11-16-2015 11:42 AM - edited 03-11-2019 11:53 PM
Hi All,
I have an active/standby pair of ASAs in transparent mode. 5515x running 9.1(2). I have been trying to test failover by issuing the no failover active command on the primary. I thought that when I did this on the primary/active unit it would stop processing traffic and the other ASA would take over. This doesn't seem to be the case. When I ran that command, all it has done is set the Active unit to "Secondary" and the Standby unit to "Primary"
Last Failover at: 19:30:34 GMT/BST Nov 16 2015
This host: Primary - Standby Ready - This was/is my standby ASA
Active time: 513 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.1(2)) status (Up Sys)
Interface VLAN_101 (172.27.4.221): Normal (Monitored)
Interface VLAN_51 (172.27.255.6): Normal (Monitored)
Interface VLAN_94 (): Normal (Monitored)
Interface VLAN_1 (172.27.4.221): Normal (Monitored)
Interface VLAN_194 (): Normal (Monitored)
Interface VLAN_951 (172.27.255.6): Normal (Monitored)
Interface MGMT (10.44.0.17): Normal (Monitored)
slot 1: IPS5515 hw/sw rev (N/A/7.2(1)E4) status (Up/Up)
IPS, 7.2(1)E4, Up
Other host: Secondary - Active - This is my main ASA that I would like to stop processing traffic
I even tried issuing the reload command on the ASA that is currently passing traffic, but somehow the other ASA reloads and the one I issued the command on stays up.
11-16-2015 01:15 PM
I assume that it's just a misunderstanding of the way failover works.
Is it right that you connected by SSH to the ASA that you assume to be the standby one? Then it would make perfect sense.
Be aware that there are two elements:
primary and secondary: These are assigned to the physical boxes. Whatever changes in failover, the primary stays primary and the secondary stays secondary.
active and standby: At the beginning, typically the primary ASA is also active and the secondary ASA is standby. These roles can be changed with "(no) failover active".
When you issue the command "no failover active" on the active ASA (which is the primary in this scenario), then the secondary ASA becomes active and the primary ASA becomes standby.
The active ASA always uses the first IP address that you configured on your interface.
When you ssh to the first address, you always connect to the active ASA, regardless of whether this is the primary or secondary ASA.
Same when you connect to the IP that is configured as standby IP. You connect always to the standby ASA which also could be the primary ASA.
11-17-2015 01:20 AM
Hi Karsten,
I'm connected to both of the ASAs via their management interfaces which are on different IP addresses.
Looking through the config of each - these lines here -
failover lan unit secondary
failover lan unit primary
I'm assuming this is what is used to determine the primary and secondary ASA? And unless I switch these commands, this will always be the case?
I am bridging multiple vlans through my setup and have 3 BVI interfaces. On each ASA, should my BVI interfaces have exactly the same addressing or is this part of the config not replicated between them?
11-17-2015 05:01 AM
Hi,
Adding to what Karsten has mentioned, the first IP is always used by the active device, and that first IP is assigned to the primary unit once the ASAs come up in the failover pair for the first time (and the primary ASA becomes active). Not only the IP: the active ASA uses the interface MAC address of the unit assigned the primary status (this is always the case). If you switch these commands, then the MAC address used would be that of the newly made primary unit.
So when you change status from standby to active, the unit that has now become active takes over the first IP and the MAC address (which is associated with the primary ASA's interfaces).
Regarding your other question, all the configuration gets replicated from the active unit to the standby as it is. However, the standby unit would use the second IP mentioned in the interface IP address configuration after the keyword 'standby', as the first IP is being used by the active unit.
below link explains this in detail:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77809-pixfailover.html
Hope it helps.
Regards,
Akshay Rastogi
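To tie Karsten's and Akshay's explanations to what the configuration actually looks like, here is an added example of a minimal active/standby failover setup for a transparent-mode pair with one BVI. It is written for this thread and is not taken from the original posts or from Cisco documentation. The physical interface names, the failover link, the shared key, the virtual MAC addresses and every address not already shown in the thread are assumptions; only the lines marked as such differ between the two boxes.

```text
! --- Primary unit (designation of the physical box; never changes on failover) ---
hostname fw-primary
firewall transparent
!
! Bridged VLAN pair (names taken from the thread; physical ports are assumed).
interface GigabitEthernet0/0
 nameif VLAN_101
 bridge-group 1
 security-level 100
interface GigabitEthernet0/1
 nameif VLAN_1
 bridge-group 1
 security-level 0
!
! In transparent mode the management IP lives on the BVI. The FIRST address is
! used by whichever unit is currently ACTIVE, the address after "standby" by
! whichever unit is currently STANDBY. The line is identical on both boxes
! because it is replicated; it is the roles, not the config, that swap.
interface BVI1
 ip address 172.27.4.221 255.255.255.0 standby 172.27.4.222
!
! Out-of-band management (address from the thread, standby address assumed).
! The same rule applies here: 10.44.0.17 always answers on the ACTIVE unit, so
! an SSH session to it lands on a different box after "no failover active".
interface Management0/0
 management-only
 nameif MGMT
 security-level 100
 ip address 10.44.0.17 255.255.255.0 standby 10.44.0.18
!
! Failover. "failover lan unit" fixes the primary/secondary name of the hardware;
! it has no effect on which unit is active.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/5
failover link FOLINK GigabitEthernet0/5
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret>
! Optional virtual MACs (values assumed). Without these the active unit uses the
! primary box's burned-in MAC, so the MAC seen on the network depends on which
! box booted first; with them it is deterministic.
failover mac address GigabitEthernet0/0 0000.0000.aa01 0000.0000.aa02
failover mac address GigabitEthernet0/1 0000.0000.aa03 0000.0000.aa04
failover
!
! --- Secondary unit: only this line differs before the first config sync ---
failover lan unit secondary
```

To check which box you are actually on before issuing "no failover active" or "reload", run "show failover state" (or "show failover | include host") and read the "This host" line: it reports both the fixed name (Primary/Secondary) and the current role (Active/Standby Ready). Issuing "no failover active" on the active unit, or "failover active" on the standby, swaps only the roles; the Primary/Secondary labels and the "failover lan unit" lines stay as they are.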
11-15-2017 12:07 AM
Are you sure the ASA took that command because primary and secondary are just names.
No failover active changes active device to standby and vice versa. There is no relation with primary and secondary.