
Why does one ASA's primary status always go into secondary status?


Hi, I configured failover on the ASAs as follows. I set up ASA1 as the primary ASA, but after running for a while, ASA1 became secondary. After I added the command "failover lan unit primary", ASA1 became primary. After a while, it automatically changed back to secondary again. I want ASA1 to always be primary. Can anyone give me some suggestions? Thank you


HSRP has a priority command; does failover have one?



ASA1/sec/act# sh run failover 
failover lan unit secondary
failover lan interface folink GigabitEthernet0/5
failover key *****
failover replication http
failover interface ip folink standby


Maykol Rojas
Cisco Employee

Ok, this is the part that is very confusing, and I will try to explain it as best as I can.

When you configure the firewalls for Active/Standby failover, ALL the configuration is replicated, all of it, except for the failover commands, so when you say that you are accessing ASA1 because of the hostname, that really doesn't make any sense, since both ASAs will have the hostname ASA1 ("hostname" being a command that is replicated).


You should NEVER use "failover lan unit xxx" to change roles; you should be changing states, meaning making a unit active or standby, not changing their priorities. Priorities will never change unless you apply the command you are showing there.

If you want to access the primary firewall, you should use the regular IP that you use to connect; however, if you want to connect to the SECONDARY firewall, you need to use the standby IP configured.


NOW, to your problem: 

Probably the units are doing failover, so when you connect to the unit you are really connecting to the active one, and in some cases the active unit might be the secondary unit. In this case, it seems to be so:


The middle indicator says that you are connecting to the secondary unit; probably you connect to it using the regular IP address you use to connect to your firewall.


In order to find out why it is doing failover, you might need to pull "show failover history" and "show failover state" to see the reason for the failure.


Let me know if you have any questions.
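The distinction the reply draws (configured unit role "primary/secondary" versus runtime state "active/standby", and the fact that the prompt "ASA1/sec/act#" encodes both) is easy to misread during an incident. The following is an added Python example, not code from the original thread or from Cisco: it decodes the prompt and a "show failover" excerpt and flags the condition the poster actually hit, a secondary unit holding the active role. The prompt and the "show failover" text below are constructed samples in the shape of ASA output, not captures from the poster's devices; the hostnames, interface name and advice strings are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample prompt, in the same shape as the one quoted in the question.
SAMPLE_PROMPT = "ASA1/sec/act#"

# Constructed "show failover" excerpt (made up for this example, not a real capture).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: folink GigabitEthernet0/5 (up)
This host: Secondary - Active
Other host: Primary - Standby Ready
"""

# Prompt layout: <hostname>/<pri|sec>/<act|stby> followed by # or >
PROMPT_RE = re.compile(r"^(?P<host>[^/\s]+)/(?P<unit>pri|sec)/(?P<state>act|stby)[#>]$")
HOST_LINE_RE = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")


@dataclass
class FailoverView:
    hostname: str  # replicated config, so identical on both units (as the reply notes)
    unit: str      # "primary" or "secondary": configured role, never replicated
    state: str     # "active" or "standby": runtime state, changes on failover

    @property
    def failed_over(self) -> bool:
        # Steady state is primary/active; a secondary unit that is active means
        # a failover happened (or someone forced one) and is worth investigating.
        return self.unit == "secondary" and self.state == "active"


def parse_prompt(prompt: str) -> FailoverView:
    """Decode hostname, unit role and state from a failover-enabled ASA prompt."""
    m = PROMPT_RE.match(prompt.strip())
    if not m:
        raise ValueError(f"not a failover-enabled ASA prompt: {prompt!r}")
    unit = "primary" if m["unit"] == "pri" else "secondary"
    state = "active" if m["state"] == "act" else "standby"
    return FailoverView(m["host"], unit, state)


def parse_show_failover(text: str) -> dict:
    """Collect role and state of 'This host' and 'Other host' from show failover."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE_RE.match(line)
        if m:
            key = "this" if m[1] == "This" else "other"
            hosts[key] = {"unit": m[2].lower(), "state": m[3].lower()}
    return hosts


def check(prompt: str, show_failover: str) -> list:
    """Return human-readable findings; an empty list means the pair is in steady state."""
    view = parse_prompt(prompt)
    hosts = parse_show_failover(show_failover)
    findings = []
    if view.failed_over:
        findings.append(
            f"{view.hostname}: secondary unit is ACTIVE; a failover occurred. "
            "Review 'show failover history' / 'show failover state' for the cause "
            "rather than changing 'failover lan unit'."
        )
    this = hosts.get("this")
    if this and (this["unit"] != view.unit or this["state"].split()[0] != view.state):
        findings.append("prompt and 'show failover' disagree; re-check which unit you are on")
    if view.state == "active":
        findings.append("you reached this unit via the regular (active) IP; "
                        "use the standby IP to reach the other unit")
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_PROMPT, SAMPLE_SHOW_FAILOVER):
        print("-", f)
```

Run against the sample, it reports the secondary-active condition and reminds the operator which address reaches which unit; against a prompt such as "ASA1/pri/act#" with a matching show failover it reports only the address note, which is the steady state the poster wants.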