needs to do is make the current line VLAN native VLAN on the trunk and then add the additional VLAN to that trunk and configure the sub-interface on the ASA, you wouldn’t even need to disable failover but the guy on the ISP needs to know what he is doing and if you are connecting the interface that is connected to the ISP through a switch that you own then this would be the configuration that you would need to place.

It would be a good idea to post a little more detail like configuration and diagrams.

Value our effort and rate the assistance!

The existing ASAs currently don't have a sub-interface on the inside or outside interfaces.This is part of the reason I have to pull the secondary ASA out and disable failover. I want as much time as possible to mess with the configuration in case something happens. I can't have my websites or Internet email down while I get the config correct. I will then configure the setup as 2 active ASAs. One will be for our current traffic so I don't disrupt anything and the other will be for my new configuration. I will only have a test PC connected to the second ASA just to make sure everything works. Once I have everything working on that ASA then I'll continue to work on migrating to the new ISP and eventually put everything back in a failover configuration.

I will completely wipe out the config on what is now the standby ASA and replace it with my new config.

Basically what I got out of jcarvaja's post is that on the active I can't just turn off the monitoring and uncheck the "enable failover" checkbox. I actually have to delete the failover config but only after I disconnect what was the standby ASA from the network. This shouldn't be an issue since I've got a copy of the config that's running now.

Thanks.

Hello,

That sounds good,

Let us know how it goes

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

please rate our assistance

Value our effort and rate the assistance!

I plan to do all the ratings stuff after I actually get a chance to implement this. Currently it is getting delayed so I haven't had a chance to implement.

I do appreciate all of the assistance on this issue.

Thanks.

Review Cisco Networking for a $25 gift card