09-14-2007 10:31 AM - edited 03-11-2019 04:11 AM
One of my failover pair of ASA 5520s needs to be replaced. It is the primary unit. Will the following commands suffice:
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
speed 1000
duplex full
failover
failover lan unit primary
failover lan interface State_Failovr GigabitEthernet0/3
failover link State_Failovr GigabitEthernet0/3
failover interface ip State_Failovr 10.10.30.161 255.255.255.248 standby 10.10.30.162
interface GigabitEthernet0/3
no shutdown
I guess what I'm asking is what is the logic. Once the new unit is configured it will come up as active before it sees the secondary which is also active. Once communication is established over the failover link, will the secondary remain the active ASA since it has been up the longest or will the primary remain the active ASA since this is the first contact with the secondary as far as it knows?
09-20-2007 11:12 AM
From your description I think that you are using Active/Standby failover. In this scenario when the active (master) unit goes down the standby unit takes over as the active unit and it will constantly poll to check if the master unit is available and is working fine. If the master unit is available it will then transfer the control to the master unit making it once again the active unit.
09-20-2007 11:28 AM
Actually control does not automatically flip back should the master come back up.
In regards to the question, the primary/standby role as strictly defined in the PIX is not really valid per se. When the new ASA comes in add the following:
Do not reverse the interface IP addresses; the ASA will understand and assign them correctly automagically.
The key points you will need to change are
Primary to Secondary
Choose the right interface and ip address for your network
failover lan unit primary
failover lan interface FAILOVER g0/3
failover link FAILOVER g0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key cisco123
failover replication http
09-25-2007 08:34 AM
Yes, this is an active/standby pair in a single security context. Thanks for your reply but I've already replaced the failed unit. I first connected the failover link, then powered up the replacement ASA having put in only the config in my previous message. The new Primary unit made contact with the Active/secondary unit, downloaded the active running configuration, and then went into standby mode. I then connected the other ports on the primary unit and it is running in standby mode.
Thanks for your help.
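An added example, not part of any post in this thread: a Python check of a failover bootstrap config such as the one in the first message, covering the unit role, consistent failover interface naming, active/standby addresses in one subnet, and the presence of a `failover key` (without one, ASA failover link traffic is sent in clear text). The function name `lint_failover` is made up for this example.

```python
import ipaddress
import re

# Commands exactly as posted in the first message of this thread.
POSTED_CONFIG = """\
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
speed 1000
duplex full
failover
failover lan unit primary
failover lan interface State_Failovr GigabitEthernet0/3
failover link State_Failovr GigabitEthernet0/3
failover interface ip State_Failovr 10.10.30.161 255.255.255.248 standby 10.10.30.162
interface GigabitEthernet0/3
no shutdown
"""

def lint_failover(config):
    """Return a list of findings for an ASA failover bootstrap config (hypothetical helper)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    text = "\n".join(lines)
    findings = []
    if "failover" not in lines:
        findings.append("failover is not enabled")
    units = re.findall(r"^failover lan unit (\S+)$", text, re.M)
    if len(units) != 1 or units[0] not in ("primary", "secondary"):
        findings.append("need exactly one 'failover lan unit primary|secondary'")
    # Names given to the LAN failover and stateful link interfaces.
    names = set(re.findall(r"^failover (?:lan interface|link) (\S+) \S+$", text, re.M))
    if not names:
        findings.append("no failover lan/link interface defined")
    ip_re = r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$"
    for name, active, mask, standby in re.findall(ip_re, text, re.M):
        if name not in names:
            findings.append(f"'{name}' is not a defined failover interface name")
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net:
            findings.append(f"standby {standby} is outside {net}")
    # Failover and state traffic is unencrypted unless a shared key is set.
    if not re.search(r"^failover key \S+", text, re.M):
        findings.append("no 'failover key': failover link traffic is sent in clear text")
    return findings

if __name__ == "__main__":
    for finding in lint_failover(POSTED_CONFIG):
        print(finding)
```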