We performed an ASA upgrade on an HA Pair of ASA 5555-X's that are in Active/Standby HA from 9.6(4)34 to 9.12(3)12. We upgraded the secondary/standby unit first. When we failed the active unit to the secondary, all AnyConnect users had connection issues. Pings were lost until a user disconnected and then re-connected. After we upgraded the Primary unit and then failed the Active back to the Primary, the same event occurred. My understanding is this should not happen when HA is properly configured regardless of the versions difference? We don't have a standby IP address on the outside interface. Our understanding of this is it should only impact failure detection of interface not state-full sub-second switchover? We'd like to determine if we have an issue with our configuration to prevent this from happening again, so that fail-overs don't impact AnyConnect users for more than a few seconds. Any input on this or assistance would be greatly appreciated.
Configure the Primary Unit for Active/Standby Failover
Follow the steps in this section to configure the primary in an Active/Standby failover configuration. These steps provide the minimum configuration needed to enable failover on the primary unit.
Before you begin
We recommend that you configure standby IP addresses for all interfaces except for the failover and state links.
Do not configure anameiffor the failover and state links.
For multiple context mode, complete this procedure in the system execution space. To change from the context to the system execution space, enter thechangeto systemcommand.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
