failover lan unit (name)

Answered Question
Jul 16th, 2013

During an Internet upgrade, I changed the roles of my ASAs. The site that was originally designed to be Secondary is now a better fit as Primary.

So, what used to be my Secondary ASA is now my Primary. However, the command "failover lan unit secondary" was set on the Secondary unit and "failover lan unit Primary" was set on the original Primary device.

Can I change these to reflect the correct role ("failover lan unit Primary" or "Secondary") without causing any outages or problems?

Jatin Katyal Tue, 07/16/2013 - 12:25
User Badges:
  • Cisco Employee,

As far as I know, you can not swap the failover units roles on the fly. There is a proper procedure that can be performed from the console session of both the ASA's.



~BR
Jatin Katyal

**Do rate helpful posts**

Steve Coady Tue, 07/16/2013 - 12:42

Jatin


Thanks for your response.


At the time we did issue a command that made the secondary ACTIVE. So now I have the following:

(I have modified IP's to remain anonymous)


    ASA-5520# sh failover
    Failover On
    Failover unit Secondary
    Failover LAN Interface: Heartbeat GigabitEthernet0/3 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 160 maximum
    Version: Ours 8.2(3), Mate 8.2(3)
    Last Failover at: 13:43:59 CST Dec 21 2012
            This host: Secondary - Active
                    Active time: 17894886 (sec)
                    slot 0: ASA5520 hw/sw rev (2.0/8.2(3)) status (Up Sys)
                      Interface outside (216.x.x.2): Normal
                      Interface inside (192.168.x.1): Normal
                      Interface dmz (192.168.x.1): Normal (Not-Monitored)
                      Interface management (192.168.x.84): No Link (Waiting)
                    slot 1: empty

            Other host: Primary - Standby Ready
                    Active time: 5267283 (sec)
                    slot 0: ASA5520 hw/sw rev (2.0/8.2(3)) status (Up Sys)
                      Interface outside (216.x.x.12): Normal
                      Interface inside (192.168.x.2): Normal
                      Interface dmz (192.168.x.2): Normal (Not-Monitored)
                      Interface management (0.0.0.0): No Link (Waiting)
                    slot 1: empty


I also modified the ip route statements to make the Internet router connecting to what is currently called the Secondary my default route out to the world.


          route outside 0.0.0.0 0.0.0.0 216.x.x.11 1 track 1

          route outside 0.0.0.0 0.0.0.0 216.x.x.1 254


I simply want the ASA I am using as Primary to be called the Primary. What would you/anyone advise?

Jouni Forss Wed, 07/17/2013 - 09:06
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Is the above "show failover" output now correct for you?


Is the one that you configured as Secondary/Primary showing as you have configured?


At least the start of the output suggests that the unit where the output was taken is configured as Secondary and showing up as Secondary.


If you are referring to the name of the ASA showing as Primary and Secondary, then that is not possible as they share the "hostname" configuration.


What you could do though is configure an additional global command that will show you, on the unit you are logged into:

  • Is it configured as Primary or Secondary
  • What is its state, Active or Standby Ready


You could use this command for example


prompt hostname priority state


What I mean by this is that it would actually show you on the command line interface, all the time, the status of the unit with regard to the failover.


Can't give you a good example since my own ASA is only an ASA5505 which is not configured for Failover. But with the above command its hostname prompt is now


ASA/sec/actNoFailover(config)#


It's showing Secondary, as the default setting for an ASA unit in Failover is Secondary unless otherwise configured to be Primary specifically.


Do also notice that configuring one unit as Primary and one as Secondary generally doesn't have that noticeable an effect on the operation. If both of the firewalls were to boot at the same time then the Primary unit would become the Active unit. If however the Primary unit was Active and then Failed and recovered again IT WOULD NOT become Active automatically. You would have to manually make it Active again or the Secondary unit (which would then be Active) would have to fail.


Only Active/Active Failover can use a command/configuration that will return the original unit back to Active when it's recovered.


Hope this helps


- Jouni

Steve Coady Wed, 07/17/2013 - 09:24

Question?


The device shows as Secondary, but also states it is the ACTIVE device. "This host: Secondary - Active"

Doesn't ACTIVE mean the device is being used as PRIMARY?

Steve Coady Wed, 07/17/2013 - 09:26

Traffic passing thru the ASA's is being sent first to the physical device which is currently showing up as Secondary-ACTIVE?

Correct Answer
Jouni Forss Wed, 07/17/2013 - 09:29
User Badges:
  • Super Bronze, 10000 points or more

Hi,


We are talking about 2 different things.


Primary and Secondary are the roles configured for the firewalls. As I said, they aren't that important (at least they don't seem to be) in an Active/Standby type Failover.


Then you have the actual State of the device in Failover which are Active and Standby Ready.


Naturally the start situation might be that you have


  • Primary - Active
  • Secondary - Standby Ready


Now let's consider that the Primary unit reboots because of a power failure. The new situation would be


  • Primary - Standby Ready
  • Secondary - Active


If Secondary device would suffer from a reboot caused by a power outage the roles would again change to


  • Primary - Active
  • Secondary - Standby Ready


So the most important thing to watch is which unit is Active and which is in Standby Ready state. Those tell which device is handling the traffic currently. As long as neither device fails and causes a Failover, the same device will stay Active whether it's configured as Primary or Secondary. As I said before, if you had an Active/Active setup, there you could control the Failover so that one unit is always the Primary/Active and in the event of failure (and recovery) the original Primary/Active unit would return to the Active state with a small delay.


- Jouni
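
The role-versus-state distinction in the answer above, as an added example that is not part of the original thread or any Cisco tooling: a Python parser for `show failover` text that reports the configured role and the live state separately. The sample is abbreviated from the output posted earlier in the thread, and the function names are assumptions of this example.

```python
import re

# Constructed sample: abbreviated from the "sh failover" output posted in this thread.
SAMPLE = """\
Failover On
Failover unit Secondary
        This host: Secondary - Active
                  Interface outside (216.x.x.2): Normal
                  Interface management (192.168.x.84): No Link (Waiting)
        Other host: Primary - Standby Ready
                  Interface outside (216.x.x.12): Normal
                  Interface management (0.0.0.0): No Link (Waiting)
"""

UNIT_RE = re.compile(r"^\s*Failover unit (Primary|Secondary)\s*$")
HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")

def parse_show_failover(text):
    """Keep the configured role (Primary/Secondary) apart from the live state."""
    result = {"enabled": False, "configured_unit": None, "hosts": {}}
    current = None  # host block the following Interface lines belong to
    for line in text.splitlines():
        if line.strip() == "Failover On":
            result["enabled"] = True
        elif m := UNIT_RE.match(line):
            result["configured_unit"] = m.group(1)
        elif m := HOST_RE.match(line):
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            result["hosts"][m.group(1).lower()] = current
        elif (m := IFACE_RE.match(line)) and current is not None:
            current["interfaces"][m.group(1)] = m.group(3)
    return result

def active_unit(parsed):
    """Return (host, role) of the unit currently passing traffic, or None."""
    for which, host in parsed["hosts"].items():
        if host["state"] == "Active":
            return which, host["role"]
    return None

def interfaces_not_normal(parsed):
    """List (host, interface, status) for interfaces not reporting Normal."""
    return [(w, n, s) for w, h in parsed["hosts"].items()
            for n, s in h["interfaces"].items() if not s.startswith("Normal")]

if __name__ == "__main__":
    p = parse_show_failover(SAMPLE)
    print("configured:", p["configured_unit"], "| passing traffic:", active_unit(p))
    print("check:", interfaces_not_normal(p))
```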
