ASA active/standby failover configuration

Unanswered Question
Jun 14th, 2010

Hi everybody,

I have configured my ASA 5520 (Software version 8.1) as active/standby failover and it works very well; however, I want to perfect my configuration. Regarding my network topology, I would like the primary device to always be active when it's running properly.

How can I force the primary to always be active?

Thank you very much,


JORGE RODRIGUEZ Mon, 06/14/2010 - 16:07


See some guidelines here.

Your primary unit will always be active until one of two occurrences happens: a failure on the primary active FW will trigger the standby to become the secondary active, or you explicitly force a unit to be the active firewall. If your primary active firewall becomes primary standby for any reason, you need to issue on the secondary active the (no failover active) to force the primary firewall to become the active one and the secondary the standby.


mnoureddine Tue, 06/15/2010 - 01:23


Yes, I know that, but I want to automate this process. I don't want to access the standby and execute the command each time the firewall fails over.

Is there any configuration line that can do this automatically?

Best regards,


JORGE RODRIGUEZ Tue, 06/15/2010 - 06:22

AFAIK it cannot be automated in active/standby by configuration; you have to manually force it.


mnoureddine Tue, 06/15/2010 - 06:23

I know that we can use the preempt command to force a group to be always the active one in active/active mode.

Can anyone help me do that in active/standby mode?

Many thanks,


John Blakley Tue, 06/15/2010 - 07:20

As Jorge said, this can't be manually done. You may be able to script something using Expect, but I've never done it. There are 3 things, though, that I want to mention that will fail over a unit:

The primary fails over to the secondary automatically because of an interface failing

The secondary becomes primary when it doesn't get a response from the primary within the hold time

A manual failover by issuing "no failover active" on the primary or "failover active" on the secondary.

You may want to look at creating an Expect script. You could do something like poll the primary for a line like "This host: Primary - Active"; if you get anything else, like "This host: Primary - Standby Ready", then you can have the Expect script run your "failover active" command on the primary unit. It's not going to be graceful, but it should work. There's nothing in the ASA that will allow you to do this automatically for active/standby.



david.g.white Mon, 07/12/2010 - 04:35

Convention would say do NOT automate the fail back!

The ASA Primary device will fail over in many circumstances, one of which could be excessive errors on an interface or an interface 'flapping'.

If you set up the system to auto fail back, then in such circumstances the unit will be likely to fail over again; this can get you into a downward spiral (i.e. a loop) where the unit becomes so busy failing over and back again that it fails to pass user traffic.

In all cases where a fail over has occurred, investigation should be undertaken to establish the root cause, and when this root cause has been fixed, then the unit can be failed back.

Please note that in the event that a transient failure causes a fail over, the unit can automatically fail over (i.e. fail back) by itself (i.e. it becomes a reverse Standby/Active configuration until manually failed back).
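The decision logic behind the Expect-style poller John Blakley describes, written here as an added Python example (not code from any poster or from Cisco), combined with a rate limit that honours david.g.white's warning about fail-over/fail-back loops. It assumes some other mechanism (Expect, SSH) has already captured the text of "show failover" from the primary; the sample output below is constructed and abbreviated, and the "This host:" / "Other host:" line format is the assumption the parser relies on.

```python
import re
from collections import deque

# Constructed, abbreviated "show failover" output for a primary that has lost
# the active role (not captured from a real unit).
SAMPLE_STANDBY = """Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Last Failover at: 10:20:30 UTC Jun 14 2010
        This host: Primary - Standby Ready
                Active time: 0 (sec)
        Other host: Secondary - Active
                Active time: 3600 (sec)
"""

# Matches lines such as "This host: Primary - Standby Ready".
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$", re.M)

def parse_failover(output):
    """Return {'this': (role, state), 'other': (role, state)} from show failover text."""
    found = {}
    for which, role, state in HOST_RE.findall(output):
        found[which.lower()] = (role, state.strip())
    if "this" not in found:
        raise ValueError("no 'This host:' line found in show failover output")
    return found

def needs_failback(status):
    """True only when this unit is the primary, is healthy (Standby Ready), and the mate is Active."""
    this_role, this_state = status["this"]
    other_state = status.get("other", (None, None))[1]
    return this_role == "Primary" and this_state == "Standby Ready" and other_state == "Active"

class FailbackGuard:
    """Allows at most max_events fail-backs per window_sec so a flapping interface
    cannot drive the pair into a failover loop (david.g.white's caveat)."""
    def __init__(self, max_events, window_sec):
        self.max_events, self.window_sec, self.events = max_events, window_sec, deque()

    def allow(self, now):
        while self.events and now - self.events[0] > self.window_sec:
            self.events.popleft()          # forget events outside the window
        if len(self.events) >= self.max_events:
            return False                   # too many recent fail-backs: leave it for a human
        self.events.append(now)
        return True

def decide(output, guard, now):
    """Return the command to send to the primary ('failover active') or None."""
    if not needs_failback(parse_failover(output)):
        return None
    return "failover active" if guard.allow(now) else None
```

When `decide` returns None while the primary is still standby, that is the signal to alert an operator rather than keep forcing the role back.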

