Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
312
Views
5
Helpful
5
Replies

Failover/sync issue

marc07cisco
Level 1
Level 1

‎04-20-2018 11:53 AM - edited ‎02-21-2020 07:39 AM

Hi Cisco Experts,

 

We have recently replaced our standby ASA5520, the failover was turned off on the primary box during the replacement being fitted(this is where we think our mistake has happened!!!).

 

Once we had the upgraded the standby asa to 9.1(7.4)(same as primary). we turned the failover on the primary.

 

We appear to have lost management access to the firewall, I think that the synchronised possibly from secondary to primary because both boxes think they are the active box. Is there another possibility? Has the cluster  gone down because it need a box rebooting to decide which one is the active box?

 

We are sending an engineer to site currently, I was going to get them to console in(no remote console) and reboot the secondary in hope that the configuration in the primary is still there.    

Labels:
0 Helpful
5 Replies 5

Marius Gunnerud
VIP
VIP

‎04-20-2018 12:04 PM

If you configured the replacement secondary ASA with "failover lan unit secondary" it should not have overwritten the primary.  If this command was not added or it was configured to primary, you would have a split brain issue and it is possible that the active primary ASA configuration has been overwritten.

 

I have done quite a few of these replacements and have never had to do a reboot of the ASA to get the failover up.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

marc07cisco
Level 1
Level 1
In response to Marius Gunnerud

‎04-20-2018 12:14 PM

Thanks Marius,

 

Yes I believe the "failover lan unit secondary" was added, so unsure why we lost management access at the moment.

 

So if both PRIMARY & SECONDARY are active I take it when failover is turned on (#failover) then the boxes work it out between themselves using there lan unit status?

 

 

0 Helpful

Marius Gunnerud
VIP
VIP
In response to marc07cisco

‎04-20-2018 12:19 PM

So if both PRIMARY & SECONDARY are active I take it when failover is turned on (#failover) then the boxes work it out between themselves using there lan unit status?

The ASA that is the current active primary will remain as the primary until a failover situation occurs or manually changed.

You could issue the "show failover", "show failover history" and "show failover status" for more information.

 

Another possibility is that this is an ARP issue on the next hop device.

--
Please remember to select a correct answer and rate helpful posts

Florin Barhala
Level 6
Level 6
In response to marc07cisco

‎04-23-2018 01:36 AM

Did you find out what actually happen?
0 Helpful

marc07cisco
Level 1
Level 1
In response to Florin Barhala

‎04-23-2018 01:40 AM

Hi Florin,

Not yet, we are hoping to get somone to site today to check. I will update the chat once we
Jave found out thanks
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card