12-17-2009 04:23 PM - edited 03-11-2019 09:49 AM
I plan to deploy a second ASA soon and I want to make sure there won't be a service outage on my Active ASA. So, does anyone know if there will be an outage on my Primary ASA when I add the standby config and connect my secondary ASA? We have several site-to-site VPNs that I can't drop.
Thanks!
12-17-2009 04:59 PM
cowetacoit wrote:
I plan to deploy a second ASA soon and I want to make sure there won't be a service outage on my Active ASA. So, does anyone know if there will be an outage on my Primary ASA when I add the standby config and connect my secondary ASA? We have several site-to-site VPNs that I can't drop.
Thanks!
There should be no outage as long as you configure it correctly.
Jon
12-17-2009 10:09 PM
Hey,
Follow this link; I am sure you won't have any problems.
Hope this helps.
Regards,
Sian
12-18-2009 05:22 AM
Sounds good, thanks. I've already built my config so it should work.
12-18-2009 08:37 AM
Hi,
As others said, you shouldn't have issues here, but have console on your failover when you make this change. Sometimes when you do a wr standby you might have to enable the "failover" configuration manually on the secondary firewall to bring the failover up. I faced issues when bringing up failover some time back and had to do it manually through the console. Also, even though it might not affect anything, I would think you should take at least a 30 min downtime to make sure your production traffic is not affected! Better to take a downtime rather than being on priority 1 calls.
All the best
Raj
12-21-2009 08:30 AM
Agreed on the downtime; rather, I call it a maintenance window :)
Adding to the above, it takes around 2-4 minutes for the active ASA to replicate the config (depending on the size) to the secondary, so "show failover" might show you the peer not connected during that time. Connecting the console to the right box is the key.
12-21-2009 10:29 AM
Mohsin,
Primary and Secondary are the unit designations.
Active and Standby are the roles that they take/play.
A Primary unit can be active or standby.
A Secondary unit can be standby or active.
It takes a while to get used to the terminology. I had a hard time too when I first started.
Now, when the primary unit is active (with the failover lines in the config and failover enabled), you want to add the secondary unit as standby, correct?
Follow these steps.
1. Copy and paste the output of "sh run fail" from the Primary/active unit into Notepad.
2. Then change the "failover lan unit primary" to "failover lan unit secondary".
3. Now copy all the lines to the secondary unit except the "failover" part - leave it out.
4. Issue "sh run fail" on both units - make sure one says primary and the other says secondary.
5. Then issue "sh fail" on the primary - make sure it says "this unit active" "other unit failed".
6. Then enable "failover" on the standby unit:
conf t
failover
7. Watch it detect an active mate and sync up.
8. Once done, verify the "sh fail" output on both units.
On the primary you will see "this unit active", "other unit standby ready".
On the secondary unit you will see "this unit standby", "other unit active".
You are done.
-KS
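Steps 2 and 3 of the procedure above as a small script, added here as an example that is not part of the original post: it takes the "sh run fail" text copied from the primary, flips the unit designation, and leaves out the bare "failover" enable line. The sample output, the interface name FOLINK, the addresses and the `<SHARED-KEY>` placeholder are constructed; the masked-key handling assumes the running config prints the failover key as asterisks.

```python
import re

# Constructed sample of "sh run fail" output from the primary/active unit.
# Interface name, addresses and the masked key line are illustrative only.
PRIMARY_SH_RUN_FAIL = """\
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover key *****
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
"""

KEY_PLACEHOLDER = "failover key <SHARED-KEY>"  # hypothetical marker, replace by hand


def build_secondary_config(primary_output):
    """Apply steps 2 and 3: return (lines_to_paste, warnings) for the secondary."""
    lines, warnings, saw_unit = [], [], False
    for raw in primary_output.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if not line or line.startswith("!"):
            continue
        if line in ("failover", "no failover"):
            continue  # step 3: the bare enable command is entered last (step 6)
        if line == "failover lan unit secondary":
            raise ValueError("this output was taken from the secondary unit")
        if line == "failover lan unit primary":
            line, saw_unit = "failover lan unit secondary", True  # step 2
        elif re.fullmatch(r"failover key \*+", line):
            # Assumption: the running config shows the key masked, so pasting
            # this line as-is would set a key that does not match the primary.
            line = KEY_PLACEHOLDER
            warnings.append("failover key is masked; enter the real shared key")
        lines.append(line)
    if not saw_unit:
        raise ValueError("no 'failover lan unit primary' line found")
    return lines, warnings


if __name__ == "__main__":
    config, notes = build_secondary_config(PRIMARY_SH_RUN_FAIL)
    print("\n".join(config))
    for note in notes:
        print("WARNING:", note)
```

The script refuses input that lacks the primary designation, so output copied from the wrong console is caught before anything is pasted.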