Need to "move" failover to different interface/port

Bill Dickerson
Level 1

Sorry if this is the wrong area; we have so seldom had questions that were not otherwise handled that I don't frequent this area.

How difficult is it to change the interface used for active/standby failover? It's a working, already configured pair with standby, but I need to move the crossover cable and tell them to use a different interface. 
ASA 5510 pair, already set up and working with failover that was originally configured on Ethernet port 0/3 by the senior network admin. It appears that from his use of interfaces or ports he used things straight out of examples on the web, including the interfaces used. 
The senior network admin retired last spring and left me "in charge", gee, thanks.
I need to make some changes and need an Ethernet port for a new important project.
The Management 0/0 interface is unused and shutdown. We manage via inside interface from a specific subnet inside so don't need the dedicated management interface.
I want to move failover FROM Ethernet 0/3 TO Management 0/0.

*This is the current setup:

Result of the command: "sh run failover"

failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2

*And this is the current interface configuration for 0/3 and Management:

interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 speed 100
 duplex full
 shutdown
 nameif management
 security-level 0
 no ip address
 ospf cost 10

I know it can run on the Management 0/0 interface because I see a lot of "how to configure" as if the ASA is brand new and several examples out there indeed show it being setup on Management.

I'm looking for how to take an ASA pair that is currently configured and has a working functional failover configuration and simply "move failover" to a different hole or change the interfaces used for the "heartbeat" as it were.

I assume it's not hard - but I also assume there's a specific sequence of events that must take place to prevent the pair from going into failover and switching lead roles...
For example - would I shut off or turn off failover, and if so how, and on which ASA? (Frankly, I'm not sure how to access the secondary or standby if this must be done from or on the standby unit, as I've never done that "deep" a config before.)
CLI is fine - I'd be just as comfortable in either ASDM or cli. 

I sure hope this makes sense - I'm more of a troubleshooter and fixer than a designer or network engineer....
And many many thanks - getting this moved will free up the interface I need and can really make a big dent in my project list while the supervisor is on vacation this week! I'd love to have this done and working before his return. 

Oh, in case it does matter, as I've been told, this is the currently running license and version, shown here:

Cisco Adaptive Security Appliance Software Version 8.4(4)1 
Device Manager Version 6.4(7)

Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"

VRDSMFW1 up 141 days 4 hours
failover cluster up 141 days 4 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00 
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

 0: Ext: Ethernet0/0         : address is 0024.972b.e020, irq 9
 1: Ext: Ethernet0/1         : address is 0024.972b.e021, irq 9
 2: Ext: Ethernet0/2         : address is 0024.972b.e022, irq 9
 3: Ext: Ethernet0/3         : address is 0024.972b.e023, irq 9
 4: Ext: Management0/0       : address is 0024.972b.e01f, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 250            perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5510 Security Plus license.


Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 4              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : 250            perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5510 Security Plus license.

Serial Number: ABC12345678
Running Permanent Activation Key: eieioandapartridgeinapeartree 
Configuration register is 0x1
Configuration last modified by me at 15:03:07.132 CDT Mon Sep 15 2014


3 Replies

Marvin Rhoads
Hall of Fame

Disconnect a monitored interface on your standby unit; that will ensure it doesn't take over as active. Then disconnect the failover link and modify its settings for failover. (You'll have to remove the nameif for M0/0 first.)

Then make the similar complementary set of changes on the primary-active unit. Reconnect the failover link, confirm the units sync, and finally reconnect the production interface on the standby unit.
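One way to write out the change the reply above describes, as an added example rather than commands from the post or from Cisco's documentation. It assumes the configuration shown in the question, that the ASA requires failover to be disabled on a unit before its failover link interface can be changed, and that nothing else in the config references the "management" nameif:

```text
! Added example. Run on the STANDBY unit first, then on the primary/active
! unit, with the failover cable unplugged and one monitored data interface on
! the standby unplugged so it cannot become active during the edit.
!
! 1. Free Management0/0 for use as the failover link. A failover link cannot
!    carry a nameif, and the port is currently shut down.
interface Management0/0
 no nameif
 no shutdown
!
! 2. Re-point the failover link at Management0/0.
!    Assumption: failover must be off on this unit while the link is changed.
no failover
! use "failover lan unit secondary" on the standby unit
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover
!
! 3. Ethernet0/3 is now an ordinary data port and can be given its new role.
interface Ethernet0/3
 no description LAN/STATE Failover Interface
! (new project configuration for this port goes here; placeholder)
!
! 4. After the same edit on the other unit, move the crossover cable to the
!    two Management0/0 ports, then check sync before reconnecting the standby's
!    data interface. Look for "Failover On" and the other host reporting
!    "Standby Ready".
show failover
```

If `show failover` does not show the other host as Standby Ready after the cable is moved, keep the standby's data interface disconnected until the mismatch is resolved; it cannot take over while that interface is down.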

If there was a "smack-self-on-forehead" icon here I'd use it now.

Of course, totally logical - if you disconnect a monitored connection on the standby it's not about to take over as primary because it's had a failure and can't do the job, forcing the primary or active to remain that way. There's the key that would allow all other changes.

Since the settings or config lines are in place already, if I'm correct it's then a matter of just modifying what's there, and of course removing the name of the Management interface (no nameif) and making sure it's not shut down (no shutdown), etc.

You are a handy person to have around. Thanks.

By the way, *thanks to prior answers received here* and reading responses to others who had questions I can say I've set a record for this agency and done what no one else had been able to do - I've taken a troublesome LAN-to-LAN connection and made it trouble-free with a solid connection that is just 7.5 hours away from being up 90 days with no interruption, no collapse of any SA and improved performance.  I have 2 others out of our 34 that aren't too far behind that. The boss has recognized this after seeing his monthly up-time reports.

Once I get this failover change made I will be setting up a "DMZ" of sorts and trying my hand at telling the 5510s to forward specific traffic aimed at a specific public IP address to a specific server. (But that's another topic...)

You're welcome. Happy to help.

Thanks for the rating and kind words.