ASA Failover

Unanswered Question
Dec 17th, 2009

I plan to deploy a second ASA soon and I want to make sure there won't be a service outage on my Active ASA. So, does anyone know if there will be an outage on my Primary ASA when I add the standby config and connect my secondary ASA? We have several site-to-site VPNs that I can't drop.

thanks!

Jon Marshall Thu, 12/17/2009 - 16:59

cowetacoit wrote:

I plan to deploy a second ASA soon and I want to make sure there won't be a service outage on my Active ASA. So, does anyone know if there will be an outage on my Primary ASA when I add the standby config and connect my secondary ASA? We have several site-to-site VPNs that I can't drop.

thanks!

There should be no outage as long as you configure it correctly.

Jon

cowetacoit Fri, 12/18/2009 - 05:22

Sounds good, thanks. I've already built my config so it should work.

sachinraja Fri, 12/18/2009 - 08:37

Hi

As others said, you shouldn't have issues here, but have console on your failover when you do this change. Sometimes when you do a wr standby you might have to enable the "failover" configuration manually on the secondary firewall to bring the failover up. I faced issues when bringing up failover some time back and had to manually do it through console. Also, even though it might not affect, I would think you take at least a 30 min downtime, to make sure your production traffic is not affected! Better to take a downtime, rather than being on priority 1 calls.

All the best

Raj

Kureli Sankar Mon, 12/21/2009 - 10:29

Mohsin,

Primary and Secondary are the unit designations.

Active and Standby are the roles that they take/play.

A Primary unit can be active or standby

A Secondary unit can be standby or active.

It takes a while to get used to the terminology.  I had a hard time too when I first started.

Now, when the primary unit is active (with the failover lines in the config and failover enabled), you want to add the secondary unit as standby, correct?

Follow these steps.

1. Copy and paste the output of "sh run fail" from the Primary/active unit into Notepad.

2. Then change the "failover lan unit primary" to "failover lan unit secondary".

3. Now copy all the lines to the secondary unit except the "failover" part - leave it out.

4. Issue "sh run fail" on both units - make sure one says primary and the other says secondary

5. Then issue "sh fail" on the primary - make sure it says "this unit active" "other unit failed"

6. Then enable "failover" in the standby unit

conf t

failover

7. Watch it detect an active mate and sync up.

8. Once done, verify the "sh fail" output on both units.

On the primary you will see "this unit active", "other unit standby ready".

On the secondary unit you will see "this unit standby", "other unit active".

You are done.

-KS
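
Steps 1 to 4 of the procedure above, as an added Python example (not part of the original post): it derives the secondary's failover lines from the primary's "sh run fail" output and then checks that only the unit designation differs. The sample config, interface names, addresses and function names are constructed for illustration; the masked-key handling assumes the running config displays the shared failover key as asterisks.

```python
# Constructed sample of "sh run fail" output from the primary/active unit.
# Interface names and addresses are made up for illustration.
PRIMARY_SH_RUN_FAIL = """\
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover key *****
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
"""

def build_secondary_config(primary_output):
    """Return (lines_to_paste, lines_needing_manual_entry) for the secondary."""
    lines = [" ".join(l.split()) for l in primary_output.splitlines() if l.strip()]
    if lines.count("failover lan unit primary") != 1:
        raise ValueError("expected exactly one 'failover lan unit primary' line")
    paste, manual = [], []
    for line in lines:
        if line == "failover":
            continue  # step 3: leave the enable command out until step 6
        if line == "failover lan unit primary":
            paste.append("failover lan unit secondary")  # step 2
        elif line.startswith("failover key ") and line.endswith("*"):
            # A masked key pasted as-is would not match the primary's real key,
            # so it has to be typed in by hand on the secondary.
            manual.append(line)
        else:
            paste.append(line)
    return paste, manual

def check_pair(primary_output, secondary_output):
    """Step 4: return a list of problems; an empty list means the pair is consistent."""
    def parse(text):
        lines = {" ".join(l.split()) for l in text.splitlines() if l.strip()}
        unit = {l.split()[-1] for l in lines if l.startswith("failover lan unit ")}
        rest = {l for l in lines
                if l != "failover" and not l.startswith("failover lan unit ")}
        return unit, rest
    (u1, r1), (u2, r2) = parse(primary_output), parse(secondary_output)
    problems = []
    if (u1, u2) != ({"primary"}, {"secondary"}):
        problems.append("unit designations must be primary / secondary")
    problems += [f"differs: {l}" for l in sorted(r1 ^ r2)]
    return problems

if __name__ == "__main__":
    paste, manual = build_secondary_config(PRIMARY_SH_RUN_FAIL)
    print("\n".join(paste))
    print("enter by hand:", manual)
```
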
