Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2536
Views
0
Helpful
2
Replies

ASA failover commands

jer0nim0x
Level 1
Level 1

‎08-16-2012 12:35 AM - edited ‎03-11-2019 04:43 PM

Hi there,

we have a pair of ASAs, one of which I need to move. For that I would like to turn off failover to be on the safe side.

Turning it off is described everywhere, but not how to turn it back on correctly (so that configs will sync again etc.).

So, how would I proceed for the entire process?

- First, I check if the one I'd like to remain in production is active. (If not I make it active using "failover active")

- Second, I say 'no failover' and this will have been the last command that will be issued automatically to both cluster members, and no automatic failover will occur.

- Then, I do whatever I have to do with the standby cluster member.

- When I'm finished, I do what exactly? Just say "failover" again to enable it? On both devices? (since both devices are not in sync anymore)

Regards,

Marki

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎08-16-2012 03:04 AM

Hi,

I haven't really had to move any firewall equipment in the failover pair but I have had to disconnect a secondary firewall because of a failover related problem (Configuration Sync didnt go through and the Secondary Firewall caused the whole pair to loose connectivity....for some reason).

Basically what I did in the situation was the following

- Disconnected the Secondary firewall from the network

- Erased the configurations from the Secondary firewall and reloaded it

- Configured the Secondary firewall with Failover configurations only

- Connected the Secondary firewall back to the network (everything but the actual Failover interface)

- Connected the Secondary firewall to Primary firewall with the failover cable (Actual firewalls located in 2 different datacenters)

- Watched as the Secondary firewall found the Primary firewall and started receiving the configuration from the Primary unit

The failover configuration on the Secondary device is the following (Primary devices configuration only difference is naturally that its defined as primary unit)

failover

failover lan unit secondary

failover lan interface failover GigabitEthernet0/1

failover key

failover link failover GigabitEthernet0/1

failover interface ip failover x.x.x.x 255.255.255.252 standby y.y.y.y

- Jouni

0 Helpful

jer0nim0x
Level 1
Level 1
In response to Jouni Forss

‎08-16-2012 04:48 AM

That is exactly the thing I'd like to do (move one ASA to other datacenter)

Disconnecting the sync is not the hard part. The ASAs won't bother (active remains active, standby remains standby)

However, when the secondary's sync link goes back up (and suppose the sync transit network is not correctly configured) it won't see the primary, it will go active and we'll have a split brain scenario which I'd like to avoid...

Marki

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card