Replace Primary of Failover Pair

Sep 14th, 2007

One of my failover pair of ASA 5520s needs to be replaced. It is the primary unit. Will the following commands suffice:

interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
 speed 1000
 duplex full

failover lan unit primary
failover lan interface State_Failovr GigabitEthernet0/3
failover link State_Failovr GigabitEthernet0/3
failover interface ip State_Failovr standby

interface GigabitEthernet0/3
 no shutdown

I guess what I'm asking is what is the logic. Once the new unit is configured it will come up as active before it sees the secondary which is also active. Once communication is established over the failover link, will the secondary remain the active ASA since it has been up the longest or will the primary remain the active ASA since this is the first contact with the secondary as far as it knows?

didyap Thu, 09/20/2007 - 11:12

From your description I think that you are using Active/Standby failover. In this scenario, when the active (master) unit goes down, the standby unit takes over as the active unit and it will constantly poll to check if the master unit is available and is working fine. If the master unit is available, it will then transfer the control to the master unit, making it once again the active unit.

whisperwind Thu, 09/20/2007 - 11:28

Actually control does not automatically flip back should the master come back up.

In regard to the question, the primary/standby role as strictly defined in the PIX is not really valid per se. When the new ASA comes in, add the following:

Do not reverse the interface IP addresses; the ASA will understand and assign them correctly automagically.

The key points you will need to change are:

Primary to Secondary

Choose the right interface and ip address for your network

failover lan unit primary
failover lan interface FAILOVER g0/3
failover link FAILOVER g0/3
failover interface ip FAILOVER standby
failover key cisco123
failover replication http

jeffland_98 Tue, 09/25/2007 - 08:34

Yes, this is an active/standby pair in a single security context. Thanks for your reply, but I've already replaced the failed unit. I first connected the failover link, then powered up the replacement ASA having put in only the config in my previous message. The new Primary unit made contact with the Active/secondary unit, downloaded the active running configuration, and then went into standby mode. I then connected the other ports on the primary unit and it is running in standby mode.

Thanks for your help.
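An added example, not part of any post in this thread: a Python consistency check for the failover bootstrap commands discussed above, meant to be run on a replacement unit's config before it is cabled in. The sample config, its addresses and its key are constructed placeholders, `check_bootstrap` is a hypothetical helper, and full interface names (not abbreviations such as g0/3) are assumed.

```python
import re

# Constructed input: addresses are documentation-range placeholders and the
# key is a placeholder; none of these values come from the thread.
SAMPLE = """\
interface GigabitEthernet0/3
 no shutdown
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover key EXAMPLE-SHARED-SECRET
"""

def check_bootstrap(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    def grab(pattern):
        hits = [m.groups() for m in (re.fullmatch(pattern, l) for l in lines) if m]
        return hits[0] if hits else None

    # Physical interfaces that carry "no shutdown" in their own stanza.
    enabled, current = set(), None
    for l in lines:
        if l.startswith("interface "):
            current = l.split()[1]
        elif l.startswith("failover"):
            current = None
        elif l == "no shutdown" and current:
            enabled.add(current)

    findings = []
    if not grab(r"failover lan unit (primary|secondary)"):
        findings.append("unit role (primary/secondary) not set")
    lan = grab(r"failover lan interface (\S+) (\S+)")
    if not lan:
        return findings + ["failover lan interface not defined"]
    name, phys = lan
    if phys not in enabled:
        findings.append(f"{phys} has no 'no shutdown'")
    link = grab(r"failover link (\S+)(?: (\S+))?")
    if link and link[0] == name and link[1] not in (None, phys):
        findings.append("state link reuses the LAN name on a different port")
    ip = grab(r"failover interface ip (\S+) \S+ \S+ standby \S+")
    if not ip or ip[0] != name:
        findings.append(f"no active/standby address pair for {name}")
    key = grab(r"failover key (\S+)")
    if not key or key[0] == "cisco123":
        findings.append("failover key missing or left at the thread's sample value")
    return findings
```

This checks only that the commands shown in the thread agree with each other; it does not decide whether a config is complete for a given ASA software version.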

