Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
802
Views
0
Helpful
2
Replies

Failover Questions

Go to solution
CSCO11733516
Level 1
Level 1

‎09-09-2012 06:45 PM - edited ‎03-11-2019 04:51 PM

Hey guys,

     Just doing some studying and running into something that I am not quiete understanding...

  1. If i have 2 firewall's in Active/Active Stateful failover mode and 2 contexts (E1 and E2).  Let's say ASA1 has E1 as the active context and ASA2 has E2 as the active context.  E2 is the only context used to connect Router_X.  If I need to permit traffic to Router_X, would I make the ACL in the ASA1 E2 context (secondary) or in the ASA2 E2 context (primary)?

  2. I completed an Active\Active Statuful failover configuration between 2 firewalls, but once I was finished I remembered that i didn't configure the failover group 2 as secondary (problem).  So i went ahead and make the configuration change, once I did so I entered the commands NO FAILOVER/FAILOVER to "resynch" the configurations between the 2 firewalls.  Is this necessary or couldn't I just perform a WRITE on the primary ASA?

  3. Is there any command that will verify that each of the configurations on both firewalls are syncrhonized?

Thanks ahead of time guys!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
varrao
Level 10
Level 10

‎09-09-2012 08:24 PM

Hi Kenneth,

Here are your answers:

1. If you need to make changes, always do that on the active context, replication is always done from active to standby, so you need to make changes on E2 active context on ASA2.

2. You need not do this everytime, just do a write mem or write standby, that would save teh configuration on the standby context as well.

3. There is no command to verify the command replication, you can check the status of the contexts through "show failover" in the system context, if they show active and standby, then everything is fine. You can study different failovers status's from here:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s3_72.html#wp1285409

Hope that helps

Thanks,

Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

View solution in original post

0 Helpful
2 Replies 2

Go to solution
varrao
Level 10
Level 10

‎09-09-2012 08:24 PM

Hi Kenneth,

Here are your answers:

1. If you need to make changes, always do that on the active context, replication is always done from active to standby, so you need to make changes on E2 active context on ASA2.

2. You need not do this everytime, just do a write mem or write standby, that would save teh configuration on the standby context as well.

3. There is no command to verify the command replication, you can check the status of the contexts through "show failover" in the system context, if they show active and standby, then everything is fine. You can study different failovers status's from here:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s3_72.html#wp1285409

Hope that helps

Thanks,

Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao
0 Helpful

Go to solution
CSCO11733516
Level 1
Level 1
In response to varrao

‎09-10-2012 07:48 AM

Thanks Varun!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card