Replacing failed unit in Active/Standby pair.

Just wanted to do a quick sanity check with the community on the process to replace a failed unit on an Active/Standby pair:

1) Change the current firewall to primary (our active firewall now is currently configured as a secondary) – failover lan unit primary

2) Plug in the new firewall, configure this new FW as the secondary unit.

3) Connect all of the cables.

4) The current firewall should detect the new one and sync the config.

Does this seem right? I should only have to configure the new firewall for failover as the secondary unit - once that happens and I plug it in, our current firewall should sync the config and it should be good - right?

2 Replies
Check this video from one of the Cisco security engineers. She discusses this around the 21:00 minute mark.

1) To make a standby unit active use the 'failover active' command on the standby unit. You can also use 'no failover active' on the active unit to put it in standby mode.

2) Once the unit you want to replace is standby, power it off and cable up the new unit.

3) Make sure to enable the failover interfaces. You will have to do a 'no shut' on the physical interfaces. *Note: you do not need to 'no shut' your other interfaces. They will be activated when the configuration syncs.

4) Enter in all the failover commands identical to the active unit. The only difference will be the 'failover lan unit ' command. The last command you should enter is the 'failover' command. This is the final command that activates the failover feature. Make sure all the other failover commands are in place when you enter this command.

I hope this helps.
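The following is an added example, not part of the reply above and not Cisco code: a pre-check that compares the failover commands staged for the replacement unit against the active unit's failover configuration, applying the rules from step 4 (identical except for 'failover lan unit', bare 'failover' entered last). The function names, the FOLINK interface name and the addresses are assumptions made up for the illustration.

```python
# Constructed sample data: interface name, link name and addresses are made up.
COMMON = """failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
"""
ACTIVE = "failover\nfailover lan unit secondary\n" + COMMON
STAGED_GOOD = "failover lan unit primary\n" + COMMON + "failover\n"
# Same role as the active unit, 'failover' entered first, two lines missing.
STAGED_BAD = "failover\nfailover lan unit secondary\n" + COMMON.splitlines()[0] + "\n"


def failover_lines(config):
    """Failover commands in the order given, with whitespace normalised."""
    lines = (" ".join(raw.split()) for raw in config.splitlines())
    return [l for l in lines if l == "failover" or l.startswith("failover ")]


def unit_role(lines):
    """Role from the single 'failover lan unit' line, or None if absent/duplicated."""
    roles = [l.split()[3] for l in lines if l.startswith("failover lan unit ")]
    return roles[0] if len(roles) == 1 else None


def shared(lines):
    """Commands that must match on both units (everything but role and enable)."""
    return {l for l in lines
            if l != "failover" and not l.startswith("failover lan unit ")}


def check_replacement(active_cfg, staged_cfg):
    """Return a list of problems; an empty list means the staged commands pass."""
    active, staged = failover_lines(active_cfg), failover_lines(staged_cfg)
    problems = []
    a_role, s_role = unit_role(active), unit_role(staged)
    if a_role is None or s_role is None:
        problems.append("each unit needs exactly one 'failover lan unit' line")
    elif a_role == s_role:
        problems.append(f"both units are configured as {a_role}")
    a_set, s_set = shared(active), shared(staged)
    problems += [f"missing on replacement: {l}" for l in sorted(a_set - s_set)]
    problems += [f"not on active unit: {l}" for l in sorted(s_set - a_set)]
    if not staged or staged[-1] != "failover":
        problems.append("bare 'failover' must be the last command entered")
    return problems


if __name__ == "__main__":
    for problem in check_replacement(ACTIVE, STAGED_BAD):
        print(problem)
```
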


