ASA Failover

cowetacoit · ‎12-17-2009

I plan to deploy a second ASA soon and i want to make sure there won't be a service outage on my Active ASA. So, does anyone know if there will be an outage on my Primary ASA when i add the standby config and connect my secondary ASA? We have several site to site VPNs that i can't drop.

thanks!

Jon Marshall · ‎12-17-2009

cowetacoit wrote:

I plan to deploy a second ASA soon and i want to make sure there won't be a service outage on my Active ASA. So, does anyone know if there will be an outage on my Primary ASA when i add the standby config and connect my secondary ASA? We have several site to site VPNs that i can't drop.

thanks!

There should be no outage as long as you configure it correctly.

Jon

Parminder Sian · ‎12-17-2009

Hey,

Follow this link, am sure you wont have any problems.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Hope this helps.

Regards,

Sian

cowetacoit · ‎12-18-2009

Sounds good, thanks. I've already built my config so it should work.

sachinraja · ‎12-18-2009

Hi

As other said, you shouldnt have issues here.. but have console on your failover when you do this change.. sometimes when you do a wr standby you might have to enable the "failvoer" configuration manually on secondary firewall , to bring the failover up.. i faced issues when bringing failover sometime back and had to manually do it thro console.. also, even though it might not affect, I would think you take atleast a 30 min downtime, to make sure your production traffic is not affected ! better to take a downtime , rather than being on priority 1 calls

All the best

Raj

mohsin.khan · ‎12-21-2009

Agreed on the downtime, rather i call it maintenence window:)

Adding to above, it takes around 2-4 minutes for active ASA to replicate the config (depending on the size) to the secondary, so, "show failover" might show you the peer not connected during that. Connecting console to the right box is the key

Kureli Sankar · ‎12-21-2009

Mohsin,

Primary and Secondary are the units designation.

Active and Standby are the roles that they take/play.

A Primary unit can be active or standby

A Secondary unit can be standby or active.

It takes a while to get used to the terminology. I had a hard time too when I first started.

Now, when the primary unit is active (with the failover lines in the config and failover enabled) you are wanted to add the secondary unit as standby correct?

Follow these steps.

1. Copy and paste the output of "sh run fail" - from the Primary/active unit on notepad

2. Then change the "failover lan unit primary" to "failover lan unit secondary".

3. Now copy all the lines to the secondary unit except the "failover" part - leave it out.

4. Issue "sh run fail" in both units -make sure one says primary and the other says secondary

5. Then issue "sh fail" on the primary - make sure it says "this unit active" "other unit failed"

6. Then enable "failover" in the standby unit

conf t

failover

7. watch it detect an active mate and sync up.

8. once done verify "sh fail" output in both units.

On the primary you will see this unit active other unit standby ready

on the secondary unit will see this unit standby other unit active.

You are done.

-KS