The primary/secondary priorities changed after issuing the command "no failover active" on the prim/act ASA

Ve Con
Level 1

Hi,

I have 2 ASAs configured in the cluster with active/standby state and primary/secondary priority.

Prim/Act ASA has IP ending with .9

Sec/Stby has IP ending with .8

I did the failover test last week by issuing the command below on the .9 (prim/act ASA):

#no failover active

The "show failover" command on the .9 ASA then gave this result:

Failover On
Failover unit Secondary

..

This host: Secondary - Active 

..

          Interface INT (x.x.x.9): Normal (Monitored)

..

Other host: Primary - Standby Ready 

...

Interface INT (x.x.x.8): Normal (Monitored)

...

The "show failover" command on the .8 ASA then gave this result:

Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet0/2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.3(2), Mate 9.3(2)
Last Failover at: 16:59:44 EDT Jul 8 2016
This host: Primary - Standby Ready
Active time: 10027871 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.3(2)) status (Up Sys)
...
       Interface INTERNAL (x.x.x.8): Normal (Monitored)
...
slot 1: SFR5515 hw/sw rev (N/A/5.4.0-763) status (Up/Up)
ASA FirePOWER, 5.4.0-763, Up
Other host: Secondary - Active
Active time: 1271 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.3(2)) status (Up Sys)
....
....
          Interface INTERNAL (x.x.x.9): Normal (Monitored)

From my understanding, the primary/secondary priority is permanent, as it's defined in the .cfg file, while the Active/Standby state changes when the failover changes. However, in my case it worked the opposite way: the Active/Standby (.9/.8) remained with the IPs, and the primary/secondary priority switched between the two ASAs as the failover moved from the .9 to the .8 ASA.

I am still very confused and don't know what to look at further here.

5 Replies

m.kafka
Level 4

Dear Ve Con,

This looks quite normal to me. You are correct, IP addresses stay with the primary/secondary role. But during failover the two boxes swap IP addresses.

So, when you connect to the .8 (assigned to the standby) you will always see:

This host: xxxx/Standby Ready (xxxx can be Primary or Secondary)
Local address x.x.x.8

Same goes for the .9, it will always show:

This host: xxxx/Active (xxxx can be Primary or Secondary)
Local address x.x.x.9

Now, depending on which of the two boxes is active, you will see the "xxxx" in the "show failover" output accordingly as Primary or Secondary.

I hope that helps,

MiKa

Hi Ve Con,

I have had a similar experience in trying to figure it out. What I noticed was that the serial number of the Standby firewall is a good way to tell which has taken over; otherwise everything looks very much the same. I check to see that the Standby's serial number is now running with .9 as its IP address to be sure.

Hope that helps some.
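The two answers above describe the same thing from different angles: the Active/Standby IP addresses follow the state, while the Primary/Secondary role stays with the physical box, so after a switchover the box you reach at .9 is a different chassis than before. The following script is an added example (not from the original thread or from Cisco) that parses two `show failover` snapshots and reports whether the Active IP moved and whether the Active role moved. The two snapshots are constructed from the output shape quoted in the thread, trimmed to the lines the parser needs; they are not live captures.

```python
import re

# Constructed samples based on the output shape quoted in the thread (not live
# captures). BEFORE is what the .9 unit would show while FW1 still held
# Primary/Active; AFTER is what the .8 unit showed once "no failover active"
# had moved the Active state to FW2.
SHOW_FAILOVER_BEFORE_FROM_DOT9 = """\
Failover On
Failover unit Primary
        This host: Primary - Active
                  Interface INTERNAL (x.x.x.9): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface INTERNAL (x.x.x.8): Normal (Monitored)
"""

SHOW_FAILOVER_AFTER_FROM_DOT8 = """\
Failover On
Failover unit Primary
Last Failover at: 16:59:44 EDT Jul 8 2016
        This host: Primary - Standby Ready
                Active time: 10027871 (sec)
                  Interface INTERNAL (x.x.x.8): Normal (Monitored)
        Other host: Secondary - Active
                Active time: 1271 (sec)
                  Interface INTERNAL (x.x.x.9): Normal (Monitored)
"""

# "Failover unit <role>" names the role of the box you are logged into.
UNIT_RE = re.compile(r"^\s*Failover unit (Primary|Secondary)\s*$")
# "This host: <role> - <state>" / "Other host: <role> - <state>" open a host block.
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
# "Interface <name> (<ip>): <status>" lines belong to the most recent host block.
IFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([^)]+)\):\s+(.+?)\s*$")


def parse_show_failover(text):
    """Return {'unit': role, 'hosts': {'This': {...}, 'Other': {...}}} where each
    host carries its role, its state and the IP/status of each listed interface."""
    result = {"unit": None, "hosts": {}}
    current = None
    for line in text.splitlines():
        m = UNIT_RE.match(line)
        if m:
            result["unit"] = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            result["hosts"][current] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            result["hosts"][current]["interfaces"][m.group(1)] = {"ip": m.group(2), "status": m.group(3)}
    return result


def who_holds(text, iface):
    """Return {'active': (role, ip), 'standby': (role, ip)} for one monitored
    interface, independent of which unit the output was taken from. Only the
    two states seen in the thread (Active / Standby Ready) are distinguished;
    any non-Active state is filed under 'standby'."""
    parsed = parse_show_failover(text)
    out = {}
    for host in parsed["hosts"].values():
        ip = host["interfaces"][iface]["ip"]
        key = "active" if host["state"] == "Active" else "standby"
        out[key] = (host["role"], ip)
    return out


def failover_delta(before, after, iface):
    """Compare two snapshots: did the Active IP move, and did the Active role move?
    On a healthy Active/Standby pair the expected answer is (False, True)."""
    b, a = who_holds(before, iface), who_holds(after, iface)
    return {
        "active_ip_moved": b["active"][1] != a["active"][1],
        "active_role_moved": b["active"][0] != a["active"][0],
        "active_before": b["active"],
        "active_after": a["active"],
    }


if __name__ == "__main__":
    delta = failover_delta(SHOW_FAILOVER_BEFORE_FROM_DOT9, SHOW_FAILOVER_AFTER_FROM_DOT8, "INTERNAL")
    print(delta)
```

Run on the two constructed snapshots, `failover_delta` reports that the Active IP (.9) did not move while the Active role went from Primary to Secondary, which is exactly the behaviour the original poster found surprising. To confirm which chassis is behind an address, as John suggests, pair this with the serial number from `show version` on each unit, since the failover output alone looks the same from either box.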

Thanks, John and Mika. I got the reply back from Cisco support and it's just like what you said. The IPs defined in the .cfg file will be reassigned when the failover happens.

In my case:

.cfg file has .9 as active and .8 as standby

Before issuing the "no failover active" on .9 (which was prim/act at the time), physically labeled as FW1 (.8 physically labeled as FW2):

FW1 = .9 = Primary/Active

FW2 = .8 = Secondary/Stby

#no failover active

issued on .9 (FW1 at the time) then caused the failover to FW2 (.8 at the time). Consequently, FW2 became Active. As defined in the .cfg file, the Active ASA should have the .9 IP. So the IP .9 was now assigned to FW2.

I didn't know the IPs were swapped between the two ASAs after the failover happened. So I kept ssh-ing to the .8 ASA (FW2) and expected it to show me Secondary (priority should stay the same) and Active (state changed). However, at this time it turned out that .8 had already swapped to FW1 (which had priority "Primary" and state "Active" before, and became Prim/Stby after the failover happened). So my expectation was wrong and what happened was correct.

As I am writing this reply, I am still confused and had to pause so many times to make sure I am making sense :) Hopefully I don't confuse anyone who reads my post and reply, and hopefully it helps to reduce the confusion.

Mika's explanation is really helpful and clear.

John, that is really helpful. I wish I had known about this when I performed the test. I opened a support ticket with Cisco to ask for tips and recommendations a month before I performed the test, but no one brought this to my attention. I am a newbie to ASA and still on my learning curve.

Thanks so much, all, for your quick replies and input. I really appreciate it.

So you are saying that "show run failover" shows the command "failover lan unit primary" on the ASA that was previously configured with "failover lan unit secondary"?

These commands will never switch between the two ASAs if configured and will always indicate which box was originally the primary.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

I did not use that command during my failover test.

I used "no failover active" initially to start the test on the prim/act ASA.
