Solved: Replacing Failover cables in a production HA Setup

jpeterson6 · ‎01-30-2014

Hello,

When you need to bring down the Failover lan and state interfaces (ie, to replace cabling), what would be the best steps in order to prevent downtime, in a production environment?

If I unplug the failover cabling, how can I prevent both firewalls from going Active, assuming the other ASA is down? Will monitoring the 'inside' interface on both ASAs prevent this, so long as they can still reach each other?

Thanks.

Marius Gunnerud · ‎01-30-2014

If there is no connection via the failover and state links the ASA will send test packets out its monitored interfaces to make sure there really is no connection to the standby ASA. If the ASA gets a reply from the standby on the monitored interface failover will not occur.

So you should be ok when swapping the cables.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎01-30-2014

If there is no connection via the failover and state links the ASA will send test packets out its monitored interfaces to make sure there really is no connection to the standby ASA. If the ASA gets a reply from the standby on the monitored interface failover will not occur.

So you should be ok when swapping the cables.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

jpeterson6 · ‎01-30-2014

Okay, as I suspected. Thank you for the confirmation!