04-20-2018 11:53 AM - edited 02-21-2020 07:39 AM
Hi Cisco Experts,
We have recently replaced our standby ASA5520. The failover was turned off on the primary box while the replacement was being fitted (this is where we think our mistake has happened!!!).
Once we had upgraded the standby ASA to 9.1(7.4) (same as primary), we turned on the failover on the primary.
We appear to have lost management access to the firewall. I think that the configuration possibly synchronised from secondary to primary because both boxes think they are the active box. Is there another possibility? Has the cluster gone down because it needs a box rebooting to decide which one is the active box?
We are sending an engineer to site currently. I was going to get them to console in (no remote console) and reboot the secondary in the hope that the configuration in the primary is still there.
04-20-2018 12:04 PM
If you configured the replacement secondary ASA with "failover lan unit secondary" it should not have overwritten the primary. If this command was not added or it was configured to primary, you would have a split brain issue and it is possible that the active primary ASA configuration has been overwritten.
I have done quite a few of these replacements and have never had to do a reboot of the ASA to get the failover up.
04-20-2018 12:14 PM
Thanks Marius,
Yes I believe the "failover lan unit secondary" was added, so unsure why we lost management access at the moment.
So if both PRIMARY & SECONDARY are active, I take it when failover is turned on (#failover) then the boxes work it out between themselves using their LAN unit status?
04-20-2018 12:19 PM
So if both PRIMARY & SECONDARY are active, I take it when failover is turned on (#failover) then the boxes work it out between themselves using their LAN unit status?
The ASA that is the current active primary will remain as the primary until a failover situation occurs or it is manually changed.
You could issue the "show failover", "show failover history" and "show failover status" for more information.
Another possibility is that this is an ARP issue on the next hop device.
04-23-2018 01:36 AM
04-23-2018 01:40 AM